The Safeguard Security Report (SSR) is the primary source for agencies to report to the IRS Office of Safeguards on the processes, procedures and security controls in place to protect Federal Tax Information (FTI) in compliance with IRC 6103(p)(4).
Agencies executing data exchange agreements involving access to FTI and subject to safeguarding requirements must have an approved SSR prior to having access to FTI. Section 7 of Publication 1075 outlines SSR Reporting Requirements 6103(p)(4)(E):
A Read-Only copy of the Safeguard Security Report (PDF) is available for review.
The SSR is a living document. Do not start a new SSR using a blank template; use the accepted SSR template that was returned to your agency with the previous year’s acceptance letter for submission. Any agency who intends to execute a new data exchange agreement should contact the SafeguardReports@irs.gov mailbox to request a blank SSR document to begin the onboarding process:
- The agency should submit the report for approval at least 90 days prior to the agency receiving FTI.
- The SSR submission and all associated attachments must be updated and submitted annually to identify changes that impact the protection of FTI and safeguarding procedures.
- Correspondence, reports and attachments will continue to be sent electronically to the Office of Safeguards using Secure Data Transfer, if the agency participates in the SDT program. If the agency does not participate in SDT or SDT is otherwise not available, these transmissions should be sent via email to the SafeguardReports@irs.gov mailbox.
SSR Submission Deadlines:
|Partner Agency||Reporting Period||SSR Deadline|
|All Federal Agencies||Jan. 1 – Dec. 31||January 31|
|AK, AL, AR, AS, AZ, CA||Feb. 1 – Jan. 31||February 28|
|CNMI, CO, CT, DC, DE, FL, GA||March 1 – Feb. 28||March 31|
|GU, HI, IA, ID, IL, IN, KS||April 1 – March 31||April 30|
|KY, LA, MA, MD, ME, MI||May 1 – April 30||May 31|
|MN, MO, MS, MT, NE||June 1 – May 31||June 30|
|NC, NH, NJ, NM, NV, NY||July 1 – June 30||July 31|
|ND, OH, OK, OR||Aug. 1 – July 31||August 31|
|PA, PR, RI, SC, SD, TN||Sep. 1 – Aug. 31||September 30|
|TX, UT, VA, VI, VT, WA||Oct. 1 – Sep. 30||October 31|
|WI, WV, WY||Nov. 1 – Oct. 31||November 30|
|SSR DOs||SSR DON'Ts|
|Report any changes to your agency’s environment and/or new technologies each year.
Annotate dates of changes and updates.
|Do not use Track Changes.|
|Use the accepted SSR template that was returned with your previous acceptance letter.||Do not use highlights.|
|Certification by Head of Agency is required each year with SSR submission.
If Head of Agency is different than Agency Director, provide contact information for both individuals in section 2.1 each year.
|Do not embed docs.|
|Submit via SDT if available; secure email if not.||Do not use attachments as the only implementation explanation.|
|Summarize the applicable portion of each attachment in the control implementation session.||Do not substitute SSR as a Notification.|
|Update the signature page annually (use an electronic signature or scan a signed document).||There is no requirement to remove the previous IRS comments prior to submission.|
Provide a response to IRS-provided blue comments on the previous submissions.
Rules for attachments for SSR submissions:
- Label and title appropriately,
- Provide a summary of attachments required in control implementation sections,
- Provide clear and concise mapping of attachments in SSR response,
- Include HQ, all data centers and 10% of field offices in internal inspection templates,
- Provide a summary response in the agency section and use attachments as supplemental information (unless attachments are requested specifically in one of the corresponding eight areas in the template) and
- Use Word, Excel and PDF attachments only.
Requests received by the mailbox for SSR assistance are generally assigned within 72 hours and a response issued in less than 40 days, although general questions are usually responded to in a shorter timeframe. If you are experiencing delays, follow up with a 2nd request (in your follow up request, please indicate the date of your original request).
The submission of the Notifications is a requirement independent of a complete SSR governed by Section 7.4 of Pub 1075. Changes must be included on the SSR even if a Notification has been submitted. Notating on the SSR does not satisfy the Notification requirement.
It is permissible to share the results of the SSR to mitigate or correct deficiencies identified in the document with your partner state agencies and contractors.
Currently, no SSR “waiver” process exists. An SSR must be submitted annually per section 7.2.4 of Pub 1075, even for agencies with a Safeguard review scheduled.
As part of the onboarding process, new agencies are required to have an approved SSR, Security Assessment Report (SAR) and Authority To Operate (ATO) before receiving FTI.