10.2.15 Minimum Protection Standards (MPS)

Manual Transmittal

August 16, 2019

Purpose

(1) This transmits revised (Internal Revenue Manual) IRM 10.2.15, Minimum Protection Standards (MPS).

Material Changes

(1) This IRM was updated to reflect current organizational titles, scope, definitions and authorized use.

(2) Removed IRM 10.2.15.3, Protection Methods. For additional information, see IRM 10.2.14, Methods of Providing Protection.

(3) Removed IRM 10.2.15.3.1, Secured Areas. For additional information, see IRM 10.2.14, Methods of Providing Protection.

(4) As of January 1, 2017, the Internal Revenue Service (IRS) instituted a requirement that the IRM address relevant internal controls. This will inform employees about the importance of and context for internal controls by describing the program objectives and officials charged with program management and oversight. Internal controls are the program’s policies and procedures which ensure:

  1. Mission and program objectives are clearly delineated and key terms defined.

  2. Program goals are established and performance is measured to assess the efficient and effective mission and objective accomplishment.

  3. Program and resources are protected against waste, fraud, abuse, mismanagement and misappropriation.

  4. Program operations are in conformance with applicable laws and regulations.

  5. Financial reporting is complete, current and accurate.

  6. Reliable information is obtained and used for decision making and quality assurance.

Effect on Other Documents

This IRM supersedes 10.2.15 dated August 15, 2016.

Audience

Servicewide

Effective Date

(08-16-2019)

Richard L. Rodriguez
Chief
Facilities Management and Security Services

Program Scope and Objectives

  1. The Minimum Protection Standards (MPS) system provides the minimum criterion of physical security requirements for protecting IRS data and property. MPS will be applied on a servicewide basis.

  2. Purpose: This IRM establishes the MPS matrix to reference minimum protection standards, determine security requirements for IRS property and data, and apply local factors that may require additional protection.

  3. Audience: Servicewide.

  4. Policy Owner: Chief, Facilities Management and Security Services (FMSS).

  5. Program Owner: FMSS Associate Director (AD), Security Policy.

  6. Primary Stakeholders: FMSS Field Operations, Business Unit Executives, Senior Managers, Chief Counsel Executives, Managers, Employees and Contractors.

  7. Program Goals: To meet MPS for all IRS assets in accordance with applicable standards.

Background

  1. The MPS was developed to establish and provide minimum physical security requirements in accordance with Executive Order (EO) 13526, Federal Information Security Management Act (FISMA), Physical Security and Environmental (PSE) Control as prescribed within the National Institute Standards and Technology (NIST SP 800-53), and Treasury Department Publication (TDP 15-71), The IRS has adopted the Interagency Security Committee (ISC) Criteria as the basis of our physical security standards. The MPS design provides a comprehensive matrix of applicable standards from all authorities, to reference MPS, determine security requirements for IRS property and data, and apply local factors that may require additional security.

Authority

  1. Treasury Department Publication (TDP) 15-71

  2. National Institute of Standards and Technology (NIST) SP 800-53

  3. Federal Information Security Management Act (FISMA)

  4. Executive Order, Classified National Security Information (EO 13526)

  5. Executive Order, Interagency Security Committee (EO 12977)

Responsibilities

  1. The Chief, FMSS prescribes and is responsible for oversight of MPS policy and guidance.

  2. The FMSS AD, Security Policy has oversight for planning, developing, implementing, evaluating, and controlling the requirements set forth by this IRM.

  3. FMSS Territory Managers (TM) are responsible to confirm Security Section Chiefs (SSC) follow IRS policy and provide oversight in the implementation and enforcement of the MPS Program.

  4. FMSS SSC are responsible for implementing and enforcing the MPS program within their assigned territory, confirming that IRS policy and procedures are followed.

  5. All IRS managers must confirm that MPS are applied within their area of supervision and that those measures meet the established requirements.

  6. All employees and contractors have a responsibility for being aware of MPS and complying with established requirements for protecting information, records, property and documents with which they are entrusted.

Program Management and Review

  1. Program Reports: Facility Security Assessments (FSA).

  2. Program Effectiveness: The FSA Program quarterly reviews of physical security threats, vulnerabilities and risk, consists of:

    1. Compliance with ISC standards, as validated in the FSA reports

    2. Compliance with Treasury and IRS requirements, as validated in the Facility Security Assessment Addendum (FSAA) reports

    3. Completion of required FSA and FSAA reports within the required timeframe prescribed in IRM 10.2.11, Basic Physical Security Concepts

Terms/Definitions/Acronyms

  1. Defined Terms

    Word Definition Example of using a word that is open to interpretation.
    (This column is for illustration purposes only)
    Limited Area Entry to critical areas is controlled and access is limited to those individuals who work in the area or have demonstrated a legitimate need to enter the area The contractor did not have clearance to enter the Limited Area.
    (Bill of) Lading A legal document issued by a carrier to a shipper that details the type, quantity, and destination of the goods being carried. A bill of lading also serves as a shipment receipt when the carrier delivers the goods at a predetermined destination The bill of lading indicated the package was delivered timely.
    Subsidiary Subordinate to the general ledger Reports are submitted monthly to report the balancing of the subsidiary accounts to the general ledger accounts.

     

    Acronyms

    Acronym Definition
    AD Associate Director
    EO Executive Order
    DIF Discriminant Function
    FISMA Federal Information Security Management Act
    FMSS Facilities Management and Security Services
    FSA Facility Security Assessments
    FSAA Facility Security Assessment Addendum
    HS High Security
    IDRS Integrated Data Retrieval System
    ISC Interagency Security Committee
    MPS Minimum Protection Standards
    NIST National Institute of Standards and Technology
    NS Normal Security
    PSE Physical Security and Environmental
    PSPP Physical Security Protection Program
    SP Special Security
    SSC Security Section Chief(s)
    TDP Treasury Department Publication
    TM Territory Manager(s)

     

Related Resources

  1. IRM 1.4.6, Managers Security Handbook

  2. IRM 10.2.8, Incident Reporting

  3. IRM 10.2.14, Methods of Providing Protection

  4. IRM 10.2.18, Physical Access Control (PAC)

  5. IRM 10.5.1, Privacy and Information Protection, Privacy Policy

  6. IRM 10.9.1, National Security Information

Protected Items/Data

  1. All tax and privacy data are required to be secured. The MPS has three levels, of security, based on several factors:

    1. Normal Security (NS) — All information which has not been identified as requiring High Security or Special Protection.

    2. High Security (HS) — Items which require greater than normal security, due to their sensitivity and/or the potential impact of their loss or disclosure.

    3. Special Security (SP) — Items which require a specific type of containment, regardless of the area security provided, due to special access control needs. This group of items is divided into three subcategories: Level 1 (SP–1) must be stored in a safe or vault; Level 2 (SP–2) must be stored in a security container or limited area as described in IRM 10.2.14, Methods of Providing Protection, Level 3 (SP–3) must be stored in a locked container.

  2. Exhibit 10.2.15-1, Alternative Chart, identifies storage requirements and Exhibit 10.2.15-2, Protectable Items, provides a listing of protectable items and their security designations.

    Note:

    For additional information on this requirement, see IRM 10.2.14, Methods of Providing Protection.

Protection Methods

  1. Available methods of protection include the use of secured perimeter and/or area space and/or containerization.

Secured Areas

  1. For purposes of providing protection, all space can be classified as either secured or locked (non-secured).

  2. Secured areas are designed to prevent undetected entry by unauthorized persons.

  3. To qualify as a secured area, internal space must meet the following minimum standards:

    1. Space must be enclosed by slab-to-slab wall construction supplemented by periodic inspection. Walls/partitions that do not completely enclose the space to be secured from floor slab to ceiling slab, must be supplemented by Underwriters Laboratories approved electronic intrusion detection, woven wire fabric of a least 10 gauge or heavier, or chain link fence. Due to the complexity of intrusion detection systems, and the related specific annunciation/response requirement, review and approval by the local FMSS Physical Security staff is required prior to implementation.

    2. Unless electronic intrusion detection devices are utilized, all doors entering the space must be locked in accordance with requirements set forth in IRM 10.2.14, Methods of Providing Protection.

  4. Cleaning, or any other contract work to be done in the secured area by non-employees, must be done during duty hours or in the presence of a regularly assigned employee.

Alternative Chart

Protected Item Classification IRS Perimeter Type Interior Area Type Container Type
Normal Security Secured Locked Locked
High Security      
Alternative #1 Secured Locked Security
Alternative #2 Secured Secured Locked
Special Security      
SP–1     Safe/Vault
SP–2     Security
SP–3     Locked

Protectable Items

Designation Item
NS All material not classified as requiring high security or special protection.
NS Currency Transaction Reports
HS All portable equipment which can be stored in a standard pull drawer or lateral file cabinet. This includes laptop computers, combination padlocks, cameras and similar highly portable items
HS Assault and Threat Reports
HS Classification Stamps — "accepted as filed"
Classified Information—Top Secret/Secret/Confidential see IRM 10.9.1, National Security Information
HS Coordinated Examination Records—including all open or closed project files, case files, correspondence, activity reports, and other material which contains taxpayer data or third-party information acquired in connection with a planned, open or closed case
HS Disclosure Records relative to disclosures made to Department of Justice, Executive Departments, or Congressional Committees
HS Discriminant Function (DIF) formulas, program requirements packages and related materials
HS Examination Records — those maintained at the request of Congressional Committees
HS Examination Selection, Criteria and Formulas, Cycle Variables and Volume Controls
HS Fraud Referrals — all case files, correspondence, or related documents which contain information regarding items referred to Criminal Investigation
HS General Ledger and Subsidiary Records —revenue accounting only
HS Legal Case Files and Records of Chief Counsel, Deputies Chief Counsel, and their Assistants
HS Magnetic Media — all discs, tapes, DVR, CD, VHS tapes, or similar media which contain program, taxpayer or other individual data
HS Microfilm — all cartridges, cassettes or other microfilm media which contain taxpayer data or account information
HS Received with Remittance Stamps
HS Testimony of IRS Employees in non-tax matters
HS Unapplied Master File Credit Reports
HS Unit Ledger Cards
SP–1 Ammunition
SP–1 Combination Records Standard Form SF-700, Security Container Information for safe and vaults
SP–1 Currency over $1,000
SP–1 Firearms (more than 4)
SP-2 Ammunition - less than 60 rounds can be stored in a Security Container
SP–2 Checks drawn on U.S. Treasury (except those endorsed to the IRS for the payment of taxes).
SP–2 Combination Records Standard Form SF-700, Security Container Information for container doors
SP–2 Currency up to and including $1,000
SP-2 Director’s Seals
SP–2 Key — to any room, area, secured area, or security container
SP–2 LIMITED OFFICIAL USE documents
SP–2 Negotiable and Non-negotiable Instruments — including stocks, bonds, securities or other collateral
SP–2 Receipts unissued Form 809, Receipt for Payment of Taxes
SP–2 Relocated Witness Files
SP–2* Grand Jury—Case file and information
SP–2 Integrated Data Retrieval System (IDRS) Passwords and Password Registers
SP–2 IDRS Security Records (including reports, control documents, audit trail records and computer tapes)
SP–2 Identification Media (IRS) — all unused stock and completed media (including SmartID cards, pocket commissions and passports) which is not in the possession of the employee
SP–2 Informant Communications File
SP–2 Informants’ Claims for Reward
SP–2 Informants’ Control File
SP–3 Government Bill of Lading
SP-3 Adverse Action and Adverse Action Appeal files
SP–3 Annual listing of undelivered refund checks
SP–3 Checks received for payment—including personal checks, cashier’s checks, bank draft, money orders and U.S. Treasury checks endorsed to the IRS for the payment of taxes.

Note:

In a service center, checks must be in secured area or containerized.

SP–3 Employee Underreporter Program/Cases
SP–3 All government issued credit cards
SP–3 Grievance Files and Grievance Appeal Files
SP–3 IDRS Security Handbook
SP–3 Internal Security Records — including all open or closed investigative reports, informant files, and other material that contain investigative information concerning employees and/or taxpayers, or taxpayer data, third party information, tax data, or specific information concerning IRS operations acquired in connection with a planned, open, or closed case.
SP–3 Identification Media (IRS) — completed non-photo visitor and temporary cards
SP–3 Internal Audit Records — including Internal Audit Reports and work papers, open or closed, and other material containing tax data, taxpayer information, functional records and information concerning service center operations, acquired in connection with planned, open or closed audits.
SP–3 Internal Revenue Service Employee — delinquency
SP–3 Key — to any locked container
SP–3 Law Enforcement Manual (LEM) (Normal Security will apply to service centers)
SP–3 Medical Records — employee health records, disability retirement records, and similar files containing personal medical information
SP–3 OFFICIAL USE ONLY Documents (unless otherwise increased by the originator)
SP–3 Personnel Records — including personnel folders, investigation reports, qualification statements, and other records containing privacy act or sensitive information
SP–3 Minority Group Designator Data
SP–3 Test Materials — OPM, IRS and commercial
SP–3 Training Records — including individual ratings, examination record and register cards, and similar individual test result information
SP–3 Undelivered Refund Check Notices
SP–3 Unidentified Remittance Record
*If volume dictates, these items may be stored in a limited room as specified in IRM 10.2.14, Methods of Providing Protection.