The Safeguards Program and staff are responsible for ensuring that federal, state and local agencies receiving federal tax information protect it as if the information remained in IRS’s hands.
These agencies and their contractors receiving federal tax information must protect the confidentiality of return information and are periodically reviewed by Safeguards personnel to ensure they meet the safeguarding requirements of IRC 6103(p)(4). These requirements include employee awareness programs, proper disposal, secure storage and computer security among others.
The updated version of Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies (PDF) (Rev. 11/16) contains specific requirements for safeguarding federal tax information.
Comments and suggestions on the revised Publication 1075 can be forwarded to the safeguards mailbox at: email@example.com.
Frequently Asked Questions
Answers to commonly asked questions about various Safeguards topics, including Q&As regarding the Safeguard Security Report (SSR).
Publication 1075 Notification Requirements
Safeguarding requirements may be supplemented or modified between editions of Publication 1075 by guidance issued by Safeguards.
FOIA Request Memorandum
Important information on how federal, state and local agencies should respond to FOIA, Open Records or similar information-sharing requests for any IRS safeguard report or related communications in the possession of a federal, state or local agency.
Child Support Resources
Guidance regarding Tribal child support enforcement agencies (12-2016) is now included.
See “Safeguards Alert Memorandums” below for trending security concerns.
Office hours notes: Background investigation requirements
Publication 1075 requires agencies to use approved report templates and to transmit the reports electronically. These reports must be encrypted and submitted to the firstname.lastname@example.org mailbox.
Reporting Unauthorized Accesses, Disclosures or Data Breaches
Local, state and federal agencies receiving federal tax information must follow the revised provisions of Section 10 of Publication 1075 (PDF) (Coming soon) upon discovering a possible improper inspection or disclosure of FTI, including breaches and security incidents. Agencies must contact the Treasury Inspector General for Tax Administration and IRS Safeguards immediately, but no later than 24 hours after identification of a possible issue involving federal tax information. Agencies are not to wait until after their own internal investigation has been conducted.
Contacting TIGTA is critical to expedite the recovery of compromised data and identify potential criminal acts. IRS Safeguards investigation focuses on identifying processes, procedures or systems within the agency with inadequate security controls which led to the incident.
Internal Inspections Reports
Section 6.4 of Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities, requires agencies receiving federal tax information (FTI) to establish a review cycle as follows:
- Local offices receiving FTI: at least every three years
- Headquarters office facilities housing FTI and the agency computer facility: at least every 18 months
- All contractors with access to FTI, including a consolidated data center or off-site storage facility: at least every 18 months
In addition, the agency must:
- Complete a documented schedule (internal inspection implementation report) detailing the timing of all internal inspections in the current year and next two years (three-year cycle) and
- Develop and monitor a Plan of Action and Milestones (PO&AM), which includes all corrective actions identified and the actions the agency plans to take to resolve the findings
Below are templates to assist agencies in meeting the Internal Inspections requirements. The use of these templates is not a requirement if the agency has developed documents that meet the requirements in Publication 1075, Section 6.4.
- Internal Inspections Report
- Internal Inspections Implementation Plan
- Internal Inspection Plan of Action and Milestones
Safeguards Technical Assistance by Topic
The IRS has recommendations and discussions on various Safeguards program topics available for agencies to help stay in compliance. These documents may assist with preparation of reports, protecting federal tax information, and knowing the legalities of the Safeguards Program.
2016 Safeguards Security Awareness Videos
New videos are available for local, state and federal governmental agencies that receive federal tax information (FTI). IRS Safeguards has created videos (captioned in English and Spanish) to help explain key concepts in protecting the confidentiality of FTI.
Building New Systems, Policies and Procedures
These videos are designed to assist local, state, and federal agencies in designing and building a new application or policies and procedures containing Federal Tax Information (FTI).
Protecting Federal Tax Information
Short video on the overall protection of Federal Tax Information (FTI).
Updates to Publication 1075 – Part 1
This podcast, part one, covers three key changes featured in the September 2016 revision of Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies.
Updates to Publication 1075 – Part 2
This podcast, part two, covers four key changes featured in the September 2016 revision of Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies.
Use of Automated Tools
To enhance our ability to identify, monitor and mitigate risk to FTI, Safeguards uses an automated tool during on-site reviews.
Physical Security and Disclosure References/Related Topics
Publication 1075 requirements pertaining to the protection of FTI in a physical environment and the disclosure of FTI to other persons are available in the Safeguard Disclosure Security Evaluation Matrix.
- Safeguard Disclosure Security Evaluation Matrix (SDSEM) (XLS)
Safeguards Alert Memorandums
The following resources address recent security trends regarding the protection of FTI.
| Alert Memo – Integrated Eligibility Systems | | |
| Alert Memo – Protecting FTI On Mainframes with Open Port 23 | N/A | 6/17/2013 |
| Alert Memo – Multi-factor Authentication Implementation | N/A | 6/17/2013 |
| Alert Memo – Windows Server 2003 End of Life | N/A | 1/21/2015 |
| Alert Memo – Windows XP End of Life | | |
Computer Security Compliance References/Related Topics
The following Computer Security Evaluation Matrix (SCSEM) downloads are available for use in preparing an IT environment that will receive, process, or store FTI.
The IRS Office of Safeguards utilizes Tenable’s industry-standard compliance and vulnerability assessment tool, Nessus, to evaluate the security of systems (e.g., Windows, *NIX, Cisco) that store, process, transmit or receive Federal Tax Information. We use Nessus to conduct configuration compliance checks using Center for Internet Security (CIS) benchmarks supplemented with some IRS-specific requirements. This process has been developed to provide agencies with enhanced information regarding the security controls in place to protect FTI.