
Safeguards Program

The Safeguards Program and staff are responsible for ensuring that federal, state and local agencies receiving federal tax information protect it as if the information remained in IRS’s hands.

These agencies and their contractors receiving federal tax information must protect the confidentiality of return information and are periodically reviewed by Safeguards personnel to ensure they meet the safeguarding requirements of IRC 6103(p)(4). These requirements include employee awareness programs, proper disposal, secure storage and computer security among others.

The updated version of Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies (PDF) (Rev. 09/16) contains specific requirements for safeguarding federal tax information. 

Comments and suggestions on the revised Publication 1075 can be forwarded to the safeguards mailbox at: safeguardreports@irs.gov.
 

Frequently Asked Questions
Answers to commonly asked questions about various Safeguards topics. Recently posted are Q&As regarding the Safeguard Security Report (SSR). Check back soon for answers on additional topics.


Publication 1075 Notification Requirements
Safeguarding requirements may be supplemented or modified between editions of Publication 1075 by guidance issued by the Office of Safeguards.

FOIA Request Memorandum
Important information on how federal, state and local agencies should respond to FOIA, Open Records or similar information-sharing requests for any IRS safeguard report or related communications in the possession of a federal, state or local agency.

Disclosure Policy on Use of FTI for Child Support Enforcement
This matrix of how Federal Tax Information (FTI) may be used for purposes of Child Support Enforcement actions includes what information may be disclosed, to whom it may be disclosed and under which limitations and conditions.

ALERTS

See “Safeguards Alert Memorandums” below for trending security concerns.


Publication 1075

Office hours notes: Background investigation requirements 

Reporting Requirements
Publication 1075 requires agencies to use approved report templates and to transmit the reports electronically. These reports must be encrypted and submitted to the safeguardreports@irs.gov mailbox.

Reporting Unauthorized Accesses, Disclosures or Data Breaches
Local, state and federal agencies receiving federal tax information must follow the revised provisions of Section 10 of Publication 1075 (PDF) (Coming soon) upon discovering a possible improper inspection or disclosure of FTI, including breaches and security incidents. Agencies must contact the Treasury Inspector General for Tax Administration (TIGTA) and the IRS Office of Safeguards immediately, but no later than 24 hours after identification of a possible issue involving federal tax information. Agencies are not to wait until after their own internal investigation has been conducted.

Contacting TIGTA is critical to expedite the recovery of compromised data and identify potential criminal acts. The IRS Office of Safeguards investigation focuses on identifying processes, procedures or systems within the agency with inadequate security controls which led to the incident.

Internal Inspections Reports
Section 6.3 of Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities, requires that agencies receiving federal tax information (FTI) establish a review cycle for internal inspections of headquarters offices and all local/field offices that receive FTI. The Internal Inspections Report – Headquarters Office and Internal Inspections Report – Field Office are for these inspections.

In addition, these agencies must also include an internal inspection of IT operations, using the Internal Inspections Report – IT Operations. Internal inspections of contractors with access to FTI and any off-site storage facilities must also be completed. All scheduled and completed internal inspections should be provided to the IRS Office of Safeguards on the Internal Inspections Implementation Report.

Safeguards Technical Assistance by Topic
The IRS has recommendations and discussions on various Safeguards Program topics available for agencies to help stay in compliance. These documents may assist with preparation of reports, protecting federal tax information, and knowing the legalities of the Safeguards Program.

Safeguards Videos

2016 Safeguards Security Awareness Videos
New videos are available for local, state and federal governmental agencies that receive federal tax information (FTI). The IRS Office of Safeguards has created videos (captioned in English and Spanish) to help explain key concepts in protecting the confidentiality of FTI.

Building New Systems, Policies and Procedures 
These videos are designed to assist local, state, and federal agencies in designing and building a new application or policies and procedures containing Federal Tax Information (FTI).

Protecting Federal Tax Information 
Short video on the overall protection of Federal Tax Information (FTI).

References/Related Topics

Physical Security and Disclosure References/Related Topics
Publication 1075 requirements pertaining to the protection of FTI in a physical environment and the disclosure of FTI to other persons are available in the Safeguard Disclosure Security Evaluation Matrix.

Document Version Release Date
Safeguard Disclosure Security Evaluation Matrix (SDSEM) (XLS) 3.0 9/12/2012


Safeguards Alert Memorandums
The following resources address recent security trends regarding the protection of FTI.

Document Version Release Date
Alert Memo – Integrated Eligibility Systems 2.0 9/10/2015
Alert Memo – Protecting FTI On Mainframes with Open Port 23 N/A 6/17/2013
Alert Memo – Multi-factor Authentication Implementation N/A 6/17/2013
Alert Memo – Windows Server 2003 End of Life N/A 1/21/2015
Alert Memo – Windows XP End of Life N/A 4/9/2014


Computer Security Compliance References/Related Topics
The following Computer Security Evaluation Matrix (SCSEM) downloads are available for use in preparing an IT environment that will receive, process, or store FTI.

Document Version Release Date

Application – Generic Application SCSEM (XLS) 2.0 3/25/2016
Application - Oracle Public Sector Revenue Management (PSRM) (formerly Enterprise Taxation and Policy Management (ETPM)) 2.0 3/25/2016
Application – GenTax SCSEM (XLS) 2.0 6/17/2016
Application – RSI Revenue Premier SCSEM (XLS) 2.0 3/25/2016
Application – Teradata SCSEM (XLS) 2.0 3/25/2016
 
Database – DB2 SCSEM (XLS) 1.0 3/25/2016
Database – DB2 zOS SCSEM (XLS) 2.0 3/25/2016
Database – Oracle 11g SCSEM (XLS) 2.0 3/25/2016
Database – Oracle 12c SCSEM (XLS) 1.0 3/25/2016
Database – SQL Server 08 and 12 SCSEM (XLS) 2.0 3/25/2016
Database – Generic Database SCSEM (XLS) 2.0 3/25/2016
Database – Data Warehouse SCSEM (XLS) 2.0 3/25/2016
 
Mainframe – ACF2 SCSEM (XLS) 2.0 3/25/2016
Mainframe – IBMi SCSEM (XLS) 2.0 3/25/2016
Mainframe – RACF SCSEM (XLS) 2.0 3/25/2016
Mainframe – Top Secret SCSEM (XLS) 2.0 3/25/2016
Mainframe – UNISYS SCSEM (XLS) 3.0 3/25/2016

 
Management, Operational and Technical (MOT) (XLS) 3.0 3/25/2016
 
Network – Firewall SCSEM (XLS) 1.0 5/29/2015
Network – Network Assessment SCSEM (XLS) 1.5 6/3/2015
Network – Storage Area Network SCSEM (SAN) (XLS) 2.0 3/25/2016

Network – Switch/Router SCSEM (XLS) 2.0 3/25/2016
Network – Virtual Private Network (VPN) SCSEM (XLS) 2.0 3/25/2016
Network – Voice Over Internet Protocol (VoIP) SCSEM (XLS) 2.0 3/25/2016
Network – Wireless Local Area Network (LAN) SCSEM (XLS) 2.0 3/25/2016

 
Other – Cloud Computing SCSEM (XLS) 2.1 3/25/2016
Other – Generic Operating System SCSEM (XLS) 2.0 3/25/2016
Other – Mobile Devices SCSEM (XLS) 2.0 3/25/2016
Other – OpenVMS SCSEM (XLS) 2.0 3/25/2016

Other – Printer SCSEM (Multi-Function Device and High Volume Printer) (XLS) 2.0 3/25/2016
Other – Web Server SCSEM (XLS) 2.0 3/25/2016

 
Generic *NIX Systems SCSEM (XLS) 1.7 3/25/2016
AIX 6 and AIX 7 SCSEM (XLS) 1.2 3/25/2016
Oracle Solaris 10, 11, and 11.1 SCSEM (XLS) 1.0 3/25/2016
Red Hat Enterprise Linux 5 and 6 SCSEM (XLS) 1.2 3/25/2016
SUSE and Linux 11 (XLS) 1.1 3/25/2016
Oracle Linux 5 and 6 SCSEM (XLS) 1.1 3/25/2016
 
Virtualization – VMWare ESXi 5.0 SCSEM (XLS) 2.0 3/25/2016
Virtualization – VMWare ESXi 5.5 SCSEM (XLS) 1.0 3/25/2016
 
Microsoft Windows 7 SCSEM (XLS) 1.3 3/25/2016
Microsoft Windows 8 SCSEM (XLS) 1.2 3/25/2016
Microsoft Windows Server 2008 SCSEM (XLS) 1.3 3/25/2016
Microsoft Windows Server 2008 R2 SCSEM (XLS) 1.3 3/25/2016
Microsoft Windows Server 2012 SCSEM (XLS) 1.2 3/25/2016
Microsoft Windows Vista SCSEM (XLS) 1.4 3/25/2016
Microsoft Windows 10 SCSEM (XLS) 1.0 3/25/2016
 
Macintosh OSX 10.8 SCSEM (XLS) 2.0 3/25/2016

 

Automated Testing
The IRS Office of Safeguards utilizes Tenable’s industry standard compliance and vulnerability assessment tool, Nessus, to evaluate the security of systems (e.g., Windows, *NIX, Cisco) that store, process, transmit or receive Federal Tax Information. We use Nessus to conduct configuration compliance checks using Center for Internet Security (CIS) benchmarks supplemented with some IRS-specific requirements. This process has been developed to provide agencies with enhanced information regarding the security controls in place to protect FTI.

Page Last Reviewed or Updated: 07-Dec-2016