10.8.2 IT Security Roles and Responsibilities

Manual Transmittal

September 30, 2016

Purpose

(1) This transmits revised Internal Revenue Manual (IRM) 10.8.2, Information Technology (IT) Security, IT Security Roles and Responsibilities.

Background

Department of Treasury Directive Publication (TD P) 85-01 and federal regulations require that senior management/executive officials establish an IT security program, which includes the identification of IT security roles and responsibilities.

  1. This IRM establishes the IT security roles and responsibilities for the Internal Revenue Service (IRS) organizations and the employees relevant to sensitive information and systems.

IRM 10.8.2 has been aligned to the roles and responsibilities described in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-100, Information Security Handbook: A Guide for Managers and 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems.

IRM 10.8.2 is part of the Security, Privacy and Assurance policy family, IRM Part 10 series for IRS Information Technology Cybersecurity.

FIPS 200 mandates the use of NIST Special Publication 800-53 as baseline for the creation of agency IT security policy.

Material Changes

(1) The following sections have been updated/clarified with this version of policy:

  1. IRM 10.8.2.2.1.1, Agency Head: Incorporated controls to align with TD P 85-01.

  2. IRM 10.8.2.2.1.2, Chief Information Officer (CIO)/Chief Technology Officer (CTO): Incorporated controls to align with TD P 85-01.

  3. IRM 10.8.2.2.1.2, Chief Information Officer (CIO)/Chief Technology Officer (CTO): Incorporated control removed from IRM 10.8.2.2.2.1.

  4. IRM 10.8.2.2.1.3, Senior Agency Information Security Officer (SAISO)/Chief Information Security Officer (CISO): Incorporated controls to align with TD P 85-01.

  5. IRM 10.8.2.2.1.3.1, Certification Agent: Incorporated controls to align with TD P 85-01.

  6. IRM 10.8.2.2.1.3.1, Certification Agent: Added clarification.

  7. IRM 10.8.2.2.1.3.2, Risk Executive (Function): Adjusted controls to align with TD P 85-01.

  8. IRM 10.8.2.2.1.5, Information System Owner/Business and Functional Unit Owner: Incorporated controls to align with TD P 85-01.

  9. IRM 10.8.2.2.1.5, Information System Owner/Business and Functional Unit Owner: Removed duplicate controls.

  10. IRM 10.8.2.2.1.6, Information Owner: Incorporated controls to align with TD P 85-01.

  11. IRM 10.8.2.2.1.7, Authorizing Official (AO): Incorporated controls to align with TD P 85-01.

  12. IRM 10.8.2.2.1.7, Authorizing Official (AO): Removed duplicate controls.

  13. IRM 10.8.2.2.1.8, Information System Security Officer: Incorporated controls to align with TD P 85-01.

  14. IRM 10.8.2.2.1.8, Information System Security Officer: Removed duplicate controls.

  15. IRM 10.8.2.2.1.9, Manager: Incorporated controls to align with TD P 85-01.

  16. IRM 10.8.2.2.1.10, Contracting Officer: Incorporated controls to align with TD P 85-01.

  17. IRM 10.8.2.2.1.12, Information System Security Engineer: Added additional NIST Publications to be reviewed by the Information System Security Engineer.

  18. IRM 10.8.2.2.1.17, Employee: Incorporated requirements to align with Consolidated Appropriations Act of 2016 Division Q section 402.

  19. IRM 10.8.2.2.1.17, Employee: Incorporated controls to align with TD P 85-01.

  20. IRM 10.8.2.2.1.18, Contractor: Incorporated controls to align with TD P 85-01.

  21. IRM 10.8.2.2.1.19, Database Administrator (DBA): Incorporated new control and added clarification.

  22. IRM 10.8.2.2.1.24, Resource Access Control Facility (RACF) Specialist: Added control to point to IRM 10.8.34.

  23. IRM 10.8.2.2.1.35, System Designer: Added additional control.

  24. IRM 10.8.2.2.2.1, IRS Information Technology Cybersecurity Organization: Removed control and relocated to IRM 10.8.2.2.1.2.

  25. All references to Live Data Functional Coordinator (LDFC): Removed as IRM 10.8.8 no longer exists and PGLD no longer has that role.

  26. Exhibit 10.8.2-1, Roles That Require Specialized Training: New Exhibit.

  27. Exhibit 10.8.2-2, References: Updated References.

(2) Editorial changes (including grammar, spelling, and minor clarifications) were made throughout the IRM.

Effect on Other Documents

IRM 10.8.2 dated May 16, 2014, is superseded. This IRM supersedes all prior versions of IRM 10.8.2. This IRM supplements IRM 10.8.1, Information Technology (IT) Security Policy and Guidance.

Audience

IRM 10.8.2 shall be distributed to all personnel responsible for ensuring that adequate security is provided for IRS information and information systems. This policy applies to all employees, contractors, and vendors of the IRS.

Effective Date

(09-30-2016)

S. Gina Garza
Chief Information Officer

Overview

  1. This IRM lays the foundation for roles and responsibilities within the IRS.

Purpose

  1. This IRM establishes the IT security roles and responsibilities for the IRS.

    1. In accordance with IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, the IRS shall implement security roles and responsibilities in accordance with federal laws and IT security guidelines that are appropriate for specific operations and functions.

Authority

  1. IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, establishes the security program and the policy framework for the IRS.

  2. Department of Treasury Directive Publication (TD P) 85-01 and federal regulations require that senior management/executive officials establish an IT security program, which includes the identification of IT security roles and responsibilities.

Scope

  1. This IRM covers IT security roles and responsibilities.

  2. The provisions in this manual apply to:

    1. All offices and business, operating, and functional units within the IRS.

    2. Individuals and organizations having contractual arrangements with the IRS, including employees, contractors, vendors, and outsourcing providers, which use or operate information systems that store, process or transmit IRS Information or connect to an IRS network or system.

  3. Although IRM 10.8.2 is intended to be the primary source for general IT security roles and responsibilities, all documents in the 10.8.X series, additional applicable policy suites of IRMs, applicable business unit Guidelines, Standards and Procedures (GSP), and Standard Operating Procedures (SOP) shall be carefully reviewed for an individual to comprehensively understand their role and specific responsibilities in their environmental context. IRMs in the 10.8.X series provide explicit requirements where security roles and responsibilities are delineated.

    1. Due to each document having its own update lifecycle, there may be instances where updated roles and responsibilities are published in supplementary policies which have not yet been added to this IRM. In those instances, the newer published roles and responsibilities shall be implicitly followed along with those stated in this IRM.

Risk Acceptance and Risk-Based Decisions

  1. Any exception to this policy requires that the Authorizing Official (AO) make a Risk-Based Decision.

  2. Risk-Based Decision requests shall be submitted in accordance with IRM 10.8.1 and use Form 14201, as described in Request for Risk Acceptance and Risk-Based Decision Standard Operating Procedures (SOPs), available on the Enterprise FISMA Compliance SharePoint site via the Risk Acceptance Requests link.

  3. Refer to IRM 10.8.1 for additional guidance about risk acceptance.

Roles and Responsibilities

  1. The IRS shall implement IT security roles and responsibilities that ensure the confidentiality, integrity, and availability of its systems, applications, and information.

  2. The following roles and responsibilities are based on Federal Information Security Management Act (FISMA), National Institute of Standards and Technology (NIST), and Department of Treasury guidance and policies.

  3. Throughout this IRM, roles may be identified as being responsible for creating, updating, and maintaining documentation. This may be accomplished through agreements and coordination with other organizational entities. When this is done, it does not relieve the individual with the role of the responsibility, but rather requires effective communication between the two parties.

Key Governance and Related Roles & Responsibilities

  1. In accordance with NIST SP 800-100, Information Security Handbook: A Guide for Managers, there are several governance stakeholders common to most organizations that span the organization. These stakeholders include senior management/executive official, a Chief Information Officer (CIO)/Chief Technology Officer (CTO), information security personnel, and a Chief Financial Officer (CFO), among others. The specific requirements of each role may differ with the degree of information security governance centralization or in response to the specific missions and needs of an organization.

  2. This section provides functional roles and responsibilities for personnel who have security-related governance responsibility for the protection of information systems they operate, manage and support. These roles are defined in accordance with FISMA, NIST, Office of Management and Budget (OMB), Treasury and IRS Policy and Guidelines.

Agency Head
  1. FISMA requires the head of each federal agency to provide information security protections commensurate with the risk and magnitude of the harm that may result from unauthorized access, use, disclosure, disruption, modification, or destruction of its information and information systems. The protection should apply not only within the agency, but also within contractor or other organizations working on behalf of the agency.

    1. For the IRS, the Agency Head is the IRS Commissioner, Acting Commissioner, or senior IRS executive acting on behalf of the IRS.

  2. The Agency Head shall:

    1. Designate a Chief Information Officer (CIO)/Chief Technology Officer (CTO).

    2. Ensure high priority is given to effective information security awareness, security awareness training, and role-based training for the workforce.

  3. In accordance with TD P 85-01, the Agency Head shall:

    1. Ensure that a Cybersecurity Program is developed within their organizations in accordance with Treasury policy.

    2. Ensure the IRS practices its Cybersecurity Program throughout the life cycle of each IRS system.

    3. Ensure an IRS-wide report on the Cybersecurity Program and any internal annual compliance reviews is submitted annually to the Treasury Associate CIO for Cybersecurity (ACIOCS).

    4. Ensure that a system inventory is maintained following Treasury FISMA inventory requirements.

    5. Ensure IRS employees/contractors complete annual cybersecurity awareness training and specialized training (as required).

    6. Ensure each information system is assigned an Authorizing Official (AO) and that no information systems are operated in production environments without an assigned AO.

  4. In accordance with FISMA, the Agency Head shall be responsible for:

    1. Providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of:
      i. Information collected or maintained by or on behalf of the agency.
      ii. Information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.

    2. Complying with the requirements of FISMA § 3544 and related policies, procedures, standards, and guidelines, including:
      i. Information security standards promulgated under Section 11331 of Title 40, United States Code.
      ii. Information security standards and guidelines for national security systems issued in accordance with law and as directed by the President.

    3. Ensuring information security management processes are integrated with agency strategic and operational planning processes.

    4. Ensuring that the agency has trained personnel sufficient to assist the agency in complying with the requirements of FISMA § 3544, this policy, and related policies, procedures, standards, and guidelines.

    5. Ensuring policies are disseminated to all employees.

  5. In accordance with FISMA, the Agency Head shall:

    1. Ensure that senior management/executive officials provide information security, for the information and information systems that support the operations and assets under their control.

    2. Assess risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems.

    3. Determine the levels of information security appropriate to protect such information and information systems in accordance with standards promulgated under the U.S. Code Section 11331 and policies for information security classifications and related requirements.

    4. Implement policies and procedures to cost-effectively reduce risks to an acceptable level.

    5. Periodically test and evaluate information security controls and techniques to ensure that they are effectively implemented.

    6. Delegate to the CIO/CTO, established under Section 3506 of the FISMA Act (or comparable official in an agency not covered by such section), the authority to ensure compliance with the requirements imposed on the agency.

    7. Ensure that the CIO/CTO, in coordination with other senior management/executive officials, reports annually to the agency head on the effectiveness of the agency information security program to include progress of remedial actions.

Chief Information Officer (CIO)/Chief Technology Officer (CTO)
  1. The CIO/CTO, in accordance with NIST and TD P 85-01, shall be responsible for designating a Point of Contact (POC) to coordinate all policy issues related to information systems security including: computer security, telecommunications security, operational security, certificate management, electronic authentication, Disaster Recovery (DR), and critical infrastructure protection related to cyber threats.

  2. In accordance with TD P 85-01, the CIO/CTO (or designee) shall:

    1. Be a Federal Employee.

    2. Oversee the IRS’ Cybersecurity Program and advise the Agency Head on significant issues related to the program.

    3. Provide FISMA reporting and other cybersecurity information to the Treasury CIO to meet the Treasury’s requirements.

    4. Ensure the Treasury Cybersecurity Office is provided with requested materials and assistance as it conducts Department-wide activities in support of its oversight and central reporting roles.

    5. Ensure an acceptable risk posture of IRS systems is accomplished in accordance with minimum security control guidelines established by Treasury and other applicable policy and guidance.

    6. Ensure that an IRS process is maintained for incident response and reporting in accordance with policy to the IRS Computer Security Incident Response Center (CSIRC) and, when warranted, to the Treasury Computer Security Incident Response Center (TCSIRC).

      Note:

      This function may be delegated.

    7. Ensure that procedures are established to notify the appropriate Human Resource Officer or his/her designee, of all incidents reported to the TCSIRC that involve the compromise or loss of a system or personally identifiable information.
      i. The procedures should address means for identifying the managers of employees/contractors involved in the incident and whether the circumstances of the incident suggest that corrective action is necessary.

    8. Assist the Department of Treasury in compliance reviews, remediation of audit findings, and reporting requirements.

    9. Ensure weaknesses are correctly identified and appropriately prioritized within the IRS’ Plan of Action and Milestones (POA&M) submission.

    10. Review, in consultation with the IRS Senior Agency Information Security Officer (SAISO)/Chief Information Security Officer (CISO), any requested IRS-wide exceptions to policy, and sign approved exceptions.

      Note:

      In the IRS, exceptions are called Risk-Based Decisions (RBDs).


      i. An approved and signed exception must be held by the IRS with a copy submitted to the Department CIO via the Department CISO.
      ii. IRS-wide exceptions to Treasury requirements shall be managed differently than information system tailoring. Documentation of exception requests to Treasury requirements must include operation justification, risk acceptance, and risk mitigation measures.
      iii. Such requests must be submitted to and approved by the IRS CIO/CTO, in consultation with the IRS SAISO/CISO.
      iv. An approved exception must be signed by the individuals in these roles and held by the IRS, with a copy submitted to the Department CIO via the Department CISO for review.

    11. Oversee implementation and operation of the Cyber Critical Infrastructure Protection (CIP) Program Plan.

    12. Ensure adequacy of resources for protecting cyber critical infrastructure.

    13. Designate an IRS Cyber CIP Coordinator.

    14. Complete mandatory annual specialized information security training.

  3. In accordance with FISMA and NIST guidance, the CIO/CTO shall:

    1. Designate a SAISO/CISO, who shall carry out the CIO/CTO’s responsibilities for system and program security planning and assessments.

    2. Develop and maintain an agency-wide information security program including information security policies, procedures, and control techniques to address system security planning and all applicable requirements.

    3. Ensure information security considerations are integrated into programming, planning and budgeting cycles, enterprise architectures and acquisition/system development life cycles.

    4. Ensure information systems are covered by an approved security plan and are authorized to operate.

    5. Ensure security authorizations are accomplished in an efficient, cost-effective and timely manner.

    6. Ensure centralized capability for reporting of all security-related activities.

    7. Determine the appropriate allocation of resources dedicated to the protection of the organization's missions and business functions and the information systems supporting those missions/business functions based on organizational priorities.

    8. Manage the identification, development, implementation, and assessment of common security controls.

    9. Ensure compliance with applicable information security requirements.

    10. Ensure that personnel with significant responsibilities for system and program security plans and assessments are trained.

    11. Assist senior management/executive officials with their responsibilities for system and program security plans and assessments.

    12. Report annually to the agency head on the effectiveness of the agency information security program, including progress of remedial actions.

    13. Encourage the maximum reuse and sharing of security-related information including: 1) threat and vulnerability assessments; 2) risk assessments; 3) results from common security control assessments; and 4) any other general information that may be of assistance to information system owners and their supporting security staffs.

    14. Determine the appropriate allocation of resources dedicated to the protection of the agency’s information systems based on organizational priorities.

    15. In certain instances, operate as the AO for agency-wide General Support Systems (GSS) or as co-AO with other senior management/executive officials for selected agency systems.

  4. In accordance with the Department of Treasury's Software Piracy Policy, the CIO/CTO shall:

    1. Develop and implement an enterprise-level plan that ensures that the agency is in compliance with Executive Order 13103.

    2. Coordinate with Department of Treasury Bureaus and Offices an initial assessment of the agency’s existing policies and practices with respect to the use and management of computer software through qualified personnel or an outside contractor.

    3. Maintain an enterprise list of Treasury Department authorized and supported software. The list shall indicate by Bureaus and Offices, terms of licenses, authorized number of users, and physical location of software.

    4. Perform spot audits. Periodic audit checks shall be done to ensure Bureaus and Offices are in compliance with software license agreements.

    5. Establish centralized software acquisition whenever possible.

  5. In addition, the CIO/CTO shall:

    1. Provide leadership and high level direction in the management of projects and plans involving highly complex, mission critical information systems and business systems modernization projects in support of modernizing the nation's tax system.

    2. Ensure the organization's core IT competencies are aligned to provide maximum value in support of agency business processes, and ensure overall strategies are established and engaged to support long-term enterprise-wide information needs and modernization projects.

    3. Define objectives and make decisions which impact the cost, schedule, supportability, and performance of modernization projects.

    4. Provide focus for technology management within the IRS by developing integrated enterprise-wide technology policies.

    5. Establish and maintain strong relationships with stakeholders such as oversight groups, IRS business leaders and external stakeholders, etc., to facilitate the exchange of information in support of program goals and requirements.

    6. Provide oversight and guidance to key contractors to ensure successful performance of contracts.

    7. Provide executive leadership in IT strategic and operational planning to achieve business goals by fostering innovation, prioritizing complex IT initiatives and directing the evaluation, deployment and management of current and future IT systems across the organization.

    8. Serve as the external spokesman for the IRS on technology matters to the Administration, Congress and external oversight bodies.

    9. Influence strategic business decisions regarding the use of technology and assess the impact of emerging technology on strategic business needs.

    10. Drive the vision for all enterprise-wide IT activities including planning, budgeting, acquisition, allocation of computer services and communication services.

    11. Develop and implement IT initiatives that will advance operational efficiencies, improve enterprise-wide decision making and communication, increase revenues, drive cost efficiencies and strengthen financial reporting and controls.

    12. Develop and implement an IRS-wide time server, in accordance with IRM 10.8.3.

    13. Ensure the IRS Information Technology organization notifies the CSIRC of suspicious activities and complies with CSIRC directions.
      i. The IRS Information Technology organization shall comply with its internal configuration management requirements.
      ii. The IRS Information Technology organization shall perform containment activities.

  6. The CIO/CTO, as tasked by FISMA, shall administer training and oversee personnel with significant information security responsibilities. To accomplish this, the CIO/CTO shall work with the SAISO/CISO to:

    1. Establish overall strategy for the information security awareness and training program.

    2. Ensure that the agency head, senior managers, system and information owners, and others understand the concepts and strategy of the information security awareness and training program, and are informed of the progress of the program’s implementation.

    3. Ensure that the agency’s information security awareness and training program is funded.

    4. Ensure specialized cybersecurity training is completed annually by the employees/contractors with significant cybersecurity responsibilities.

    5. Ensure cybersecurity awareness training is provided annually to information system users in accordance with applicable guidance.
      i. All users of information systems shall be sufficiently trained in their security responsibilities and other information security basics and literacy through awareness training.

    6. Ensure that an effective information security awareness effort is developed and employed such that all personnel are routinely or continuously exposed to awareness messages through posters, email messages, logon banners, and other techniques.

    7. Ensure that effective tracking and reporting mechanisms are in place.

Senior Agency Information Security Officer (SAISO)/Chief Information Security Officer (CISO)
  1. The Senior Agency Information Security Officer (SAISO)/Chief Information Security Officer (CISO) is the agency official responsible for serving as the CIO/CTO’s primary liaison to the agency’s information system owners and information system security officers (ISSOs). At the IRS, the Associate CIO (ACIO), IRS Information Technology Cybersecurity organization, is the SAISO/CISO.

  2. The SAISO/CISO shall serve as the CIO/CTO's primary liaison to AOs, information system owners, and ISSOs.

    1. The ACIO Cybersecurity shall appoint, in writing, a senior-level executive or manager to the role of AO for an IRS information system. The ACIO Cybersecurity may delegate the authority of appointing an AO to another senior-level executive.

  3. In accordance with TD P 85-01, the SAISO/CISO shall:

    1. Develop and manage the IRS cybersecurity program.

    2. Prepare and distribute IRS policies, security standards, and additional guidance, as necessary, to implement and manage the IRS Cybersecurity Program. Provide IRS policy to the ACIOCS as requested.

    3. Ensure parameters are defined and documented for system security controls where parameters are required and are not defined by Federal or Treasury standards, policy, or compulsory guidance.

    4. Establish and manage an IRS cybersecurity oversight program to ensure that the security procedures and standards are in compliance with IRS policies and standards.

    5. Establish a security awareness and training program, including tracking Federal personnel and contractors who received the training, and their positions.

    6. Ensure each information system undergoes a Security Assessment and Authorization (SA&A) and appropriate reports (i.e., Certification & Authorization reports and risk analyses) are performed by each AO as required by Treasury policy and national standards/guidance.

    7. Ensure annual information system security assessments, to include technical control testing and updated risk analyses, are conducted in compliance with Treasury and applicable guidance.

    8. Ensure system authorizations are conducted and maintained in accordance with IRS-defined policy and frequencies.
      i. Ensure the re-accreditation/reauthorization and risk analyses are conducted every 3 years or when major changes occur for IT systems/application processing sensitive information. (IRS-defined Control)
      ii. See IRM 10.8.1 for additional requirements.

    9. Ensure that cybersecurity requirements are fully addressed in IRS IT business cases and budget submissions.

      Note:

      This is to ensure that IT security requirements are addressed and adequately resourced.

    10. Manage and maintain IRS Plans of Action and Milestones (POA&Ms) on all cybersecurity weaknesses.

    11. Track milestones and allocation of resources for remediation.

    12. Ensure the IRS CIO/CTO is informed of overall security status and risk posture.

    13. Ensure that the security aspects and day-to-day security operations of the information system, including physical security, personnel security, incident handling, and security training and awareness, are managed, and that summary security metrics are reported to the IRS CIO or ACIO as requested.

    14. Ensure that system security plans and other SA&A documents are developed, implemented, and reviewed in accordance with applicable IRS policies.

    15. Develop and maintain policy and procedures for reporting, investigating, and resolving all cybersecurity incidents involving IRS information systems.

    16. Validate that an Information System Security Officer (ISSO) is assigned for each IRS information system.

    17. Report the results of continuous monitoring to the AO and other IRS officials as appropriate.

    18. Complete mandatory annual specialized information security training.

    19. Review, in consultation with the IRS CIO/CTO, any requested IRS-wide exceptions to policy, and sign approved exceptions.

      Note:

      In the IRS, exceptions are called Risk-Based Decisions (RBDs).


      i. An approved and signed exception must be held by the IRS with a copy submitted to the Department CIO via the Department CISO.
      ii. IRS-wide exceptions to Treasury requirements shall be managed differently than information system tailoring. Documentation of exception requests to Treasury requirements must include operation justification, risk acceptance, and risk mitigation measures.
      iii. Such requests must be submitted to and approved by the IRS CIO/CTO, in consultation with the IRS SAISO/CISO.
      iv. An approved exception must be signed by the individuals in these roles and held by the IRS, with a copy submitted to the Department CIO via the Department CISO.

  4. In accordance with FISMA, and NIST, through delegation by the CIO/CTO, the SAISO/CISO shall:

    1. Possess the qualifications, training and experience required to administer information security program functions.

    2. Maintain information security duties as their primary responsibility.

    3. Head an office with the mission of assisting in achieving FISMA compliance.

    4. Develop, document, and implement an agency wide information security program to provide security for all systems, networks, and data that support the operations of the organization.

    5. Periodically assess risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency.

    6. Develop and maintain risk-based, cost-effective information security policies, procedures, and control techniques to address all applicable requirements throughout the life cycle of each agency information system to ensure compliance with applicable requirements.

    7. Facilitate development of subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems.

    8. Coordinate the development, review, and acceptance of system security plans with information system owners, ISSOs, and the AO.

    9. Coordinate the identification, implementation, and assessment of the common security controls.

    10. Establish and maintain a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency.

    11. Develop and implement procedures for detecting, investigating, reporting, responding, and resolving security incidents.

    12. Develop and review procedures for monitoring and reacting to system security alarms, warning messages, and reports, and implement said procedures. Note: This duty may be delegated to Information System Security Officers (ISSOs).

    13. Oversee a program of disaster recovery readiness and evaluation.

    14. Ensure preparation and maintenance of plans and procedures to provide continuity of operations for information systems that support the operations and assets of the agency; ensure that contingency plans for IT systems are developed, maintained, and tested.

    15. Support the agency CIO/CTO in annual reporting to the agency head on the effectiveness of the agency information security program, including progress of remedial actions.

    16. Assist senior management/executive officials concerning their responsibilities.

  5. In accordance with NIST, the SAISO/CISO shall:

    1. Ensure that IT system SA&A (i.e., Certification & Accreditation reports and risk analyses) are conducted by each AO.

    2. Ensure that security plans are reviewed and submitted to the AO for approval at least annually or upon significant changes to the system, whichever is sooner.

    3. Review IRS business cases and budget submissions to ensure that IT security requirements are addressed and adequately resourced.

    4. Conduct security audits, verifications and acceptance checks and maintain documentation on the results.

    5. Manage and maintain agency POA&Ms for all IT security weaknesses, tracking milestones and the allocation of resources for remediation, and provide a quarterly status to the Department of Treasury through the IRS CIO/CTO.

    6. Ensure the CIO/CTO is informed of technical risks and vulnerabilities, to include those accepted by AOs.

    7. Ensure that IRS security status and other relevant data is provided to the CIO/CTO for situational awareness and related purposes.

    8. Coordinate the implementation of logical access controls into operating systems, relational database management systems (RDBMS), remote terminals and IT applications.

    9. Provide IT and facility technical and non-technical (e.g., physical and personnel security) certification support to any Information System Owner.

    10. Prepare and submit a written report for all technical security exceptions. The report shall outline the risks and vulnerabilities and/or advantages that could result from granting the exception or from implementing any alternative. Maintain a file of all approved IT facility security-related exceptions.

    11. Ensure that re-accreditation/reauthorization and risk analyses are conducted at least every 3 years or when major changes occur for IT systems/applications processing sensitive information.

    12. Ensure that a Security Control Assessment (SCA) is performed for each non-national security system when conducting a Security Assessment and Authorization (SA&A) (for policy pertaining to national security system see IRM 10.9.1).

    13. Ensure that contingency plans for IT systems processing sensitive information are developed, maintained and tested.

    14. Develop each certification letter citing risks and mitigations along with Authority to Operate (ATO) or Interim Authority to Operate (IATO) recommendation to the AO.

    15. Be a voting member on the Configuration Control Board (CCB) for the IRS' IT architecture.

    16. Review contract vehicles to ensure they address appropriate security measures.

    17. Define and implement performance metrics to evaluate the effectiveness of their IT security programs.

  6. The SAISO/CISO shall maintain an inventory of major applications and GSSs.

    1. See IRM 10.8.1 for additional requirements and guidance.

  7. The ACIO Cybersecurity shall:

    1. Maintain and provide updates to IRM 10.8.3, in accordance with IRM 10.8.2 and other applicable IRS policies.

    2. Develop Guidelines, Standards, and Procedures (GSP) documentation, consistent with the requirements of this IRM, to describe platform-specific files, permissions, and other configuration settings necessary to comply with IRM 10.8.3.

    3. See IRM 10.8.3, Information Technology (IT) Security, Audit Logging Security Standards for additional requirements.

  8. The ACIO Cybersecurity, in conjunction with IRM 10.8.27, Information Technology (IT) Security, Internal Revenue Service Policy on Limited Personal Use of Government Information Technology Resources, shall develop and disseminate policy appropriate to personal use of Government IT resources as necessary.

  9. The SAISO/CISO has the responsibility for the organization’s information security awareness and training program. In this role, the SAISO/CISO shall:

    1. Ensure that security awareness, security awareness training, and role-based training material developed or purchased is appropriate and timely for the intended audiences.

    2. Ensure that security awareness, security awareness training, and role-based training material is effectively deployed to reach the intended audiences.

    3. Ensure that employees, users, those receiving role-based training, and managers have an effective way to provide feedback on the security awareness, security awareness training, and role-based training material and its presentation.

    4. Ensure that security awareness, security awareness training, and role-based training material is reviewed periodically and updated when necessary; and

    5. Assist in establishing a tracking and reporting strategy.

Certification Agent
  1. In accordance with TD P 85-01, the certification agent:

    1. Shall be a U.S. citizen or permanent lawful resident.

    2. Performs independent assessments of the security controls of the system. Can be an individual, group or organization in a position that is independent from the persons directly responsible for the development and day-to-day operation of the system. Shall also be independent from those responsible for correcting security deficiencies identified during the Security Assessment and Authorization (SA&A) process.

      Note:

      The independence of the certification agent is an important factor in determining any bias that may have entered into the security assessment results. Independence also ensures that the AO receives the most objective information possible in order to make an informed, risk-based, authorization decision.

    3. Prior to initiating security control assessment activities, provide an independent assessment of the system security plan to ensure it provides a set of security controls adequate to meet all applicable security requirements.

    4. Assess security controls to evaluate the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

    5. Shall provide an assessment of the severity of weaknesses or deficiencies discovered in the information system and its environment of operation and recommend corrective actions to address identified vulnerabilities.

    6. Shall prepare the security assessment report containing the results and findings from the assessment to provide the basis for recommendations to the AO with regard to systems security authorization.

    7. Complete mandatory annual specialized information security training.

  2. This role is assigned to the ACIO, IRS Information Technology Cybersecurity organization.

  3. The certification agent shall be responsible for conducting a security certification, or comprehensive assessment of the security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
    i. This includes final code review.

  4. In accordance with NIST, the certification agent shall:

    1. Provide corrective actions to reduce or eliminate vulnerabilities in the information system.

    2. Be independent from the persons directly responsible for the development of the information system and the day-to-day operation of the system.

    3. Be independent of those individuals responsible for correcting security deficiencies identified during the security certification.

  5. Refer to the Senior Agency Information Security Officer (SAISO)/Chief Information Security Officer (CISO) section of this IRM for additional roles and responsibilities.

Risk Executive (Function)
  1. In accordance with TD P 85-01, the Treasury Chief Information Officers Council (CIOC) performs the Risk Executive Function responsibilities defined in NIST SP 800-37 for the entire Department, including the IRS.

    1. The IRS may create a bureau-level risk body as part of the tiered guidance within NIST SP 800-37 and SP 800-39, but must coordinate with and take direction from the Treasury Chief Information Officers Council (CIOC) on decisions pertaining to the Risk Executive Function responsibilities.

      Note:

      Should the IRS decide to create a bureau level role:
      i. The agency head may choose to retain the Risk Executive (function) or to delegate the function to another official (e.g., the chief information officer) or group (e.g., an executive leadership council). However implemented, risk management remains an organization-wide responsibility that starts with the head of the organization and goes through all levels of the organization.
      ii. AOs may have narrow or localized perspectives in rendering authorization decisions, perhaps without fully understanding or explicitly accepting all of the risks being incurred from such decisions.

Common Control Provider
  1. In accordance with NIST 800-37, the IRS shall appoint a common control provider. The common control provider shall be an IRS official or group responsible for the planning, development, implementation, assessment, authorization, and maintenance of common controls (i.e., security controls inherited by information systems).

    Note:

    Organizations can have multiple common control providers depending on how information security responsibilities are allocated organization-wide. Common control providers may also be information system owners when the common controls are resident within an information system.

  2. Common control providers shall be responsible for:

    1. Documenting common controls to be utilized in a System Security Plan (SSP).

    2. Ensuring that required assessments of common controls are carried out by qualified assessors with an appropriate level of independence.

    3. Documenting assessment findings in a security assessment report.

    4. Producing a POA&M for all controls having weaknesses or deficiencies.

    5. Making available security plans, security assessment reports, and POA&Ms for common controls (or a summary of such information) to information system owners inheriting those controls after the information is reviewed and approved by the senior management/executive official or other official with oversight responsibility for those controls.

Senior Management/Executives
  1. OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources, states executive agencies within the federal government shall:

    1. Plan for security in all phases of the system life cycle.

    2. Ensure appropriate officials are assigned security responsibility.

    3. Review security controls annually (i.e., FISMA annual security program review).

    4. Formally authorize (accredit) processing prior to operations (as an AO) and periodically thereafter.

  2. FISMA, OMB, Department of Treasury, and FISMA guidance specify that senior management/executive officials are subordinate to the Commissioner and shall be responsible for:

    1. Exercising oversight to ensure that a program manager is assigned for each system;

    2. Exercising oversight over Security Awareness Training and Education (ATE/SATE) funding; and

    3. Annually validating and updating the master inventory of information systems.

  3. The AO for a GSS or application shall be a senior management/executive official.

  4. Senior management/executive officials shall be responsible for balancing the mission and business priorities versus any security risks that might be applicable and formally authorizing the operation of an information system (this is known as security accreditation).

Information System Owner/Business and Functional Unit Owner
  1. The Information System Owner is the agency official responsible for the overall procurement, development, integration, modification, and operation and maintenance of the information system, and may rely on the assistance and advice of the ISSO, system operators, and other IT staff in the implementation of their security responsibilities.

    1. If the Business and Functional Unit Owner has been approved to perform the functions of acquisition, management, and operation and maintenance of an information system, then they shall be responsible for performing the Information System Owner responsibilities defined within this IRM.

  2. Information System Owners shall ensure that personnel within their area of responsibility performing Quality Assurance functions have, in addition to the other duties they perform, a working knowledge of computer security and how it can be used to improve the quality of the IRS' Quality Assurance Program.

  3. In accordance with TD P 85-01, the Information System Owner shall:

    1. Be a Federal Employee.
      i. With regard to contractor systems, the “owner” of the system is the IRS official responsible for funding the system and ensuring that it receives appropriate security controls.

    2. Ensure the system is operated according to applicable security standards.

    3. Ensure system personnel are properly designated, monitored, and trained.

    4. Grant access to the system with associated rights and privileges, giving individuals the fewest possible privileges necessary for performance of duties so that privileges are based on least privilege. Further, re-evaluate access privileges periodically (at least annually) and revoke access in a timely manner upon personnel transfer or termination.

      Note:

      These tasks may be delegated to the ISSO or other operation security personnel. However, the responsibility remains with the Information System Owner.

    5. Ensure system users and support personnel receive the requisite security training (e.g., instruction on rules of behavior).

    6. Ensure key IRS officials are informed of the requirements to conduct an SA&A of the information system.

    7. Provide necessary system-related documentation to the Certification Agent.

    8. Establish and maintain system-level POA&Ms and implement corrective actions in accordance with Treasury and IRS policy. This includes taking appropriate steps to update the risk assessment and to reduce or eliminate vulnerabilities after receiving the security assessment results.

    9. Ensure SA&A of the system using the Risk Management Framework (RMF), including:
      i. Ensuring the security of data and application software residing on the system.
      ii. Categorizing the criticality/sensitivity of the system in accordance with Federal Information Processing Standard (FIPS) 199 and ensuring the categorization receives the approval of a senior IRS official (AO, CTO/CIO, Agency Head).
      iv. Maintaining the SA&A Package.
      v. Assembling and ensuring submission of all SA&A documents to IRS Information Technology Cybersecurity.

    10. Include security considerations and identify associated security funding requirements in the procurement of system software, hardware, and support services, including system development, implementation, operation and maintenance, and disposal activities (i.e., life cycle management).

    11. Establish appropriate rules of behavior that apply to all personnel managing, administering, or accessing the system.

    12. Assist in the investigation of incidents if necessary.

    13. Ensure parameters are defined for system security controls where parameters are required and are not established by Federal, Treasury, or IRS policy.

    14. Ensure service providers (to include providers of contingency services and/or operators of systems upon which their systems rely) are informed of the system’s FIPS 199 impact level and the security controls selected.

    15. In the case of outsourced systems and services, ensure the appropriate and applicable security requirements and controls are integrated into the procurement (or other contract or service provisioning) vehicle.

    16. Ensure the AO receives periodic updates regarding the security status of the information system.

    17. Complete mandatory annual specialized information security training.

  4. In accordance with NIST, the Information System Owner shall:

    1. Include security considerations and identify associated security funding requirements in the procurement of system software, hardware, and support services, including system development, implementation, operation and maintenance, and disposal activities (i.e., life cycle management).

    2. Categorize the information system and document the results of the security categorization in the security plan.

    3. Describe the information system (including system boundary) and document the description in the security plan.

    4. Ensure system personnel are properly designated, monitored and trained.

    5. Ensure the system is operated according to applicable security standards.

    6. Be responsible for addressing the operational interests of the user community (i.e., users who require access to the information system to satisfy mission, business, or operational requirements) and for ensuring compliance with the information security requirements.

    7. Obtain and manage the budget throughout the project's life cycle against a project manager's delivered, locked baseline.

    8. Develop and maintain the SA&A package.

    9. Plan and coordinate activities within his/her organization required to complete SA&A, FISMA reviews, and POA&M development.

    10. Ensure appropriate resources are available for the SA&A effort.

    11. In coordination with the ISSO, develop and maintain the security plan and ensure that the system is deployed and operated in accordance with the agreed-upon security requirements.

    12. Assist in the identification, implementation, and assessment of the common security controls.

    13. Provide orderly, disciplined, and timely updates to the security plan, security assessment report, and POA&M on an ongoing basis; this supports near real-time risk management and ongoing authorization.

    14. Ensure all security weaknesses and deficiencies identified during the security control assessment are documented in the security assessment report to maintain an effective audit trail. Organizations develop specific plans of action and milestones based on the results of the security control assessment and in accordance with applicable laws, Executive Orders, directives, policies, standards, guidance, or regulations.

    15. Ensure a strategy is developed for the continuous monitoring of security control effectiveness and any proposed or actual changes to the information system and its environment of operation.

    16. Ensure security controls that are modified, enhanced, or added during the continuous monitoring process are reassessed by the assessor to ensure that appropriate corrective actions are taken to eliminate weaknesses or deficiencies or to mitigate the identified risk.

    17. Identify security control weaknesses or deficiencies (i.e., the direct or indirect effect the weaknesses or deficiencies may have on the overall security state of the information system and hence on the risk exposure of the organization).

    18. Ensure security control assessments are conducted in parallel with the development and implementation phases of the system development life cycle; this facilitates the early identification of weaknesses and deficiencies and provides the most cost-effective method for initiating corrective actions.

    19. Provide specific recommendations on how to correct weaknesses or deficiencies in the controls.

    20. Ensure any weaknesses or deficiencies in the security controls noted during the assessment are corrected.

    21. Report the security status of the information system (including the effectiveness of security controls employed within and inherited by the system) to the Authorizing Official and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy.

    22. Ensure system-level Plan of Action and Milestones (POA&Ms) are established and corrective actions are implemented in accordance with the Treasury standard for POA&Ms.

      Note:

      This includes taking appropriate steps to update the risk assessment and to reduce or eliminate vulnerabilities after receiving the security assessment results from the Certification Agent.

    23. Define how changes to the information system shall be monitored, how security impact analyses shall be conducted, and the security status reporting requirements including recipients of the status reports.

    24. Develop a strategy for the continuous monitoring of security control effectiveness and any proposed/actual changes to the information system and its environment of operation.

  5. Information System Owners are responsible for the information security of their Contractor Systems. In accordance with FISMA, Information System Owners shall:

    1. Conduct an annual FISMA Contractor Review of the contractor’s facility and systems.

    2. Perform continuous monitoring and create and maintain a POA&M of their FISMA Contractor Systems in accordance with NIST 800-37 and 800-53, Recommended Security Controls for Federal Information Systems and Organizations guidance.

    3. Provide funding to conduct the annual FISMA Contractor reviews.

  6. For DR/Business Resumption (BR), the Information System Owner shall cooperate with the other business units and the area/site managers to develop, maintain, and validate effective, comprehensive plans. At a minimum, the Information System Owner shall coordinate with other appropriate business units and shall be responsible to:

    1. Fully describe and document the information system in the Information System Contingency Plan (ISCP).

    2. Acquire and transport replacement equipment required to restore operations.

    3. Acquire space for processing operations, to include occupation of an alternate processing facility when necessary.

    4. Estimate supplies and office equipment needed to support a computer processing operation occupying an alternate processing facility when appropriate.

    5. Support expeditious acquisition and transportation of replacement equipment required to restore operations.

    6. Refer to IRM 10.8.60, Information Technology (IT) Security, IT Service Continuity Management (ITSCM), and IRM 10.8.62, Information Technology (IT) Security, Information System Contingency Plan (ISCP) and Disaster Recovery (DR) Test, Training, and Exercise (TT&E) Process, for additional information on IT Disaster Recovery roles & responsibilities.

  7. For DR, the Information System Owner shall coordinate with other appropriate business units and shall:

    1. Determine recovery needs and time frames needed for business restoration through comprehensive Business Impact Analysis (BIA) evaluations.

    2. Develop DR requirements during the development phase of all new systems and throughout any production system upgrades.

    3. Provide the funding for the DR equipment/space/storage needed to meet the recovery goals (set by the business).

    4. Fully describe and document the details of the information system in the ISCP that is required by FISMA for each major system.

    5. Support the development of processing priorities for completion of work following emergencies that degrade computer processing capabilities.

    6. Work jointly with IRS Information Technology Operations and Security Risk Management (SRM) to ensure ISCPs and DR Plans for all applications and systems are tested annually.

    7. Work jointly with IRS Information Technology Operations and SRM in the development and testing of DR plans to ensure availability of data from the recovered system and business continuity.

    8. Work jointly in the testing of the DR plans to ensure availability of data from the recovered system.

    9. Work with SRM regarding enterprise priorities.

    10. Refer to IRM 10.8.60 for additional information on IT Disaster Recovery.

  8. For each IRS system within their area of responsibility, the Information System Owner shall:

    1. Ensure audit plans are developed in accordance with IRM 10.8.3; and

    2. Ensure audit logs are collected and maintained in accordance with IRM 10.8.3.

  9. The Information System Owner of the database shall:

    1. Ensure that Database Management System (DBMS) environments comply with the security change management requirements listed in IRM 10.8.1.

    2. Ensure that changes to DBMSs are documented and tracked using the appropriate change management process.

    3. Ensure that development servers are properly configured and managed in accordance with the requirements in IRM 10.8.21.

    4. Work with Program Developers/Programmers to ensure that the configuration of application server software on the operating system(s) is in accordance with IRM 10.8.21.

    5. Advise the Security Specialist of any technical, operational, or security problems and recommended solutions.

    6. Ensure Database Administrators (DBAs) do not have unnecessary operating system administrator privileges. DBAs shall have the least level of elevated operating system privileges required to perform DBA-related duties.

    7. See IRM 10.8.21 for additional requirements.

  10. The Information System Owner shall:

    1. Assist Program Developers/Programmers to ensure that the configuration of application server software on the operating system(s) is in accordance with IRM 10.8.6.

    2. Advise the Security Specialist of any technical, operational, or security problems and recommended solutions for secure application development.

    3. Not have operating system Administrator privileges.

    4. See IRM 10.8.6, Information Technology (IT) Security, Secure Application Development for additional requirements.

  11. The Information System Owner shall be responsible for the following:

    1. Assist System Administrators (SA) and other stakeholders to ensure proper configuration of Linux/Unix based operating systems in accordance with IRM 10.8.10.

    2. Advise the Security Specialist of any technical, operational, or security problems and recommend solutions for the Linux/Unix environment.

    3. See IRM 10.8.10, Information Technology (IT) Security, Linux and Unix Security Policy for additional requirements.

  12. Information System Owners shall be responsible for the following:

    1. Assist System Administrators (SA) and other stakeholders to ensure proper configuration of Windows based operating systems in accordance with IRM 10.8.20.

    2. Advise the Security Specialist of any technical, operational, or security problems and recommend solutions for the Windows environment.

    3. See IRM 10.8.20, Information Technology (IT) Security, Windows Security Policy for additional requirements.

  13. The Information System Owner shall be responsible for the following:

    1. Ensure that Web servers and Web application servers are properly configured and managed in accordance with the requirements of the associated IRM.

    2. Work with SAs and other stakeholders to ensure proper configuration of Web server and Web application server software on the operating system in accordance with the associated IRM.

    3. Coordinate placement of information and scripts on the Web server and Web application servers with appropriate authorities.

    4. See IRM 10.8.22, Web Server Policy, for additional requirements.

  14. Information System Owners that maintain systems, networks, IRS applications, and COTS shall:

    1. Develop implementation policies and procedures for managing security patches to the systems and applications for which they are responsible.

    2. Review various sources for security-related patches specific to their systems and applications.

    3. Notify the Computer Security Incident Response Center (CSIRC) prior to working on each set of their pending patch activities. Notification shall be via the Patch and Vulnerability Group (PVG) member.

    4. Provide application names and implementation counts to the CSIRC for the Business Impact Analysis during the assignment of severity levels.

    5. Maintain hardware/software inventories.

    6. Coordinate their patch activities with other Information System Owners.

    7. Coordinate their patch activities with the CSIRC.

    8. Provide multiple representations to the PVG based on key stakeholder organizations involved in the Enterprise Life Cycle (ELC) and operations.

    9. Acknowledge receipt of the IRS Patch and Vulnerability Group (PVG) Advisories per the Acknowledgment of Receipt schedule.

    10. In the event an applicable patch is not applied, the Business and Functional Unit Owner shall document this weakness in a POA&M associated with the SA&A package.

    11. Information System Owners shall be represented on the PVG.

    12. See IRM 10.8.50, Service-wide Security Patch Management, for additional guidance.

  15. Information System Owners that own or operate a perimeter firewall environment shall comply with the security requirements in IRM 10.8.54, Minimum Firewall Administration Requirements.

Business System Planner (BSP)
  1. The Business System Planner (BSP) shall perform duties outlined for Senior Management/Executives.

Security Program Management Officer (SPMO)
  1. The Security Program Management Officers (SPMOs) have been established within the Business Units and IRS Information Technology Cybersecurity organization to support their AO and other staff with the successful completion of that office's security related responsibilities, including the successful completion of all FISMA requirements.

  2. The SPMO shall support the BSP functions, System Owners, FISMA activities and shall provide other security-related support for other security activities.

  3. The SPMO shall provide ISSOs for the systems owned by their respective Business Unit.

    1. When there is no ISSO assigned for a system, the SPMO shall assume the role of the ISSO.

  4. In support of FISMA, the SPMO shall:

    1. Ensure development and implementation of the IRS Security Program strategy to meet FISMA requirements.

    2. Ensure currency of the FISMA Master Inventory.

    3. Coordinate and ensure completion of annual security reviews.

    4. Make security determinations (such as prioritization) for weakness reporting.

    5. Ensure timely completion of POA&M weaknesses and obtain AO or AO POC concurrence.

      Note:

      POA&Ms shall be approved by the AO (e.g., as a part of the accreditation process or prior to establishing in TFIMS), and shall be managed, and completed as planned.

    6. Collaborate with other SPMOs to ensure consistency of FISMA activities across business units.

    7. Serve as the security point of contact for business unit staff supporting FISMA and as the Cybersecurity interface into the business unit.

    8. Identify needs for, and provide, IT security awareness training to current and newly assigned personnel in the business unit.

    9. Present all training and orientation materials to AOs and various Points of Contact (POCs), at minimum, annually.

  5. For weaknesses and POA&Ms, the SPMO shall:

    1. Identify and track, with ISSO support, the corrective actions to mitigate the weaknesses in the POA&M through status updates, changes to milestones, and additional comments.

    2. Identify the scheduled completion date, cost, and resources needed to mitigate each weakness.

    3. Validate the effectiveness of the corrective actions during continuous monitoring or SCA.

    4. Combine and review all high level security weaknesses from the self-assessment, risk assessment, TIGTA audits, GAO audits, and internal reviews into POA&M weaknesses.

    5. As determined by their business unit, consolidate self-assessment scores for their business unit applications and then brief POCs and AOs on the results.

    6. Support the development of answers to the self-assessment questions that cross multiple business units.

Information Owner
  1. The Information Owner is an IRS official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal. At the IRS, the Information Owner is the Business and Functional Unit Owner.

  2. In accordance with TD P 85-01, the Information Owner shall:

    1. Be a Federal Employee.

    2. Be responsible for establishing the appropriate use and protection of subject/information (e.g., rules of behavior).

      Note:

      The information owner retains responsibility even when the data/information is shared with other organizations.

    3. Participate in the FIPS 199 information impact analysis in support of categorizing the criticality/sensitivity for systems processing, storing, or transmitting this information.

    4. Identify, and periodically (at a minimum annually) review, the security requirements needed to adequately protect the information on the information system, and communicate those requirements to the information system owner as necessary.

    5. Assist in the SA&A process as requested to ensure proper protection of the information.

    6. Allow production data to be stored or processed only on authorized systems.
      i. This requirement applies to the use of Cloud, Web 2.0, and successor technologies.

    7. Complete mandatory annual specialized information security training.

  3. The Information Owner, in collaboration with the AO, shall approve the physical removal of Sensitive But Unclassified (SBU) information from IRS facilities in writing prior to its removal.

  4. The Information Owner, in collaboration with the AO, shall approve the download and remote storage of SBU information outside of IRS facilities in writing prior to the action.

  5. Information Owner/Stewards shall provide input to Information System Owners regarding the security requirements and security controls for the information systems where the information resides.

  6. Refer to the Information System owner section of this IRM for detailed roles and responsibilities for Business and Functional Unit Owners.

Authorizing Official (AO)
  1. The AO is an executive or other senior official with the authority to formally assume responsibility of the operation of an information system and the information contained therein, at an acceptable level of risk. (TD P 85-01)

    Note:

    Depending upon the system, the AO may be the CIO, a senior official, or other responsible official (including the Bureau Head, if appropriate).

    Note:

    A single AO shall be designated for each information system.

  2. In accordance with TD P 85-01, the AO shall:

    1. Be a Federal employee.

    2. Ensure they are identified as the system(s) AO to the Department via the FISMA system inventory tracking and reporting tool.

    3. Allow or deny the Authority to Operate (ATO) for systems under their purview, initially and on an ongoing basis, in accordance with the organization’s risk tolerance throughout the operational life of the system(s). This includes halting operations for systems that are already in operation if unacceptable security risks exist.
      i. Upon taking on the role of the AO, the new AO is required to sign an authorization letter(s) taking over the current system(s) authorization(s). If they are unwilling to accept the current system(s) authorization(s), a new security assessment and re-authorization is required.

    4. Ensure that the residual risk posed by each system under their purview stays within the organization’s defined risk tolerance.

    5. Receive periodic updates from system owners or ISSO regarding the security status of systems under their purview and be held accountable for system security.

    6. Review the risks associated with interconnections with systems and/or programs and, as called upon to do so, approve or deny ISA(s).

    7. Review the risks associated with the systems under their purview on an ongoing basis in order to effectively make authorization decisions.
      i. AOs are encouraged to confer with their cybersecurity points of contact (POCs) (e.g., SAISO/CISO and ISSO) on cyber risks and overall security posture.

    8. Review justifications (risk-based decisions) for baseline controls not being selected for consideration in authorization decisions.
      i. AOs are encouraged to confer with their cybersecurity POCs (e.g., SAISO/CISO and ISSO).

    9. Ensure that each information system under their purview has a designated system owner and an Information System Security Officer (ISSO) who are responsible for ensuring the security of the system is in compliance with requirements throughout the system life cycle (from design through disposal).

    10. Oversee the budget and business operations of the information system(s) under their purview.
      i. The AO is often called upon to approve system security requirements, system security plans, and Memorandums of Agreement (MOA) and/or Memorandums of Understanding (MOU). (IRS-defined control)

    11. Only with concurrence of the IRS SAISO/CISO, approve the use of any compensating controls for Department-wide controls, consistent with Departmental policy, and ensure such use and approval is documented.

    12. Retain responsibility for the system(s) security information under their purview including when that information is shared with other organizations.

    13. Complete mandatory annual specialized information security training.

  3. In accordance with NIST, the AO shall:

    1. For all equipment capable of storing or transmitting data, conduct a risk assessment before connecting it to an IRS system or network.

    2. Apply adequate countermeasures before connecting the equipment to an IRS system or network.

    3. Decide through Security Assessment and Authorization (SA&A) processes to allow or disallow equipment to be connected to an IRS system or network.

    4. Document interconnections between external networks with an Interconnection Security Agreement (ISA) signed by both AOs.

    5. Issue an Interim Authorization to Operate (IATO) the information system under specific terms and conditions.

    6. Deny Authorization to Operate (ATO) the information system (or if the system is already operational, halt operations) if unacceptable security risks exist.

  4. The AO shall also:

    1. Ensure that the BU responsibilities are assigned within their organization for each system.

    2. Obtain and maintain Security Assessment and Authorization for his/her systems and applications.

    3. Sign the Accreditation Letter and assume responsibility and accountability for operating a system at an acceptable level of risk.

    4. Approve and document (e.g., via memo) any risk-based decisions.

    5. Ensure Security Assessment and Authorization documentation is current.

    6. Determine information sensitivity in accordance with NIST guidance (e.g., FIPS 199, 800-53) on security.

    7. Coordinate with the CIO/CTO regarding the security requirements of the sensitive information and provide definitive directions to IT developers or owners relative to the risk in the security posture of the IT system.

    8. Respond to self-assessment questions assigned.

    9. Decide on accepting the minimum security safeguards (requirements) prescribed for an IT system.

    10. Implement all applicable federal security and other protection policies as required by the Business system owner.

    11. Ensure that risk analysis responsibilities are accomplished in accordance with this policy.

    12. Ensure development of the documentation required for certification and ensure delivery to IRS Information Technology Cybersecurity organization, which is supporting the CIO/CTO.

    13. Evaluate security impact of any facility-unique patches or system modifications and approve those that do not adversely affect system security.

    14. Report any condition which appears to invalidate a certification, immediately to IRS Information Technology Cybersecurity.

    15. Ensure that current copies of approved Security Assessment and Authorization or IATO documentation are distributed to the organizations with a need to know as outlined in Security Assessment and Authorization processes.

    16. Ensure that all acquisitions of goods or services provide for information security, personnel security and physical security.

    17. Maintain the deliverables/results of contracted and outsourced efforts for which they provided funding.

    18. Approve security plans, security assessment plans/reports, memorandums of agreement or understanding, audit plans and POA&Ms.

    19. Determine whether or not changes in the information system or environment of operation require re-accreditation/reauthorization. Ensure the minimum security baseline requirements (e.g., NIST, OMB, Treasury) selected are appropriately prescribed for IT systems throughout the enterprise.

    20. Ensure each application's ISCP is reviewed and tested, at a minimum annually.

    21. Participate in a Disaster Recovery test, including signing off on the documentation as complete.

  5. The AO shall have the authority to deny, terminate, or alter access to a system or application if the level of risk is increased by granting such access.

  6. The AO can delegate performance of his or her responsibilities to a designated representative except for the signature of the authorization letter.

    Note:

    The only activity that shall not be delegated by the AO is the security accreditation decision and the signing of the associated security authorization decision letter (i.e., the acceptability of risk to the agency).

  7. The AO may delegate the coordinating and conducting of the day-to-day activities associated with the security authorization process to the Authorizing Official Designated Representative.

    1. The AO shall retain responsibility for all risk accepted to the organization regardless of responsibilities delegated.

      Note:

      Day-to-day activities do not include signing security authorization decision letters or Risk Acceptance Request Form 14201. The designated representative is to confer with the AO on decisions where the acceptance of risk to the organization is involved. The AO will then be required to officially accept the risk by signing the associated security authorization decision letter (i.e., the acceptability of risk to the agency).

  8. In the event that there is a change in AOs, the new AO shall review the current authorization decision document, authorization package, and any updated documents created as a result of the ongoing monitoring activities, and either sign an Authorization Letter taking over the current authorization or, if they are unwilling to accept the current authorization, a new security assessment and re-authorization may be required. (NIST 800-37, Sec. F.4; TD P 85-01 Sec. 2.6)

    1. See IRM 10.8.1, CA-6 Security Authorization for additional guidance.

  9. The AO shall be responsible for ensuring that all activities and functions delegated to the Authorizing Official Designated Representative are carried out.

Authorizing Official Designated Representative
  1. The Authorizing Official Designated Representative shall be an officially designated organization official that acts on behalf of the AO to coordinate and conduct the required day-to-day activities associated with the security authorization process.

  2. The Authorizing Official Designated Representatives shall coordinate their activities with the CIO/CTO, SAISO/CISO, Risk Executive (function), information system and common control providers, information system security officers, security control assessors, and other interested parties during the security authorization process.

  3. The Authorizing Official Designated Representative shall be empowered by the AO to make certain decisions with regard to the planning and resourcing of the security authorization process, such as:

    1. Approve the security plan and security assessment plan.

    2. Approve and monitor the implementation of POA&Ms, and the assessment/determination of risk.

  4. The Designated Representative may be called upon to:

    1. Prepare the final authorization package.

    2. Obtain the AO’s signature on the authorizing decision document (i.e., authorization letter).

    3. Transmit the authorization package to appropriate organizational officials.

  5. The only activity that cannot be delegated to the Designated Representative by the AO is the authorization decision and signing of the associated authorization decision document (i.e., the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation), to include authorization letters and risk-based decision memos (e.g., Form 14201).

Information System Security Officer (ISSO)
  1. In accordance with TD P 85-01, the ISSO shall:

    1. Be a U.S. citizen or permanent lawful resident alien.

    2. Ensure that applicable cybersecurity policies are implemented for the system and for those aspects of system-related physical security also under their purview.

    3. Ensure the development and implementation of cybersecurity procedures to support the consistent and effective implementation of security controls for the system.

    4. Ensure operational security posture consistent with current system security policy is maintained.

      Note:

      This includes monitoring compliance with system security policy and providing guidance and recommendations to correct deficiencies.

    5. Ensure timely completion and reporting of required continuous monitoring activities.

    6. Serve as the principal advisor to the AO, information system owner, and SAISO/CISO on all matters (technical and otherwise) involving the cybersecurity of the system.

      Note:

      This includes assisting the SAISO/CISO in identifying, implementing, and assessing the common security controls.

    7. Coordinate with the information system owner and information owner to:
      i. Ensure the system’s security documentation is maintained.
      ii. Ensure changes to the system are controlled in accordance with applicable change management policies.
      iii. Ensure security impacts of proposed changes are evaluated by or reported to officials responsible for change control.

    8. Communicate existing or potential cybersecurity issues to the CTO/CIO, SAISO/CISO, AO, and System Owner.

    9. Ensure that security incidents and the security status of the affected IT system(s) are reported to the IRS CSIRC.

    10. Ensure that the system audit trails are regularly examined and anomalies reported to the IRS CSIRC.

    11. Ensure documentation is developed and maintained detailing the IT hardware and software configuration and all security countermeasures that protect it.

      Note:

      This is usually maintained in the SSP.

    12. Complete mandatory annual specialized information security training.

  2. The ISSO, while working in collaboration with the information system owner, shall be responsible to the AO, information system owner, or SAISO/CISO for ensuring that the appropriate operational security posture (i.e., physical and environmental protection, personnel security, incident handling, and security training and awareness) is maintained for an information system or program.

  3. As the principal advisor to the AO, Information System Owner, or SAISO/CISO on all matters, technical and otherwise, involving the security of an information system, the ISSO shall provide:

    1. Analysis of security findings, issues and plans.

    2. Interpretation and clarification of security policy, guidance and new or changing IRM requirements.

    3. Recommendation for action(s) to resolve or mitigate known weaknesses, or for preventive measures and safeguards for potential threats.

    4. Status monitoring for Plans of Action and Milestones (POA&M), and other applicable action plans designed to resolve known weaknesses or prevent potential threats.

    5. Guidance in resolving known system weaknesses according to available enterprise-level plans or solutions.

    6. Situational Awareness through notification of enterprise security issues, solutions, projects and plans that may impact the system(s) under their purview.

  4. The ISSO shall have the detailed knowledge and expertise required to manage the security aspects of an information system.

  5. In accordance with NIST, the ISSO shall:

    1. Be responsible for ensuring the security of the system is in compliance with the requirements throughout the system life cycle (from design through disposal).

    2. Be appointed in writing.

    3. Be responsible for the coordination of activities that facilitate confidentiality, integrity, and availability of assigned IRS systems and applications.

    4. Accomplish duties through planning, analysis, development, implementation, maintenance, and enhancement of IRS Information Technology Cybersecurity information systems security programs, policies, procedures, and tools consistent with Department of Treasury, FISMA, and NIST guidelines.

    5. Actively support the development and maintenance of the system security plan, to include coordinating system changes with the information system owner and assessing the security impact of those changes.

    6. Perform and/or provide oversight and guidance for day-to-day security activities for assigned systems.

    7. Develop or assist in development of system security policy.

      Note:

      This includes, but is not limited to, contributing analysis and recommendations.

    8. Coordinate changes to the system with the system owner and the information owner, as needed.

    9. Assess security impact of system changes.

    10. In accordance with NIST SP 800-100, the ISSO is primarily responsible for addressing security concerns related to the Configuration Management (CM) program and for providing expertise and decision support to the Change/Configuration Control Review Board (CCRB/CCB).

    11. Be a voting member on the Change Control Board (CCB) for the systems and applications for which they are assigned.

      Note:

      SPMO is currently the voting member on the CCB.

  6. For their respective Business Unit, the ISSO shall also:

    1. Support the AO in the management of an enterprise risk management capability that incorporates the specific GSS or application.

    2. Ensure current security plans, ISCP, and disaster recovery plans exist.

    3. Ensure DR planning and testing occurs.

    4. Ensure Business Resumption (BR) planning and testing occurs.

    5. Participate, as needed, in testing of corrective action effectiveness, system security controls, and any other security testing.

    6. Participate in Cybersecurity Operations Compliance Reviews and Contractor Site Reviews as they relate to assigned systems.

    7. Provide an early warning to appropriate personnel, assisting with (or in) the tasks necessary to plan, allocate resources, and conduct any required security re-certification and accreditation.

    8. Assist in identification of IT and security resources which support critical operations.

    9. Support the activities relating to the security posture of the GSS or application.

    10. Alert the AO to system-relevant security threats and/or vulnerabilities as they are discovered; provide recommendations for mitigation or resolution as appropriate.

    11. Recommend (dis)approval of deviations from policy and/or security input to risk-based decisions for the systems or applications for which they are responsible.

    12. Analyze the proposed changes to the systems and applications (including hardware, software, and surrounding environment) to provide system-specific input to the determination of need for re-certification.

    13. Analyze, interpret and/or clarify Security Assessment and Authorization packages with requirements and results for the AO.

  7. The ISSO shall support the SPMO in FISMA activities.

Manager
  1. In accordance with TD P 85-01, the Manager shall:

    1. Determine employee access requirements for Federal employees who report to them based on assigned job functions.

    2. Ensure that subordinates comply with this policy and pursue appropriate action for non-compliance based on existing IRS policy.

    3. Review and authorize privileges for employees/contractors and review user security agreements on at least an annual basis to verify the continuing need for access, the appropriate level of privileges, and the accuracy of information contained in the agreement (e.g., systems authorized for access and type).

    4. Notify information system owner to revoke access privileges in a timely manner when a user under their supervision or oversight no longer requires access privileges, requires a change in access privileges, or fails to comply with stated policies or procedures.

    5. Ensure annual and specialized cybersecurity training is completed for those personnel with roles or responsibilities identified in Exhibit 10.8.2-1.

  2. Managers shall:

    1. Explicitly assign information technology security roles to individuals on their staff when said individual is responsible for meeting any requirements or completing any functions and activities of a role defined in IRM 10.8.2.

    2. Assign multiple roles to any employee when said employee performs in multiple roles. No role assignment has precedence, so all appropriate roles will be assigned.

    3. Not assign a role to an individual if that individual will not perform in that role. For example, if a person is capable and works within a business function that has system administrators (SAs), but that individual does not have any SA duties, do not assign the associated role.

      Note:

      The business function to which employees belong does not preclude them from being assigned a role defined in IRM 10.8.2.

  3. In accordance with NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, managers shall:

    1. Work with the CIO/CTO and SAISO/CISO to meet shared responsibilities.

    2. Serve in the role of system owner and/or information owner, where applicable.

    3. Include appropriate security training in the Career Learning Plans (CLP) for those with significant security responsibilities.

    4. Promote the professional development and certification of the information security program staff, full-time or part-time information security officers, and others with significant responsibilities for information security.

    5. Ensure that all users (including contractors) of their systems (i.e., general support systems and major applications) are appropriately trained in how to fulfill their information security responsibilities before allowing them access.

    6. Ensure that users (including contractors) understand specific rules of each system and application they use.

    7. Work to reduce errors and omissions by users due to lack of awareness, awareness training, and/or specialized role-based training.

  4. Managers shall be responsible for complying with the information security awareness, awareness training, and role-based training requirements established for their employees, users, and those who have been identified as having significant responsibilities for information security, in accordance with IRM 1.4.1, Resource Guide for Managers, Management Roles and Responsibilities. Managers are also referred to as Front Line Managers.

  5. In addition to the guidance provided in the IRM 1.4.X series, Resource Guide for Managers, Managers shall:

    1. Enforce the clean desk policy (see IRM 10.2.14, Physical Security Program, Methods of Providing Protection for further information).

    2. Ensure employees complete their annual UNAX Awareness certification.

    3. Be responsible for notifying via Online 5081 (OL 5081) and following up with the responsible organization of the system user status changes (e.g., terminations, transfers).

    4. Receive Security Awareness Training and Education (Security ATE/SATE). Detailed training requirements for management are stated in IRM 10.8.1.

  6. Managers shall:

    1. Ensure employees are informed of appropriate uses of Government IT resources as a part of their introductory training, orientation, or the initial implementation of this policy. These requirements are part of the employees’ mandatory annual Security ATE/SATE.

    2. Ensure IT resources are being used appropriately and shall take corrective action, as needed.

    3. See IRM 10.8.27 for additional requirements.

Contracting Officer
  1. In accordance with TD P 85-01, Contract Offices and Procurement Offices shall:

    1. Ensure appropriate cybersecurity terms and conditions are addressed in all IT procurements and other procurements as appropriate.

    2. Ensure that contract vehicles address mandatory Federal and Departmental cybersecurity requirements.

  2. The Contracting Officer shall be responsible for managing contracts/acquisitions and overseeing their implementation, in accordance with IRM 1.1.17, Organization and Staffing, Agency-Wide Shared Services.

  3. The Contracting Officer shall:

    1. Work in partnership with the SAISO/CISO to ensure that agency contracting policies adequately address the information security requirements.

    2. Coordinate with the SAISO/CISO to ensure that all agency contracts and procurements are compliant with the agency’s information security policy.

    3. Ensure that all personnel with responsibilities in the agency’s procurement process are properly trained in information security.

    4. Collaborate with the SAISO/CISO to monitor contract performance for compliance with the agency’s information security policy.

    5. See IRM 1.1.17 for additional requirements.

Contracting Officers Representatives (COR)
  1. The COR shall be a qualified employee appointed by the Contracting Officer to act as its technical representative in managing the technical aspects of a particular contract.

  2. In accordance with TD P 85-01, the COR shall:

    1. Determine whether contractors require information system access in order to accomplish their assigned tasks.

    2. Ensure that contractors comply with this policy and pursue appropriate action for noncompliance.

    3. Review and authorize access privileges for contractors and review user security agreements on at least an annual basis to verify the continuing need for access, the appropriate level of privileges, and the accuracy of information contained in the agreement (e.g., systems authorized for access and type).

    4. Notify system owners to revoke access privileges in a timely manner when a contractor under their supervision or oversight no longer requires access privileges, requires a change in access privileges, or fails to comply with stated policies or procedures.

  3. In accordance with NIST 800-16, the COR shall:

    1. Identify security requirements to be included in statements of work and other appropriate procurement documents (e.g., procurement requests, purchase orders, task orders, and proposal evaluation summaries) as required by the Federal regulations.

    2. Develop security requirements specific to an information technology acquisition for inclusion in procurement documents (e.g., ensures that required controls are adequate and appropriate) as required by the Federal regulations.

    3. Evaluate proposals to determine if proposed security solutions effectively address agency requirements as detailed in solicitation documents and are in compliance with Federal regulations.

    4. Develop security requirements for hardware, software, and services acquisitions specific to the IT security program (e.g., purchase of virus-scanning software or security reviews) and for inclusion in general IT acquisition guidance.

    5. Interpret and/or approve security requirements relative to the capabilities of new information technologies, revise IT acquisition guidance as appropriate, and issue changes.

    6. Identify areas within the acquisition process where IT security work steps are required.

    7. Develop security work steps for inclusion in the acquisition process (e.g., requiring an IT Security Officer review of statements of work).

    8. Evaluate procurement activities to ensure that IT security work steps are being effectively performed.

    9. Identify general and system-specific IT security specifications which pertain to a particular system acquisition being planned.

    10. Develop security-related portions of acquisition documents.

    11. Ensure that security-related portions of the system acquisition documents meet all identified security needs.

    12. Ensure that IT security requirements are appropriately identified in acquisition documents.

    13. Evaluate the presence and adequacy of security measures proposed or provided in response to requirements contained in acquisition documents.

    14. Monitor contract performance and review deliverables for conformance with contract requirements related to IT security and privacy.

    15. Take action as needed to ensure that accepted products meet contract requirements.

  4. Additionally, the COR shall:

    1. Ensure that security requirements for hardware, software, and services acquisitions are in compliance with the IT security program.

    2. Develop the system termination plan to ensure that IT security breaches are avoided during shutdown and long-term protection of archived resources is achieved.

    3. Ensure hardware, software, data, and facility resources are archived, sanitized, or disposed of in a manner consistent with the system termination plan.

    4. Ensure IT resources are being used appropriately and shall take corrective action, as needed.

    5. Determine if contractors require IT access in the accomplishment of their mission.

    6. Ensure contractors are informed of appropriate uses of Government IT resources as a part of their introductory training, orientation, or the initial implementation of this policy.

    7. Ensure that contractors comply with this policy and pursue appropriate action for noncompliance.

    8. Review and authorize access privileges for contractors and review user security agreements on at least an annual basis to verify the continuing need for access, the appropriate level of privileges, and the accuracy of information contained in the agreement.

    9. Notify system owners to revoke access privileges in a timely manner when a contractor under his/her supervision or oversight no longer requires access privileges, requires a change in access privileges, or fails to comply with stated policies or procedures.

    10. Ensure contracts for Information Systems contain FISMA security language.

    11. Ensure reviews are conducted on contractor facilities and systems annually, in accordance with FISMA and applicable NIST guidance such as 800-37 and 800-53.

Enterprise Architect
  1. The Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, November 28, 2000, requires agencies to ensure consistency with Federal, agency, and bureau Enterprise Architectures and to demonstrate consistency through compliance with agency business requirements and standards. The Enterprise Architect is a highly experienced IT architect who has a broad and deep understanding of the agency's overall business strategy and general IT trends and directions.

  2. In accordance with OMB Circular A-130, the Enterprise Architect shall:

    1. Lead agency enterprise architecture development and implementation efforts.

    2. Collaborate with lines of business within the agency to ensure proper integration of lines of business into enterprise architecture.

    3. Participate in agency strategic planning and performance planning activities to ensure proper integration of enterprise architecture.

    4. Facilitate integration of information security into all layers of enterprise architecture to ensure agency implementation of secure solutions.

    5. Work closely with the program managers, the SAISO/CISO, and the business owners to ensure that all technical architecture requirements are adequately addressed by applying Federal Enterprise Architecture (FEA) and the Security and Privacy Profile (SPP).

Information System Security Engineer
  1. The Information System Security Engineer is the individual responsible for conducting information system security engineering activities.

  2. In accordance with NIST SP 800-37, SP 800-160, SP 800-27 and SP 800-64, Information System Security Engineers shall:

    1. Employ best practices when implementing security controls within an information system including software engineering methodologies, security engineering principles, and secure coding techniques.

    2. Coordinate their activities with AO designated representatives, chief information officers, senior agency information security officers/chief information security officer, information system and common control providers, and information system security officers.

Chief Financial Officer (CFO)
  1. To provide a sound leadership structure linked to OMB’s financial management responsibilities, the Chief Financial Officers (CFO) Act of 1991 creates chief financial officer positions in 23 major agencies. The CFO is the senior financial advisor to the Investment Review Board (IRB) and the agency head. Information security investments fall within the purview of the CFO and are included in the CFO’s reports.

  2. In accordance with the CFO Act, the CFO shall:

    1. Review cost goals of each major information security investment.

    2. Report financial management information to OMB as part of the President’s budget.

    3. Comply with legislative and OMB-defined responsibilities as they relate to IT capital investments.

    4. Review systems that impact financial management activities.

    5. Forward investment assessments to the IRB.

Privacy Officer
  1. The role of the Privacy Officer and/or Chief Privacy Officer is defined in accordance with the Consolidated Appropriations Act, 2005 (H.R 4818) and the E-Government Act of 2002. This role within the IRS is assigned to the Director of Privacy, Governmental Liaison and Disclosure (PGLD).

  2. See IRM 10.5.1, Privacy, Information Protection & Data Security Policy and Guidance (PGLD), for a detailed description of Roles and Responsibilities.

Physical Security Officer
  1. The physical security officer is usually responsible for developing and enforcing appropriate physical security controls, in consultation with computer security management, program and functional managers, and others, as appropriate. The role of the Physical Security Officer is established in accordance with NIST SP 800-12, An Introduction to Computer Security. This role is assigned to the Director of Physical Security and Emergency Preparedness.

  2. The Director of Physical Security and Emergency Preparedness (PSEP) shall be responsible for the overall implementation and management of physical security controls across the IRS, including integration with applicable information security controls.

  3. The Director of PSEP shall:

    1. Ensure the organization’s physical security programs, to include appropriate controls for alternate work sites, are developed, promulgated, implemented, and monitored.

    2. Ensure organizational implementation and monitoring of access controls (i.e., authorization, access, visitor control, transmission medium, display medium, logging).

    3. Ensure organizational environmental controls (i.e., ongoing and emergency power support and backups, fire protection, temperature and humidity controls, water damage).

    4. Oversee and manage controls for delivery and removal of assets.

  4. The Director of PSEP provides oversight for the Physical Security Analyst and Physical Security Specialist roles.

  5. Refer to Physical Security Program 10.2.x IRMs for additional information on Physical Security Officer roles and responsibilities.

Personnel Security Officer
  1. The Personnel Security Officer manages and implements safeguards and security access authorization functions. The Personnel Security Officer is the first point of contact in helping managers determine if a security background investigation is necessary for a particular position. The Personnel Security Officer may also be responsible for providing security-related exit procedures when employees leave an organization.

  2. The Director of Personnel Security and Investigations shall be responsible for the overall implementation and management of personnel security controls across the IRS, including integration with specific information security controls.

  3. The Director of Personnel Security and Investigations shall:

    1. Develop, promulgate, implement and monitor the organization’s personnel security programs.

    2. Develop, implement, and ensure documentation of position categorization (including third-party controls) and risk level designations, access agreements, and personnel screening, termination, and transfers.

    3. Ensure consistent and appropriate sanctions for personnel violating management, operation, or technical information security controls.

Employee
  1. The provisions of this IRM apply to individuals and organizations having contractual arrangements with the IRS, including employees (IRS personnel, consultants, detailees, temporary employees, and interns) who use or operate IT systems.

  2. In accordance with P.L.114-113 (H.R. 2029), Consolidated Appropriations Act, 2016 Division Q section 402, IRS employees are prohibited from using personal email accounts for official business:

    1. No officer or employee of the IRS may use a personal email account to conduct any official business of the government.

  3. In accordance with Treasury’s TD P 85-01, Employees (End Users) shall:

    1. Complete cybersecurity awareness training annually and specialized security training as required.

    2. Read, acknowledge, and abide by applicable ethics and appropriate use policies for information systems.

    3. Read, acknowledge, and abide by applicable rules of behavior for information systems.

    4. Read, acknowledge, and abide by applicable guidance regarding use of personally owned equipment to access IRS systems.

    5. Be accountable for IT assets assigned to them and protect those assets in accordance with applicable requirements.

    6. Know the security category of the data they handle and measures they must take to protect it.

    7. Notify the appropriate IRS contacts of any suspected security incidents in a timely manner, and cooperate in the investigation of such incidents.

    8. Obtain AO approval prior to connecting devices with camera or voice transmission or recording capabilities to IRS systems or networks.

    9. Use only IRS email accounts for performance of official duties requiring the use of email.

    10. Not send e-mail messages containing IRS information to non-government owned email accounts, except as required for work-related communications to members of the public or other third parties.

    11. Not automatically forward email messages to non-IRS accounts.

    12. Not knowingly generate or distribute junk email (spam), spyware, adware, or malware via Federal systems or equipment.

    13. Not process or store classified information on an unclassified system.

    14. Appropriately protect all passwords and not store, share (e.g., transmit electronically) or record unencrypted passwords on or near the information systems to which they provide access.
      i. Encryption shall be FIPS compliant. See IRM 10.8.1 for additional requirements.

  4. IRS Employees shall:

    1. Comply with all executive, legislative, Department of Treasury and IRS security policies and procedures.

    2. Immediately report any incidents of loss or mishandling of IRS information technology resources to the IRS Computer Security Incident Response Center (CSIRC), their immediate supervisor, and the Treasury Inspector General for Tax Administration (TIGTA).

    3. Contact CSIRC in the event of a suspected incident (see ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ).

    4. Follow directions given from the CSIRC during an incident or as suspicious activities are evaluated.

    5. Attend/complete an initial security briefing and acknowledge attendance at the security briefing in writing.

    6. Complete periodic (at least annual) refresher ATE/SATE training.

    7. Thoroughly read and abide by the Rules of Behavior for the systems. Consult the OL 5081 procedures, as well as associated policies and procedures to which personnel are granted access.

    8. Not have access to sensitive IT systems until they at least have a favorably adjudicated National Agency Check (a component of the full background investigation).

    9. Not access sensitive/classified IT systems until they have received the in brief for the appropriate clearance for the IT system.

    10. Complete UNAX training and acknowledge its completion (e.g., by signing Form 11370 or by electronic signature).

    11. Be responsible for protecting any Sensitive But Unclassified (SBU) or Personally Identifiable Information (PII) that they have in their possession, whether it is paper-based or in electronic form.

    12. Receive training in acceptable computer security practices prior to system access, in addition to the Rules of Behavior (for all IRS employees involved with the management, operation, programming, maintenance, or use of IRS information systems).

    13. Immediately report any incidents of mishandling, tampering, or the loss of a laptop computer to IRS Information Technology Cybersecurity organization (see IRM 10.8.26, Mobile Computing Device Security Policy, for further guidance).

    14. Complete security training (ATE/SATE). Refer to IRM 10.8.1 for detailed training requirements.

    15. Escort visitors of IRS facilities.

  5. Employees shall:

    1. Protect Sensitive But Unclassified (SBU) data, including Personally Identifiable Information (PII), contained on IRS IT Systems and other forms of portable media from risk of disclosure or compromise.

    2. Minimize the threat of viruses from portable mass storage devices (including, but not limited to, flash disks, pen drives, key drives, and thumb drives) by ensuring that these devices have no additional software or firmware beyond storage management and encryption, and never knowingly circumvent anti-virus safeguards.

    3. See IRM 10.8.1 for additional requirements.

  6. Employees with a mobile computing device(s) shall follow all requirements as outlined in accordance with IRM 10.8.26.

  7. Employees shall:

    1. Refrain from using Government IT resources for activities that are inappropriate based on established Codes of Ethical Conduct for employees.

    2. Be responsible for their own personal and professional conduct and shall follow, among others, the rules and regulations described below.
      • The Office of Personnel Management (OPM) Employee Responsibilities and Conduct regulations, which state, "An employee shall not engage in criminal, infamous, dishonest, immoral, or notoriously disgraceful conduct, or other conduct prejudicial to the Government" (5 CFR § 735.203).

    3. Adhere to the Office of Government Ethics (OGE) Standards of Ethical Conduct, which state:
      • "Employees shall put forth honest effort in the performance of their duties…" (5 Code of Federal Regulation (CFR) § 2635.101(b)(5)).
      • "…an employee shall not use or permit the use of his Government position or title or any authority associated with his public office in a manner that could reasonably be construed to imply that his agency or the Government sanctions or endorses his personal activities" (5 CFR § 2635.702 (b)).
      • "An employee has a duty to protect and conserve Government Property and shall not use such property, or allow its use, for other than authorized purposes." (5 CFR § 2635.704(a)). Employee conduct pursuant to the IRM policy on limited personal use is considered an "authorized use" of government property as the term is used in 5 CFR § 2635.704(a). See TD 87-04(4)(e) (defining limited personal use).
      • "…an employee shall use official time in an honest effort to perform official duties" and "…in accordance with law or regulation…" (5 CFR § 2635.705).
      • The Department of the Treasury Employee Rules of Conduct state: "Employees shall not engage in criminal, infamous, dishonest, or notoriously disgraceful conduct, or any other conduct prejudicial to the Government." (31 CFR § 0.213).

    4. Ensure that they do not give the false impression that they are acting in an official capacity when they are using Government IT resources for non-government purposes. In addition, they shall not post, disseminate, or otherwise use IRS documents and/or symbols as part of personal documents, Internet sites, or other forms of communication.
      • If there is an expectation that such a personal use could be interpreted to represent an agency, an adequate disclaimer must be used. One acceptable disclaimer is - "The content of this message is mine personally and does not reflect the position of the U.S. Government, the Department of the Treasury, or the IRS."

    5. See IRM 10.8.27 for additional requirements.

Contractor
  1. The provisions of this IRM apply to individuals and organizations having contractual arrangements with the IRS, including contractors, vendors, and outsourcing providers, that use or operate IT systems.

  2. In accordance with Treasury’s TD P 85-01, Contractors (End Users) shall:

    1. Complete cybersecurity awareness training annually and specialized security training as required.

    2. Read, acknowledge, and abide by applicable ethics and appropriate use policies for information systems.

    3. Read, acknowledge, and abide by applicable rules of behavior for information systems.

    4. Read, acknowledge, and abide by applicable guidance regarding use of personally owned equipment to access IRS systems.

    5. Be accountable for IT assets assigned to them and protect those assets in accordance with applicable requirements including ensuring assets are not used by unauthorized individuals when unattended (e.g., logging off, locking).

    6. Know the security category of the data they handle and measures they must take to protect it.

    7. Notify the appropriate IRS contacts of any suspected security incidents in a timely manner, and cooperate in the investigation of such incidents.

    8. Obtain AO approval prior to connecting devices with camera or voice transmission or recording capabilities to IRS systems or networks.

    9. Use IRS email accounts for performance of official duties.
      i. When provided with an IRS workstation (e.g., desktop, laptop) as part of a contract, contractors shall use their IRS workstation and account for all official communication (e.g., email, OCS).

      Note:

      This requirement does not apply to contractors who have not been issued an official IRS workstation.

    10. Not send e-mail messages containing IRS information to non-government owned email accounts, except as required for work-related communications to members of the public or other third parties.

    11. Not forward email messages to non-IRS accounts.

    12. Not automatically forward email messages to non-IRS accounts.

    13. Not knowingly generate or distribute junk email (spam), spyware, adware, or malware via Federal systems or equipment.

    14. Not process or store classified information on an unclassified system.

    15. Appropriately protect all passwords and not store, share (e.g., transmit electronically) or record unencrypted passwords on or near the information systems to which they provide access.
      i. Encryption must be FIPS compliant. See IRM 10.8.1 for additional requirements.

      Note:

      This requirement does not apply to contractors who have not been issued an official IRS workstation.

  3. Contractors shall:

    1. Be instructed on appropriate security procedures before being granted unescorted system access.

    2. Be subject to background investigations at the risk level appropriate to the sensitivity of the position and sensitivity/classification of the data.

    3. Not access sensitive IT systems until they have at least a favorably adjudicated National Agency Check (a component of the full background investigation).

    4. Be responsible for protecting any Personally Identifiable Information (PII) that they have in their possession, whether it is paper-based or in electronic form.

    5. Understand that the provisions and applicable criminal penalties under Public Law 105-35, Taxpayer Browsing Protection Act, also apply to all contractors and contractor employees.

    6. Comply with all executive, legislative and Department of Treasury and IRS security policies and procedures.

    7. Minimize the threat of viruses by write-protecting removable media, routinely scanning files, systems and media for viruses and never circumventing anti-virus safeguards.

    8. Report any suspicious or unusual activity to the appropriate supervisor and CSIRC.

    9. Notify the CSIRC of any suspicious activities that may result in security incidents.

    10. Contact CSIRC (see ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ) in the event of a suspected incident.

    11. Follow directions given from the CSIRC during an incident or as suspicious activities are evaluated.

    12. Not access sensitive/classified IT systems until they have received the in brief for the appropriate clearance for the IT system.

    13. Receive training in acceptable computer security practices prior to system access, if involved with the management, operation, programming, maintenance, or use of IRS information systems.

    14. Receive the same level of information security awareness and training as federal employees. While under contract to the IRS, contractors are responsible for ensuring that their employees are provided appropriate security training (ATE/SATE).

    15. Receive, if they have significant security responsibilities, specialized security awareness training specific to their security role and responsibilities at least annually.

    16. Attend/complete an initial security briefing and acknowledge attendance at the security briefing in writing.

    17. Attend/complete periodic (at least annual) refresher training and briefings.
      Complete any acknowledgements (e.g., UNAX Form 11370).

    18. Thoroughly read and abide by the Rules of Behavior for the systems, as well as associated policies and procedures by which personnel are granted access.

  4. Contractors shall:

    1. Protect Sensitive But Unclassified (SBU) data, including Personally Identifiable Information (PII), contained on IRS IT Systems and other forms of portable media from risk of disclosure or compromise.

    2. Minimize the threat of viruses from portable mass storage devices (including, but not limited to, flash disks, pen drives, key drives, and thumb drives) by ensuring that these devices have no additional software or firmware beyond storage management and encryption, and never knowingly circumvent anti-virus safeguards.

    3. See IRM 10.8.1 for additional requirements.

  5. Contractors with an IRS-issued laptop computer(s) shall follow all requirements as outlined in accordance with IRM 10.8.26.

Database Administrator (DBA)
  1. The Database Administrator (DBA) shall perform all activities related to maintaining a correctly performing and secure database environment. Responsibilities include design (in conjunction with application developers), implementation, and maintenance of the database system as described in IRM 10.8.21 and associated IRMs.

  2. The primary security role of any Database Administrator (DBA) is to administer and maintain database repositories for proper use by authorized individuals.

  3. Individuals assigned security responsibilities for DBMS environments, including the SecSpec and DBA, shall obtain database security technical training necessary to implement the requirements of this IRM. The training shall cover the security features specific to the DBMS products the individuals are required to support.

  4. Database Administrator role accounts shall have the least level of elevated privileges required to perform DBA-related duties and shall not include root or root-level access. DBAs who require the ability to perform certain system administrator functions such as account creation or the editing of system configuration files shall use a separate system administrator role account that provides these capabilities, but shall not receive full system administrator privileges.

    1. DBAs' system administrator accounts with limited privileges shall be monitored and audited in accordance with IRM 10.8.1 and IRM 10.8.3. The implementing organization is required to coordinate this activity with the ACIO Cybersecurity.

  5. At a minimum, the DBA shall:

    1. Establish security for database objects within the database and for the DBMS according to IRS security policies.

    2. Support disaster/recovery planning, documentation and implementation efforts for the database(s).

    3. Establish database points of consistency.

    4. Coordinate with the SA to integrate database backups into the system related backup and recovery, including creating the backups if necessary.

    5. Periodically test backup copies of the databases.

    6. Recover the database to a current or previous state, if necessary.

    7. Recover individual objects (e.g., data rows) to a current or previous state.

    8. Identify database requirements of system resources.

    9. Provide network requirements for the database to the organizations responsible for designing and implementing network services.

    10. Manage the database configuration (e.g., architecture, internal settings) according to the certified and accredited operating system security configuration.

    11. Support Security Assessments and Authorization efforts.

    12. Monitor/manage database performance and capacity.

    13. Monitor user activities where appropriate.

    14. Enable and configure audit logging on all IRS systems in accordance with IRM 10.8.3, and all other applicable configuration IRMs.

Encryption Recovery Agent
  1. Encryption Recovery Agents shall be required for the safe recovery of data, whenever encryption keys are lost or compromised.

  2. The role of Encryption Recovery Agents shall be established in all organizations that administer IT systems with encryption and resources.

  3. Business and functional unit owners shall establish policies and procedures for the administration of recovery agents for all IT environments.

  4. In accordance with NIST Special Publication 800-57, Recommendation for Key Management – Part 1: General (Revision 3) (dated July 2012), Encryption Recovery Agents shall be responsible for:

    1. The keying material that needs to be saved for a given application.

    2. How and where the keying material would be saved.

    3. Who shall be responsible for protecting the Key Recovery Information (KRI), whether it be an individual or an external organization.

    4. Who can request key recovery and under what conditions.

    5. What audit capabilities and procedures would be included in the Key Recovery System (KRS), including a policy which identifies the events to be audited.

    6. How the KRS would deal with aged keying material or the destruction of the keying material.

    7. Who would be notified when keying material is recovered and under what conditions.

    8. The procedures that need to be followed when the KRS or some portion of the data within the KRS is compromised.

  5. The Encryption Recovery Agent shall provide support during key recovery procedures.

Network Administrator
  1. Network Administrators (NAs) shall be responsible for the day-to-day administration of the network devices under their purview.

  2. At a minimum, the NA shall:

    1. Configure network device parameters within the documented security standards, using the applicable IRMs, policies and system life cycle documentation.

    2. Ensure the proper installation, testing, protection and use of network device software, including installing network software fixes and upgrades.

    3. Maintain the configuration of wireless networks or network devices under his/her control in accordance with the requirements of IRM 10.8.40, Wireless Security.

    4. Enable and configure audit logging on all IRS systems in accordance with IRM 10.8.3, and all other applicable configuration IRMs.

    5. Maintain current documentation that properly defines the hardware and software configuration of the network devices and connections for which they are responsible.

    6. Ensure inventories are accurately maintained.

    7. Recommend and implement processes, changes and improvements to programs, procedures and network devices.

    8. Monitor network performance, perform network diagnostics, and analyze network traffic patterns.

    9. Support disaster recovery planning, documentation, and implementation efforts for the network.

  3. The NA shall support CSIRC efforts and security incident handling.

  4. The NA shall apply patches and hot fixes as directed, following configuration management policies and procedures. Refer to IRM 10.8.50 for further information concerning security patch management.

Program Developer/Programmer
  1. Program Developers/Programmers shall be responsible for the development, testing and maintenance of application programs.

  2. At a minimum, Program Developers/Programmers shall:

    1. Develop application programs in accordance with established organizational policies and procedures.

    2. Develop application programs in accordance with IRM 10.8.1 and IRM 10.8.6.

    3. Adhere to IRS Configuration Management (CM) practices and the ELC requirements.

    4. Create installation scripts, processes, and instructions for production organizations to utilize. The developer shall incorporate feedback mechanisms into the installation processes as needed.

Web Developer
  1. The Web Developer shall be responsible for:

    1. Development of Web sites and applications, including creating/manipulating/implementing graphic images and formulating documentation for Web sites and Web applications in accordance with IRM 10.8.1.

    2. Formulating specification requirements, producing level of effort estimates, providing informational support to security certifications, and performing Web server and Web application server project planning, scheduling, and testing.

    3. See IRM 10.8.22 for additional requirements.

Resource Access Control Facility (RACF) Specialist
  1. A System Software RACF Specialist is in the System Administrator (SA) role with a subset of the generic System Administrator (SA) responsibilities. The System Software RACF Specialists, in coordination with the operating system program developer(s), systems operations staff, and the RACF Security Administrator (RSA), shall identify and install all critical system resources, components, data sets, and connections which are to be protected by RACF. The RACF software specialist works with the RSA to determine the appropriate access control levels and monitoring requirements for system resources by:

    1. Configuring system parameters within the documented security standards, using the applicable IRMs and system life cycle documentation.

    2. Maintaining current documentation that properly defines the technical hardware and software configuration of system and network connections.

    3. Starting up and shutting down the system.

    4. Ensuring regular backups, recovery tests, and other associated contingency planning responsibilities for systems are performed.

    5. Monitoring system/user access for performance concerns.

    6. Performing application management activities.

  2. The RACF Security Administrator (RSA) functions within the SA role and shall work with the System Software RACF Specialist to perform the initial setup of the RACF system and maintain user/group access profiles. The RSA has overall responsibility for all security matters within RACF. The subset of generic SA responsibilities shall include at a minimum:

    1. Establishing and maintaining least privilege user roles and the role based access matrix outlining the access for each role.

  3. RACF Group Administrator functions within the SA role with the same generic SA responsibilities as the RSA. Distributed security administration is allowed, but not required. RACF Group Administrators shall have overall responsibility for all security matters within the scope of their group.

  4. RACF User Administrator functions within the user administrator role. (Refer to the User Administrator (UA) section of this IRM for general requirements). RACF User Administrators (RUA) shall perform user account administration under the direction of a RSA or RACF Group Administrator.

    1. Establishing the RACF User Administrators using the OL 5081 process for user administration requests, while routing the request to the appropriate non-SA (e.g., Account Administrator staff or other user administrator) for processing.

  5. RACF System or Group Auditor functions within the SecSpec role. (Refer to the Security Specialist (SecSpec) section of this IRM for general requirements). In order to provide a system of checks and balances, independent auditor(s) are assigned at the system or user group level and shall review user activities in areas where they perform no activities relating to administration, programming, or security administration.

  6. In the mainframe environment, the RACF software specialist installs the RACF product and identifies security critical system resources. The RSA shall have the responsibility for maintaining RACF resource profiles and user roles.

  7. See IRM 10.8.32, Information Technology (IT) Security, IBM Mainframe System Security Requirements for additional requirements.

Security Specialist (SecSpec)
  1. The SecSpec shall be responsible for reviewing all activities of the SAs, NAs, DBAs, anyone responsible for the operation or administration of IT equipment, anyone involved with user administration, such as the EAA staff, and all other users to ensure they are compliant with security requirements.

  2. The SecSpec shall oversee any and all user (e.g., system, database, application, etc.) administration regardless of how or who performs it.

  3. Additionally, the SecSpec shall:

    1. Ensure the site contingency plans remain up-to-date in response to new security requirements or changes in the IRS IT architecture.

    2. Conduct and support all security reviews of IRS systems and networks.

    3. Provide or recommend security measures and countermeasures based on the security reviews and security policies.

    4. Upon management request, review individual users' access, verifying that it is the least privilege necessary to perform their jobs.

    5. Inspect and monitor user files, as directed by management.

    6. Conduct security audits, verifications and acceptance checks, while maintaining documentation on the results.

    7. Promote security awareness and compliance.

    8. Report security incidents including those discovered while reviewing audit logs/trails.

    9. Assist with developing a deviation request, such as by interpreting policy to determine whether a deviation is required and assisting with the risk assessment and possible mitigations.

  4. The SecSpec shall review all types of audit logs/trails and observe system activity at least weekly in order to:

    1. Ensure integrity, confidentiality and availability of information and resources.

    2. Detect inappropriate user and system actions that could be construed as security incidents.

    3. Investigate possible security incidents.

    4. Monitor user or system activities where appropriate.

  5. A SecSpec shall not perform system/security administration on any system/platform/application, etc.

  6. The SecSpec shall have read-only access to system resources and shall not modify audit settings.

  7. SecSpecs shall:

    1. Be familiar with the requirements and procedures specified in IRM 10.8.3 and its exhibits.

    2. Notify their management of any implementation discrepancies between the requirements of IRM 10.8.3 and the actual audit logging status of systems that the SecSpecs support.

    3. Follow any applicable organizational-level incident reporting procedures (such as contacting management, system administrators, or the Computer Security Incident Response Center) in the event that evidence of suspicious activity is discovered in the course of reviewing security audit log information.

    4. See IRM 10.8.3 for additional requirements.

  8. The IT SecSpec shall be concerned with the security and integrity of the database and responsible for:

    1. Obtaining database security technical training necessary to implement the requirements of this IRM. The training shall cover the security features specific to the DBMS products the individuals are required to support.

    2. Ensuring that the requirements of IRM 10.8.1 and IRM 10.8.21 are met.

    3. Ensuring that DBAs, System Administrators (SAs), and others having daily operational responsibilities for IRS databases comply with the security requirements of IRM 10.8.21. In general, the SecSpec is not expected to personally implement the requirements, but rather ensure that others do so.

    4. Reporting IRM non-compliance issues initially to DBAs and SAs for resolution, and escalating non-compliance reporting to IRS management officials (such as the ISSO and Information System Owner) as necessary to bring systems into compliance with IRM 10.8.21.

    5. See IRM 10.8.21 for additional requirements.

  9. The IT SecSpec shall be concerned with the security and integrity of Linux/Unix servers, workstations and devices, and be responsible for:

    1. Review all activity of administrators and those responsible for administration of IT equipment.

    2. Ensure that SAs and others having daily operational responsibilities for IRS Linux/Unix servers and workstations comply with the security requirements of this IRM. The SecSpec is not expected to personally implement the requirements but shall ensure that others do so.

    3. Report Windows IRM non-compliance issues initially to Information System Owner and SAs for resolution, and escalate non-compliance reporting to IRS management officials as necessary to bring systems into compliance with IRM 10.8.20.

    4. Not have operating system administrator privileges.

    5. See IRM 10.8.10 for additional requirements.

  10. IT SecSpecs shall be concerned with the security and integrity of Windows servers, workstations and devices, and be responsible for:

    1. Review all activity of administrators and those responsible for administration of IT equipment.

    2. Ensure that SAs and others having daily operational responsibilities for IRS Windows servers and workstations comply with the security requirements of this IRM. The SecSpec is not expected to personally implement the requirements but shall ensure that others do so.

    3. Report Windows IRM non-compliance issues initially to Information System Owner and SAs for resolution, and escalate non-compliance reporting to IRS management officials as necessary to bring systems into compliance with IRM 10.8.20.

    4. Not have operating system administrator privileges.

    5. See IRM 10.8.20 for additional requirements.

  11. IT SecSpecs shall be concerned with the security and integrity of Web application servers and be responsible for:

    1. Ensure that the requirements of IRM 10.8.22 are met.

    2. Ensure that SAs and others having daily operational responsibilities for IRS Web servers and Web application servers comply with the security requirements of IRM 10.8.22.

    3. Report IRM non-compliance issues initially to Information System Owner and SAs for resolution, and escalate non-compliance reporting to IRS management officials as necessary to bring systems into compliance with IRM 10.8.22.

    4. See IRM 10.8.22 for additional requirements.

  12. Support Security Assessments and Authorization efforts: controls testing (monthly and annual), contingency testing, documentation development, POA&M weakness correction, and ongoing security vulnerability remediation efforts.

System Administrator (SA)
  1. System Administrators (SAs) shall be technicians who administer, maintain, and operate information systems. They are responsible for implementing technical security controls on computer systems and for being familiar with security technology that relates to their system.

  2. At a minimum, (non-RACF) SAs shall:

    1. Add, remove, and maintain system users, and configure their access controls to provide the users necessary access with least privilege, as defined for each user in the OL 5081.

    2. Provide lists of system users for systems under their control to the appropriate users' managers and appropriate SecSpecs for review, update, and certification.

    3. Configure system parameters within the documented security standards, using the applicable IRMs and system life cycle documentation.

    4. Maintain current documentation that properly defines the technical hardware and software configuration of system and network connections for systems for which they are responsible.

    5. Ensure the proper installation, testing, protection, and use of system and application software.

    6. Install and manage application server software including development tools and libraries, software compilers, code builds, and middleware interfaces between servers and application servers and back-end storage media in accordance with IRM 10.8.6.

    7. Install and manage servers and workstation software in accordance with the applicable IRM for the OS in use.

    8. Start up and shut down the system.

    9. Perform regular backups and recovery tests and other associated contingency planning responsibilities for systems for which they are responsible.

    10. Enable, configure, and archive audit logs/trails and system logs for review by the SecSpecs for all IRS systems in accordance with IRM 10.8.3, and all other applicable configuration IRMs.

    11. Monitor system/user access for performance and security concerns.

    12. Establish conditions on the system so that other operational entities can perform application management activities.

    13. Run various utilities and tools in support of the SecSpecs.

  3. The SA shall be responsible for supporting the SecSpec's needs for read access to system resources as defined in the access control request (e.g., OL 5081).

  4. The SA shall support techniques that allow non-SAs to perform user administration in a controlled and limited manner while still managing access to system resources and other directories and files.

  5. The use of non-SAs for user administration shall be documented in the Computer Operations Handbook or equivalent for the system/application and in the Security Assessments and Authorization documentation for the relevant GSS and application.

  6. The use of non-SAs for user administration shall be established via a Memorandum of Agreement (MOA) and accepted by the involved AOs.

  7. Depending on the environment, the SA may perform user support for password issues. This can include (but is not limited to) resetting or issuing a new password when the user forgets the current one or locks the account.

  8. The SA shall support CSIRC efforts and security incident handling.

  9. The SA shall install security patches in a timely and expeditious manner based on CSIRC’s criticality designation.

  10. The SA shall apply patches and hot fixes as directed, following configuration management policies and procedures, and contact the IRS Information Technology Cybersecurity organization for further information concerning security patch management.

  11. The SA shall support ISCP and DR Plan development and accuracy.

Systems Operations Staff
  1. The role of the Systems Operations Staff is assigned to the IRS, Enterprise Operations organization.

  2. Systems Operations Staff shall:

    1. Safeguard equipment, data, and magnetic media during day-to-day performance of their duties.

    2. Be able to perform System Administrator (SA) duties delegated to them by the SA, with associated least privilege permissions to perform those functions.

Telecommunications Specialist
  1. The role of Telecommunication (Telecomm) Specialist is assigned to the IRS, User and Network Services Organization (UNS).

  2. The UNS organization is responsible for providing communications services, including voice, data, video, and fax service.

  3. The Telecomm Specialist shall be responsible for the management of the communication systems in compliance with IT security policy and federal regulations.

  4. The Telecommunications Specialist shall support ISCP and DR Plan development, accuracy, documentation, and implementation efforts for their system(s).

User Administrator (UA)
  1. The User Administrator (UA) role pertains only to organizations (e.g., Enterprise Service Desk - Enterprise Account Administration (ESD-EAA), etc.) that provide the service.

  2. The UA shall have no more capability than appropriate to establish a user on a system or to establish a user within an application.

  3. The UA shall use the IRS approved access control (e.g., OL 5081) process.

  4. An SA or NA establishing user access does not assume this role.

Integrated Data Retrieval System (IDRS) Security Analyst
  1. In 2009, to help ensure proper separation of duties, IDRS security user and unit account administration migrated from Cybersecurity Operations to the Enterprise Operations, Operational Security Program Management Office (EOPSOSPMO). Cybersecurity Operations will continue to perform IDRS security policy support and oversight related tasks.

  2. The IDRS Security Officer role has been replaced with two new roles:

    1. The IDRS Security Account Administrator performs the user and unit account administration tasks previously performed by the IDRS Security Officer.

    2. The IDRS Security Analyst performs the policy support and oversight tasks previously performed by the IDRS Security Officer.

  3. The IDRS Security Analyst performs IDRS security policy support and oversight related tasks for IDRS campus domains and/or IDRS computing centers.

  4. The Integrated Data Retrieval System (IDRS) Security Analyst shall be a non-bargaining unit employee who is a member of the Cybersecurity Operations staff.

  5. For additional related responsibilities, refer to IRM 10.8.34.

Integrated Data Retrieval System (IDRS) Security Account Administrator
  1. In 2009, to help ensure proper separation of duties, IDRS security user and unit account administration migrated from Cybersecurity Operations to the Enterprise Operations, Operational Security Program Management Office (EOPSOSPMO). Cybersecurity Operations will continue to perform IDRS security policy support and oversight related tasks.

  2. The IDRS Security Officer role has been replaced with two new roles:

    1. The IDRS Security Account Administrator performs the user and unit account administration tasks previously performed by the IDRS Security Officer.

    2. The IDRS Security Analyst performs the policy support and oversight tasks previously performed by the IDRS Security Officer.

  3. The IDRS Security Account Administrator performs tasks relating to the administration of IDRS user and unit accounts.

  4. The IDRS Security Account Administrator shall be a non-bargaining unit employee who is a member of the Security Operations & Standards Division (EOPS-SOSD) staff.

  5. To help ensure proper separation of duties, the IDRS Security Account Administrator shall not simultaneously serve as Computing Center IDRS Security Administrator.

  6. The IDRS Security Account Administrator shall maintain a current list of Unit Security Representatives (USRs), alternate USRs, Terminal Security Administrators (TSAs), managers, and the designated Primary Recipients for all IDRS units in the IDRS Unit and USR Database (IUUD). To the extent practical, this listing should be complete and accurate and include at least the following information:

    1. Name

    2. SEID

    3. Division business unit

    4. Name of unit or function

    5. IDRS unit number(s) covered

    6. Telephone number

    7. IDRS unit security role

    8. Business mailing addresses

    9. Whether command code ASNPW is in the individual’s profile.

  7. For additional related responsibilities, refer to IRM 10.8.34.

Computer Audit Specialist
  1. The Computer Audit Specialist (CAS) security role, which is specific to IRS business units (e.g., Large Business and International (LB&I)), shall be responsible for working with taxpayer records and putting those records into a format usable by team members. These formats may be unique to the taxpayer and may involve the use of many different tools and programs.

  2. CAS shall load, run and configure software and services on machines to meet examination objectives. This may require them to add and remove device drivers and install/uninstall various programs as needed to work with the taxpayer records.

  3. CAS shall have the ability to add, configure, and remove software. This will allow them to run multiple types of audits whose software packages may not be compatible with one another and, as a result, cannot be installed and loaded onto a particular system simultaneously.

Functional Workstation Specialist
  1. The Functional Workstation Specialist's responsibilities shall include, but not be limited to, the following:

    1. Have a full analytical and operational knowledge of specific software applications in order to resolve systemic & procedural problems and user errors, thereby enabling the user to perform all tasks related to their jobs.

    2. Have a working knowledge of operating systems, protocols, and equipment used in business customer organizations.

    3. Have a working knowledge of methods and practices for troubleshooting, recovering, modifying, and improving application files.

    4. Utilize extensive problem solving skills and limited elevated permissions in order to diagnose and troubleshoot application problems in the performance of customer support.

    5. Have a working knowledge of all BOD processes including field, support functions and the Campuses.

    6. Act as a liaison between the Area/Territory Offices, Campus, and National Office.

    7. Provide both oral and written communication to all users’ levels (including Area Managers, Territory Managers, Group Managers, etc.).

    8. Coordinate activities relating to the security posture of the application with responsible business units and IRS Information Technology (UNS, EOPS, AD) staff.

    9. Forward problem descriptions to the appropriate personnel as these individuals are often the first to encounter application problems.

    10. Coordinate reporting within the Business Unit to ensure workstations are in compliance for consistency purposes.

    11. Be able to perform in an instructor capacity by conducting training and security awareness programs.

    12. Educate & communicate to end users security awareness and practices in the context of performing these and other tasks.

    13. Analyze and evaluate the effectiveness of system operations and make recommendations to correct deficiencies. Develop plans, goals, & objectives for long-range implementation and administration of program activity.

    14. Ensure adequate physical security controls are implemented at the workstation level.

    15. Provide technical direction to users who ensure the confidentiality, integrity, and availability of the tax systems.

    16. Consult with users to ensure they have applied patches and hot fixes as directed following configuration management policies and procedures in compliance with the IRM for purposes of application support.

    17. Escalate IT security matters to the respective party(s) as defined in local guidance.

    18. Have general knowledge of Disaster Recovery/Contingency Planning terminology and concepts.

Management/Program Analyst
  1. The Management/Program Analyst, in support of meeting FISMA requirements, shall:

    1. Perform analytical studies affecting agency program operations.

    2. Analyze and evaluate the effectiveness of program operations and make recommendations to correct deficiencies.

    3. Develop plans, goals, & objectives for long-range implementation and administration of program activity.

System Designer
  1. System Designers shall be responsible for developing, implementing, and monitoring policies and controls to ensure data accuracy, security, and legal and regulatory compliance throughout the system lifecycle.

  2. System Designers shall assist in the:

    1. Review and approval of products to ensure they incorporate and meet IRS security requirements.

    2. Planning, documentation and integration of security into a system’s lifecycle from its initiation to its disposal phases.

  3. System Designers shall be responsible for identifying IT assets and determining their value in order to establish priorities for implementing security safeguards.

  4. System Designers (a.k.a. System Developers) shall ensure Security Testing and Evaluations (ST&E) are conducted during the different stages of a system’s life cycle in accordance with IRM 10.8.1 (e.g., SA-11 Developer Security Testing and Evaluation) and NIST SP 800-64, Security Considerations in the System Development Life Cycle.

    1. See IRM 10.8.1 (e.g., SA-11 Developer Security Testing and Evaluation) for additional ST&E requirements.

  5. System Designers shall consult and collaborate with the IRS Enterprise Architect and the relevant Information System Security Engineer (ISSE) and ISSO whenever designing new system and/or sub-system functionality.

Technical Support Staff (Desktop)
  1. The Technical Support staff shall educate end-users in security procedures and practices in the context of performing their tasks.

Physical Security Analyst
  1. The Physical Security Analyst is responsible for the support, implementation, oversight and management of physical security controls across the IRS, including integration with applicable information security controls. The Physical Security Analyst is considered an “expert” in Physical Security standards and guidance.

  2. The Physical Security Analyst supports the Director, Physical Security and Emergency Preparedness.

  3. The Physical Security Analyst shall:

    1. Review, develop, implement, and monitor the organization’s Physical Security Programs, to include appropriate controls for alternate work sites.

    2. Review organizational implementation and monitoring of access controls (i.e., authorization, access, visitor control, transmission medium, display medium, logging) to ensure they are in accordance with NIST, Treasury and IRS Physical Security standards and guidance.

    3. Coordinate organizational environmental controls (i.e., ongoing and emergency power support and backups, fire protection, temperature and humidity controls, water damage).

    4. Review and oversee controls for delivery and removal of assets.

Physical Security Specialist
  1. The Physical Security Specialist is responsible for the implementation and oversight of physical security controls across the IRS, including integration with applicable information security controls.

  2. The Physical Security Specialist supports the Physical Security Analyst.

  3. The Physical Security Specialist shall:

    1. Review, develop, promulgate, implement, and monitor the organization’s Physical Security Programs, for the protection of employees, equipment and property at all IRS facilities.

    2. Review organizational implementation and monitoring of access controls (i.e., authorization, access, visitor control, transmission medium, display medium, logging) to ensure they are in accordance with NIST, Treasury and IRS Physical Security standards and guidance.

Cyber Critical Infrastructure Protection (CIP) Coordinator
  1. The Cyber Critical Infrastructure Protection (CIP) Coordinator is designated by the CIO/CTO. In this role, the IRS Cyber CIP Coordinator shall:

    1. Act as the primary point of contact for addressing IRS CIP issues with Treasury.

    2. Participate in CIP Assessments of critical infrastructure for the IRS.

    3. Maintain a prioritized list of critical infrastructure for the IRS.

    4. Participate in all CIP Working Group meetings.

    5. Provide coordination and collaboration among stakeholders on all IRS Cyber CIP activities.

    6. Determine the IRS Cyber Security Program status relative to the Plan’s objectives.

Organization/Functional Roles and Responsibilities
  1. This section provides functional roles and responsibilities for personnel who have security related responsibility for the protection of information systems they operate, manage and support. These roles are defined in accordance with FISMA, NIST, OMB, TD P 85-01 and IRS Policy and Guidelines.

IRS Information Technology Cybersecurity Organization
  1. In collaboration with the Business and Functional Unit Owner, the IRS Information Technology Cybersecurity organization shall:

    1. Develop, publish, and disseminate security policy.

    2. Develop security controls for systems and applications.

    3. Conduct annual testing of the systems and applications.

    4. Test and validate the effectiveness of corrective actions.

    5. Ensure ISCP and DR requirements are addressed for all applications and systems owned by IRS Information Technology Cybersecurity organization.

    6. Implement corrective actions and validate fixes to mitigate vulnerabilities assigned to IRS Information Technology Cybersecurity.

    7. Create and implement configuration management plans that control changes to systems and applications during development.

    8. Track security flaws, require authorization of changes, and provide documentation of the configuration management plan and its implementation.

  2. For DR and ISCP, the IRS Information Technology Cybersecurity organization shall:

    1. Jointly develop the detailed content of each DR plan to include recovery of the system, the application, and the associated data, including all platforms applicable to the system/application.

    2. Ensure requirements, priorities, recovery times, and costs of each DR plan are appropriate and achievable.

    3. Support the exercise of the ISCP.

    4. Ensure maintenance and update to the content of the DR plans by BU.

    5. Support procurement activities to enhance DR capabilities to meet stated business objectives.

    6. Ensure DR equipment located at recovery locations for the business units are maintained.

    7. Ensure establishment of DR location(s) based on FISMA, NIST, and IRS DR policy and requirements.

    8. Ensure offsite storage of data needed for recovery and ongoing backup of data.

    9. Establish a schedule and notify IRS Information Technology Cybersecurity and the impacted BU of the schedule for coordinating ISCP/DR exercises and tests throughout the year.

    10. Annually test each major system and establish DR testing priorities.

    11. Work with business units and IRS Information Technology Cybersecurity organization to resolve (if possible) issues identified during DR testing or document reasons/risk/impact.

    12. Refer to IRM 10.8.60.

  3. IRS Information Technology Cybersecurity organization shall:

    1. Develop security controls for systems and applications.

    2. Maintain and disseminate IRM 10.8.3.

    3. Establish sufficient controls to ensure equipment is used appropriately.

    4. Ensure evidence is preserved for potential prosecution in lieu of immediate eradication; detailed instructions from CSIRC (or possibly TIGTA) shall be given to SAs, network administrators (NAs), and other key personnel on how to preserve the evidence.

    5. See IRM 10.8.3 for additional requirements.

  4. The IRS Information Technology organization shall notify the CSIRC of suspicious activities and shall comply with CSIRC directions.

    1. The IRS Information Technology organization shall comply with its internal configuration management requirements.

    2. The IRS Information Technology organization shall perform containment activities.

IRS Information Technology User and Network Services Organization (UNS)
  1. IRS Information Technology User and Network Services Organization (UNS) shall administer the firewall devices comprising the perimeter firewall environment.

    1. See IRM 10.8.54 for additional requirements.

  2. The UNS, Engineering and Capacity Management (EC&M) shall design the IRS network perimeter Demilitarized Zone (DMZ), including firewall requirements, and work directly with IRS Information Technology (UNS), Network Operations Support Services (NOSS) on its implementation and maintenance.

  3. The IRS Information Technology NOSS shall ensure that the IRS minimum firewall requirements and policies are met.

  4. The IRS Information Technology NOSS shall provide administration, operation and maintenance (OA&M) for the firewall devices comprising the perimeter firewall environment. This includes, but is not limited to:

    1. Implementing CSIRC-approved Firewall Change Requests (FCRs).

    2. Troubleshooting access problems.

    3. Applying security patches and software updates.

    4. Refreshing hardware.

    5. Securing maintenance contracts.

  5. The Information System Owner for IRS Information Technology User and Network Services Organization (UNS) shall:

    1. Be responsible for notifications and routing of information to the appropriate organizational points-of-contact (POCs).

    2. Notify CSIRC of any Knowledge Incident/Problem Service Asset Management (KISAM) ticket needing CSIRC’s attention.

    3. Notify CSIRC for a user’s problem that originated with the Enterprise Service Desk.

    4. Report suspicious activity or incidents.

  6. The IRS Information Technology (UNS), Network Operations Management (NOM) shall monitor the "up/down" status of the network and firewall devices in the IRS network perimeter DMZ.

Computer Security Incident Response Center (CSIRC)
  1. In accordance with FISMA (§ 3546), Computer Security Incident Response Center (CSIRC) shall:

    1. Provide timely technical assistance to operators of agency information systems regarding security incidents, including guidance on detecting and handling information security incidents.

    2. Compile and analyze information about incidents that threaten information security.

    3. Inform operators of agency information systems about current and potential information security threats, and vulnerabilities.

    4. Consult with NIST, agencies or offices operating or exercising control of national security systems (including the National Security Agency), and such other agencies or offices in accordance with law and as directed by the President regarding information security incidents and related matters.

  2. CSIRC shall operate and maintain a wireless intrusion detection system.

    1. See IRM 10.8.40 for additional requirements.

  3. In accordance with TD P 85-01 CSIRC shall:

    1. Define relevant patches, prompt their implementation, and report their disposition.

    2. Designate which patches are security-related patches subject to service-wide security patch management policies and procedures.

    3. Notify IRS management of critical vulnerabilities and patches to facilitate timely actions.

    4. Review various sources for security-related system and application patches.

    5. Coordinate with external (to IRS) organizations to remain current on known vulnerabilities, exploits, and patches.

    6. Publish vulnerability alerts, advisories, and bulletins on the CSIRC web site, http://www.csirc.web.irs.gov/. See Exhibit 10.8.50-1 for a sample advisory.

    7. Provide the PVG with educational materials and information for distribution.

    8. Maintain a Security Notification Mailing List, which includes the email addresses of all PVG members and other designated personnel.

    9. Support Business and Functional Unit Owners by creating risk management plans for vulnerabilities that do not have patches or when patches cannot be applied.

    10. Assist Business and Functional Unit Owners with patch implementation process.

    11. Maintain a Patch Inventory.

    12. Assign a severity level and associate an implementation schedule with each advisory.

    13. Follow the procedures in this policy for advisory processing.

    14. Chair the PVG.

    15. Send approved advisories as email messages to the PVG members. The email subject line of an advisory shall contain: IRS Patch Advisory <Advisory Number> <Alert Level> <Color Code> <Title>.

    16. See IRM 10.8.1 and IRM 10.8.50 for additional requirements.

  4. CSIRC shall:

    1. Establish and manage the IRS computer security incident handling capability.

    2. Establish and maintain the policies for the IRS security incident handling capability.

    3. Have four basic functions defining the Incident Management Lifecycle:
       • Prevention
       • Detection
       • Response
       • Reporting

    4. Track and document information system security incidents on an ongoing basis.

    5. Actively and continuously monitor IT resources, to include but not limited to firewalls, wireless, network-based and host-based intrusion detection systems (IDSs) and event records, watching for suspicious cyber activities (termed, "suspicious activities," within IRM 10.8.1).

    6. Conduct offline/passive monitoring of logs from IDSs, firewalls, Web servers, and critical hosts, watching for possible security incidents.

    7. Inform Treasury Inspector General for Tax Administration (TIGTA) of suspected criminal activities, following established procedures in the MOU with TIGTA.

    8. Perform routine vulnerability assessments (announced and unannounced). Note: These assessments include active/passive monitoring, system and network scanning to support Security Assessments and Authorization processes, etc.

    9. Serve as front line/1st tier support for security alerts.

    10. Perform initial analyses to determine validity, applicability, impact, and risks from potential security incidents.

    11. Record all detected intrusion attempts and report such events.

    12. Ensure that forensic evidence is properly collected and retained when investigating computer and network security incidents.

    13. Promptly report incident information to appropriate authorities.

    14. Maintain an Incident Handling Contact List of personnel that are involved in security incident handling activities. The list shall include the contacts' various pager and phone numbers so they can be reached in the event of a security incident.

    15. Employ automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.

    16. Maintain all incident reports in an incident database. (For electronic reporting, the original messages will be retained. For telephonic reporting, the analyst who answered the phone will prepare a summary and enter it into the database. For each incident, the database record will include the date and time the report was received, the person who submitted the report, the handling analyst, and the original message or a summary.)

    17. Develop a plan to acquire the data used for analysis.

    18. Create a plan (i.e., Data Acquisition Plan) that prioritizes the sources, establishing the order in which the data should be acquired.

    19. Respond to Government Forum of Incident Response Teams (GFIRST) surveys that are of an incidental or routine administrative nature.

    20. Not respond to GFIRST surveys inquiring as to the status of Treasury systems, whether certain remediation actions have taken place, future security budget plans, and the like.

    21. Participate in an MOA/MOU with the Situation Awareness Management Center (SAMC).

    22. Establish an MOA/MOU with the Treasury Inspector General for Tax Administration (TIGTA) to: establish formal custody transfer procedures for forensic evidence; and establish reporting procedures for incidents.

    23. See IRM 10.8.1 for additional requirements.

  5. CSIRC shall:

    1. Establish and manage the IRS minimum firewall administration requirements.

    2. Oversee and approve all rule sets for the IRS Network perimeter firewall environments.

    3. Review and concur with IRS Information Technology organization DMZ efforts.

    4. Develop and maintain an audit plan, in accordance with IRM 10.8.3, to document what traffic will be logged.

    5. See IRM 10.8.54 for additional requirements.

Situation Awareness Management Center (SAMC)
  1. The Situation Awareness Management Center (SAMC) shall:

    1. Process physical security incidents.

    2. Establish an MOA/MOU with the CSIRC to establish notification procedures for when either organization discovers an incident that affects the other; ensure information is recorded in the incident database for both incidents; and ensure shared staff meet the requirements of each organization.

    3. See IRM 10.8.60 for additional requirements.

IRS Patch and Vulnerability Group (PVG)
  1. IRS Patch and Vulnerability Group (PVG) shall:

    1. Facilitate the identification and distribution of patches in accordance with NIST SP 800-40.

    2. Inventory the organization’s IT resources to determine which hardware equipment, operating systems, and software applications are used within the organization.

    3. Monitor security sources for vulnerability announcements, patch and non-patch remediations, and emerging threats that correspond to the software within the PVG’s system inventory.

    4. Prioritize the order in which the organization addresses remediating vulnerabilities.

    5. Create a database of remediations that need to be applied organization-wide.

    6. Conduct testing of patches and non-patch remediations on IT devices that use standardized configurations.

    7. Oversee vulnerability remediation.

    8. Distribute vulnerability and remediation information to local administrators.

    9. Perform automated deployment of patches to IT devices using enterprise patch management tools.

    10. Configure automatic update of applications whenever possible and appropriate.

    11. Verify vulnerability remediation through network and host vulnerability scanning.

    12. Train administrators who apply vulnerability remediations on how to apply them appropriately.

      Note:

      This group may be an independent entity, or its duties may be performed by existing group(s) (e.g., Configuration Control Boards, Executive Steering Committees, etc.).

    13. See IRM 10.8.50 for additional requirements.

Roles That Require Specialized Training

To help ensure that the appropriate number of training hours is addressed, the list includes the minimum number of security-relevant specialized training hours required per role. Individuals who serve in multiple roles are required to complete the highest of the required hours for each of the roles in which the individual serves. For example, if an individual serves in three roles with hourly requirements of 4, 4, and 8 hours respectively, the individual will have to complete, at a minimum, 8 hours of specialized training.

i. Roles with direct impact on system security (e.g., ISSOs) require 8 hours of specialized training.
ii. Roles with ancillary impact on system security (e.g., Help Desk Personnel) require 4 hours of specialized training.

Note:

The roles and specialized training hours listed come from TD P 85-01 Appendix H.

Roles | Minimum Required Specialized Training Hours
Chief Information Officer (CIO)/Chief Technology Officer (CTO) | 4
Senior Agency Information Security Officer (SAISO)/Chief Information Security Officer (CISO) | 8
Authorizing Official (AO) | 4
System Owner | 4
Information Owner | 4
Information System Security Officer (ISSO) | 8
Certification Agent | 4
Information System Security Manager (ISSM) - Oversees the cybersecurity program of an information system(s). The ISSM often works closely with the ISSO. | 8
Cybersecurity Policy and Guidance Personnel - Individuals responsible for developing and/or maintaining cybersecurity policy. | 8
Incident Analyst/Handler/Responder/Investigator - Individuals responsible for providing security operations center services to part or all of an organization. An individual with this role may or may not be a member of an incident response team (bureau CSIRC). | 8
Contracting Officer’s Representative for IT Contracts - Individuals | 4
Network Administrator - Individuals with the responsibility of oversight and management of a network, including implementation of security requirements. | 8
System Administrator - Individuals with the responsibility of oversight and management of a system, including implementation of security requirements. | 8
Database Administrator - Individuals with the responsibility of oversight and management of a database, including implementation of security requirements. | 8
System Programmer/Developer | 4
Quality Assurance Personnel - Individuals responsible for ensuring the quality of an information system(s) and/or its data. | 4
Change Management Personnel - Individuals with change management (patching, configuration changes, functionality changes, etc.) responsibilities. | 4
Help Desk/IT Services Personnel - Individuals who are part of the Help Desk or IT Services staff. | 4

Glossary

A

Access Control - The process of granting or denying specific requests:

1) For obtaining and using information and related information processing services.

2) To enter specific physical facilities (e.g., Federal buildings, military establishments, and border crossing entrances).

Accountability - The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

Asset - A major application, GSS, high impact program, physical plant, mission critical system, or a logically related group of systems.

Audit - An independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and procedures, and to recommend necessary changes in controls, policies, or procedures; or a comprehensive assessment and report on the financial condition and/or the results of performance of a government entity, program, or related activity.

Authentication - Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

Availability - The ability to access a specific resource within a specific time frame as defined in the IT product specification. The availability of an IT system allows accessibility and usability upon demand by an authorized entity. This state is the prevention of the unauthorized withholding of information or resources.

Awareness - Activities which seek to focus attention on information security or a set of security issues. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. Awareness relies on reaching broad audiences with attractive packaging techniques.

B, C

Campus IDRS Security Officer - The Campus IDRS Security Officer role no longer exists. In 2009, to help ensure proper separation of duties, IDRS security user and unit account administration migrated from Cybersecurity Operations to the Enterprise Operations, Operational Security Program Management Office (EOPS-OSPMO). Cybersecurity Operations will continue to perform IDRS security policy support and oversight related tasks. The IDRS Security Officer role has been replaced with two new roles:

a. The IDRS Security Account Administrator performs the user and unit account administration tasks previously performed by the IDRS Security Officer.

b. The IDRS Security Analyst performs the policy support and oversight tasks previously performed by the IDRS Security Officer.

Certificate - A digital representation of information which at least:

1) Identifies the certification authority issuing it.

2) Names or identifies its subscriber.

3) Contains the subscriber’s public key.

4) Identifies its operational period.

5) Is digitally signed by the certification authority issuing it.

Certification Authority (CA) - A trusted entity in a public key infrastructure (PKI) that issues and revokes certificates exacting compliance to a PKI policy.

Chief Information Officer (CIO)/Chief Technology Officer (CTO) - An agency official responsible for:

1) Providing advice and other assistance to the head of the executive agency and other senior management/executive officials of the agency to ensure that IT is acquired and information resources are managed in a manner that is consistent with laws, E.O.s, directives, policies, regulations, and priorities established by the head of the agency.

2) Developing, maintaining, and facilitating the implementation of a sound and integrated IT architecture for the agency.

3) Promoting the effective and efficient design and operation of all major information management processes for the agency, including the work processes of the agency.

Confidentiality - Preserving authorized restrictions on information access and disclosure (including means for protecting personal privacy and proprietary information) from unauthorized individuals, entities, or processes.

Contingency Plan - Management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disaster.

Countermeasures - Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. Synonymous with security controls and safeguards.

D

Department - In the context of this IRM, the terms department, departments, departmental, etc. refer solely to the IRS unless there is a specific reference to Treasury. The terms "department employee(s)" and "Treasury employee(s)" also refer to the IRS.

Designated Approving Authority (DAA)/Authorizing Official (AO) - Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.

Disaster Recovery Plan (DRP) - Applies to major, usually physical disruptions to service that deny access to the primary facility infrastructure for an extended period. A DRP is an information system-focused plan created and maintained by the IRS Information Technology organization or any information technology service provider designed to restore operability of the target system, application, or computer facility infrastructure at an alternate site after an emergency. The DRP may be supported by multiple information system contingency plans to address recovery of impacted individual systems once the alternate facility has been established. A DRP may support a Business Continuity Plan or Continuity of Operations plan by recovering supporting systems for mission/business processes or mission essential functions at an alternate location. The DRP only addresses information system disruptions that require relocation.

E

Education - Education level integrates all security skills and competencies of the various functional specialties into a common body of knowledge, adds a multi-disciplinary study of concepts, issues, and principles (both technological and social), and strives to produce IT security specialists and professionals capable of forward thinking vision and pro-active response.

Encryption - The conversion of data into a form, called a ciphertext, which cannot be easily understood by unauthorized people, for the purposes of security or privacy.

Enterprise Life Cycle (ELC) - The approach used to manage and implement business change and information systems initiatives.

F

Federal Information Security Management Act (FISMA) - Requires agencies to integrate information security into their capital planning and enterprise architecture processes, conduct annual security reviews of all programs and systems, and report the results of those reviews to the OMB.

Form 5081 - Information System User Registration/Change Request - Used to request access to information systems and applications. The Online 5081 replaces the paper Forms 5081 with an automated, standard process. It provides automated submission, approval, re-certification, and filing of the Form 5081 on a service-wide basis. The Online 5081 Application is an Intranet and web-based application.

Form 14201 - Risk Acceptance Request - Used to request that the AO make a Risk-Based Decision (RBD) to deviate from a specific requirement and not accept the risk associated with said RBD.

G, H, I

Identification - The process of verifying the identity of a user, process, or device, usually as a prerequisite for granting access to resources in an information system.

Impact - The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure/modification/destruction of information or loss of information or information system confidentiality, integrity, or availability.

Incident - A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices.

Incident Handling - The mitigation of violations of security policies and recommended practices.

Information Owner - Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.

Information Security - The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide CIA.

Information System Owner - Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.

Information System Security Officer (ISSO) - Individual assigned responsibility by the senior agency information security officer/chief information security officer, authorizing official, management official, or information system owner for ensuring the appropriate operational security posture is maintained for an information system or program.

Information Technology (IT) - Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by an executive agency. For purposes of the preceding definition, "equipment" refers to that used by the Department of the Treasury or by a contractor under a contract with the Department of the Treasury if that contractor:

a) Requires the use of such equipment; or

b) Requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product.

The term "information technology" includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.

Information System Contingency Plan (ISCP) - Established procedures created and maintained by the IRS Information Technology organization and system owners for the assessment and recovery of a system following a system disruption. The ISCP provides key information needed for system recovery, including roles and responsibilities, inventory information, assessment procedures, detailed recovery procedures, and testing of a system. The ISCP differs from a DR plan primarily in that the information system contingency plan procedures are developed for recovery of the system regardless of site or location. An ISCP can be activated at the system's current location or at an alternate site. In contrast, a DR plan is primarily a site-specific plan developed with procedures to move operations of one or more information systems from a damaged or uninhabitable location to a temporary alternate location. Once the DR plan has successfully transferred operations to the alternate site, each affected information system would then use its respective ISCP to restore, recover, and test systems, and put them into operation.

Integrity - The prevention of the unauthorized/improper modification or destruction of information; includes ensuring information non-repudiation and authenticity.

Interconnection Security Agreement (ISA) - An agreement established between the organizations that own and operate connected information systems to document the technical requirements of the interconnection. The ISA also supports a Memorandum of Understanding or Agreement (MOU/A) between the organizations.

J, K

Key Management - The activities involving the handling of cryptographic keys and other related security parameters during the entire life cycle of the keys, including their generation, storage, establishment, entry and output, and zeroization.

Key Pair - Two mathematically related keys having the properties that one key can be used to encrypt a message that can only be decrypted using the other key. Even knowing one key, it is computationally infeasible to discover the other key.

L

Least Privilege - The security objective of granting users only those accesses they need to perform their official duties.

Live Data - Live Data is primarily unmodified, non-sanitized data extracted from taxpayer files which identifies specific individual or corporate taxpayers. It includes taxpayer information, tax return information, and further extends to include live employee data, any other sensitive personally identifiable information (PII), and any Sensitive but Unclassified (SBU) data that is used outside of the authorized IRS production environment. Live data is another form of Sensitive but Unclassified (SBU) data. The use of live data in testing environments is limited to tax administration or other authorized IRS purposes, and it may be disclosed only to those individuals with a need to know.

M

Major Application - An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Note: All federal applications require some level of protection. Certain applications, because of the information they hold, however, require special management oversight and shall be treated as major. Adequate security for other applications shall be provided by security of the systems in which they operate.

N

Non-repudiation - Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the information.

O, P

Plan of Action and Milestones (POA&M) - A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.

Personally Identifiable Information (PII) - Any information about an individual maintained by an agency, including:

  1. Information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records.
    a. To distinguish an individual is to identify an individual, such as by SSN or passport number. However, a list of credit scores without any other information concerning the individual does not distinguish the individual.
    b. To trace an individual is to process sufficient information to make a determination about a specific aspect of an individual's activities or status, for example an audit log.

  2. Information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
    a. Linked information is information about or related to an individual that is logically associated with other information about the individual.
    b. Linkable information is information about or related to an individual for which there is a possibility of logical association with other information about the individual.

  3. The definition of PII is not anchored to any single category of information or technology. Rather, it demands a case-by-case assessment of the specific risk that an individual can be identified.

Private Key - The secret part of an asymmetric key pair that is typically used to digitally sign or decrypt data.

Program - A program is the process of translating broadly stated mission needs into a set of operational requirements from which specific performance specifications are derived. A program consists of a functional area that supports a Treasury or IRS mission and has associated IT systems and budgetary resources. A program is an organized set of activities directed towards a common purpose, objective, goal, or understanding proposed by IRS to carry out responsibilities assigned to the organization. Examples of programs include: Compliance, Accounts Management, Submission Processing, production of U.S. currency, asset forfeiture, and bank supervision.

Public Information - This type of information may be disclosed to the public without restriction, but requires protection against erroneous manipulation or alteration. Example: public Web site.

Public Key - The public part of an asymmetric key pair that is typically used to verify signatures or encrypt data.

Public Key Infrastructure (PKI) - A set of policies, processes, server platforms, software and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates.

Q, R

Remediation - The act of correcting a vulnerability or eliminating a threat through activities such as installing a patch, adjusting configuration settings, or uninstalling a software application.

Review - Based on the Government Auditing Standards (2003), the IRS cannot perform self-audits; however, it can perform many of the audit activities in the context of reviews. The IRS reviews are primarily internal control reviews, based on definitions contained within this section, and are comprised of assessments. This is a significant concept, as it should reduce the amount of redundant work needed to conduct a review.

Risk - The level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.

Risk Assessment - The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management (incorporating threat and vulnerability analyses), the output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process. The risk assessment brings together important information for agency officials with regard to the protection of the information system and generates essential information required for the security plan. The periodic assessment of risk to agency assets or operations resulting from the operation of an information system is an important activity required by FISMA. (also Security Risk Assessment)

S

Safeguards - Protective measures prescribed to meet the security requirements (i.e., CIA) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices.

Scanning - Sending packets or requests to another system to gain information to be used in a subsequent attack.

Security Assessment and Authorization (SA&A) - A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the requirements for the system.

Security Controls - The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the CIA of the system and its information.

Security Requirements - Requirements levied on an information system that are derived from laws, E.O.s, directives, policies, instructions, regulations, or organizational (mission) needs to ensure the CIA of the information being processed, stored, or transmitted.

Self-Assessment - A method for agency officials to determine the current status of their information security programs and, where necessary, establish a target for improvement. For a self-assessment to be effective, a risk assessment shall be conducted in conjunction with, or prior to the self-assessment. A self-assessment does not eliminate the need for a risk assessment.

Sensitive But Unclassified (SBU) Information - Any information which if lost, stolen, misused, or accessed or altered without proper authorization, may adversely affect the national interest or the conduct of federal programs (including IRS operations), or the privacy to which individuals are entitled under FOIA (5 U.S.C. 552).

Sensitive Information - Information the loss, misuse, or unauthorized access to, or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under 5 U.S.C. § 552a (the Privacy Act), but has not been specifically authorized under criteria established by an E.O. or an act of Congress to be kept classified in the interest of national defense or foreign policy. Examples of such sensitive information include personal financial information and information that discloses law enforcement investigative methods. Other particular classes of information may have additional statutory limits on disclosure that require that information to also be treated as sensitive. Examples include tax information, which is protected by Section 6103 of the IRC (26 U.S.C. § 6103) and advanced procurement information, protected by the Procurement Integrity Act (41 U.S.C. § 423).

System - A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. A system normally includes hardware, software, information, data, applications, communications, and people.

System Administrator (SA) - A person who manages the technical aspects of a system.

System Development Life Cycle (SDLC) - The scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal that instigates another system initiation.

System Security Plan - Formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements.

T

Technical Controls - The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.

Threat - Any circumstance or event with the potential to adversely impact agency operations (including mission, functions, image, or reputation), agency assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

Training - Training is more formal than "awareness," having the goal of building knowledge and skills to facilitate security in one’s job performance. The training level strives to produce relevant and needed security skills and competency by practitioners whose functional specialties are other than IT security (e.g., management, systems design, development, acquisition, auditing). Current training guidance encourages Role-Based Training.

U, V

Vulnerability - Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Vulnerability Assessment - Formal description and evaluation of the vulnerabilities in an information system.

References

Department of Treasury

  1. TD P 85-01 Volume I, Department of Treasury Information Technology Security Program, November 19, 2015.

  2. TD P 87-04, Personal Use of Government Information Technology Resources, January 27, 2012.

  3. TD P 15-03, Intelligence Information Systems Security Policy Manual, September 19, 2013.
    The Treasury Directives above are available at: ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

Internal Revenue Manuals (IRMs)

  1. IRM 1.1.17, Organization and Staffing, Agency-Wide Shared Services, July 26, 2010.

  2. IRM 1.4.X series, Resource Guide For Managers.

  3. IRM 1.4.1, Resource Guide for Managers, Management Roles and Responsibilities, January 20, 2012.

  4. IRM 10.2.14, Physical Security Program, Methods of Providing Protection, September 23, 2009.

  5. IRM 10.5.1, Privacy Information Protection and Data Security (PIPDS), Policy Roles and Responsibilities, May 5, 2010.

  6. IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, July 8, 2015.

  7. IRM 10.8.3, Audit Logging Security Standards, July 7, 2015.

  8. IRM 10.8.6, Information Technology (IT) Security, Secure Application Development, September 30, 2014.

  9. IRM 10.8.10, Information Technology (IT) Security, Linux and Unix Security Policy, July 13, 2015.

  10. IRM 10.8.20, Information Technology (IT) Security, Windows Security Policy, March 18, 2015.

  11. IRM 10.8.21, Information Technology (IT) Security, Database Security Policy, April 17, 2015.

  12. IRM 10.8.22, Information Technology (IT) Security, Web Server Security Policy, April 17, 2015.

  13. IRM 10.8.26, Information Technology (IT) Security, Laptop Computer Security Policy, August 19, 2014.

  14. IRM 10.8.27, Information Technology (IT) Security, Internal Revenue Service Policy On Limited Personal Use Of Government Information Technology Resources, September 29, 2014.

  15. IRM 10.8.34, Information Technology (IT) Security, IDRS Security Controls, April 1, 2014.

  16. IRM 10.8.40, Information Technology (IT) Security, Wireless Security Policy, August 11, 2014.

  17. IRM 10.8.50, Information Technology (IT) Security, Service-wide Security Patch Management, August 30, 2014.

  18. IRM 10.8.54, Information Technology (IT) Security, Minimum Firewall Administration Requirements, February 13, 2014.

  19. IRM 10.8.60, Information Technology (IT) Security, IT Service Continuity Management (ITSCM), September 4, 2015.

  20. IRM 10.9.1, National Security Information, National Security Information, August 14, 2012.

    The IRS Office of Service-wide Policy, Directives and Electronic Research (SPDER), in partnership with LEXIS-NEXIS, has made all IRMs available to all IRS employees. IRS IRMs are available at: ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ . IRS Information Technology Cybersecurity organization companion guides are available at: ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

NIST

  1. NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, April 1998.

  2. NIST SP 800-27 Rev. A, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2004.

  3. NIST SP 800-37 Rev. 1, Guide for the Security Certification and Accreditation of Federal Information Systems, February 2010.

  4. NIST SP 800-40 Rev. 3, Creating a Patch and Vulnerability Management Program, July 2013.

  5. NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 30, 2013.

  6. NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, December 2014.

  7. NIST SP 800-57 Part 1 Rev. 3, Recommendation for Key Management, Part 1: General, July 2012.

  8. NIST SP 800-64 Rev. 2, Security Considerations in the System Development Life Cycle, October 2008.

  9. NIST SP 800-100, Information Security Handbook: A Guide for Managers, October 2006.
    Information regarding the NIST publications noted above is available on the NIST website: ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

Other References

  1. FISMA requirements (see ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ).

  2. Privacy Act of 1974.

  3. OMB Memorandum for Chief Acquisition Officers, Revisions to the Federal Acquisition Certification for Contracting Officer's Representatives (FAC-COR), September 6, 2011.

  4. OMB Circular No. A-130, Management of Federal Information Resources, November 28, 2000.

  5. Public Law 105-35, Taxpayer Browsing Protection Act of 1997.

  6. Consolidated Appropriations Act, 2005 (H.R. 4818).

  7. Code of Federal Regulations (CFR), Title 5, Administrative Personnel.