Safeguards Technical Assistance

Agencies that have not gone through the revised Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities (PDF) based Safeguard review often have questions related to the Managerial, Operational and Technical (MOT) SCSEM (e.g. what is it based on, why is it needed, and how can we prepare for it). By proactively addressing these types of questions in a technical assistance memo, the IRS Office of Safeguards aims to provide consistent and timely information to the agencies. It will also assist in preparation for the upcoming Safeguard review.

Publications 1075 provides information security requirements to agencies that receive, process, store or transmit federal tax information (FTI) under the provisions of Internal Revenue Code Section 6103.

Information security requirements are based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and other sources. NIST has aggregated the best industry security practices from the Department of Defense, civil agencies and the private sector and established a catalog of security controls that address a more comprehensive approach to ensuring the protection of sensitive information. Not all the NIST 800-53 controls are applicable to Safeguards Program. These controls are flagged in Publication 1075 (PDF) and excluded from Safeguards Review Scope.

The IRS Office of Safeguards utilizes detailed testing procedures documented in Safeguards Computer Security Evaluation Matrices (SCSEMs). Currently, separate SCSEMs exist for various technologies e.g. Unix/Linux, IBM and Unisys mainframes, and Windows 2000/20003. These SCSEMs evaluate secure configuration required to satisfy certain Publication 1075 requirements.

The majority of the computer security requirements from the previous Publication 1075 are the same, while new NIST 800-53 based requirements are added to the REVISED Publication 1075. Previous SCSEMs used to evaluate the effectiveness of the security controls implementation are also revised in light of the latest Publication 1075. The latest MOT SCSEM has been developed to address the majority of the new computer security requirements.

The MOT SCSEM evaluates the remainder of the Management, Operational, and Technical security controls based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53.

The following is the full list of security control areas:


Management Controls:

  • Certification, Accreditation, and Security Assessments (CA)
  • Planning (PL)
  • Risk Assessment (RA)
  • System and Services Acquisition (SA)

Operational Controls:

  • Awareness and Training (AT)
  • Configuration Management (CM)
  • Contingency Planning (CP)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Physical and Environmental (PE)
  • Personnel Security (PS)
  • System and Information Integrity (SI)

Technical Controls

  • Access Control (AC)
  • Audit and Accountability (AU)
  • Identification and Authentication (IA)
  • System and Communications Protection (SC)

Many of the new requirements center on having the current security practices documented. For instance, an agency is typically already performing some kind of risk assessment and often knows what it will do should a contingency interfere with the system’s operation. The new MOT requirements will call for policy and procedures to document the risk assessment process and will require that a contingency plan be in place which defines the process and identifies the roles and responsibilities in the event of a contingency.

The Agency can do a number of things to help address the MOT requirements and prepare for the IRS Safeguard review.

  1. The Agency should perform an internal audit (risk assessment) to understand the implementation status of the system’s security controls.
  2. The Agency should document and address the findings from the internal audit.
  3. The Agency should review the MOT document request list to understand what kinds of evidence and artifacts fulfill the control requirements.
  4. As part of the Preliminary Security Evaluation (PSE) conference call the Agency shall receive the MOT SCSEM (Safeguard Computer Security Evaluation Matrix) outlining all of the MOT test procedures. The Agency should prepare the evidentiary documentation and share the materials with IRS Safeguard review team when they arrive on-site.
  5. The Agency should establish a central electronic repository of evidence which demonstrates the control has been satisfied.
  6. The Agency should map the evidence/artifacts to the latest MOT document request list in preparation of the IRS Safeguard review.
  7. The Agency should repeat this process to continually monitor their security posture and make necessary updates as needed.

References/Related Topics: