Section 9.18.12 – Protecting FTI in Virtual Environments


To utilize a virtual environment that receives, processes, stores or transmits FTI, the agency must meet the following mandatory requirements:

Notification Requirements

  • The agency must notify the IRS Office of Safeguards 45 days prior to putting FTI in a virtual environment.
  • If the agency’s approved SPR is less than six years old and reflects the agency’s current process, procedures and systems, the agency must submit the Virtualization Notification (see Exhibit 15), which will serve as an addendum to their SPR.
  • If the agency’s SPR is more than six years old or does not reflect the agency’s current process, procedures and systems, the agency must submit a new SPR and the Virtualization Notification (see Exhibit 15).

Technical Requirements

  • When FTI is stored in a shared location, the agency must have policies in place to restrict access to FTI to authorized users.
  • Programs that control the hypervisor should be secured and restricted to authorized administrators only.
  • FTI data transmitted via hypervisor management communication systems on untrusted networks must be encrypted using FIPS-approved methods, provided by either the virtualization solution or third party-solution, such as a virtual private network (VPN) that encapsulates the management traffic.
  • Separation between virtual machines (VMs) must be enforced, and functions which allow one VM to share data with the hypervisor or another VM, such as clipboard sharing or shared disks, must be disabled.
  • Virtualization providers must be able to monitor for threats and other activity that is occurring within the virtual environment. This includes being able to monitor the movement of FTI into and out of the virtual environment.
  • The VMs and hypervisor/ host OS software for each system within the virtual environment that receives, processes, stores or transmits FTI must be hardened in accordance with the requirements of Publication 1075 and be subject to frequent vulnerability testing.
  • Special VM functions available to system administrators in a virtualized environment that can leverage the shared memory space in a virtual environment between the hypervisor and VM should be disabled.
  • Virtual systems are configured to prevent FTI from being dumped outside of the VM when system errors occur.
  • Vulnerability assessment must be performed on systems in a virtualized environment prior to system implementation.
  • Backups (virtual machine snapshot) must be properly secured and must be stored in a logical location where the backup is only accessible to those with a need to know.

References/Related Topics