10.2.18 Physical Access Control (PAC)

Manual Transmittal

July 05, 2018

Purpose

(1) This transmits the new Internal Revenue Manual (IRM) 10.2.18, Physical Access Control (PAC).

Material Changes

(1) This is a new IRM that incorporates the current physical access controls previously embedded in IRM 10.2.5, Identification Media, IRM 10.2.11, Basic Security Concepts, and IRM 10.2.14, Methods of Providing Protection.

Effect on Other Documents

All physical access control information has been incorporated into this new IRM section from IRM 10.2, Physical Security Program.

Audience

Servicewide

Effective Date

(07-05-2018)

Richard L. Rodriguez
Chief
Facilities Management and Security Services

Program Scope

  1. This IRM section applies Physical Access Controls (PAC) to IRS facilities and work areas. PAC is designed to admit authorized personnel while simultaneously identifying and preventing unauthorized personnel entry, and to counter the introduction of prohibited items.

  2. Purpose: This IRM establishes the framework for the application of PAC policy in IRS facilities or space (government owned or leased).

  3. Audience: Servicewide.

  4. Policy Owner: Chief, Facilities Management and Security Services (FMSS).

  5. Program Owner: FMSS Associate Director (AD), Security Policy.

  6. Primary Stakeholders: FMSS Field Operations, Business Unit (BU) Executives, Senior Managers, Chief Counsel Executives, Managers, and Employees.

Background

  1. PAC is essential to the safeguarding of IRS personnel, tax data, and other IRS assets. PAC effectively keeps our facilities safe and secure by controlling the movement of personnel in and out of the facility, setting specific criteria for authorized access.

  2. This IRM consolidates and revises all PAC policy found in IRM 10.2, Physical Security Program.

  3. This IRM further solidifies the responsibilities of stakeholders in implementing the PAC policy.

Authority

  1. Homeland Security Presidential Directive (HSPD)-12 - Policy for a Common Identification (ID) Standard for Federal Employees and Contractors

  2. Department of Homeland Security (DHS) Interagency Security Committee (ISC) Standards

  3. Treasury Security Manual - TD P 15-71

  4. Federal Information Processing Standards (FIPS) Publication 201

  5. OMB Memorandum M-05-24: Implementation of Homeland Security Presidential Directive (HSPD) -12 - Policy for a Common ID Standard for Federal Employees and Contractors

Responsibilities

  1. The Chief, FMSS prescribes and is responsible for oversight of PAC policy and guidance.

  2. AD, Security Policy is responsible for oversight of the planning, developing, implementing, evaluating, and controlling of PAC policy and guidance.

  3. Chief, Identity Credential and Access Management (ICAM) is responsible for planning, developing, implementing, evaluating, and controlling PAC policy and guidance.

  4. FMSS Territory Managers (TM) are responsible for ensuring Security Section Chiefs (SSC) follow IRS policy and provide oversight in the implementation and enforcement of the PAC Program.

  5. FMSS SSC are responsible for implementing and enforcing the PAC Program within their assigned territory, ensuring that IRS policy and procedures are followed.

  6. All IRS managers, Contracting Officers (CO), Contracting Officer’s Representatives (COR), and Government Officials with personnel administrative functions have a responsibility for:

    1. Informing all employees within their span of control of the importance of following facility security practices.

    2. Determining only authorized personnel are in the work area for which they are responsible and immediately challenging the presence of suspected unauthorized persons.

    3. Reporting suspected unauthorized access to the Situational Awareness Management Center (SAMC), as prescribed in IRM 10.2.8, Incident Reporting.

  7. All employees and contractors have a responsibility for:

    1. Following facility security practices.

    2. Determining only authorized personnel are in the work area for which they are responsible and immediately challenging and/or reporting the presence of suspected unauthorized persons.

    3. Reporting suspected unauthorized access to the SAMC, as prescribed in IRM 10.2.8, Incident Reporting.

Program Objectives and Review

  1. Program Objective: To safeguard IRS personnel, facilities, data and other assets through the control of entry into IRS facilities.

  2. Program Goals: To provide policy and procedures designed to admit only authorized personnel into IRS facilities.

  3. Program Reports: The authoritative data source for monitoring the PAC will be:

    1. Access Control Records

    2. Approved Visitor Access Lists

    3. Deactivation of separating personnel

    4. Facility Access Registers

    5. Form 13716, Request for ID Media and/or Access Card for IRS Employees

    6. Form 13716-A, Request for ID Media/Access Card for Contract Employee

    7. Form 14604, Contractor Separation Checklist

    8. Limited Area Registers (LAR)

    9. SAMC Incident Reports

    10. HR Connect Separated Employee Clearance Record (module)

  4. Program Effectiveness: PAC Program Annual Review of physical access controls. This review is part of the Annual Security Services Report, an internal Security Policy report, that rates the overall status of each of the core security functions. The review provides information pertaining to each program, based on the program manager oversight activities.

  5. Annual Review: The PAC Program Manager will conduct an annual review of all PAC Program policies and guidance; recommended changes will be submitted to the AD, Security Policy for approval.

Terms/Definitions/Acronyms

  1. Access - The authority granted to employees and contractors that provides the opportunity to physically come into contact with (including, but not limited to, reading, transporting, and/or transcribing/interpreting) Sensitive But Unclassified (SBU) data in the performance of official duties; to enter an IRS facility without escort; and/or to log in to IRS systems with approved credentials.

    Note:

    For additional information, see IRM 10.23.1, Personnel Security, Personnel Security and IRM 10.23.2, Personnel Security, Contractor Investigations.

  2. Access Control - Procedures designed to admit authorized personnel and prevent entry by unauthorized persons.

  3. Authorized Access List (AAL) - A list of persons approved by the local FMSS physical security office for unescorted and/or escorted physical access. Also used in limited areas to identify persons approved by the Business Operating Division (BOD) manager for unescorted access into designated limited areas.

  4. COR - An individual designated and authorized by the contracting officer to perform contract administration activities on his/her behalf within the limits of delegated authority for a specific acquisition or contract.

    Note:

    For additional information, see IRM 10.23.2, Personnel Security, Contractor Investigations.

  5. Contractor Employee - An individual, not a federal employee, that performs work for or on behalf of the Federal Government.

    Note:

    For additional information, see IRM 10.23.2, Personnel Security, Contractor Investigations.

  6. Employee - A federal employee, employed by the IRS.

  7. Escorted Access - A situation where a contractor employee not yet granted staff-like access needs to be accompanied by a "qualified escort" during work performance and movement throughout the facility.
    Extended definition: a situation where an individual (i.e., contractor, visitor, or vendor) is not approved for staff-like access and requires escorted access.

    Note:

    For additional information, see IRM 10.23.2, Personnel Security, Contractor Investigations.

  8. Facility Access - Controlled entry into a facility based on access status, role or function and employment category.

  9. Limited Area - An area to which access is limited to authorized personnel only. Limited Area space can be identified by the FMSS Physical SSC based on critical assets.

    Note:

    For additional information, see IRM 10.2.14, Methods of Providing Protection.

  10. Perimeter Access - Pedestrian and/or vehicular access to controlled exterior areas, demarked by a fence or similar boundary demarcation; usually at campus locations.

  11. Perimeter Vehicle Access Register (PAR) - Daily record of vehicles, without passes, entering the perimeter.

  12. Qualified Escort - An authorized (designated) IRS employee or a contractor employee approved for final staff-like access at the same or higher position risk level as the contractor employee who requires escorting, and with knowledge of the task or activity to be performed.

    Note:

    For additional information on escort/escorted ratio, see IRM 10.2.18.5.2, Escorted Access.

  13. Routine Access - Access to facilities on a consistent basis, generally multiple times a week.

  14. Staff-like Access - Authorized unescorted access to Treasury-owned or controlled facilities, IT systems, security items and products, and/or to areas storing/processing SBU data, as determined by Treasury/bureau officials. Staff-like access may be interim or final.

    Note:

    For additional information, see IRM 10.23.2, Personnel Security, Contractor Investigations.

  15. Unescorted Access - Staff-like access granted to a contractor employee to IRS facilities, IT systems, and SBU data without escort.
    Extended definition: authority granted to individuals to gain access/entry and be present without an escort. Unescorted access is an element of staff-like access authorization.

    Note:

    For additional information, see IRM 10.23.2, Personnel Security, Contractor Investigations.

  16. Vendor - A business or person who provides goods or services.

    Note:

    For additional information, see IRM 10.23.2, Personnel Security, Contractor Investigations.

  17. Visitors - A person visiting an IRS facility who has not been issued an IRS photo ID card. Visitors may include contractors who have or have not been approved for staff-like access, other federal agency employees and contractors, and the general public.

  18. Visitor Access Register (VAR) - Daily record of visitors entering the perimeter or the facility.

  19. Acronyms

    Acronym Definition
    AAL Authorized Access List
    AD Associate Director
    BB Ball Bearing
    BOD Business Operating Division
    BU Business Unit
    CFR Code of Federal Regulations
    CO Contracting Officer
    COR Contracting Officer’s Representatives
    DHS Department of Homeland Security
    FIPS Federal Information Processing Standards
    FMR Federal Management Regulation
    FMSS Facilities Management and Security Services
    HCO Human Capital Office
    HSPD Homeland Security Presidential Directive
    ICAM Identity Credential and Access Management
    ID Identification
    ISC Interagency Security Committee
    IT Information Technology
    LAR Limited Area Register
    OEP Occupant Emergency Plan
    PAC Physical Access Control
    PAR Perimeter Vehicle Access Register
    POC Point of Contact
    RSI Random Security Inspections
    SAMC Situational Awareness Management Center
    SBU Sensitive But Unclassified
    SSC Security Section Chief
    TM Territory Manager(s)
    VAR Visitor Access Register
    VGSA Visitor Group Security Agreement

     

Related Resources

  1. IRM 1.4.6, Managers Security Handbook

  2. IRM 1.14.9, IRS Parking Program

  3. IRM 10.2, Physical Security Program

  4. IRM 10.2.5, Identification Media

  5. IRM 10.2.8, Incident Reporting

  6. IRM 10.2.11, Basic Security Concepts

  7. IRM 10.2.14, Methods of Providing Protection

  8. IRM 10.5, Privacy and Information Protection

  9. IRM 10.5.5, Privacy and Information Protection, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements

  10. IRM 10.5.8, Privacy and Information Protection, Sensitive But Unclassified (SBU) Data Policy: Protecting SBU in Non-Production Environments

  11. IRM 10.8, Information Technology (IT) Security

  12. IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance

  13. IRM 10.23, Personnel Security

  14. IRM 10.23.1, Personnel Security, Personnel Security

  15. IRM 10.23.2, Personnel Security, Contractor Investigations

Prohibited Items

  1. Unless in the lawful performance of official duties, IRS employees, contractors, visitors and the general public are not permitted to enter IRS facilities and/or space with items prohibited in Federal Management Regulation (FMR) - Title 41, Code of Federal Regulations (CFR). Prohibited items include but are not limited to:

    1. any item prohibited by any applicable federal, state, local, and tribal law and/or ordinance.

    2. firearms, including Ball Bearing (BB) or pellet guns, compressed air guns, antique firearms, flare guns, knives or other devices with blades in excess of 2.5 inches, swords, explosives, incendiary devices, night sticks, brass-knuckles, throwing stars, etc.

    3. dangerous weapons.

    4. explosives.

    5. other destructive devices (including their individual parts or components) designed, redesigned, used, intended for use, or readily converted to cause injury, death, or property damage.

  2. IRS employees, contractors, visitors and the general public may be denied access if they attempt to enter a facility with prohibited items.

  3. In certain circumstances, the local FMSS physical security office may modify the list of prohibited items at a facility, in accordance with guidance outlined in the ISC document, Items Prohibited from Federal Facilities: An Interagency Security Committee Standard.

Screening Requirements

  1. Employees, contractors, visitors and the general public may be subjected to screening of personal effects at facility entrance(s) to deter and detect prohibited items. Screening requirements are in accordance with current ISC standards, and may vary by location.

  2. Personal effects subject to inspection include packages of all types; luggage, briefcases, shoulder bags, athletic bags and handbags. Inspection includes opening the item and viewing its contents and/or viewing x-ray images of the item to determine if unauthorized items are present.

  3. Alternative screening methods can be requested by facility entrants. Personnel with a "pacemaker" WILL NOT be screened with any type of metal detector. All persons declaring a medical condition which prohibits them from metal detection screening must submit to alternative methods of screening. No proof of medical condition is required.

  4. Alternative methods of screening personnel must be considered and implemented by the FMSS physical Security Section Chief (SSC), with FMSS TM approval. Alternative screening methods may include but are not limited to the following:

    1. Removal of outerwear clothing (coat, jacket, sweater) for visual inspection.

    2. Pat-down by someone of the same gender if items not removed cannot be observed.

    3. Removal of all personal items from pockets/person for x-ray screening or visual inspection.

    4. Screening of all hand-held bags, briefcases, purses, etc., by the x-ray scanner, or subjecting them to visual screening.

    5. Some other optional and reasonable screening methodology, per local procedures.

  5. Modifications to entry access screening requirements must be submitted by the local FMSS physical security office to the FMSS AD, Security Policy for coordination and approval. Modification requests should include identified risk(s) and appropriate mitigation strategies to address the risk. For additional information, see subsection 10.2.18.11, Deviations.

Random Screening Requirements

  1. Random Security Inspections (RSI) of personnel entering and/or exiting IRS facilities will be conducted. The inspections will include all hand-carried items to ensure they do not contain unauthorized weapons/explosive materials, drugs, unauthorized government property or other contraband entering or leaving the facility.

  2. The inspections must include a strict random pattern. The random pattern must be strictly enforced for the duration of a particular RSI period at a particular time and place to avoid the appearance or perception of selective screening or targeting personnel, which is prohibited.

Physical Access Eligibility Requirements

  1. Access to IRS facilities and work areas is provided to IRS employees, contractors and visitors on an escorted or unescorted basis. The local FMSS physical security office will determine and grant the type of access, based on the eligibility requirements.

  2. The requirements for unescorted and escorted access are set forth in subsection IRM 10.2.18.5, Physical Access Eligibility Requirements, IRM 10.23.2, Personnel Security, Contractor Investigations, IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance and IRM 10.5.8, Privacy and Information Protection, Sensitive But Unclassified (SBU) Data Policy: Protecting SBU in Non-Production Environments.

  3. Where there is a guard present, a daily VAR, approved by the local FMSS physical security office, must be used to verify a visitor’s eligibility for:

    1. unescorted access, when they do not possess an IRS issued Smart Identification (ID) or PAC card.

      Note:

      For additional information, see subsection 10.2.18.7.1, Facility Unescorted Access.

    2. escorted access.

  4. The VAR must contain, at a minimum, the following information:

    1. Name, telephone number and location of IRS Point of Contact (POC)

    2. Visitor name

    3. Reason for visit

    4. Rooms/Areas to be visited

    5. Actual Date(s)/Times of visit

    6. Type of access to be granted; unescorted or escorted

Unescorted Access

  1. Unescorted access allows for staff-like facility access, with the exception of designated Limited Areas. Unescorted access is provided to all IRS employees.

  2. IRS Contractors, other federal agency employees and contractors and other persons requiring routine access must meet the following requirements before unescorted facility access is granted:

    1. Interim or final staff-like access approval from Human Capital Officer (HCO) Personnel Security, as set forth in IRM 10.23.2, Personnel Security, Contractor Investigations.

    2. Documented completion of designated training as set forth in IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance and IRM 10.5.8, Privacy and Information Protection, Sensitive But Unclassified (SBU) Data Policy: Protecting SBU in Non-Production Environments.

Escorted Access

  1. Escorted access does not allow for the entry and/or movement throughout the facility without a qualified escort. Limited Areas may be subject to more stringent escort access procedures.

  2. IRS contractors, other federal agency employees and contractors and other persons requiring routine access that do not meet the requirements for unescorted access must be escorted at all times while in IRS facilities.

  3. A "qualified escort" will be required for persons with escorted access. The requirements for qualified escort are:

    1. The qualified escort must be an authorized (designated) IRS or contractor employee approved for final staff-like access at the same or higher position risk level as the escorted person, with knowledge of the task or activity to be performed.

    2. The qualified escort must accompany the person during all work performance and movement throughout the facility.

    3. The qualified escort must, at a minimum, maintain visual contact with the escorted person.

    4. The qualified escort must accompany visitors to the exit on completion of the visit to sign out and return ID.

      Note:

      Persons who have been denied final staff-like access cannot be escorted.

    5. At no time during escorted access are individuals permitted access to SBU data, or IRS IT systems.

      Note:

      For additional information, see IRM 10.23.2, Personnel Security, Contractor Investigations.

  4. The AD, Security Policy is the approval authority for exceptions to the escort/escorted ratio requirements:

    1. At least one qualified escort per every five escorted persons is required.

    2. The total number of escorts may depend on the size of the group.

    3. The number of escorts required should be noted in the Visitor Group Security Agreement (VGSA), Contract Agreement, or similar document.

Perimeter Access

  1. Perimeter access is controlled at locations where IRS is responsible for perimeter security, as prescribed in IRM 10.2.11, Basic Security Concepts. Perimeter access includes pedestrian and vehicular access.

  2. Employees and contractors that have an IRS issued photo ID (SmartID or PAC card) and additional ID media, such as parking permits and/or facility access cards, must present the ID card and other media at the entry point to gain access to the perimeter area.

  3. Employees and contractors that do not possess a parking permit and/or facility access cards, visitors and delivery personnel may only enter at manned perimeter checkpoints. Vehicle passes, logs, and a VAR can be used to authorize perimeter access, vehicular or pedestrian. The persons will be required to provide valid photo ID, such as a driver’s license, for identity verification and are subject to local screening procedures.

  4. Temporary vehicle passes may be issued to employees, contractors and visitors who have not been issued a parking permit. A PAR will be maintained by the guard and must include the following information:

    1. Vehicle pass number

    2. Name of employee

    3. Vehicle license number

    4. Date of issue

  5. The temporary vehicle pass may not be used for in and out access, but rather the visitor must show a picture ID and be checked against the access list each time the visitor enters. A temporary vehicle pass must be dated and is valid only for the date of issuance.

Facility Access

  1. Facility Access refers to controlled entry into a facility based on access status, role or function and employment category. Facilities may include federal buildings and commercial leased locations. Only authorized personnel should have unescorted access to IRS facilities.

  2. ID cards must be worn at or above the waist and visible from the front when in IRS facilities.

Facility Unescorted Access

  1. Only employees, IRS contractors, other federal agency employees and contractors, that meet the eligibility requirements as outlined in subsection 10.2.18.5.1, Unescorted Access, are permitted unescorted access to IRS facilities.

  2. ID cards must be worn at or above the waist and visible from the front when in IRS facilities.

  3. Contractors meeting the unescorted access requirements who do not have an IRS issued photo ID card may be placed on a VAR, approved by the local FMSS physical security office.

  4. Local FMSS physical security offices will determine if additional ID media, such as facility access cards, may be required.

  5. Employees and contractors must ensure that only authorized personnel are in the workspace.

    Note:

    Do not allow unauthorized persons to follow behind or "tailgate" (also known as "piggybacking") when entering a workspace or facility.

Facility Escorted Access

  1. IRS contractors, other federal agency employees and contractors and visitors that do not meet the requirements for unescorted access must be escorted at all times while in IRS facilities and workspace. Escorted access does not allow for the entry and/or movement throughout the facility without a qualified escort.

  2. Escorted persons will require a qualified escort. Refer to subsection 10.2.18.5.2(3), Escorted Access, for the requirements for qualified escort(s).

Limited Area Access

  1. A Limited Area is an area to which access is limited to authorized personnel only, as described in IRM 10.2.14, Methods of Providing Protection. Access, unescorted or escorted, must be approved by the BU manager responsible for the area.

  2. Visitors will be directed to the main entrance of the Limited Area for entry.

Limited Area Unescorted Access

  1. Unescorted access allows for staff-like unsupervised access to designated Limited Areas. Unescorted access is provided to personnel:

    1. who meet facility unescorted access requirements.

    2. approved by the BU supervisor responsible for the area.

    3. possessing a photo ID card with an "R" indicator.

    4. placed on a designated AAL for the Limited Area.

  2. Persons on an AAL will not be required to sign-in nor will the limited area monitor be required to make any entry in the LAR. However, identity verification and a signature will be required for issuance of a temporary access card to the Limited Area.

Limited Area Escorted Access

  1. Limited Area escorted access does not allow for the entry and/or movement throughout the designated Limited Area without a qualified escort. Escorted access applies to individuals who must perform official duties within Limited Areas and have not been granted unescorted entry authorization. Escorted access also applies to personnel visiting Limited Areas, and IRS employees without an "R" indicator.

  2. IRS contractors, other federal agency employees and contractors that do not meet the requirements for staff-like access must be escorted at all times while in designated Limited Areas.

  3. At the main entrance to the Limited Area, the Limited Area Monitor (BU staff) will:

    1. complete the entries on Form 5421, Limited Area Register for each visitor and have the visitor sign the register.

    2. verify the identity of each visitor by comparing the name and signature entered in the register with the name and signature on a government issued photo ID card (i.e., driver’s license).

    3. issue an appropriate Limited Area non-photo ID card, upon verification of identity. If the visitor is an IRS employee not assigned to the area, an exchange of ID cards will be made.

    4. collect the non-photo ID card from visitors leaving the areas.

    5. enter the time of the visitor’s departure in the register.

  4. A qualified escort will be required for persons with escorted access. Refer to subsection 10.2.18.5.2(3), Escorted Access, for the requirements for qualified escorts.

Treasury Inspector General for Tax Administration (TIGTA) Access

  1. TIGTA employees will be granted staff-like access to IRS facilities when they present their TIGTA issued SmartID card at facility entry points. TIGTA employees entering IRS facilities without their SmartID card are subject to the escorted access requirements as outlined in subsection 10.2.18.5.2, Escorted Access.

Emergency First Responders Access

  1. Federal and/or local emergency responders may be allowed unescorted access when responding to a known emergency event, i.e., alarm activations, a 911 call, or notification by the Occupant Emergency Plan (OEP) team.

  2. For non-emergency events, emergency responders must be escorted at all times.

Deviations

  1. Requests for the development of new PAC policy or modification of the existing PAC policy must be submitted through the local FMSS physical security office to the FMSS AD, Security Policy, for coordination and approval.

  2. The Chief, FMSS is the approving authority for any variation to the existing PAC policy.

Records and Accountability

  1. The local FMSS physical security office will be responsible for maintaining VAR and PAR for a period of five years for areas designated by the ISC as Facility Security Level (FSL) V, and for two years for areas designated by the ISC as FSL I through IV, and then destroying them according to the General Records Schedule 5.6, Security Records, Items 110 and 111.

Physical Access Control Matrix

| Type | Description | Unescorted Access: Eligibility Requirements | Unescorted Access: ID Card Issuance | Escorted Access: Eligibility Requirements | Escorted Access: ID Card Issuance |
|---|---|---|---|---|---|
| Employee | IRS Employee | Staff-like Access Approval; Designated Training Completion | Photo ID; SmartID | N/A | N/A |
| Contractor | IRS Contractor | Staff-like Access Approval; Designated Training Completion | Photo ID; SmartID or PAC Card | No Staff-like Access Approval; Qualified Escort | Non-Photo ID |
| Other Federal Agency/Bureau Employee | Employee from another federal agency | Staff-like Access Approval; Designated Training Completion | Non-Photo ID; Visitor | No Staff-like Access Approval; Qualified Escort | Non-Photo ID |
| Other Federal Agency/Bureau Contractors | Contractor from another federal agency | Staff-like Access Approval; Designated Training Completion | Non-Photo ID; Visitor | No Staff-like Access Approval; Qualified Escort | Non-Photo ID |
| Visitor | Person visiting an IRS facility | Staff-like Access Approval; Designated Training Completion | Non-Photo ID; Visitor | No Staff-like Access Approval; Qualified Escort | Non-Photo ID; Qualified |

NOTE: Designated training is set forth in IRM 10.5.5, Privacy and Information Protection, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements, IRM 10.5.8, Privacy and Information Protection, Sensitive But Unclassified (SBU) Data Policy: Protecting SBU in Non-Production Environments, and IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.