Security During Transmission of MeF Returns Using the Internet

 

Transmitters may use the internet to transmit electronic return data to the IRS Modernized e-File (MeF) system.  The design of the Internet Filing Application (IFA) and Application to Application (A2A) features Web Services-Interoperability (WS-I) security standards as discussed in more detail below. 

The IRS Mission Assurance and Security Services (MA&SS) organization and Modernization and System Security Engineering (M&SSE) and Privacy function ensure all IRS systems used to receive, process and store tax return data are secure.  ANY AND ALL access to tax return data is protected, fully controlled, monitored, verified, and logged for analysis of potential abusive or malicious purposes.

OMB Circular A-130 and the Federal Information Security Management Act (FISMA) (Title III of the E-Government Act, P.L. 107-347) require major applications such as MeF to undergo a Certification and Accreditation (C&A) Process.

  • Certification is a formal review and test of the security safeguards implemented to determine whether the system provides adequate security that is commensurate with the risk of operating the system on the IRS information technology infrastructure.
  • Accreditation is the formal authorization by the Executive Level Business Owner responsible for the operation of the MeF system and the explicit security. 

Specific guidance is provided by various National Institute of Standards and Technology (NIST) special publications (the “800” series).  The process must include formal review and testing of the design and implementation of the system’s security controls.  The IRS M&SSE organization and the business system owner were jointly responsible and actively involved in completing the IRS C&A Process for MeF.

IFA and A2A are hosted within the IRS’ Modernized System Infrastructure and are accessed through the Registered User Portal (RUP).  Transmitters are required to use a unique user name and password in conjunction with their Electronic Filer Identification Number (EFIN) and Electronic Transmitter Identification Number (ETIN) data in order to log in to the RUP.  Once the transmitter successfully logs in to the RUP, the Secure Sockets Layer (SSL) Handshake Protocol allows the RUP and transmitter to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before the first byte of return data is transmitted.  This connection is private.  The transmitter (the transmitter's browser for the IFA channel, or the transmitter's Web Service client for the A2A channel) and the RUP negotiate a secret encryption key for encrypted communication between the transmitter and the MeF system.  This secret key is shared only between the transmitter and the RUP and is not known to any individual.  The transmission is part of a secure communications protocol, HTTPS/SSL.

The strength of the encryption key used determines how difficult it is for anyone to decode the key and thereby decode the return data.  IRS uses SSL 3.0 128-bit encryption for access to the RUP.  The key created for each transmission is almost impossible to break, since a 128-bit key has as many combinations as the number of water molecules in 2.7 million Olympic-size swimming pools.  The secure SSL tunnel also protects the return data from being intercepted while in transit.
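
An added example (not IRS code): one way a transmitter's A2A web service client could inspect what the handshake negotiated before the first byte of return data is sent. The 128-bit floor is the figure given above; the function names, the host and port arguments, and the sample tuples are assumptions made for illustration.

```python
import socket
import ssl

MIN_SECRET_BITS = 128  # key strength this page cites for access to the RUP


def check_negotiated(cipher, min_bits=MIN_SECRET_BITS):
    """Return problems with a finished handshake; an empty list means OK.

    cipher is what ssl.SSLSocket.cipher() returns: a tuple
    (cipher_name, protocol, secret_bits), or None if nothing was negotiated.
    """
    if cipher is None:
        return ["handshake not completed, nothing was negotiated"]
    name, _protocol, bits = cipher
    problems = []
    if bits is None or bits < min_bits:
        problems.append(f"{name}: {bits}-bit key is below the {min_bits}-bit floor")
    # OpenSSL names anonymous key-exchange suites ADH-* / AECDH-*: they
    # encrypt but do not authenticate the server.
    if name.startswith(("ADH-", "AECDH-")):
        problems.append(f"{name}: anonymous suite, server is not authenticated")
    return problems


def send_after_handshake(host, port, payload, timeout=10):
    """Hypothetical client: handshake, check the result, only then send."""
    ctx = ssl.create_default_context()  # verifies certificate chain and host name
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # wrap_socket() completes the handshake before it returns
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            problems = check_negotiated(tls.cipher())
            if problems:
                raise ConnectionError("not transmitting: " + "; ".join(problems))
            tls.sendall(payload)
            return tls.cipher()


# Constructed sample values in the shape cipher() returns (not captured traffic).
SAMPLES = [
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128),
    ("EXP-RC4-MD5", "SSLv3", 40),
    ("ADH-AES128-SHA", "SSLv3", 128),
    None,
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_negotiated(sample) or "ok")
```
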