Part 2. Information Technology

Chapter 25. Managed Service for IRS

Section 20. SharePoint

2.25.20 SharePoint

Manual Transmittal

November 21, 2025

Purpose

(1) This transmits revised IRM 2.25.20, Integrated Enterprise Portal-Web Services, SharePoint. This IRM will address operational controls, program level controls and technology governance for the M365 Enterprise SharePoint Online (SPO) environment.

Material Changes

(1) This transmits new rules and guidelines in the use and management of the IRS SharePoint Platform and includes various updates and changes to reflect the differences in the previous on-premises environment and the current cloud-based environment.

(2) Changes have been made to IRM 2.25.20.1:

  • Identified in paragraph one that M365 and SharePoint Online are provided by Microsoft Corporation

  • Deleted maintains operational continuity, in paragraph two

  • Deleted director as owner and added IT-EOPS WISD in paragraph four and five

  • Added clarifying language to the list of responsibilities in paragraph five

  • Deleted ELC PMO as a stakeholder and added OneSDLC, in paragraph six

(3) Changes have been made to IRM 2.25.20.1.2:

  • Deleted SharePoint environment server Site Collection information and added SPO application is managed per the GCC by Microsoft, in paragraph one

  • Removed references to “Site Collections” and clarified that creation of sites require approval of the owning Business Unit in paragraphs two and three

  • Removed paragraph discussing requests to alter infrastructure in paragraph four

(4) Changes have been made to IRM 2.25.20.1.3:

  • Added Information Technology (IT) Enterprise Operations (EOps) ultimately is responsible for Microsoft 365 (M365) SharePoint Online Program and deleted information for on-premises environment, in paragraphs one and two

(5) Changes have been made to IRM 2.25.20.1.4:

  • Deleted IESC and added M365 Program as source of funding and governance in paragraph one

  • Deleted ETI and added WISD for overseeing SharePoint activities in paragraph two

  • Deleted outdated information of the SPGB and FED board, providing oversight to SharePoint

(6) Changes have been made to IRM 2.25.20.1.4.1:

  • Added SPS section to identify Microsoft SharePoint Online as the platform instead of SharePoint on-premises. SPS performs day to day management. The servers are no longer hosted on the organization’s infrastructure; instead, they are hosted and maintained by Microsoft, in paragraphs one through five

(7) Changes have been made to IRM 2.25.20.1.5:

  • Deleted PMP as resource guide in paragraph two

  • Added the SharePoint Site Management Guide (SMG) provides guidance and updated link for paragraph three

  • Deleted Standard Operating Procedures (SOP) information, including a bulleted list of Self-Services, and added an SPS online link for Self Services in paragraph four

(8) Changes have been made to IRM 2.25.20.1.6:

  • Added SCA and SA will be used synonymously in paragraph two

  • Added and deleted multiple terms and definitions in the table list to reflect SharePoint Online in paragraph three

  • Added and deleted multiple acronym and definitions in table list to reflect SharePoint Online in paragraphs two through four, including tables

(9) Changes have been made to IRM 2.25.20.1.7:

  • Deleted the old URL and resource link and added new SPO Central URL and resource link in paragraphs one and two

(10) Changes have been made to IRM 2.25.20.2:

  • Changed reference from Site “Collections” to “Sites” for consistency with SPO in paragraph three

  • Deleted linkage to the obsolete SP Communications mailbox in paragraph four

  • Added information on how to submit a service request ticket via IRWorks and included links for the SMG and SPO Central in paragraphs five and six

(11) Changes have been made to IRM 2.25.20.2.1:

  • Inserted Web to infrastructure Services Division in paragraph one

  • Inserted updated IRM reference in paragraph two

  • Updated primary objective from SP platform to M365 SPO in paragraph three

  • Deleted old Project Management Plan link in paragraph five

(12) Changes have been made to IRM 2.25.20.2.2:

  • Added Supported Services and Limitations to title

  • Deleted outdated information related to the old SP platform and added the IRM FAS a reference in paragraphs one through five

(13) Changes have been made to IRM 2.25.20.2.2.1:

  • Deleted outdated content and added updated products and services for SPO in paragraphs one bullet list

(14) Changes have been made to IRM 2.25.20.2.2.1.1:

  • Updated title from SharePoint Platform to Online

  • Deleted information related to web base and added cloud-based integration updates in paragraphs one and two

(15) Changes have been made to IRM 2.25.20.2.2.1.2:

  • Updated the title to include SharePoint Online

  • Deleted outdated information and added new steps on submitting a Self-Services request via SPO Central in paragraph one through three

(16) Changes have been made to IRM 2.25.20.2.2.1.3:

  • Deleted information about SPS managing COTS product and updates made on SPO Central in paragraph two

(17) Changes have been made to IRM 2.25.20.2.2.1.5:

  • Deleted outdated links, content, and services and updated information to include links and updated content via SPO Central in paragraph one and two

(18) Changes have been made to IRM 2.25.20.2.2.1.6:

  • Added support to the title

  • Deleted and added updated way to submit a ticket from KISAM to IRWorks in paragraph one

  • Deleted SP environment to M365 SPO in paragraph two

  • Deleted and added information on what is supported in the SharePoint environment by SPS in paragraph three

  • Deleted and updated information related to collection, backups, and recycle bins in paragraph four

(19) Changes have been made to IRM 2.25.20.3.1:

  • Deleted platform and added online to reference what SharePoint services in paragraph one

  • Deleted outdated ticketing information and added updated content for SPS request in paragraphs two through five

(20) Changes have been made to IRM 2.25.20.3.1.1:

  • Updated the title to remove SharePoint Farm and include System Administrator

  • Deleted outdated and updated content from SharePoint Farm to SharePoint Services for roles, management, support, and configuration in paragraph one through seven

(21) Change have been made to IRM 2.25.20.3.2:

  • Deleted outdated content related to SP governance and updated information to reference the M365 Program Office in paragraph four

(22) Changes have been made to IRM 2.25.20.3.2.1:

  • Deleted Site Collection to Site and SCA to SA to keep current with language throughout this IRM in section one through five

  • Added that the Business Units are responsibility for training their users for each user group in paragraph five, as well as ensuring completion of the annual site certification

  • Deleted and updated content related to PCLIA, PII or SBU for external sources in paragraph five

(23) Changes have been made to IRM 2.25.20.3.2.2:

  • Deleted outdated content and added content related to Site and Site collection in paragraph two

  • Deleted quota allocations and added quota monitoring will be used instead for site storage, and configuration in paragraph two

  • Deleted outdated links, and replaced with IRWorks, SMG, SPO Central in paragraph three

(24) Changes have been made to IRM 2.25.20.3.3:

  • Updated the title from Site Collection Level to SharePoint Online Sites in paragraph one to reference the flattened site structure environment

  • Removed paragraph containing obsolete content defining Site Collections in paragraph two

(25) Changes have been made to IRM 2.25.20.3.3.1:

  • Deleted the word collection from Site Administrator in the title staying consistent throughout the document

  • Deleted outdated content and added to providing support for technical issues with site, and web-part or pages in paragraphs one through nine

  • Deleted and added new links for ticket submission with support/issues via IRWorks in paragraph three

  • Removed paragraph five related to deploying and assigning Site Owners with permission to manage sites

  • Deleted paragraph eight related to IRS-specific SharePoint training

(26) Changes have been made to IRM 2.25.20.3.3.2:

  • Added types of three SharePoint users in paragraph one

(27) Changes have been made to IRM 2.25.20.3.3.2.1:

  • Deleted information on local policies and reworded it in paragraph two

  • Updated wording for support/incident tickets and links for IRWorks in paragraph five

  • Deleted wording using sub-sites in paragraph six

  • Deleted the need to obtain mandatory training via ITM, and added recommended training via SPO Central in paragraph seven

  • Deleted old links and updated paragraph seven with new links for SPO Central and SMG

(28) Changes have been made to IRM 2.25.20.3.3.2.2:

  • Deleted SP PIA in paragraph two

(29) Changes have been made to IRM 2.25.20.3.4.1:

  • Deleted outdated content from Solution Developers section

(30) Changes have been made to IRM 2.25.20.3.4.1:

  • Deleted sub-site and added site in paragraph one

(31) Changes have been made to IRM 2.25.20.3.4.2

  • Deleted sub-site and added site as well as added updated support/incident ticket submission link for IRWorks in paragraph one

(32) Changes have been made to IRM 2.25.20.3.4.3

  • Deleted sub-site and added site in paragraph three

(33) Changes have been made to IRM 2.25.20.3.4.4.2:

  • Removed the obsolete section, Federal Customer Advisory Board (FED CAB) in paragraphs one and two

(34) Changes have been made to IRM 2.25.20.3.4.4.3:

  • Removed the obsolete section, SharePoint Change Control Board (SP CCB) in paragraphs one through four

(35) Changes have been made to IRM 2.25.20.3.4.3:

  • Removed Site Collection and sub-sites and added sites

(36) Changes have been made to IRM 2.25.20.3.4.4.5

  • Removed Business Unit Help Desk Assignment Group section which is outdated content in paragraphs one through three

(37) Changes have been made to IRM 2.25.20.3.4.4.6:

  • Removed Business Unit Technical Point-of-Contact (POC) section paragraphs one through three

(38) Changes have been made to IRM 2.25.20.3.4.4.7:

  • Removed Business Unit Service Request Reviews outdated content section paragraphs one and two

(39) Changes have been made to IRM 2.25.20.4.1:

  • Deleted the word platform and outdated information from SharePoint guidance for security in paragraph one

  • Deleted Delegated Business Sponsors responsibilities to just Business Unit in paragraph one

  • Removed the PMP from paragraph two

(40) Changes have been made to IRM 2.25.20.4.2:

  • Changed instances of “Site Collection” to “Site” and “BUs” to “Business Units” for consistency through the document in paragraph one

  • Deleted IRM reference in paragraph one

(41) Changes have been made to IRM 2.25.20.4.3:

  • Deleted Site Collection to stay consistent throughout document in paragraph one

(42) Changes have been made to IRM 2.25.20.5.1:

  • Deleted the word environment in paragraph one

(43) Changes have been made to IRM 2.25.20.5.2:

  • Clarified language about user compliance with IRS SharePoint policies in paragraph one

(44) Changes have been made to IRM 2.25.20.5.3:

  • Updated title to add SBU, PII, and FTI data

  • Updated outdated content and added SBU and FTI to storage content during a site request process in paragraph one

  • Deleted outdated content and added updates to creation, submission, and implementation of sensitivity labeling in paragraphs two through seven

  • Deleted old link and added new URL for SMG in paragraph four

(45) Changes have been made to IRM 2.25.20.5.4:

  • Deleted outdated links and added updated url for SMG and SPO Central in paragraphs one and two

  • Deleted infrastructure and changed it to configuration for support and permissions management in paragraph five

(46) Changes have been made to IRM 2.25.20.5.5:

  • Deleted Site Collection to Site to stay consistence throughout the document in paragraphs one and two

  • Deleted audit retention log from 120 days to 6 months in paragraph one

  • Updated URL for SMG in paragraph two

(47) Change have been made to IRM 2.25.20.6:

  • Deleted all changes to infrastructure through deployment code to M365 cloud infrastructure requires coordination with Microsoft in paragraph two

(48) Changes have been made to IRM 2.25.20.6.1:

  • Deleted SPS will maintain development, test, disaster recovery, etc. environments and added updated content related to M365 cloud for SPO infrastructure through Microsoft and GCC in paragraph one

  • Deleted risks to uptime targets to just risk for reducing operation risks with SharePoint environment in paragraph two

  • Deleted the request to remove, change, or modify environmental thresholds process in paragraph three

(49) Changes have been made to IRM 2.25.20.6.2:

  • Deleted collection from title

  • Deleted outdated site type content and added SharePoint Online template options with updated links in paragraphs one through four

(50) Changes have been made to IRM 2.25.20.6.3:

  • Deleted outdated content and Inserted servers supporting M365 platform are managed by SPS in paragraph one

  • Deleted the review and approval process and added servers are specifically dedicated to supporting SPO environment like SaaS, etc. in paragraph two

  • Inserted SPO is solely supported in the M365 cloud environment in paragraph two

(51) Changes have been made to IRM 2.25.20.6.4:

  • Deleted components or any interfacing software and inserted SharePoint infrastructure and components in the GCC is managed by Microsoft in paragraph one

  • Inserted SPS manages supporting the infrastructure interfacing software like SaaS, Data Gateway etc. in paragraph two

(52) Changes have been made to IRM 2.25.20.6.5:

  • Inserted citation for IRM 10.8.24 for IT Security, cloud computing security policy in paragraph one

(53) Changes have been made to IRM 2.25.20.6.6:

  • Renamed section M365 SPO Back-up and Restore

  • Deleted SharePoint backup section and added recovery options in paragraph one

  • Deleted outdated content related to manual configuration, disaster recovery options for on-prem and added M365 SharePoint site restore options

(54) Changes have been made to IRM 2.25.20.7:

  • Deleted outdated change management practices and inserted configuration are managed by Microsoft per the GCC and configured per M365 office requirements in paragraphs one through three

(55) Changes have been made to IRM 2.25.20.7.1 & 2.25.20.7.2:

  • Sections 2.25.20.7.1 and 2.25.20.7.2 have been deleted because all maintenance, configuration, deployment of Server-Side Code of Components is done through Microsoft

Effect on Other Documents

IRM 2.25.20, dated 12-11-2020, is superseded

Audience


Users of SharePoint to include IRS staff interfacing with the system in any capacity including administrator (Site Owner), content author (site member with write permissions), or content consumer (site visitor with read permissions).

Effective Date

(11-21-2025)

Kaschit Pandya
Acting Chief Information Officer

2.25.20.1 (11-21-2025)

Program Scope and Objectives

  1. Overview: SharePoint is used throughout the IRS as a collaborative and content management platform to support and enhance the productivity of IRS staff (employees and contractors). M365 SharePoint Online (SPO) is provided by Microsoft Corporation per the Government Community Cloud (GCC). SharePoint Services provides the IRS SharePoint platform and related capabilities. SharePoint Services will coordinate with Microsoft as necessary.

  2. Purpose: SharePoint Services enforces policy, provides enterprise-wide governance, and encourages SharePoint users to adopt SharePoint best practices.

  3. Audience: Users of SharePoint to include IRS staff interfacing with the system in any capacity including administrator (site owner), content author (site member with write permissions), or content consumer (site visitor with read permissions).

  4. Policy Owner: IRS Information Technology Enterprise Operations (IT-EOps) Web Infrastructure Services Division (WISD) oversees the policies contained herein.

  5. Program Owner: IRS Information Technology Enterprise Operations (IT-EOps) Web Infrastructure Services Division (WISD) is responsible for the administration, policies and procedures, and system updates related to the use of SharePoint.

  6. Primary Stakeholders: Any IRS organization utilizing the SharePoint platform, in any capacity, should be considered a stakeholder to the related policies and procedures. Certain IRS organizations work with SharePoint Services to support operations and governance of the platform. These stakeholders include, but are not limited to, the following:

    • Privacy, Governmental, Liaison and Disclosure (PGLD)

    • User and Network Systems (UNS)

    • Enterprise Operations (IT-EOps)

    • OneSDLC (One Solution Delivery Lifecycle)

  7. Program Goals: The goal of SharePoint Services is to maintain SharePoint operationally, improve capabilities, provide governance, enforce policy, and support user competency and efficiency with SharePoint functionality.

2.25.20.1.1 (11-21-2025)

Background

  1. SharePoint Services was established to consolidate infrastructure operations and provide enterprise-wide governance and oversight into SharePoint activities.

2.25.20.1.2 (11-21-2025)

Authority

  1. The SharePoint Online (SPO) application is authorized per the Government Community Cloud (GCC) for IRS and managed by Microsoft.

  2. SharePoint sites will only be created or deleted after approval by their respective Business Unit then, by SharePoint Services.

  3. Once created, Sites are the responsibility of the requesting Business Unit unless ownership is transferred to another Business Unit.

2.25.20.1.3 (11-21-2025)

Responsibilities

  1. Information Technology (IT) Enterprise Operations (EOps) ultimately is responsible for Microsoft 365 (M365) SharePoint Online Program.

  2. SharePoint Services is responsible for implementation, operations, management, governance, and enhancement of SharePoint.

    • SharePoint Services is responsible to support best practices and operational consistency via the performance of various communication and education activities

  3. Individual IRS Business Units are responsible for ensuring that SharePoint is used in compliance with IRS policy and provide the primary support for their users.

    • The individual IRS Business Units are responsible to ensure their use of the SharePoint platform complies with applicable sections of the IRS Internal Revenue Manual (IRM) including, but not limited to, the following:

    • IRM 10.5.1, Privacy and Information Protection, Privacy Policy

    • IRM 10.8.1, Information Technology Security, Policy, and Guidance

    • IRM 10.8.2, Information Technology Security, IT Security Roles, and Responsibilities

    • IRM 1.15.1, Records and Information Management, The Records, and Information Management Program

    • IRM 1.15.2, Records and Information Management, Types of Records and Their Life Cycles

    • IRM 1.15.3, Records and Information Management, Disposing of Records

    • IRM 1.15.4, Records and Information Management, Retiring and Requesting Records

    • IRM 1.15.5, Records and Information Management, Relocating/Removing Records

    • IRM 1.15.6, Records and Information Management, Managing Electronic Records

    • IRM 1.15.7, Records and Information Management, IRS Published Product Identification

    • IRM 11.3.12, Disclosure of Official Information, Designation of Documents

2.25.20.1.4 (11-21-2025)

Program Management and Review

  1. The M365 Program is the source of funding for SharePoint and provides high-level governance for the SharePoint Program.

  2. The Web Infrastructure Services Division (WISD) is responsible for oversight of SharePoint activities and reports to the M365 Program.

  3. Most program-level direction, strategy, and change management decision making authority has been delegated to SharePoint Services.

2.25.20.1.4.1 (11-21-2025)
SharePoint Services

  1. The mission of this office is to deliver superior, leading-edge, flexible, and cost-effective collaborative solutions that enable IRS staff to solve business problems and complete activities.

  2. The primary purpose of this office is to perform day-to-day management of the IRS M365 SharePoint Online, including supporting operational continuity, enforcing policies, and providing enterprise-wide governance. The primary objectives of this office are to:

    • Maintain SharePoint successful operational up-time and minimize down-time mitigating risks associated with unavailability

    • Provide change management and oversight for changes to SharePoint configuration or Site Management

    • As SharePoint is established in the cloud (SPO), all infrastructure changes require coordination with Microsoft and must be within the parameters of the GCC

  3. The secondary purpose of this office is to define, develop, institutionalize, and maintain proven guidance for the use of SharePoint (and related systems). The secondary objectives of this office are to:

    • Identify strategic direction for SharePoint with consideration of IRS requirements, external process owners, and operational limitations

    • Integrate and standardize policies and processes and change management activities to promote repeatable processes and consistency

    • Provide leadership, consultation, and assistance to ensure understanding and effective use policy and guidance

  4. SharePoint Services does not generally perform Site Administration or other support activities that typically fall to the Site Admins and Site Managers. Exceptions may be made at SharePoint Services’ discretion.

  5. SharePoint Services provides high-level support to the Business Units via a hierarchical model that involves:

    • Users elevate concerns or needs to the appropriate Site Owner or Site Administrator

    • Site Owners or Site Administrators escalate questions or concerns to the appropriate Business Unit

    • Business Unit contact SharePoint Services for resolution of questions as needed via IRWorks ticket

    • This process is amplified in the SharePoint Site Management Guide (SMG)

2.25.20.1.5 (11-21-2025)

Program Controls

  1. This program uses multiple sources to establish controls. This IRM constitutes one of the controls.

  2. The SharePoint Site Management Guide (SMG) available on SPO Central specifies required activities, guidance, and policy for the management of individual sites and sub-sites.

  3. SharePoint Services Online provides process and controls for site creation, site deletion and other tools and applications supporting SharePoint.

2.25.20.1.6 (11-21-2025)

Terms, Definitions, and Acronyms

  1. This program has specific terms and acronyms associated with it.

  2. The terms Site Collection Administrator (SCA) and Site Administrator (SA) are synonymous, and requirements specified in this document apply to both.

  3. The table lists commonly used terms and their definitions:

    Term Definition
    Business Unit The highest-level operating division or office headed by an executive. Example: IRS business units include Small Business/Self-Employed (SB/SE), Office of Appeals and Human Capital Office (HCO), etc.
    Business Unit Point of Contact(BU POC) An IRS organization Point-Of-Contact (POC) sometimes referenced as a BU SharePoint Contact that interfaces and facilitates communications with, SharePoint Services. These resources perform a variety of activities and roles including Technical POC, Governance Representative, and Self-Services Reviewer (e.g., approve SharePoint and Teams Requests).
    Content Owner An IRS organization specific resource with site managerial responsibilities for content. Includes various responsibilities but does not rise to the level of Site Owner.
    Delegated Business Sponsor IRS personnel responsible for the content and configuration (permissions, etc.) associated with a SharePoint site from a management or non-technical perspective to satisfy all administrative, managerial, or governance obligations.
    ISSO Information Systems Security Officer
    Manager (or Site Manager) Any of the various SharePoint roles that includes site management or administrative responsibilities. Includes Site Sponsor, Site Administrator, and Site Owner.
    Member (or Site Member) End-user of a site who may read or contribute information (items or documents) to the site.
    One SDLC One Solution Delivery Lifecycle
    Out-of-the-Box Refers to software or a tool installed within an environment or platform as-is (with minimal configuration) and without any customizations or significant modifications.
    Owner (or Site Owner) Manages a specific site. This individual has similar responsibilities as the Site Administrator but has a more limited scope of responsibility and access. Site Owners ensure that their site is Section 508 compliant.
    Software as a Service Software as a Service (SaaS) is a cloud-based software delivery model where application are hosted online and accessed via the internet.
    Section 508 Federal law mandating that all electronic and information technology developed, produced, maintained, or used by the federal government be accessible to people with disabilities.
    SharePoint Administrator The SharePoint Administrator role has access to the SharePoint admin center and can create and manage sites, designate Site Administrators, manage sharing settings.
    SharePoint Analyst Supports SharePoint Services with SharePoint management and administration including user support, communication, processing requests for service, and creating documentation (policy, procedures, or best-practices).
    SharePoint (or Solution) Developer Develops capabilities or solutions within SharePoint using Power Platform applications or custom code (e.g., SPFx). Examples may be custom workflows or customizing individual web parts.
    SharePoint Hub Site SharePoint hub sites help you meet the needs of your organization by connecting and organizing sites based on project, department, division, region, or Business Unit adding shared hub navigation, improved search capabilities, etc. A connective SharePoint site that organizes the intranet into families of team sites and communication sites. SharePoint Hub Sites model relationships between sites as links, rather than hierarchy or ownership, to enable changes in a dynamic organization.
    SharePoint Online The instance of SharePoint in the IRS M365 tenant (in the Cloud) maintained by Microsoft.
    SharePoint Environment An instance of SharePoint including Production SharePoint Online Sites.
    Server Farm The collection of servers, software, and other components that provide the SaaS, Data Gateway and additional services as required on an enterprise-level supporting the M365 SPO environment.
    System Administrator Maintains, manages, and reports on one or more Server farms. Provides support for any issues with the configuration of the Data Gateway and Compliance Guardian.
    SharePoint Platform The M365 SPO SharePoint Online (SPO) is a Software as a Service (SaaS) platform supporting IRS SharePoint. It includes the Production (Cloud) environments Additionally, it includes SharePoint components such as SaaS, Compliance Guardian.
    Site Sites are a generic term that refer to any site within the M365 SPO environment.
    Site Administrators Responsible for all aspects of their site and manages core elements (e.g., metadata, navigation, permissions, templates). Provides support for any issues within their site. Formerly Site Collection Admin.
    Site Sponsor The Business Owner of a Site responsible from a non-technical perspective.
    Third-Party Tool Administration Includes management of all third-party components and software used as part of the SharePoint platform. This could include the Power Platform applications that facilitate forms or workflow development, or Administrator facing tools used to assist in SharePoint management and governance.
    Visitor (or Site Visitor) End-user of a site who has read-only access to information (items or documents) stored within the site.

  4. The table lists commonly used acronyms and their definitions:

    Acronym Definition
    AC Access Controls
    AU Audit Controls
    BOD Business Operating Division
    BU Business Unit (an IRS organizational unit)
    CAB Customer Advisory Board
    CIO Chief Information Officer
    COTS Commercial Off-the-Shelf
    CUI Controlled Unclassified Information (e.g., PII or FTI)
    DB Database
    DBA Database Administrator
    ELC Enterprise Life-Cycle
    EOps Enterprise Operations
    ETID Enterprise Technology Implementation Division
    FED Federal
    FTI Federal Taxpayer Information
    GCC Microsoft Government Community Cloud
    IESC Infrastructure Enterprise Steering Committee
    IRAP Information Resources Accessibility Program
    IRM Internal Revenue Manual
    IRWorks Knowledge Incident/Problem Service Asset Management
    IT Information Technology
    ITM Integrated Talent Management
    MIRP Major Incident Response Plan
    OneSDLC One Solution Delivery Lifecycle
    OOB Out-of-the-Box
    PCA Program Privacy Compliance and Assurance Program
       
    PGLD Privacy, Governmental Liaison and Disclosure
    PII Personally Identifiable Information
    PMO Program Management Office
    POC Point-Of-Contact
    PPUG Power Platform Users Group
    SA (1) Systems Administrator (2) Site Administrator
    SAAS Software as a Service
    SBU Sensitive But Unclassified
    SCA Site Collection Administrator
    SMG Site Management Guide
    SP SharePoint (any version)
    STR SharePoint and Teams Request
    UA User Administrator
    UNS User and Network Services
    VPN Virtual Private Network
    WISD Web Infrastructure Services Division

2.25.20.1.7 (11-21-2025)

Related Resources

  1. The SharePoint Site Management Guide (SMG) is a resource for information about this program and is available on SPO Central.

  2. SPO Central is a site providing a primary method to communicate announcements, procedures, policies, and support articles.

2.25.20.2 (11-21-2025)

Program Overview

  1. Program-level direction, strategy, and change management decision making authority is delegated to SharePoint Services.

  2. SharePoint Services provides oversight, management, and operational support for IRS SharePoint.

    • SharePoint Services supports all aspects of SharePoint performance including capabilities, interfaces, and impacts

  3. Business Units are responsible for the proper management, adherence to policy and overall administration of their organization's individual sites.

  4. This IRM establishes controls that support SPO governance and management. SharePoint Services established, maintains, and supports this IRM.

  5. Users are expected to submit requests to SharePoint Services via IRWorks. Users are discouraged from contacting SharePoint Services personnel (employees and contractors) directly. SharePoint Services responses to IRWorks questions or issues will be able to be referenced in the SharePoint Site Management Guide (SMG) on SPO Central.

  6. SharePoint Services will post communications to users via SPO Central (News).

2.25.20.2.1 (11-21-2025)

Information Technology Governance

  1. SharePoint Governance is a function of SharePoint Services. This is performed via interfaces with various governance organizations including the Web Infrastructure Services Division (WISD).

  2. SharePoint Governance organizations and roles are identified in IRM 2.25.20.3.4.3, SharePoint Governance Roles.

  3. The primary objective of SP governance is to ensure M365 SPO is implemented and managed in a manner that follows IRS policy, procedures, and regulations.

  4. SharePoint governance includes the various Business Units to ensure that all stakeholders’ interests are considered.

  5. Local Business Unit SharePoint governance should not conflict with IRS SharePoint Services Governance policy, procedures, and regulations. IRS and SharePoint Services governance policy has precedence over local policy. Local policy is the ruling policy for the business unit unless it conflicts with IRS and SharePoint Services policy.

2.25.20.2.2 (11-21-2025)

SharePoint Supported Services and Limitations

  1. SharePoint supported services and limitations to services are listed in the below paragraphs and in IRM 2.25.20.1.4.1.

2.25.20.2.2.1 (11-21-2025)
Products and Services

  1. SharePoint Services offers the following products and services:

    • SharePoint Online

    • SharePoint Online (SPO) Central

    • SharePoint-Related Commercial-Off-the-Shelf (COTS) Products

    • SharePoint Records Management

    • M365 SharePoint Online Service Requests

    • SharePoint Services Technical Support

2.25.20.2.2.1.1 (11-21-2025)
SharePoint Online

  1. Microsoft’s cloud-based collaborative platform that integrates with Microsoft Office, OneDrive, Power Platform and Exchange Online.

  2. Microsoft M365 SharePoint Online provides several areas of functionality:

    • Collaboration functionality supports the completion of activities among physically disconnected resources

    • Document Management functionality supports the development and control of enterprise content

    • Permissions functionality supports content access controls including levels associated with reading, editing, and/or deleting content

2.25.20.2.2.1.2 (11-21-2025)
SharePoint Online (SPO) Central

  1. A SharePoint site providing a primary method to communicate announcements, procedures, policies, and support articles with end-users.

  2. SPO Central provides a method to submit SPO Self-Service Requests including new site creation, site deletion, Site Certification, and other services.

  3. The SPO Central site can be found at: SPO Central.

2.25.20.2.2.1.3 (11-21-2025)
SharePoint-Related Commercial-Off-the-Shelf (COTS) Products

  1. SharePoint Services facilitates the integration of various COTS add-ons for IRS SharePoint to improve and enhance end-user SharePoint experience.

  2. SharePoint Services participates in the offering of various COTS products used with SharePoint; a list is available on SPO Central.

  3. All SharePoint products and services including any related COTS components within the IRS SharePoint environment must be reviewed and approved by SharePoint Services.

2.25.20.2.2.1.4 (11-21-2025)
SharePoint Records Management

  1. SharePoint Services collaborates with Privacy, Governmental Liaison and Disclosure (PGLD) in the configuration of SharePoint records management services and functions to support electronic records management per IRM 1.15.6, Managing Electronic Records.

    • SharePoint Services supports PGLD in the configuration of SharePoint components to maintain the security of electronic records, per IRM 1.15.6.8, Security of Electronic Records

    • SharePoint Services supports PGLD in the configuration of SharePoint components to support the retention, and the disposition, of electronic records per IRM 1.15.6.9, Retention and Disposition of Electronic Records

  2. SharePoint Services supports business units, PGLD, and IT organizations in the design and implementation of records management functionality in SharePoint, but does not configure and manage records management schedules, including any disposition or retention decisions.

    • SharePoint Services is not responsible for performing records management on behalf of IRS business/operational units or providing records management guidance

    • SharePoint Services is responsible for providing expertise on how SharePoint capabilities and functions may be used to support records management objectives

2.25.20.2.2.1.5 (11-21-2025)
M365 SharePoint Online Central Service Requests

  1. SharePoint Support Service Requests are available via M365 SharePoint Online Service Requests and include but not limited to the following:

    • Hub Site Creation

    • SPO to SPO Migration Request

    • Orphaned Site Administration Assignments

    • Site Metadata and Attribute Changes

  2. SharePoint Service Requests must be made via IRWorks and are subject to the review and approval of SharePoint Services.

2.25.20.2.2.1.6 (11-21-2025)
SharePoint Services Technical Support

  1. SharePoint Services supports the resolution of certain incident management tickets submitted via IRWorks from the Business Unit.

    • Incident Requests

    • Service Requests

  2. SharePoint Services Technical Support is limited to supporting issues associated with the M365 SPO configuration and/or SharePoint Online site management support

  3. Certain Information Technology components affiliated with the SharePoint environment are not supported by the SharePoint Services. This includes, but is not limited to, the following:

    • M365 Security Groups

      • Per TIGTA, individual site permissions are the responsibility of the Site Administrators

    • IRS Network including Virtual Private Network (VPN) connections

    • Users’ systems including browser settings and configurations

    • Other M365 services such as Power Platform, OneDrive for Business, etc

  4. In certain situations, SharePoint Services may be able to assist Site Administrators with the recovery of data or content via the Out-of-the-Box (OOB) SharePoint Recycle Bin.

    • Data loss recovery is limited based on the capabilities and durations of the SharePoint Online Recycle Bin

    • Microsoft provides:

      • Data recovery at the site level only

      • Data recovery is to a given date. All content changes after the given date are lost and unrecoverable

      • Retention period is defaulted to 30 days

    Note:

    If an item needs to be recovered from a specific date, the entire site reverts to that date and all other changes are lost.

2.25.20.3 (11-21-2025)

Roles and Responsibilities

  1. The SharePoint standard roles are common terms that are similar across SharePoint implementations (See IRM 2.25.20.1.6, Terms, Definitions, and Acronyms).

  2. Each organization that deploys SharePoint will use these roles in a generic sense.

  3. There are IRS specific roles established to support IRS SharePoint governance and management.

  4. IRS SharePoint users are expected to obtain training (including security training) appropriate to their level of use.

2.25.20.3.1 (11-21-2025)

SharePoint Services

  1. SharePoint Services manages M365 SharePoint Online and works with the Business Unit or other Points-of-Contacts (POCs) to support SharePoint operations.

  2. SharePoint Services supports the activities of the various IRS organizational units formalized by Self-Services Online Tools, IRWorks, Backup/Restore Requests, Operations & Maintenance Services and other ad-hoc SharePoint Service Requests.

  3. SharePoint Services establishes enterprise IRS SharePoint governance policy and best practices.

  4. SharePoint Services supports enterprise searching, search schema, context indexing, and cross platform content crawls.

  5. SharePoint Services provides recommended training for entry-level to master-level courses for all user groups on SPO Central.

2.25.20.3.1.1 (11-21-2025)
System Administrator

  1. The System Administrator is a Services specific role for Compliance Guardian and Data Gateway services server farms.

  2. This role maintains, manages, and reports on Compliance Guardian and Data Gateway services farms and provides support for any issues with the configuration.

  3. These activities require elevated rights and permissions on a variety of infrastructure components including, but not limited to, the following:

    • SharePoint Administration across the M365 SharePoint Online Production to include permissions to access and manipulate all aspects of all the sites contained therein

    • SharePoint Online Administration across all supporting databases to include permissions to access and manipulate all aspects of the databases comprising the SP environment

    • Third-Party Tool Administration rights across all third-party components and software used to support and facilitate the use of the SharePoint platform at IRS including, for example, Power Platform, form tools, governance support tools, reporting tools, etc

  4. Supports the resolution of incident management tickets submitted via IRWorks from the Business Units

  5. Supports general activities associated with SharePoint management and administration including user support, communication activities, processing requests for service, and creating documentation (policy, procedures, governance or best-practices).

  6. SharePoint Administrators are required to take specialized IT training per IRM 10.8.2, IT Security Roles and Responsibilities, (see Exhibit 10.8.2-1, Roles That Require Special Training) due to their System Administrator role.

  7. The System Administrator role includes roles defined in IRM 10.8.2, IT Security Roles and Responsibilities, including, but not limited to, the following

    • IRM 10.8.2.2.1.11, Enterprise Architect

    • IRM 10.8.2.2.1.19, Database Administrator (DBA)

    • IRM 10.8.2.2.1.21, Network Administrator

    • IRM 10.8.2.2.1.22, Program Developer/Programmer

    • IRM 10.8.2.2.1.23, Web Developer

    • IRM 10.8.2.2.1.26, System Administrator

    • IRM 10.8.2.2.1.35, System Designer

    • IRM 10.8.2.2.1.36, Technical Support Staff (Desktop)

2.25.20.3.1.2 (11-21-2025)
SharePoint Analyst

  1. SharePoint Analyst is a SharePoint Services specific role.

  2. This role supports general activities associated with SharePoint management and administration including user support, communication activities, processing requests for service, and creating documentation (policy, procedures, governance or best-practices).

  3. SharePoint Analysts are required to take specialized IT training per IRM 10.8.2, IT Security Roles and Responsibilities (see Exhibit 10.8.2-1, Roles That Require Special Training).

  4. This includes roles defined in IRM 10.8.2, IT Security Roles and Responsibilities, including, but not limited to, the following:

    • IRM 10.8.2.3.1.27, Web Developer

    • IRM 10.8.2.3.1.31, Systems Operations Staff

    • IRM 10.8.2.3.1.33, User Administrator (UA)

    • IRM 10.8.2.3.1.38, Management/Program Analyst

    • IRM 10.8.2.3.1.40, Technical Support Staff (Desktop)

2.25.20.3.2 (11-21-2025)

Business Units

  1. Business Units are responsible for ensuring their organization’s SharePoint sites are used in compliance with IRS policy.

  2. Business Units own and manage the content (e.g. document libraries, lists, calendars, etc.) associated with their SharePoint sites.

  3. Business Units are responsible for ensuring their organization’s use of SharePoint is compliant with applicable data management and processing rules, policies, and other applicable IRMs.

  4. Business Units can develop their own supplemental or organization specific policies regarding SharePoint use and management.

    • Participants in the development of any enhanced, supplemental, or organization specific SharePoint policy are determined by the IRS organization developing policy

    • SharePoint Services recommends that individuals shaping organization specific SharePoint policy be involved and engaged with the SharePoint Services via the M365 Program Office

    • Any organization specific or enhanced SharePoint policy is scoped and limited to what is supportable by the SharePoint Services from operational, organizational, and governance and policy perspectives. SharePoint Services does not alter its practices or procedures to satisfy Business Unit specific policies or requirements

  5. This IRM and all SharePoint Services identified policies and procedures take precedence over any Business Unit specific policy.

  6. Business Units are responsible for determining required training for their users. Required training plans should be developed based on the desired skill sets and knowledge for each user group, as determined by the Business Unit.

2.25.20.3.2.1 (11-21-2025)
Delegated Business Sponsor

  1. The Delegated Business Sponsor of one or more SharePoint site is responsible for the content stored within the sites and all operations of the sites from a non-technical perspective as necessary to satisfy all administrative, managerial, or governance obligations.

  2. The Delegated Business Sponsor is responsible for identifying Site Administrators (SA) and may rely on the assistance or advice of SAs, and other IT staff, in the implementation of all responsibilities including:

    • Securing sensitive content from dissemination or alteration

    • Protecting IRS records from inadvertent removal or deletion

    • Maintaining operational compliance with all system mandates

  3. Delegated Business Sponsors shall ensure that personnel within their sites performing administrative functions (full-control permissions) have, in addition to the other duties they perform, a working knowledge of SharePoint security and how it can be used to improve and enforce content security and records management compliance.

  4. Delegated Business Sponsors are not required to be, but typically are, executive or senior-level federal employees.

  5. Delegated Business Sponsors shall:

    • Ensure their site are operated according to applicable security standards and SharePoint best practices

    • Ensure their SA are properly designated and trained

      • Business Units are responsible for assigning SA to certify SPO sites. SA must certify completion of certification requirements (PII/SBU/FTI, Permissions, Audit Logs) annually. Additional guidance on Site Certification is available in the SharePoint Site Management Guide (SMG)

    • Ensure their site user permissions models are focused on granting permissions via groups and not directly to individuals. Direct permissions should be used when the use of groups is not feasible or practical

    • Grant access to the system with associated rights and privileges, adhering to the principles of least privilege (i.e., giving individuals the least possible privileges necessary for performance of their duties)

    • Re-evaluate access privileges periodically and revoke access in a timely manner upon personnel transfer or termination

    • Support applicable IRS policies regarding personnel managing, administering, or accessing the system

    • Assist in the investigation of various site use questions and incidents as necessary (site use, permissions, content recovery, etc.)

    • Ensure security parameters are defined according to business need unless system security controls have been established by higher-level authorities such as the Federal Government, the Department of Treasury, IRS policy, or SharePoint Services

    • In the case of outsourced systems and services, ensure the appropriate and applicable security requirements and controls are integrated into the procurement (or other contract or service provisioning) vehicle

    • Ensure the site certification requirements (PII/SBU/FTI, Permissions, Audit Log) are maintained. Additional guidance on Site Certification is available in the SharePoint Site Management Guide (SMG)

2.25.20.3.2.2 (11-21-2025)
Business Unit (BU) Point of Contact(BU POC)

  1. An IRS organization specific resource that interfaces with, and facilitates communications with SharePoint Services.

  2. Serves as their organization’s primary Point-Of-Contact (POC) with SharePoint Services and performs a variety of activities including:

    • Approving requests made by their organization for new Sites, Site Deletions, Site Quota monitoring, or for other services

    • Approving requests made on behalf of Site Administrators for SharePoint changes or SharePoint configurations

    • Facilitating communications with SharePoint Services for their organization's Site Managers

    • Facilitating their organization's compliance with SharePoint certification

    • Generally assisting Site Managers (and users) within their business/organization unit’s SharePoint support issues and facilitating engagement with SharePoint Services when necessary

  3. Supports the resolution of incident and service request submitted via IRWorks from the Business Unit. For additional assistance please refer to IRM 2.25.20.3.1, SharePoint Services.

2.25.20.3.3 (11-21-2025)

SharePoint Online Sites

  1. The IRS, following with Microsoft best practices, moved to a flattened site structure environment. Sub-site availability was discontinued and is not available in SharePoint Online.

    • Sites are the fundamental SharePoint element

2.25.20.3.3.1 (11-21-2025)
Site Administrator (SA)

  1. Responsible for all aspects of the Site and manages core elements (e.g., metadata, navigation, permissions, templates, branding, etc.).

    • Two Site Administrators (SA) are required to be identified upon Site request/creation

    • Each site is expected to maintain a minimum of two active Site Administrators

  2. Site Administrators support data management and protection through the appropriate use of sensitivity labels. Site Administrators ensure that sensitive information is protected from unauthorized disclosure or transfer to unsecured environments.

  3. Provides resolution and support for any technical issues with the site, for example; permissions management, Web Parts, or page deployment/deletion, restoration of items from the Site Recycle Bin, editing search keywords, and management of search scopes.

  4. Support the resolution of support/incident tickets submitted via IRWorks.

  5. If necessary, Site Administrators (SA) are responsible for submitting a 508 Compliance Package available at §508 Process for OneSDLC Products.

  6. Responsibilities of the SA include:

    • Ensuring only authorized PII/SBU/FTI is stored on sites

    • Managing Site permissions including provisioning, changing, or removing user access

    • Providing first-level technical support for all end-users of the site

    • Completing Site Certifications including PII/SBU/FTI, Permissions, and Auditing. Additional guidance on Site Certification is available in the SharePoint Site Management Guide (SMG)

  7. All SharePoint users performing the role of Site Owners are expected to prepare for expanded SharePoint access and authority.

  8. Site Administrators are encouraged to consult with Business Units for additional training.

2.25.20.3.3.2 (11-21-2025)
SharePoint Users

  1. SharePoint provides three types of users which may have access to one or more sites and can take actions depending on their specific access level.

    • Owners (administrator)

    • Members (contributor)

    • Visitors (reader)

2.25.20.3.3.2.1 (11-21-2025)
Owners

  1. Manager of a specific site with responsibilities like the Site Administrator, but with a limited scope of responsibility and access.

  2. Administrative duties and functions may fall under other roles established by the local policies, procedures, and governance for the Business Unit.

  3. Ensure that content on their site is Section 508 compliant.

  4. Manage the site permissions including provisioning, changing or removing user access.

  5. Support the resolution of support/incident tickets submitted via IRWorks.

  6. Provide support and management for the site. Activities include but are not limited to: permissions management, content management, ensuring that only approved sites are used for PII/SBU/FTI, identification and reporting of any out of ordinary or suspicious behaviors.

  7. All SharePoint users performing the role of Site Owners are expected to prepare for expanded SharePoint access and authority through recommended training. Site Owners can access IRS-specific SharePoint training via ITM. Site Owners can also review other training related materials prepared by SharePoint Services via SPO Central Supporting reference materials on SPO Central include but are not limited to the SharePoint Site Management Guide (SMG).

2.25.20.3.3.2.2 (11-21-2025)
Members

  1. End-user of a site who may read or contribute information to the site.

  2. Members are responsible for following all acceptable use policies and ensuring content they contribute is compliant with Section 508 considerations.

2.25.20.3.3.2.3 (11-21-2025)
Visitors

  1. End-user of a site who has read-only access to information stored within the site.

2.25.20.3.4 (11-21-2025)

Other Roles

  1. IRS SharePoint includes other roles that are ancillary or defined to support IRS specific activities.

2.25.20.3.4.1 (11-21-2025)
Site Managers

  1. Site Managers refer to multiple organizational unit roles (Site Sponsors, Site Administrators, and Site Owners) that are expected to support the day-to-day administration and management of the sites that corresponds to their level of involvement.

2.25.20.3.4.2 (11-21-2025)
Content Owners

  1. Content Owners refer to users that perform various functions within a Site. This includes, but is not limited to, the following types of activities:

    • Add, delete, or modify content within SharePoint components (Web Parts, Pages, Lists, etc.) without intervention from other users

    • Approve permission changes or access requests for their sites

    • Provide best practice utilization guidance to site users

    • Monitor sites to ensure they are used in an acceptable, professional manner, and content is appropriate

    • Ensure SBU/PII/FTI data is handled according to IRS privacy policies

    • Ensure content meets Section 508 accessibility requirements

    • Address, report, or resolve usage concerns or violations

    • Support the resolution of support/incident tickets submitted via IRWorks

2.25.20.3.4.3 (11-21-2025)
SharePoint Governance Roles

  1. IRS SharePoint governance strategy involves the creation of several IRS specific roles.

  2. These roles support SharePoint governance and the implementation of best practices.

  3. These roles provide various levels of support to Site Managers and may have direct or indirect involvement with the management of Sites.

2.25.20.4 (11-21-2025)

SharePoint Security

  1. SharePoint Security responsibilities and activities are decentralized and performed hierarchically by various IRS organizations and SharePoint roles.

  2. SharePoint Services supports data management and protection though the assignment of appropriate sensitivity labels to sites.

2.25.20.4.1 (11-21-2025)

SharePoint Services

  1. SharePoint Services is responsible for establishing policies, providing direction, and communicating guidance for the security of the SharePoint. This includes, but is not limited to, the following:

    • Providing guidance for Site creation, access, and group controls

    • Establishing security policy for the following:

      • Purpose (or reason for some policy, guidance, or recommendation)

      • Scope

      • Roles/Responsibilities

      • Executive Sponsorship

      • Compliance

    • Providing guidance to site managers for group and role membership

    • Requiring approval by the Business Unit POC for requests to create sites for which they are responsible

2.25.20.4.2 (11-21-2025)

Business Units

  1. The individual Business Units are responsible for applying and enforcing security policies, guidance, and recommendations across all owned sites . This includes, but is not limited to, the following:

    • Ensure implementation of security controls for protecting sensitive IRS data (i.e., SBU, PII) residing in the Business Unit’s SharePoint sites and collaborative environments

    • Ensure all applicable security training requirements are met by employees managing SharePoint

      • IRM 10.8.2.3 IT Security Roles and Responsibilities

    • Following any SharePoint relevant Access Controls (AC) and enhancements including:

      • IRM 10.8.1.4.1.1 Section (1 sub-sections b, d, e, f), (2), (3), (4), (5), (6), (7, (8), and (9)

      • IRM 10.8.1.4.1.1.1 Sections (1) and (6)

      • IRM 10.8.1.4.1.1.7 All sections

      • IRM 10.8.1.4.1.1.11 All sections

      • IRM 10.8.1.4.1.2 All sections

    • Following all Shared IRS Storage (OneDrive, SharePoint, Teams, and other IRS Collaborative sites requirements) specified in:

      • IRM 10.5.1.6.18.3 All sections

    • Following any SharePoint relevant Audit Controls (AU) and enhancements including:

      • IRM 10.8.1.4.3.1 All sections

      • IRM 10.8.1.4.3.2 All sections

    • Assign Site Managers to manage and perform the various security activities

2.25.20.4.3 (11-21-2025)

Site Managers

  1. Site Managers (Site Sponsors, Site Administrators, and Site Owners) are responsible for performing recommended security practices and activities for all assigned SharePoint sites. This includes, but is not limited to, implementing security controls and enhancements.

  2. Site Managers shall be assigned by the Business Units.

2.25.20.5 (11-21-2025)

Compliance with IRS Policies

  1. SharePoint use is subject to numerous policies and direction established by the Federal Government, the Department of Treasury, and the IRS. The following sections are IRS-specific and are not intended to absolve users from adherence from following higher-level governance, direction, mandates, etc.

2.25.20.5.1 (11-21-2025)

General

  1. Proper operation of SharePoint requires specific governance, numerous policies and processes, and artifacts to guide the actions of SharePoint program staff, Business Units, and end users.

2.25.20.5.2 (11-21-2025)

Process Owners

  1. SharePoint Services interfaces with Process Owners to ensure IRS policies are complied with by IRS SharePoint users. The Process Owners include but are not limited to:

    • Privacy, Governmental Liaison and Disclosure (PGLD) – Determines the PII/SBU/FTI data policies all SharePoint site owners and users must follow and identifies the records management configuration and policies that must be supported by SharePoint to support in-place and centralized records management

    • Information Resources Accessibility Program (IRAP) – Determines the accessibility requirements which apply to the IRS SharePoint platform

    • Cybersecurity – Establishes baseline security controls and configurations for servers and guidance for all servers and network components comprising the IRS SharePoint platform

    • Enterprise Services/Enterprise Architecture – Develop the technical architecture and direction, including product selection, in coordination with SharePoint Services

2.25.20.5.3 (11-21-2025)

Sensitive but Unclassified (SBU) Data/Personally Identifiable Information (PII) Data/Federal Tax Information Data (FTI) Data

  1. The storage of SBU (including PII and FTI data) content in SharePoint is authorized during site request process.

    • SharePoint users are required to ensure that sensitive information is protected from unauthorized disclosure and access. This includes taxpayer information as well as other non-tax information, documents, records, and processes

  2. The SBU (including PII and FTI data) compliance status of a site must be reviewed and certified periodically by the Site Administrators, per the IRS SharePoint Site Management Guide (SMG) in accordance with PGLD requirements.

  3. Failure of the Business Unit and Site Administrators to certify by the deadline could lead to the site being disabled or removed at the discretion of SharePoint Services and/or PGLD.

  4. SharePoint Services supports the implementation and application of sensitivity labels per PGLD requirements.

2.25.20.5.4 (11-21-2025)

Permissions

  1. Permissions should be assigned via SharePoint Groups. Direct permissions should be used when the use of groups is not feasible or practical (typically in situations when item level permissions are used as part of an automated tool). Permissions best practices are discussed within the IRS SharePoint Site Management Guide (SMG).

    • Use of the “Everyone except external users” group shall be used when access to all IRS users with intranet access is desired

  2. Site permissions must be reviewed and certified periodically by the Site Administrators, per the IRS SharePoint Site Management Guide (SMG) according to guidelines determined by SharePoint Services, approved policies, or any applicable IRMs.

  3. Failure to certify by the deadline could lead to the Site being disabled or removed at the discretion of SharePoint Services and/or Cybersecurity.

2.25.20.5.5 (11-21-2025)

Audit Logs

  1. Unless otherwise authorized by the SharePoint Services, all Sites must have auditing of permission changes enabled with at least a 6-month audit log retention. Site Administrators are free to enable additional auditing and specify a longer retention time.

  2. Audit Logs must be reviewed and certified periodically by the Site Administrators, per the IRS SharePoint Site Management Guide (SMG) according to guidelines determined by SharePoint Services, approved policies, or any applicable IRMs.

  3. Failure to certify by the deadline could lead to the site being disabled or removed at the discretion of SharePoint Services and/or Cybersecurity.

  4. The individual IRS Business Units are responsible to ensure their SharePoint permissions and permissions auditing complies with applicable sections of the IRS IRM including; but not limited to, the following:

    • IRM 10.8.1, Information Technology Security, Policy and Guidance

    • IRM 10.8.2, Information Technology Security, IT Security Roles and Responsibilities

2.25.20.5.6 (11-21-2025)

Records Management

  1. Records stored in SharePoint must be managed in accordance with PGLD guidelines as documented in IRM 2.25.20.2.2.1.4, SharePoint Records Management and IRM 1.15, Records and Information Management.

2.25.20.6 (11-21-2025)

Configuration Standards

  1. SharePoint Technical architecture is defined and managed by SharePoint Services in consideration of guidance and direction provided by stakeholders.

  2. SharePoint is established in the M365 cloud (SharePoint Online), all infrastructure changes require coordination with Microsoft and must be within the parameters of the GCC.

  3. All SharePoint, and related, configuration changes must be reviewed and approved by SharePoint Services.

2.25.20.6.1 (11-21-2025)

SharePoint Environments

  1. SharePoint is established in the M365 cloud (SharePoint Online), all infrastructure changes require coordination with Microsoft and must be within the parameters of the GCC.

  2. SharePoint Services establishes thresholds, limits, or other throttles to functions within the IRS SharePoint environment to reduce operational risks.

  3. For more information about privacy considerations, refer to IRM 10.5.1.6.18.3, Shared IRS Storage (OneDrive, SharePoint, Teams, and Other IRS Collaborative Sites).

2.25.20.6.2 (11-21-2025)

Site Types

  1. SharePoint Services configures SharePoint Online sites using either a Communication Template or a Team Template.

  2. A Communication Templated site is a traditional website or intranet site where content is provided for information purposes to inform and educate a broad audience, such as the public or your entire organization.

    • A Communication Template SharePoint Online site cannot be Microsoft Teams enabled

  3. A Team Templated Site is required for use in conjunction with the Microsoft Teams application. All teams within the Microsoft Teams application have a corresponding Team Templated SharePoint Online Site.

  4. The IRS SharePoint Site Management Guide (SMG) contains additional information about the two SharePoint Online site template types.

2.25.20.6.3 (11-21-2025)

Servers

  1. Servers supporting the M365 SharePoint Online platform are managed by SharePoint Services.

  2. These servers are specifically dedicated to supporting the SharePoint Online environment, e.g., SaaS, Data Gateway and Compliance Guardian. SharePoint Online is solely supported in the M365 cloud environment.

2.25.20.6.4 (11-21-2025)

Infrastructure

  1. All SharePoint infrastructure, including physical or virtual components in the GCC, are managed by Microsoft.

  2. SharePoint Services manages the supporting infrastructure required for interfacing software and services such as SaaS, Data Gateway, and Compliance Guardian.

2.25.20.6.5 (11-21-2025)

Auditing Requirements

  1. Infrastructure and configuration of SharePoint Technical environment is audited in compliance with applicable sections of the IRS IRM, including; but not limited to, the following:

    • IRM 10.8.1, Information Technology Security, Policy, Guidance

    • IRM 10.8.24, Information Technology (IT) Security, Cloud Computing Security Policy

    • IRM 10.8.6.3.3, Audit and Accountability

2.25.20.6.6 (11-21-2025)

M365 SPO Back-up and Restore

  1. SharePoint Online includes built-in file recovery options through the Recycling Bin and backup retention process.

    • SharePoint Online (SPO) sites are preserved nightly. Each evening, all modified data since the previous day's backup is copied and maintained

    • Once a week, SPO sites also undergo a full backup that copies all data

  2. Deleted files can be restored from the Recycle Bin for up to 30 days from the time of deletion. After this period, the files are moved to the Second-Stage Recycle Bin.

    • SAs are responsible for providing support and assistance to site users attempting to recover files from the Second-Stage Recycling Bin

    • For further escalation to SharePoint Services to request a restore from SharePoint backup, please refer to the SharePoint Site Management Guide (SMG)

2.25.20.7 (11-21-2025)

Configuration of SharePoint

  1. SharePoint configuration is managed by Microsoft per the GCC and configured per M365 Office requirements.