10.2.14 Methods of Providing Protection

Manual Transmittal

August 29, 2019

Purpose

(1) This transmits revised IRM 10.2.14, Methods of Providing Protection.

Material Changes

(1) This IRM was updated to reflect current organizational titles, scope, definitions and authorized use.

(2) Removed IRM 10.2.14.2, Implementation of Clean Desk Policy sections (1), (2), (3), (4), (6) and (7). For additional guidance regarding clean desk policy and clean desk waivers, see IRM 10.5.1, Privacy and Information Protection, Privacy Policy.

(3) Removed IRM 10.2.14.4, Limited Area (2), (3), (4), (5) and (6). For additional guidance regarding Limited Area Access, see IRM 10.2.18, Physical Access Control (PAC).

(4) Removed IRM 10.2.14.4.1, Requirements for Receptionists (Monitors) at Entrances to Limited Areas - Authorized Personnel. For additional guidance regarding Limited Area Access, see IRM 10.2.18, Physical Access Control (PAC).

(5) Removed IRM 10.2.14.4.2, Requirements for Assigned Monitors at Entrances to Limited Areas - Visitors. For additional guidance regarding Limited Area Access, see IRM 10.2.18, Physical Access Control (PAC).

(6) Removed IRM 10.2.14.6, Secured Room. For guidance regarding Secured Room requirements, see IRM 10.2.11, Basic Physical Security Concepts.

(7) Removed IRM 10.2.14.8, Facility Access. For guidance regarding Access, see IRM 10.2.18, Physical Access Control (PAC).

(8) Removed IRM 10.2.14.9.2, Unannounced Alarm Test Report (UATR) Exercises. IRS guard management transitioned to the Federal Protective Service (FPS) management of their guard forces at IRS facilities. Therefore, UATR is no longer a requirement.

(9) Added AWSS 10-0817-0002 Interim Guidance for Cipher Lock Combinations and HR Connect Separating Employee Clearance for IRM 10.2.14, issued on July 31, 2017.

(10) Added FMSS-10-0618-0001 Interim Guidance on FMSS Physical Security Alarm Training for IRM 10.2.14, issued on June 1, 2018.

(11) Added FMSS-10-0818-0003, Interim Guidance for Alarm Inventories for IRM 10.2.14, issued on August 31, 2018.

(12) Added FMSS-10-0818-0004, Interim Guidance for IRM 10.2.14.9.2 Alarm Event Reports, issued on August 31, 2018.

(13) Added FMSS-10-1218-0005, Interim Guidance for Emergency Contact List (ECL) for IRM 10.2.14 to implement policy for Territory Manager and Program Manager ECL review and verification responsibilities, issued on December 31, 2018.

(14) Added Security Container updated requirements to IRM 10.2.14.3.2.

(15) Added Alarm Maintenance and Testing Certification Report form requirements to IRM 10.2.14.7.1.

(16) Added Video Surveillance System (VSS) security storage requirements to IRM 10.2.14.7.2.

(17) As of January 1, 2017, the Internal Revenue Service (IRS) instituted a requirement that the IRM address relevant internal controls. This will inform employees about the importance of and context for internal controls by describing the program objectives and officials charged with program management and oversight. Internal controls are the program’s policies and procedures which ensure:

  1. Mission and program objectives are clearly delineated and key terms defined.

  2. Program goals are established and performance is measured to assess the efficient and effective mission and objective accomplishment.

  3. Program and resources are protected against waste, fraud, abuse, mismanagement and misappropriation.

  4. Program operations are in conformance with applicable laws and regulations.

  5. Financial reporting is complete, current and accurate.

  6. Reliable information is obtained and used for decision making and quality assurance.

Effect on Other Documents

This IRM supersedes 10.2.14 dated August 17, 2016.

Audience

Servicewide

Effective Date

(08-29-2019)

Richard L. Rodriguez
Chief
Facilities Management and Security Services

Program Scope and Objectives

  1. This section applies to the required physical security countermeasures to be used for the protection of IRS personnel, facilities and property. The IRS employs the physical security strategy of layered defense to deter, detect, and mitigate attempts at unauthorized access to IRS controlled space and information, to comply with Department of Treasury, Interagency Security Committee (ISC) standards and policy.

  2. Purpose: This IRM establishes the framework for applying physical security countermeasures to protect IRS personnel, facilities and property.

  3. Audience: Servicewide

  4. Policy Owner: Chief, Facilities Management and Security Services (FMSS).

  5. Program Owner: FMSS Associate Director (AD), Security Policy.

  6. Primary Stakeholders: FMSS Field Operations, Business Unit Executives, Senior Managers, Chief Counsel Executives, Managers, and Employees.

  7. Program Goals: To provide policy and procedures for physical security methods of providing protection.

Background

  1. To comply with Department of Treasury, ISC, and IRS protection standards and policies, the IRS has established physical security methods of providing protection. The IRS uses the physical security strategy of layered defense to deter, detect, and mitigate attempts at unauthorized access to IRS controlled space and information. The methods of providing protection with layers of defense can be specifically tailored to suit the requirements of the protected resources under varying circumstances. Additional guidance on the employment of methods of providing protection can be found in IRM 10.2.15, Minimum Protection Standards (MPS).

Authority

  1. The Facilities Standards for the Public Buildings Service (PBS) P100

  2. Treasury Department Publication (TDP) 15-71

  3. National Institute of Standards and Technology (NIST) SP 800-53

  4. Federal Information Security Management Act (FISMA)

  5. Executive Order, Classified National Security Information (EO 13526)

  6. Executive Order, Interagency Security Committee (EO 12977)

Responsibilities

  1. The Chief, FMSS prescribes and is responsible for oversight of methods of providing protection policies and guidance.

  2. FMSS AD, Security Policy is:

    1. responsible for oversight of the planning, developing, implementing, evaluating, and controlling methods of providing protection policies and guidance.

    2. the approving authority for any variation to the existing alarm policy.

  3. Chief, FMSS Physical Security Protection Programs (PSPP) is responsible for planning, developing, implementing, evaluating, and controlling methods of providing protection policies and guidance.

  4. FMSS Territory Managers (TM) are responsible for verifying that local FMSS Physical Security Section Chiefs (SSC) enforce IRS policy and provide oversight in the implementation and enforcement of methods of providing protection policies and guidance.

  5. An FMSS Physical SSC is responsible for implementing and enforcing IRS policy and procedures for methods of providing protection within their assigned territory, ensuring that IRS policy and procedures are followed.

  6. All IRS managers are responsible for:

    1. informing all employees within their span of control of the importance of following facility security practices.

    2. initiating Personnel Actions Requests (PAR) and Separating Employee Clearance (SEC) actions in HR Connect, and verifying all facility access door keys and proxy cards are recovered from separating employees.

      Note:

      For additional information, see IRM 10.2.5, Identification Media.

  7. All employees and contractors are responsible for complying with established security practices and procedures.

Program Management and Review

  1. Program Reports: The authoritative data source for monitoring methods of providing protection will be:

    1. Security Information Management System (SIMS) monthly deliverable reports

    2. Alarm Testing and Maintenance reports

    3. FMSS Program Site (SharePoint)

  2. Program Effectiveness: Program owners’ reviews of SIMS monthly deliverables (reports confirming timely completion of program deliverables).

    1. Timely completion of core deliverables

    2. Analysis of alarm testing and maintenance results

Definitions

  1. Countermeasures - An action or device that can prevent or mitigate the effects of threats.

  2. Intermediate Distribution Frame (IDF) - A distribution frame in a central office which cross-connects the user cable media to individual user line circuits and may serve as a distribution point for multipair cables from the Main Distribution Frame (MDF) or Combined Distribution Frame (CDF) to individual cables connected to equipment in areas remote from these frames.

  3. Main Distribution Frame (MDF) - A cable rack that interconnects and manages the telecommunications wiring between itself and any number of IDFs. Unlike an IDF, which connects internal lines to the MDF, the MDF connects private or public lines coming into a building with the internal network. For example, an enterprise that encompasses a building with several floors may have one centralized MDF on the first floor and one IDF on each of the floors that is connected to the MDF.

  4. Acronyms

    Acronym Definition
    AD Associate Director
    AEHR All Events History Report
    API Application Programmers Interface
    CCTV Closed-Circuit Television
    CDF Combined Distribution Frame
    CI Criminal Investigations
    COR Contracting Officer’s Representative
    CSCC Central Security Control Console
    DAS Direct Attached Storage
    DHS Department of Homeland Security
    DVR Digital Video Recorder
    ECL Emergency Contact List
    EO Executive Order
    EPACS Enterprise Physical Access Control System
    FISMA Federal Information Security Management Act
    FMSS Facilities Management and Security Services
    FOIA Freedom of Information Act
    FPS Federal Protective Service
    GSA General Services Administration
    IDF Intermediate Distribution Frame
    IDS Intrusion Detection System
    ISC Interagency Security Committee
    IT Information Technology
    KC Kansas City
    KCO Key Control Officer
    KCR Key Custody Receipt
    KISAM Knowledge Incident/Problem Service and Asset Management
    MC Megacenter
    MDF Main Distribution Frame
    NAS Network Attached Storage
    NIST National Institute of Standards and Technology
    PAR Personnel Actions Request
    PBS Public Buildings Service
    POC Point of Contact
    PSO Protective Security Officer
    PSPP Physical Security Protection Programs
    PSS Physical Security Specialist
    PTZ Pan-Tilt Zoom
    SAMC Situational Awareness Management Center
    SAN Storage Area Network
    SDK Software Developers Kit
    SEC Separating Employee Clearance
    SF Standard Form
    SIMS Security Information Management System
    SSC Security Section Chief(s)
    TAC Taxpayer Assistance Center
    TDP Treasury Department Publication
    TIGTA Treasury Inspector General for Tax Administration
    TM Territory Manager
    UL Underwriters Laboratories
    UPS Uninterrupted Power Supply
    VMD Video Motion Detection
    VSS Video Surveillance System

     

Related Resources

  1. FMSS Physical Security Design Manual

  2. IRM 1.4.6, Managers Security Handbook

  3. IRM 10.2.5, Identification Card

  4. IRM 10.2.11, Basic Physical Security Concepts

  5. IRM 10.2.15, Minimum Protection Standards (MPS)

  6. IRM 10.2.18, Physical Access Control (PAC)

  7. IRM 10.5.1, Privacy and Information Protection, Privacy Policy

  8. IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance

  9. IRM 10.9.1, National Security Information

  10. TAC Design Guide

Clean Desk Policy

  1. The IRS has adopted general clean desk and containment objectives for the protection of taxpayer, privacy act, and other protected data. There are certain areas, such as mass processing operations, where the full implementation of clean desk and/or containerization procedures is not appropriate.

    Note:

    For additional guidance regarding clean desk policy and clean desk waivers, see IRM 10.5.1, Privacy and Information Protection, Privacy Policy.

Containers

  1. The term "container" includes all vertical and lateral file cabinets, safes, supply cabinets, open and closed shelving, desk and credenza drawers, Kansas City (KC) carts (storage cart on wheels) or any other piece of office equipment designed for the storage of files, documents, papers or equipment.

  2. Some of these containers are designed for storage only and do not provide protection (for example, open shelving or KC carts).

  3. For purposes of providing protection, containers can be grouped into three general categories:

    1. Locked containers

    2. Security containers

    3. Safes and vaults

Locked Container

  1. A locked container is any lockable metal container with riveted or welded seams that is locked.

  2. All key and combination locks must be controlled by the business unit with oversight of the area and secured with the same level of protection required for the items being protected.

Security Container

  1. A security container will be used for storing items requiring a higher level of security. A Class V GSA approved penetration resistant cabinet will be used to store these items. All GSA-approved containers must have a GSA approval label, or a GSA recertification label on the front of the equipment and show the penetration resistance specification for the cabinet (Covert and Surreptitious). Examples of a security container are:

    1. Class V Two Drawer Container

    2. Class V Four Drawer Container

    3. Class V Map Plan Container

    4. Class V General Purpose Container

    5. Class V Information Processing Systems (IPS) Container


    The Penetration Resistant Cabinets will have:

    1. Dual Locks (DL) - Two Separate Combination Locks

    2. Dual Multiple Locks (DM) - Independently controlled locking drawers, each drawer having one or two separate combination locks with separate locking mechanisms

    3. Multiple Lock (ML) - Independently controlled locking drawers with each drawer having its own individual combination lock and locking mechanism

    4. Single Lock (SL) - A single combination lock on the control drawer which controls access to each individual drawer in the cabinet

    Note:

    For a list of these items, see Exhibit 10.2.15-2, Minimum Protection Standards Protectable Items.

  2. All key and combination locks must be controlled by the business unit with oversight of the area and secured with the same level of protection required for the items being protected.

Safes and Vaults

  1. Safe-type containers accepted for general use by the IRS are General Services Administration (GSA) approved and can be identified by interior labels which reflect one of the following:

    1. Class I Safe, insulated - 1 hour, 10 minutes forced, 30 minutes surreptitious

    2. Class II Safe, insulated - 1 hour, 5 minutes forced, 20 minutes surreptitious

    3. Class IV Safe, not insulated - 5 minutes forced, 20 minutes surreptitious

    4. Class V Safe, not insulated - 10 minutes forced, 30 minutes surreptitious

  2. Containers will be marked on the outside of the front face of the containers "General Services Administration Approved Security Container."

  3. Safes with TL-30 must be equipped with a Group 1 or 1R combination lock; TRTL-30, TRTL-60 or TXTL-60, Underwriters Laboratories (UL) Listings. Safe designations:

    1. TL-30 - resistant to attack by mechanical or electrical tools for 30 minutes

    2. TRTL-30 - resistant to attack by torch and mechanical or electrical tools for 30 minutes

    3. TRTL-60 - resistant to attack by torch and mechanical or electrical tools for 60 minutes

    4. TXTL-60 - resistant to all the above and high explosives

  4. Approved vaults are those which have been constructed to specifications approved jointly by IRS and GSA and utilize UL approved vault doors.

  5. All key and combination locks must be controlled by the business unit with oversight of the area and secured with the same level of protection required for the items being protected.

Drop Boxes

  1. Drop boxes, or any containers used for the purpose of collecting payment or information without human interaction, are strictly prohibited within IRS facilities. Placement of these types of containers provides opportunity for malicious activity and poses unacceptable safety and security risks.

Limited Area

  1. A Limited Area is an area to which access is limited to authorized personnel only. All who access a Limited Area must have a verified official business need to enter. Limited Area space can be identified by the FMSS Physical SSC based on critical assets. Per IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, National Critical Assets are defined as assets essential to the minimum operations of the economy and the government. An asset is considered a National Critical Asset if its failure or inability to function will result in an adverse national impact. All Limited Areas must meet secured area requirements. Designating a facility or space within a facility as a Limited Area is an effective method of controlling the movement of individuals and eliminating unnecessary traffic.

    Note:

    For information on secured area requirements, see IRM 10.2.15, Minimum Protection Standards (MPS).

  2. Limited Areas will have signs prominently posted as "Limited Area" and separated from other areas by physical barriers which will control access. The number of entrances will be kept to a minimum and each entrance must be controlled. Adequate control will be provided by establishing a workstation of a responsible employee at the entrance to ensure that only authorized persons with an official need enter. Only individuals assigned to the area will be provided Limited Area SmartID containing the "R" indicator. If the Limited Area is a small room or closet that is not always staffed and does not have an established staffed entry point, it must be properly secured. All visitors will need a local Point of Contact (POC) and will have to be logged in, accounted for, and escorted continually while in the Limited Area.

    Note:

    For additional guidance and requirements for receptionists (monitors) at the entrance to a Limited Area, see IRM 10.2.18, Physical Access Control (PAC).

  3. Keys and/or access cards to Limited Areas must be controlled by the business unit with oversight of the area and secured with the same level of protection required for the items being protected in the Limited Area.

Locks - General

  1. The lock is the most accepted and widely used security device for protecting installations and activities, personnel, tax data, classified material and government and personal property. All containers, rooms, buildings and facilities containing vulnerable or sensitive items should be locked when not in actual use.

  2. Regardless of their quality or cost, locks should be considered as delay devices only. Many ingenious locks have been devised, but equally ingenious means have been developed to open them surreptitiously. Some types of locks require considerable time and expert manipulation for covert opening, but all will succumb to force with the proper tools. Therefore, the locking system must be planned and used in conjunction with other security measures if a high degree of security is to be obtained. All door keys to hard walled space (excluding cubicle doors) must be acquired through the local FMSS Physical Security staff.

  3. All keys to facility access doors must be issued using Form 1930-D, Key Custody Receipt (KCR). The KCR must be completed with all signatures and provided to the local FMSS Physical Security staff within five business days of issuing a facility access door key.

Type of Locking Devices

  1. Available locks range from the very simple (and easily defeated) variety to highly developed key locks, to combination locks and highly sophisticated electronic coded switches.

  2. The degree of protection afforded by a well-constructed vault, safe, or filing cabinet may be measured in terms of the resistance of the locking mechanism to picking, manipulation or drilling. There are several types of locking devices available, such as:

    1. Key Locks - The time for picking most standard pin-tumbler locks (including those that are specially keyed) ranges from a few seconds to a few minutes. High security key locks are also vulnerable to surreptitious defeat; however, such defeat is much more difficult. The possibility of the loss and compromise of a key and the possibility of an impression being made should also be considered in determining the security value of a key-type lock. Key locks are the most common mechanical type lock and include locks, lever locks and pin tumbler locks.

    2. Combination Locks - This type of lock is incorporated in padlocks, vaults and doors. Combination locks are typically used for their ease of use and require additional handling and maintenance by the business unit. Combination locks should be used sparingly and only within interior areas at those facilities where access into the space is controlled at the space perimeter.

      Example:

      Scramble pads offer the flexibility of multiple codes for multiple functions; individual pin numbers can be used in conjunction with the key pad and the codes cannot be discerned by others.

    3. Enterprise Physical Access Control Systems (EPACS) - EPACS can serve a valuable purpose by documenting the entry/exit of personnel and allowing access or denial with minimal delays. EPACS should be used to secure limited and controlled areas, where feasible, to control entry.

      Example:

      (of limited and controlled areas) Employees’ work areas, Criminal Investigations (CI) perimeter doors, Telecommunications closets, MDF and IDF closets, Receipt and Control functions, power generation, battery and electrical Switchgear, Computer Rooms.

      Note:

      Additionally, EPACS should be installed on interview room doors where there is face to face contact with taxpayers, to allow IRS employees a quick exit from threatening taxpayers into secured IRS space. The FMSS Physical SSC will determine where EPACS will be installed at such locations based on space configuration, type of existing hardware, type of partition walls, risk mitigation assessment results, etc. FMSS AD, Security Policy is the authority for approval of deviations to this policy.

Other Access Controls

  1. Combination type door locks, which rely on something the individual knows, have been used in the past for controlling access. Though these types of locks add a layer of security, if the combinations are widely disseminated and not changed frequently, unauthorized access may occur and not be detected. With this type of access control, there is no audit trail of who entered or exited, so unauthorized access may be difficult to detect.

  2. There are several types of electronic access control systems. The access cards contain encoded information about what the user can access and who the user is. These systems are used for controlling access to buildings, rooms and computers and provide another level of security. However, as with other types of locks, if the access cards, keys or combination locks are not properly controlled and accounted for, unauthorized access may occur.

  3. High security interior rooms (e.g. CI’s weapons, evidence/Grand Jury room) require standalone combination locks with electronic audit trail capabilities. The local FMSS Physical Security Staff will provide a tool for programming these locks to the business unit using them at each location.

Control and Safeguarding of Keys and Cipher Lock Combinations

  1. Access to a locked area, room or container can only be controlled if the key, access card or combination is controlled. As soon as the combination is obtained by an unauthorized person or otherwise compromised, or the key is lost, the security provided by that lock is lost. Keys to IRS space will be retained by the local FMSS Physical Security staff where there is a security presence in the event of inadvertent office lock-outs. Spare keys may be retained by a designated off-site business function for use in catastrophic situations where local personnel are available to provide access to IRS space. Managers issuing keys must complete a KCR Form for each person that has been assigned a key. The KCR must be completed with all signatures and provided to the servicing FMSS Physical Security staff within five business days of issuing the key.

  2. In accordance with Treasury Directive (TDP 15-71), the combination to each lock will be changed under any of the following conditions:

    1. When the safe or lock is first placed into service.

    2. When a person knowing the combination no longer requires access to it and other controls do not exist to prevent their access to the lock.

    3. When a combination has been subjected to possible compromise, actual compromise or unauthorized disclosure.

    4. At least every three years, unless conditions dictate sooner.

  3. Cipher lock combination changes must be requested utilizing an OS GetServices Knowledge Incident/Problem Service and Asset Management (KISAM) request. Combinations will be given only to those who have a need to have access to the area, room or container. Combinations will not be written on calendar pads, desk blotters or any other item even though it is carried by one person or hidden away. A record of combinations to security containers will be maintained by using Standard Form (SF) 700, Security Container Information (the form has three parts).

    1. SF-700 Instructions. Part I shall be completed in its entirety (all blocks of SF 700 are self-explanatory). After all information on Part I of SF-700 is entered, all parts will be separated and Part I is to be attached to the inside (front) of the container (control drawer-the drawer with the lock mechanism). The combination will be recorded on Part II, which will then be placed inside Part III and sealed. The classification on Parts II and III should be “unclassified” unless national security information is kept in the container.

      Note:

      For additional guidance, see IRM 10.9.1, National Security Information.

  4. A record of the combination (Parts II & III of SF-700) for safes and vaults must be maintained in a central location within the local business unit management office. The local business unit management should designate an on-site representative to perform this function. The local FMSS Physical Security staff must be able to access the combinations either by maintaining a list of their location (filing location), having an on-site contact or having access to the on-site location should an event occur that requires their intervention. CI will control their own copies of the SF-700.

  5. Combinations (other than combinations for security containers, safes, vaults, and cipher locks that must be annotated in SF-700) and accountability records for container keys will be maintained by local business unit management. A locally devised spreadsheet or receipt may be used for accountability/tracking purposes.

  6. All SF-700 containing combinations must be placed in a container having the same or a higher security classification as the highest classification of the material being stored in the container or area the lock secures.

  7. All master keys (a key that can open all applicable IRS space within a location), properly identified according to the door(s) it will open, must be maintained in a central location by the local FMSS Physical Security staff. CI controls all keys to CI space. Exceptions may exist where the area is required to be "off-master".

  8. A record of the combination (parts II & III of SF-700) for safes and vaults must be maintained in a central location within the local business unit management office. The local business unit management should designate an on-site representative to perform this function. The local FMSS Physical Security staff must be able to access the combinations either by maintaining a list, having an on-site contact or having access to the on-site location should an event occur that requires their intervention. CI will control their own copies of SF-700.

  9. Minimum requirements for locking systems for secured areas are as follows:

    1. Only IRS personnel authorized by the local FMSS Physical Security staff with proper background adjudication can have after-hours access to secured areas.

    2. Electronic access control systems with after-hours alarming capability can be used to secure doors to secure limited or controlled areas after hours. The local FMSS Physical Security staff will review access control system logs to confirm the system is purged of users who no longer have a need for access (i.e. reassigned/separated employees). In addition, access control logs must be regularly reviewed by the business unit authority with oversight of the area to verify no unauthorized access has occurred.

    3. High security pin tumbler cylinder locks must be used to secure doors to secured areas after normal duty hours. The pin tumblers must meet the following requirements: key operated mortised or rim-mounted dead bolt lock; dead bolt throw of one inch or longer; double cylinder if the door has a transom or any glass (if the door is equipped with alarms or security glass the door is not required to have the double cylinder lock); cylinders are to have five or more pin tumblers; if bolt is visible when locked, it must contain hardened inserts or be made of steel; and, both the key and the lock must be "off-master".

    4. Key padlocks and combination padlocks may be used for secured areas if they meet the requirements of IRM 10.2.15, Minimum Protection Standards (MPS).

    5. All keys to secured area access door locks will be labeled with an identifier unrelated to the room number and engraved with the words U.S. Government - DO NOT DUPLICATE.

    6. Keys to secured areas not in the personal custody of an authorized IRS employee and any combinations must be stored in a security container.

    7. The number of keys or knowledge of the combinations to a secured area must be kept to the absolute minimum. Keys and combinations must be given only to those individuals, preferably supervisors, who have a frequent need to access the area after hours.

    8. The keys to a cashier or a teller’s cash box and the combination to the safe or vault in which the cash box is stored, cannot both be in the possession of an employee, a manager, and/or supervisor (including physical security function). Only the cashier or teller may have both the key to their own cash box and combination to the safe and vault.

  10. The local FMSS Physical SSC or Senior Physical Security Specialist (PSS)/Analyst must approve requests for duplicate/additional keys for secured area doors and security containers.

  11. Keys will be issued only to persons having a need to have access to an area, room, or container. The number of keys on-hand and keys issued will be kept to a minimum. A "Master Key" must only be issued to a limited number of personnel selected by the facility’s issuing authority. In no case will master keys be issued to more than 5% of an office population. Keys issued to individuals must be kept in the possession of the individual and not left unsecured or loaned to another individual.

  12. Padlocks must be locked to the staple or hasp or placed inside the container when the area or container is open to preclude theft, loss, or substitution of the padlock.

  13. To maintain the integrity of the security container (lateral and upright), only two keys will be provided for each container (lateral) and padlock (upright with bar lock). If the central core of a security container lock or padlock is replaced with a non-security lock core and has more than two keys, then the container does not qualify as a security container. To safeguard the two-key limit for each container/padlock, the local FMSS Physical Security staff will maintain the supply of extra locks and padlock cores.

    1. When a key to a security cabinet or padlock in a secured area is lost or broken, the local FMSS Physical Security staff will provide a new lock or padlock core with two keys to the requestor.

    2. The local FMSS Physical Security staff will order an additional key for the old lock/padlock. Upon receipt of the new key, place the lock or padlock core with keys back in stock, making it available for the next lost or broken key occurrence. The lock or padlock core may not be reused at the original location.

    3. If the lost key is found, it must be destroyed.

    4. FMSS budgets for and funds maintenance and replacement of office access controls, locks and keys.

  14. FMSS Physical SSC will designate in writing an FMSS “Key Control Officer” (KCO).

    1. The FMSS KCO will confirm each business unit conducts a 100% "Annual Key Audit" at least once each calendar year (January-December).

    2. The annual key audit is designed to reconcile all on-hand and issued metal mechanical keys to uphold accountability.

    3. The key audit may be conducted by issuing a control to the business unit requesting written confirmation verifying 100% receipt, possession and accountability of all mechanical metal keys.

    4. If the business unit audit reveals more than a 5% loss of office keys, that office space will be scheduled to be re-keyed (new core installed) within 10 business days.

    5. The report will be maintained by the FMSS KCO conducting the audit for a minimum of three years.

    6. Receipts for keys/proxy cards will be maintained by the FMSS KCO until the items are returned.

    7. A master key control reconciliation log will be maintained by the KCO reflecting the beginning balance of keys on-hand, issued, or lost, etc.

    8. Key control records and documentation maintained must support the performance and completion of the annual key audit.

Separating Employee Clearance (SEC) - Accounting for Keys

  1. It is imperative that IRS Managers use the automated HR Connect, SEC Module to certify recovery and return of all facility access door keys from separating employees to the local FMSS Physical Security staff.

    Note:

    For additional guidance, see IRM 10.2.5, Identification Media.

  2. Business unit managers and/or proxy responsibilities are to:

    1. complete PAR actions in HR Connect for separating employees.

    2. verify that all facility access door keys are recovered from separating employees.

    3. notify the local FMSS Physical Security staff of any non-recoverable keys and provide written documentation of the circumstances around the failed recovery efforts.

  3. The FMSS Identity, Credential & Access Management (ICAM) office will provide program oversight in accordance with IRM 10.2.5, Identification Media.

  4. FMSS Physical Security Staff responsibilities are to:

    1. identify separating employees using the SEC module.

    2. reconcile key and key card control inventory to reflect disposition of keys and key cards (recovered and unrecovered).

    3. report unrecovered facility access door keys and key cards to the Situational Awareness Management Center (SAMC) and Treasury Inspector General for Tax Administration (TIGTA).

    4. submit an OS GetServices KISAM ticket to initiate and track combination lock changes.

      Note:

      CI controls facility access Cipher Lock Combinations to CI space.

Detection Equipment

  1. There are a variety of different types of automatic detection equipment. These include, but are not limited to, door and window contacts, motion detectors, sound detectors, vibration sensors, etc., designed to set off an alarm at a given location when the sensor is disturbed.

  2. All alarms must annunciate at a protection console, a central station or a local police or fire station, where a timely response is available. This requirement does not apply to alarm exit panic hardware on fire exit doors.

  3. Only assigned IRS FMSS Physical Security personnel or an approved contractor will have administrative rights and access to security systems.

  4. All duress alarms must be installed (a tool is required for removal) on a permanent surface, such as furniture or wall, not visible to the public. Hardwired devices are the preferred method; however, wireless devices are acceptable if extenuating circumstances exist (e.g. cost prohibitive, lessor will not allow, etc.). Any new installations of wireless devices after the publication date of this IRM must first be approved by the FMSS AD, Security Policy.

  5. The IRS work/repair request system (e.g. OS GetServices) will be used to track all alarm work/repair requests until resolved. The FMSS PSS responsible for the building will create and submit a service ticket for each work/repair request.

  6. The IRS is responsible for testing, maintaining and accounting for only those alarm devices and systems owned by the IRS and located within IRS owned or leased space. Alarm systems and devices of multi-tenant buildings that are shared but not owned by the IRS are not the responsibility of the IRS and are not subject to the requirements of this policy.

IDS & Duress Alarm Systems Test

  1. All IRS alarm input/points in every IRS facility are required to be tested annually by an alarm service vendor as part of the annual preventative maintenance requirement. All facility alarm inventory, testing and preventative maintenance will be documented on the Alarm Maintenance and Testing Certification Report form and maintained by the local FMSS Physical SSC for a period of three years. The local FMSS Physical SSC will verify corrective actions are applied, as required.

  2. Alarm notifications:

    1. The local FMSS Physical Security staff must ensure the Department of Homeland Security (DHS) Megacenter (MC) or Central Security Control Console (CSCC) has a current ECL with the appropriate POC and their phone number to ensure a prompt notification of any alarm. An armed "First Responder" (e.g. local or on-site federal law enforcement) must be the first POC in the ECL. Guards assigned to specific posts (e.g. Taxpayer Assistance Center (TAC) offices), CI or TIGTA agents cannot be listed as first responders. At campus locations, with onsite guard services, the first responder may be an armed security guard (e.g. a rover). The POC information must be listed in descending priority, beginning with armed law enforcement personnel followed by appropriate personnel.

    2. PSS are responsible for the development, review and update of the ECL for assigned facilities. The ECL must be updated as personnel changes occur to ensure accuracy. The ECL will be reviewed for accuracy, at a minimum, once every fiscal year.

    3. The FMSS Physical SSC is responsible to ensure the ECL has been developed, reviewed and updated for all territory facilities by conducting a review and validating for completion and accuracy of the ECL for all territory locations, at a minimum, once every fiscal year.

    4. The TM will confirm with the FMSS Physical SSC that an ECL review and validation for all territory facilities has been completed every fiscal year.

      Note:

      When an alarm is activated at facilities with guard services and a local FPS Inspector, the FPS MC notifies the FPS Inspector first and dispatches on-site guards to respond. At facilities with no guard presence, FPS will be listed first on the ECL, unless geographical factors warrant listing local law enforcement first to expedite response.

  3. Duress buttons are sometimes unintentionally hit by chairs, employee’s knees/hands, or other equipment that may render the alarm inoperable. This may result in a potential failure to signal an alarm during attempted alarm activation. The local FMSS Physical SSC must provide written operation instructions to the business unit manager occupying the space where the duress button is located. Business unit managers are responsible to ensure that each employee assigned to work in the space where duress alarms are located receives a copy of the written instructions provided by the local FMSS Physical SSC. The written instructions must include:

    1. The location of the duress alarm button(s).

    2. How to activate and reset the duress alarm button(s).

    3. Where the duress alarm annunciates.

    4. Who will be responding to the duress alarm (i.e., CI, Protective Security Officer (PSO) (FPS Guard), local law enforcement, etc.).

    5. Guidance to dial 911 for emergency assistance if the duress alarm is inoperable or under repair.

  4. The local FMSS Physical SSC will confirm that all alarm preventative maintenance and testing dates are posted to SIMS. All service invoices, written testing/tracking documentation will be maintained by the FMSS PSS and FMSS Physical SSC who has jurisdiction for the facility for a minimum of three years.

  5. If, during a test or at other times, it is determined that an alarm is malfunctioning, the local FMSS Physical SSC along with the Site Contracting Officer’s Representative (COR) will be immediately notified, as appropriate. Malfunctioning alarms must be recorded and repaired in a timely manner and tracked by the local FMSS PSS until the alarms are repaired and functioning properly. The repair tracking and invoice documentation (work order, invoice etc.) must be maintained by the local FMSS Physical Security staff.

  6. Compensatory measures will be taken to validate proper security is maintained while an alarm is inoperable. Compensatory measures may include, but are not limited to the following options or a combination of options:

    1. Deploying PSO to inoperable alarm point(s) to ensure proper security is maintained

    2. Conducting random patrols

    3. Conducting aggressive recurring security checks, etc.

    4. Locking doors

    5. Maintaining continuous Closed-Circuit Television (CCTV) coverage

  7. Should the entire alarm system fail and become inoperable, or if multiple alarms annunciate simultaneously, priority dispatch and response must first be directed to critical alarm points (i.e., weapon vaults/rooms, duress alarms, vaults and safes containing funds or other instruments of monetary value, perimeter entry points, etc.), as determined by the local FMSS Physical SSC, until the system is reset and functioning properly. Scheduled service call invoices, work repair request tickets and alarm reports must be kept for three years by the local FMSS Physical SSC.

  8. Alarm Events Report - For all territory locations, the local FMSS Physical Security staff will review alarm activations reported to the alarm monitoring services, through alarm activation reports, such as the DHS AEHR, HIRSCH Velocity alarm logs or similar reports, each month.

  9. The designated FMSS PSS must review the report to identify any alarm event which may require corrective action. The PSS must advise the FMSS Physical SSC of any corrective actions to be taken, initiate and monitor the corrective action until fully implemented. The FMSS Physical SSC must monitor identified corrective actions until fully implemented.

  10. The FMSS Physical SSC will ensure that:

    1. an inventory of all duress alarms for IRS facilities under the jurisdiction of each FMSS Territory is documented for each location and is available to individuals conducting duress alarm tests before each test is conducted. This inventory list must be:
      i. detailed by the location of each alarm.
      ii. maintained by the local FMSS Physical Security staff.
      iii. validated and signed by the local FMSS PSS and updated as needed, but at least annually.

      Note:

      The records of the duress alarm inventory list with signature validation will be kept on file for three years by the local FMSS Physical Security staff.

    2. changes in facility space use, such as downsizing, expansion, or re-purposing may require updates to a facility’s alarm inventory.
      i. The Physical SSC will assign a local FMSS PSS to participate in the space project management process, to identify alarm inventory changes (i.e. adding and removing alarms).
      ii. The local FMSS PSS will advise the Physical SSC of any changes to the alarm inventory and will update and validate the alarm inventory, as needed.

    3. corrective actions are taken for all malfunctioning alarms. The local FMSS PSS will:
      i. submit an OS GetServices ticket to establish a record of the alarm malfunction and acquire the necessary resources.
      ii. require the vendor to test the device after repair and provide an itemized invoice for the services provided.
      iii. track the status of the repair until completion.
      iv. verify that the invoice serves as the record of the repair and testing.
      v. repair documentation (i.e. invoices, testing reports) will be kept on file by the local FMSS Physical Security staff for a period of three years.

  11. FMSS Managers (TM and Physical SSC) and PSS who are responsible for alarm inventory validation and testing must complete the ELMS Course 69472, FMSS Physical Security Alarm Program Training course every fiscal year.

    Note:

    The training course provides an overview of Physical Security Alarm Program roles and responsibilities, including duress alarm and IDS testing, inventory documentation, ECL maintenance and the AEHR.

Video Surveillance System (VSS)

  1. VSS is very useful in physical security operations. Recurring maintenance and adequate lighting are key to VSS’ effectiveness. To facilitate an effective field of view, VSS surveillance capabilities must be checked on a routine basis to assess equipment effectiveness and identify obstructions. Coordination with facility or maintenance personnel is required to request the trimming of foliage, so VSS fields of view are not obstructed. Tree canopies must be trimmed higher, so the perimeter can be properly observed by guards and VSS cameras. VSS camera domes controlled by IRS must be cleaned on a recurring basis to promote clear visibility. VSS along with other risk mitigating elements (security layering, guard force, patrols, security lighting, etc.) should be used to observe and protect the fence line and the facility perimeter. External VSS cameras should be positioned a minimum of 18 feet above grade, if feasible, to prevent tampering.

  2. VSS is frequently used as an integral part of an alarm system. This may be accomplished by:

    1. using sensors to establish a secured area and installing a VSS system, which includes a time-lapse digital video recorder to complement the sensors.

    2. placing cameras at critical locations to provide direct visual monitoring from a vantage point such as an on-site protection console.

    3. using VSS on gates, doors, and other security areas not manned continuously. The system normally consists of a television camera, camera control box, recorder, monitor, two-way communication system, and electrical circuitry.

  3. Use of VSS on entry points may include the use of a two-way communication system between the monitor panel and the gate/door and an electrically operated gate/door. With this device, the person viewing the monitor(s) can be alerted on the speaker system when an individual requires access, can communicate with the individual and can visually assess the situation on the monitor. This assessment helps to determine the individual's authority to enter and their security status. Once authority for access is verified, access is granted by pressing the electric gate/door lock/unlock button.

  4. VSS recorders (DVR) will be placed in a locked closet or in a locked container (in accordance with IRM 10.2.15, Minimum Protection Standards) so only FMSS staff or other authorized individuals have access to the recorder. A DVR must be enclosed and properly secured to preclude attempted adjustment by unauthorized personnel. A monitor will also be located with the recorder so specific timeframes can be reviewed, as needed.

  5. Interior VSS systems are also an essential part of the overall layered security approach. However, personal work space (office/cubicle) of federal employees will not be viewed or recorded by VSS systems. All VSS systems will normally include:

    1. a VSS camera and dark dome (for new systems it is required, for older systems as funding permits) so personnel observing the camera cannot determine the orientation of the camera at a given time.

    2. an appropriate type of lens.

    3. monitors as necessary.

    4. digital recorder(s).

    5. multiplexer(s) as necessary.

    6. a VSS control box.

    7. an Uninterruptible Power Supply (UPS) to provide electricity immediately (real time) if there is a power outage.

  6. TAC VSS systems are a required countermeasure. VSS can record and discourage criminal or threatening behavior and aid in investigating incidents.

  7. An advisory sign will be posted immediately adjacent to the interior customer entrance of a facility so personnel entering are aware the area is monitored by VSS and recorded.

  8. TAC VSS monitors may be located at fixed guard posts. If there is no guard posted, the monitor(s) will be placed in the non-public area of the TAC where they can be properly observed.

  9. VSS recorders will be placed in a locked closet or a secured lockbox that only FMSS staff or other authorized individuals have access to. A monitor must also be located with the recorder so specific time frames can be reviewed, as needed.

  10. VSS and VSS recordings will not be used to verify employee attendance. Image recordings will only be provided if requested through the local FMSS Physical SSC and approved by the FMSS Operations or FMSS Security Policy AD, provided it has been requested by law enforcement, CI, or TIGTA as part of an ongoing investigation. This data must only be provided if requested by law enforcement, CI, or TIGTA as part of an ongoing investigation or an approved Freedom of Information Act (FOIA) request.

    Note:

    For additional information on VSS requirements, see the FMSS Physical Security Design Manual and TAC Design Guide.

Digital Video Recorders (DVR)

  1. Compatible security systems and software, as well as system integration and interoperability are paramount in today’s security environment. FMSS is modernizing its DVR systems and, in some facilities, integrating system capabilities and developing a national system maintenance contract. Additional information on DVR requirements is available in the current FMSS Physical Security Design Manual and TAC Design Guide.

  2. To facilitate this, DVR systems and related security equipment and software must be compatible to be integrated. All IRS facilities with VSS systems will upgrade to DVR and confirm VSS systems are compatible with the current and “future state” systems software and products. Real time VSS viewing is the desired state at campuses and computing centers, as well as other facilities with armed guard presence. Passive monitoring of recorded VSS images will continue at other facilities.

  3. The system software will support the use of IT software management tools currently in use or planned for future implementation. Software will support access to live and recorded video using an internet web browser and active directory authentication for a minimum of 64 simultaneous users. The DVR system will provide the ability to control up to a minimum of 16 IP CCTV cameras both fixed and Pan-Tilt Zoom (PTZ).

  4. The system must provide the operator the ability to configure multiple scenarios for video monitoring and playback of recorded video. The software will support notification messages to computers directly attached, remote and/or mobile.

  5. The DVR system must work with all cameras currently installed at specified locations. Alarm events that are linked to cameras on DVR will trigger an alarm recording (pre-alarm with increased frame recording rate and PTZ preset control).

  6. Video clips can be exported for authorized viewing and evidentiary purposes or saved locally for electronic distribution. At any time, a specific camera can be selected by an operator based on "Start Time" and "End Time" to retrieve recorded video.

  7. The DVR system recorder must be capable of recording and storing a minimum 30 days of video input from each attached CCTV camera. Video Motion Detection (VMD) capable CCTV cameras will be activated in designated sensitive areas, either continuously or at designated times each day, where applicable. However, there should not be any pedestrian traffic in the viewed/monitored area or around them when activated.

  8. The DVR system must, at a minimum, combine multiplexing, alarm detection, event detection, video, audio and text recording and should use record mode settings of linear or circular/continuous. The DVR system should save video, audio and text to a standard recordable CD or DVD.

  9. The DVR system should easily integrate with third party software applications using an Application Programming Interface (API). The manufacturer of the unit will offer a Software Development Kit (SDK) to select third party manufacturers.

  10. The DVR system’s API will be backwards compatible with previous versions of the software equal to or greater than v3.2. The DVR system will provide the operator the ability to isolate video containing motion and find video where perimeters were crossed, lights were turned on or off, alarms were triggered and numerous additional scenarios.

  11. The DVR system should permit audits of the activity log to monitor changes to the settings and configurations and must include, but not be limited to, the following information:

    1. User Name – login name of the user

    2. Date/Time – date and time the action was performed

    3. Access Lock – whether the action was local to the unit or done through remote software

    4. Category – the action’s category

    5. Activity – the action performed within the category

    6. Data – description of the action

  12. The DVR system should be able to manage storage of video, audio and text by exporting to Network Attached Storage (NAS), Storage Area Network (SAN) and Direct Attached Storage (DAS) devices using optional software.

  13. The remote management software should allow an operator to select units, cameras, and time-frames for automatic retrieval of video clips to an operator’s computer. This allows for downloads to be scheduled during times that network traffic restrictions are not an issue. The DVR system will incorporate playback and multi-screen playback functions.