Request for Technical Assistance

Please provide clarification on the multi-factor authentication for remote access requirement when tax offices are accessing servers located at their consolidated data center.

Response

  • IRS Internal Revenue Manual (IRM) 10.8.1, Information Technology (IT) Security, Policy, Guidance defines Remote Access as: "Access by users (or information systems) communicating external to an information system security perimeter."
  • Additionally, the IRS policy states: "Remote access connections shall be established via two-factor authentication where one of the factors is provided by a hardware device separate from the computer gaining access."
  • The IRS Publication 1075 computer security requirements are aligned with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls. NIST SP 800-53 defines remote access as: "Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet)."

Additionally, NIST SP 800-53 requires Moderate impact systems (all systems that receive, store, process and transmit federal tax information are Moderate impact) to employ multifactor authentication that is compliant with NIST SP 800-63, Electronic Authentication Guidance, level 3 or 4 (see control IA-2).

Based on IRS IRM and NIST guidance, since the servers will be located in a different building than the users after the consolidation, the deciding factor for multifactor authentication is whether the user connection to the servers in the consolidated data center is communicated outside of agency-controlled networks through the Internet. If this is the case, then multifactor authentication compliant with NIST SP 800-63 level 3 or 4 is required. If this traffic remains within the confines of the agency-controlled network, then multifactor authentication is not required.

A new Safeguard Procedures Report (SPR) is required for this type of change. Please submit the SPR within 60 days from the date of this memo. The report can be sent to the Safeguard mailbox at safeguardreports@irs.gov, in Word format, encrypted using Windows WinZip.