Part 10. Security, Privacy and Assurance
Chapter 2. Physical Security Program
Section 15. Minimum Protection Standards (MPS)
August 15, 2016
(1) This transmits revised Internal Revenue Manual (IRM) 10.2.15, Minimum Protection Standards.
(1) On October 1, 2014, Agency-Wide Shared Services (AWSS) Physical Security and Emergency Preparedness (PSEP) merged with AWSS Real Estate and Facilities Management (REFM) to become Facilities Management and Security Services (FMSS). This IRM was updated to reflect new organizational and position titles.
IRM 10.9.1, National Security Information
IRM 10.2.14, Methods of Providing Protection
Treasury Department Publication, TDP 15-71
National Institute of Standards and Technology, NIST SP 800-53
Federal Information Security Management Act (FISMA)
Executive Order, Classified National Security Information (EO 13526)
Steven M. Artise
Facilities Management and Security Services
Agency-Wide Shared Services
The Minimum Protection Standards (MPS) system establishes a uniform method for protecting data and items which require safeguarding. This system contains minimum standards which will be applied on a nationwide basis. Since local factors may require additional security measures, managers should work with their local Facilities Management and Security Services (FMSS) staff to analyze local circumstances to determine space, container and other security needs at individual facilities. The MPS has been designed to provide managers with a basic framework of minimum security requirements while still allowing flexibility to deal with local conditions. The MPS system developed for this IRM sets forth requirements to facilitate compliance with Executive Order (EO) 13526, Federal Information Security Management Act (FISMA), Physical Security and Environmental (PSE) Control as prescribed within the National Institute of Standards and Technology (NIST SP 800-53), Treasury Department Publication (TDP 15-71), and Interagency Security Committee (ISC) Criteria.
The Chief, AWSS, is authorized to prescribe the Minimum Protection Standards for use within the IRS.
The Director, Facilities Management and Security Services (FMSS) is responsible for oversight of this IRS program.
The FMSS Associate Director, Security Policy, is responsible for planning, developing, implementing, evaluating, and controlling the requirements set forth by this IRM.
All IRS Managers are responsible for ensuring employees adhere to this IRM.
Items and data to be protected are divided into three groups:
Normal Security (NS) — All information which has not been identified as requiring High Security or Special Protection.
High Security (HS) — Items which require greater than normal security, due to their sensitivity and/or the potential impact of their loss or disclosure.
Special Security (SP) — Items which require a specific type of containerization, regardless of the area security provided, due to special access control needs. This group of items is divided into three subcategories: Level 1 (SP–1) must be stored in a safe or vault; Level 2 (SP–2) must be stored in a security container or security room as described in IRM 10.2.14, Methods of Providing Protection; Level 3 (SP–3) must be stored in a locked container.
Exhibit 10.2.15-1, Alternative Chart, identifies storage requirements and Exhibit 10.2.15-2, Protectable Items, provides a listing of protectable items and their security designations.
Containers are grouped into four categories:
Lockable container (SP-3) — any metal container with riveted or welded seams which is locked and to which keys and combinations are controlled.
Security container (SP-2) — lockable metal container that has a tested resistance to penetration and is approved for storage of high security items (e.g., metal lateral key lock file w/security modifications, metal lateral file equipped w/lock bars on both sides, etc.). Drop boxes, or any containers used for the purpose of collecting payment or information without human interaction, are strictly prohibited within IRS facilities. Placement of these types of containers provides opportunity for malicious activity and poses unacceptable safety and security risks.
Safes and vaults (SP-1) — safes which have been accepted for general use by IRS can be identified by General Services Administration (GSA) approval as Class I, II, IV or V or Underwriters Laboratories (UL) listings of TL-30, TRTL-30, TRTL-60 or TXTL-60. Vaults must have been constructed to specifications approved jointly by IRS and GSA.
Available methods of protection include the use of secured perimeter and/or area space and/or containerization.
For purposes of providing protection, all space can be classified as either secured or locked (non-secured).
Secured areas are designed to prevent undetected entry by unauthorized persons.
To qualify as a secured area, internal space must meet the following minimum standards:
Space must be enclosed by slab-to-slab wall construction supplemented by periodic inspection. Walls/partitions that do not completely enclose the space to be secured from floor slab to ceiling slab must be supplemented by Underwriters Laboratories approved electronic intrusion detection, woven wire fabric of at least 10 gauge or heavier, or chain link fence. Due to the complexity of intrusion detection systems, and the related specific annunciation/response requirement, review and approval by the local FMSS Physical Security office is required prior to implementation.
Unless electronic intrusion detection devices are utilized, all doors entering the space must be locked in accordance with requirements set forth in IRM 10.2.14, Methods of Providing Protection.
Cleaning, or any other contract work to be done in the area by non-employees, must be done during duty hours or in the presence of a regularly assigned employee.
| Protected Item Classification | IRS Perimeter Type | Interior Area Type | Container Type |

| Security Designation | Protectable Item |
|---|---|
| SP–3 | Adverse Action and Adverse Action Appeal files |
| NS | All material, not classified as requiring high security or special protection. |
| HS | All portable equipment which can be stored in a standard pull drawer or lateral file cabinet. This includes laptop computers, combination padlocks, cameras and similar highly portable items. |
| SP–3 | Annual listing of undelivered refund checks |
| SP–2 | Ammunition - less than 60 rounds can be stored in a Security Container |
| HS | Assault and Threat Reports |
| SP–3 | Government Bill of Lading (GBL) |
| SP–2 | Checks drawn on U.S. Treasury (except those endorsed to the IRS for the payment of taxes). |
| SP–3 | Checks received for payment — including personal checks, cashier's checks, bank drafts, money orders and U.S. Treasury checks endorsed to the IRS for the payment of taxes. NOTE: In a service center, checks must be in secured area or containerized. |
| HS | Classification Stamps — "accepted as filed" |
| | Classified Information — Top Secret/Secret/Confidential see IRM 10.9.1, National Security Information |
| SP–2 | Combination Records Standard Form SF-700, Security Container Information, for container doors |
| SP–1 | Combination Records Standard Form SF-700, Security Container Information, for safes and vaults |
| HS | Coordinated Examination Records — including all open or closed project files, case files, correspondence, activity reports, and other material which contains taxpayer data or third party information acquired in connection with a planned, open or closed case |
| SP–1 | Currency over $1,000 |
| SP–2 | Currency up to and including $1,000 |
| NS | Currency Transaction Reports — Forms 4789, Currency Transaction Report |
| HS | Disclosure Records relative to disclosures made to Department of Justice, Executive Departments, or Congressional Committees |
| HS | Discriminant Function (DIF) formulas, program requirements packages and related materials |
| SP–3 | Employee Underreporter Program/Cases |
| HS | Examination Records — those maintained at the request of Congressional Committees |
| HS | Examination Selection, Criteria and Formulas, Cycle Variables and Volume Controls |
| SP–1 | Firearms (more than 4) |
| HS | Fraud Referrals — all case files, correspondence, or related documents which contain information regarding items referred to Criminal Investigation |
| HS | General Ledger and Subsidiary Records — revenue accounting only |
| SP–3 | All government issued credit cards |
| SP–2* | Grand Jury — Case file and information |
| SP–3 | Grievance Files and Grievance Appeal Files |
| SP–2 | IDRS Passwords and Password Registers |
| SP–3 | IDRS Security Handbook |
| SP–2 | IDRS Security Records (including reports, control documents, audit trail records and computer tapes) |
| SP–2 | Identification Media (IRS) — all unused stock and completed media which is not in the possession of the employee to whom it was assigned |
| SP–3 | Identification Media (IRS) — completed non-photo visitor and temporary cards |
| SP–2 | Informant Communications File |
| SP–2 | Informants’ Claims for Reward |
| SP–2 | Informants’ Control File |
| SP–3 | Internal Security Records — including all open or closed investigative reports, informant files, and other material that contain investigative information concerning employees and/or taxpayers, or taxpayer data, third party information, tax data, or specific information concerning IRS operations acquired in connection with a planned, open, or closed case. |
| SP–3 | Internal Audit Records — including Internal Audit Reports and work papers, open or closed, and other material containing tax data, taxpayer information, functional records and information concerning service center operations, acquired in connection with planned, open or closed audits. |
| SP–3 | Internal Revenue Service Employee — delinquency |
| SP–3 | Key — to any locked container |
| SP–2 | Key — to any room, area, secured area, or security container |
| SP–3 | Law Enforcement Manual (LEM) (Normal Security will apply to service centers) |
| HS | Legal Case Files and Records of Chief Counsel, Deputies Chief Counsel, and their Assistants |
| SP–2 | LIMITED OFFICIAL USE documents |
| HS | Magnetic Media — all discs, tapes, DVR, CD, VHS tapes, or similar media which contain program, taxpayer or other individual data |
| SP–3 | Medical Records — employee health records, disability retirement records, and similar files containing personal medical information |
| HS | Microfilm — all cartridges, cassettes or other microfilm media which contain taxpayer data or account information |
| SP–3 | Minority Group Designator Data |
| SP–2 | Negotiable and Non-negotiable Instruments — including stocks, bonds, securities or other collateral |
| SP–3 | OFFICIAL USE ONLY Documents (unless otherwise increased by the originator) |
| SP–3 | Personnel Records — including personnel folders, investigation reports, qualification statements, and other records containing privacy act or sensitive information |
| SP–2 | Receipts unissued Form 809, Receipt for Payment of Taxes, (CP–444) or Form 4733, Receipt for Special Taxes, (CP–445) |
| HS | Received with Remittance Stamps |
| SP–2 | Relocated Witness Files |
| HS | Risk Analysis Final Reports and associated supporting documentation |
| HS | Sensitive investigative equipment — devices that can be used in the interception of telephonic communications or non-telephonic communications |
| HS | Signature Stamps or Facsimile Signature Plates |
| HS | Statutory Notices — signature stamps or facsimile signature plates |
| HS | Taxpayer and Privacy Act Information (due to the protection provided, processing and computing centers are exempt from this requirement) |
| HS | Tax Practitioner File — including extension files |
| HS | TECS Data — which contains information regarding the involvement of Criminal Investigation with taxpayers of third parties |
| SP–3 | Test Materials — OPM, IRS and commercial |
| HS | Testimony of IRS Employees in non-tax matters |
| SP–3 | Training Records — including individual ratings, examination record and register cards, and similar individual test result information |
| HS | Unapplied Master File Credit Reports |
| SP–3 | Undelivered Refund Check Notices |
| SP–3 | Unidentified Remittance Record |
| HS | Unit Ledger Cards |

*If volume dictates, these items may be stored in a security room as specified in IRM 10.2.14, Methods of Providing Protection.