Contractor Security Information


Our contractors must participate in a background investigation process and complete security training before starting work.

Security Forms for IRS Investigations

You must send specific forms and documents to start a background investigation after your contract has been awarded but before starting work. To identify the documents you need, contact the Contracting Officer's Representative (COR) of the awarded contract.

After we award you the contract, email all investigation packages to Contractor Security Management. We may accept a security clearance granted through other federal agencies. You will need to send documentation as evidence of your clearance through another federal agency. There may be additional requirements not listed on this page.

If you have questions or concerns, please contact your COR.

IT Security Training

Training Requirements

You must complete security awareness and role-based security IT training before beginning work and each year after completing the trainings. The trainings are available on IR Web which requires IRS LAN access. A text version is available if you do not have IRS LAN access.

Contact your IRS COR for more details on these policies.

You must take one or more of the five (5) awareness briefings below before we grant you access to facilities, systems or sensitive but unclassified (SBU) data:

  • Information Systems Security (ISS) covers systems access
  • FMSS Facilities Management and Security Services covers physical security
  • Privacy, Information Protection and Disclosure
  • UNAX Unauthorized Access Briefing
  • Inadvertent Sensitive Information Access

You must report the awareness training completion by sending Form 14616, Contractor Security Awareness Training Certification and Form 11370, UNAX, to your COR for submission.

Additional information is available in Policy & Procedures 24.1 . Contact your COR for more details on these briefings.

You must complete security training pertinent to your role if you perform system administration, network administration, database administration, programming, developing or other specialized information technology security services listed below. Security training is also required if your work is 50 percent or more related to the Federal Information Security Act (FISMA).

If you work in more than one position, then you must complete the greater number of security training hours between the different positions. You must complete training outside the IRS. SITS training is not available through our systems or links.

Send the certificates of completion to your COR.

Specialized Information Technology Roles, and Hours of Training Required for Each Role Per IRM 10.8.1 and IRM 10.8.2.

The following Specialized IT Roles each require 8 hours of training:

  • Computer Audit Specialist
  • Database Administrator (DBA)
  • Enterprise Architect
  • Functional Workstation Specialist
  • Information System Security Engineer
  • Live Data Functional Coordinator (LDFC)
  • Management/Program Analyst
  • Network Administrator (NA)
  • Physical Security Analyst
  • Physical Security Specialist
  • Program Developer/Programmer Security Specialist (SecSpec)
  • System Administrator (SA)
  • System Designer
  • Systems Operations Staff
  • Technical Support Staff (Desktop)
  • Telecommunications Specialist
  • User Administrator (UA)
  • Web Developer

Data Breach Information for Contractors

You're responsible for protecting all information entrusted to you. This information includes federal tax returns, return information and other information subject to the Privacy Act. Internal Revenue Code Section (§)6103 (Cornell Law School) outlines the steps you need to take to protect and disclose confidential returns and return information. The Privacy Act of 1974 (Department of Justice) outlines what you need to do to protect information covered by the Act.

You're prohibited by federal law from disclosing federal returns or return information unless allowed by statute. You and those who work for you have a responsibility to understand and apply the provisions of the law that relate to your job.

Publication 4812, Contractor Security Controls

You must follow Publication 4812, Contractor Security ControlsPDF, if you have information, will need access to information, or maintain or use information systems.

You must be aware of your responsibilities under the law to safeguard sensitive information.  Publication 4465-A, Protecting Federal Tax Information for ContractorsPDF, contains the steps you need to take when data is lost or compromised and the penalties for unauthorized disclosure.

You must follow breach response policies and procedures as defined in Publication 4812, Section 18, Incident Response, when responding to an identified unauthorized disclosure or data breach.

You must report all accidental unauthorized disclosures of tax information to your Contracting Officer’s Representative (COR) or Project Manager within one hour of detection. Your COR is the liaison responsible for managing the contract and communicating with you. Your COR will report the disclosure to incident management using the incident reporting form.

You should assign a trained Point of Contact (POC) to help with mitigating the breach. To notify the COR, create a breach report with the below information:

  • Name of contact for resolving data breach with contact information,
  • Date and time the breach occurred,
  • Date and time the breach was discovered,
  • How the breach was discovered,
  • Description of the breach and the data involved, including specific data elements, if known,
  • Potential number of FTI records involved; if unknown, give a range, if possible,
  • Address where the breach occurred and
  • Any information technology (IT) involvement (e.g., laptop, server or mainframe).

Contact your COR immediately if FTI may has been involved in an unauthorized disclosure or data breach. Then conduct your internal investigation to confirm this information.

Notification to affected individuals regarding an unauthorized disclosure or data breach is based upon the Breach Response Plan.