Information For...

For you and your family
Standard mileage and other information

Forms and Instructions

Individual Tax Return
Instructions for Form 1040
Request for Taxpayer Identification Number (TIN) and Certification
Request for Transcript of Tax Return


Employee's Withholding Allowance Certificate
Employer's Quarterly Federal Tax Return
Employers engaged in a trade or business who pay compensation
Installment Agreement Request

Popular For Tax Pros

Amend/Fix Return
Apply for Power of Attorney
Apply for an ITIN
Rules Governing Practice before IRS

Safeguards Technical Assistance Remote Access Requirement

Request for Technical Assistance

Please provide clarification on the multi-factor authentication for remote access requirement when tax offices are accessing servers located at their consolidated data center.


IRS Internal Revenue Manual (IRM) 10.8.1, Information Technology (IT) Security, Policy, Guidance defines Remote Access as:

“Access by users (or information systems) communicating external to an information system security perimeter.”

Additionally the IRS policy states:

“Remote access connections shall be established via two-factor authentication where one of the factors is provided by a hardware device separate from the computer gaining access.”

The IRS Publication 1075 computer security requirements are aligned with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls. NIST SP 800-53 defines remote access as:

“Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet).”

Additionally, NIST 800-53 requires for Moderate impact systems (all systems that receive, store, process and transmit federal tax information are Moderate impact) to employ multifactor authentication that is compliant with NIST SP 800-63, Electronic Authentication Guidance level 3 or 4 (see control IA-2).

Based on IRS IRM and NIST guidance, since the servers will be located in a different building than the users after the consolidation, the deciding factor for multifactor authentication is whether or not the user connection to the servers in the consolidated datacenter is communicated outside of agency controlled networks through the Internet. If this is the case, then multifactor authentication compliant with NIST SP 800-63 level 3 or 4 is required.  If this traffic remains within the confines of the agency controlled network, then multifactor authentication is not required.

A new Safeguard Procedures Report (SPR) is required for this type of change.  Please submit the SPR within 60 days from the date of this memo.  The report can be sent to the Safeguard mailbox, in word format, encrypted using Windows WinZip, at

References/Related Topics: