
Remote Access for Data Centers

Issue: Clarification on the multi-factor authentication for remote access requirement when agencies are accessing servers located at their consolidated data center.

Response

IRS Internal Revenue Manual (IRM) 10.8.1, Information Technology (IT) Security, Policy, Guidance defines Remote Access as:

“Access by users (or information systems) communicating external to an information system security perimeter.”

Additionally, the IRS policy states:

“Remote access connections shall be established via two-factor authentication where one of the factors is provided by a hardware device separate from the computer gaining access.”

The IRS Publication 1075 computer security requirements are aligned with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls. NIST SP 800-53 defines remote access as:

“Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet).”

Additionally, NIST SP 800-53 requires Moderate impact systems (all systems that receive, store, process and transmit federal tax information are Moderate impact) to employ multifactor authentication that is compliant with NIST SP 800-63, Electronic Authentication Guidance, level 3 or 4 (see control IA-2).

Based on IRS IRM and NIST guidance, since the servers will be located in a different building than the users after the consolidation, the deciding factor for multifactor authentication is whether the user connection to the servers in the consolidated data center travels outside agency-controlled networks through the Internet. If it does, multifactor authentication compliant with NIST SP 800-63 level 3 or 4 is required. If the traffic remains within the confines of the agency-controlled network, multifactor authentication is not required.

A new Safeguard Procedures Report (SPR) is required for this type of change – moving to a consolidated data center.
