
Privacy Impact Assessment - Criminal Investigation Management Information System

 

Approved - Sept. 18, 2008

System Overview
The IRS Criminal Investigation Management Information System (CIMIS) is a management tool for tracking the status and progress of CI investigations, time expended by CI employees, employee information, and IRS CI investigative equipment.

The purpose of the Criminal Investigation Management Information System (CIMIS) is to be the primary management and supervisory support tool for IRS Criminal Investigation (CI), by providing accurate, real time information on CI operations to all levels of management throughout the CI organization. CIMIS is the vehicle that collects, compiles, and delivers information on investigative activities and legal actions to authorized users within CI. Data contained in CIMIS are also used to respond to congressional mandates, Treasury regulations, Office of Management and Budget (OMB) requirements and IRS directives. CIMIS is relied upon heavily for preparing congressional testimony and for releasing information on prosecutions resulting from CI investigations to the media. CIMIS is the central tool used by CI management to achieve effective execution and coordination of investigative activities, and to ensure CI’s progress toward IRS strategic enforcement goals.

The role of CIMIS in CI’s management and oversight of criminal investigations is critical to the IRS’ strategic goal of enhancing the enforcement of the nation’s tax laws. The results of CI’s investigations and outcomes of follow-on prosecutions are highly visible demonstrations of the consequences of tax law violations, and serve as powerful deterrents to individuals who consider evasion or abuse of the nation’s tax systems. Further, by enabling CI to better manage its investigative resources, CIMIS will act as a “force multiplier”, further improving CI’s ability to identify and prevent tax and financial criminal activity, both domestically and overseas.

Capabilities include direct data entry from the field, real time query, and report features. Data from this application is also exported to other applications. These include the Asset Forfeiture Tracking System (AFTRAK), the Electronic Total Investigative Processing System (e-TIPS), the Investigative Scanning Document Management (ISDM) system, the Information Technology Asset Management System (ITAMS), and the Public Information Officers Database (PIOneer), as well as several other systems and/or agencies external to the IRS, including the Treasury Enforcement Communication System (TECS).

Systems of Records Notice (SORN)

  1. Treasury/IRS 46.002 – Criminal Investigation Management Information System (CIMIS)
  2. Treasury/IRS 34.037 – IRS audit trail and security records system


Data in the System

1. Describe the information (data elements and fields) available in the system in the following categories:

A.  Taxpayer
B.  Employee
C.  Audit Trail Information (including employee log-in info)
D.  Other (Describe)

A.  Taxpayer.  Includes data related to the identity of the individual, the tax forms they have filed, an estimated criminal tax deficiency, terms of probation involving taxes, and other information regarding potential criminal tax and other financial investigations.

  • Name
  • Doing Business As (DBA)
  • Alias
  • Identity Type
  • Affiliation to Subject
  • Taxpayer Information Number (TIN)
  • Other Identifying Numbers (driver’s license, passport, etc.)
  • Address
  • Date of Birth
  • Gender
  • Type of Tax Forms
  • Preparer Name

B.1.   CI Employee. Compared to investigative data, employee data is stored in separate business tables and tracked in separate log tables, and access is granted based on separate user roles.

  • Name
  • SSN (in future updates to CIMIS, employees’ SSNs will be partially masked in reports, with the ultimate goal of eliminating SSNs from the CIMIS database)
  • Identification Number (SEID)
  • Date of Birth
  • Retirement Plan and 6C Date
  • Service Computation Date
  • Award/Type
  • Type/Date of Background Investigation
  • Security Clearance
  • Skills
  • Education/Degree/Graduation
  • Position
  • Management Assignments and Training
  • Time Reporting Data

B.2 Non-CI Employee.  Non-CI employee data is limited to name, title and organization within specific investigative data, e.g., a requesting or cooperating revenue agent.  The employee can be another IRS employee. 

  • Name
  • Address
  • Phone Information
  • CI Affiliation

C.  Audit Trail Information. 
Employee log-in and data entries/modifications within CIMIS, in accordance with LEM 25.10.8 and 25.10.7, from the Windows Operating System event logs and SQL Server event and trace logs.

  • User ID
  • Workstation
  • Type of Action
  • Date
  • Time

D.  Other 
Inventory and assignment of equipment, and vehicle expense and mileage information.  Strictly speaking, the data below does not contain privacy information; however, equipment inventory is tied to an employee within CIMIS, and as a result could ultimately be used to identify an individual.

  • Equipment ID Number
  • Order Information (date, intended organization, etc.)
  • Acquisition Information (date, amount, etc.)
  • Category/Sub-category/Sub-category Class
  • Description
  • Purpose
  • Manufacturer
  • Model
  • Serial Number
  • Vehicle Specific Information (model year, license plate #, initial odometer reading, etc.)
  • Vehicle Maintenance Expenses and Mileage Information
  • Shipment and Consignment Information
  • Assignment and Storage Information
  • Disposal Information (dates, disposal, proceeds)

2. Describe/identify which data elements are obtained from files, databases, individuals, or any other sources.

A.  IRS
B.  Taxpayer
C.  Employee
D.  Other Federal Agencies (List)
E. State and Local Agencies (List agency)
F. Other third party sources (Describe)

A.  IRS 
IDRS (identity and tax return information - see 1.A above) – this data is manually entered into CIMIS.

B.  Taxpayer 
Identity and tax return information may be provided by the taxpayer or their designated representatives through interviews and document requests (identity and tax return information, see 1.A above)

C.  Employee 
All employee related information, see 1.B above

D.  Other Federal Agencies 
Agency investigative data is generally not reflected in CIMIS; however, some exceptions include:

  • Department of Justice (DOJ) may provide administrative information (legal opinions/authorizations) and results of judicial proceedings
  • Financial Crimes Enforcement Network (FinCEN) may provide taxpayer identity information (see 1.A above)
  • United States Postal Inspection Service (USPIS) may supply mail cover approvals and corresponding dates
  • Any agency may provide or confirm identity information and criminal allegations

E.  State and Local Agencies.
Agency investigative data is generally not reflected in CIMIS.  Any agency may provide or confirm identity information and criminal allegations.  (Taxpayer identity information, see 1.A above.)

F.  Other third party sources. 
Informants and other third party source information is generally not reflected in CIMIS.  Their names may be listed as associate identities or they may provide additional taxpayer identifying information and criminal allegations.  (Taxpayer identity information, see 1.A above)

3.  Is each data item required for the business purpose of the system? 
The data collected is required for CIMIS to track CI investigations, employee data, hours spent on investigations, and equipment inventory.

4. How will each data item be verified for accuracy, timeliness, and completeness?
Different levels of CI Management will be responsible for reviewing data entries in CIMIS.  Periodic reviews and inventories are conducted specifically to measure the accuracy, timeliness and completeness of data entered into CIMIS.  In addition, CI Management conducts complete reviews of the inventory within CIMIS once every three years to ensure accuracy. 

CIMIS does not receive data from other systems.  However, for data entered into the system, validity checks within the application are utilized to verify accuracy and completeness.

5. Is there another source for the data?
Employee time records can be accessed via Diary.  Diary is a desktop application used by agents to record their time. While CIMIS is the source of record, data is stored semi-permanently in that desktop application until it is recorded into CIMIS. 

However, there is no other source of data for the type of information that will be contained in CIMIS.

6. Generally, how will data be retrieved by the user?
Data will be retrieved through the view and edit capability of the application, from preformatted reports, and/or through a designed query.

7. Is the data retrievable by a personal identifier such as name, SSN, or other unique identifier?
Employee data can be retrieved by name, SSN, SEID, and a system generated unique identifier. 

CI employee data must be maintained per Internal Revenue Manual (IRM) 1.15.30 Records Management, Records Control Schedule for Criminal Investigation, January 1, 2003.  Prior to SEID numbers being assigned to IRS CI employees, only the SSN was used to provide information on CI employees.  The SSN is the only valid number to identify former employees and employees whose marital status (i.e., last name) has changed.

Investigation data can be retrieved by name, TIN and system generated unique identifier.

Equipment data can be retrieved by assignment name and a system generated unique identifier.

Access to the Data

8. Who will have access to the data in the system (Users, Managers, System Administrators, Developers, Others)?
All CI personnel (Users, Managers, System Administrators, Developers, Others) can gain access to the system if approved by Management.  Access controls are in place and are enforced primarily by controlling access to the Windows-based operating system and by controlling access to CIMIS itself through user roles. These roles grant activity permissions and limit the organizational data scope for those permissions to five main areas:  personnel, equipment, administrative, investigation, and time reporting.  Individuals are given read, write, or approval roles to the data contained within a given area.  In addition, each section has a super user role that allows the user to correct and fix data within that section.

For a complete listing of user roles and their permissions, please see the Roles and Activities Matrix.  This matrix is too large to include in this document, but can be obtained by contacting the “Requesting Contact” named at the beginning of this document.

9. How is access to the data by a user determined and by whom?
Access is granted on a need-to-know basis by CI management, and is restricted through the use of user roles identified in the CIMIS application.  Access is documented through the use of logs and audit trails.

  1. Every user obtaining access to CIMIS is assigned a user role that determines his access to data.  The user’s scope/level of access is based on a need to know, as determined by management.  For example, agents may view their own employee data (personnel and time reporting) as well as investigative data pertaining to their assignments (investigative).  Management has access to their own data and that of employees they supervise (personnel) as well as all investigations they have supervisory authority over (investigations).  Support personnel (all areas), administrators (database administration) and developers (upgrades, repairs, troubleshooting) are governed by the same rules.
  2. The CI employee requesting permissions in the CIMIS system, hereinafter referred to as the “user”, must first have an active, valid CI network account.  In order for the user to have been granted a CI network account, the user must meet rigorous requirements which include mandatory drug testing and background investigation.  Contractors receive restricted access, also based on their need to know as determined by CI management, and must pass a drug test and limited background check.
  3. Each office is advised to have a primary and backup person serving as the local office CIMIS User Administrator.  User roles are determined by management based on five broad subject areas within the system:  personnel, equipment, investigation, time reporting, and administration. Based on the user’s responsibility, the administrator will provide the user with the user information that must be entered in the Online 5081 (OL5081) system when requesting new or modified access.
  4. The Online 5081 (OL5081) process is used to document access requests, modifications, and terminations for all types of users. A user’s manager or designated official must approve the addition of, modification of, or deletion of, the user’s role(s) and organizational data scope. 
  5. The approved request is then electronically forwarded to the local office user administrators, who will review and approve the request for permissions as the FSC/USR in OL5081.  These CIMIS subject matter experts (SMEs) have been specifically trained in proper user administration.
  6. Lastly, the approved request is then electronically forwarded to the HQ persons designated to provide the final approval as the Security/SA official.  Subsequently, the requesting user is notified by the OL5081 system that the request has been granted.
  7. Once the request has been approved by the FSC/USR, the actual creating or editing of user profiles in CIMIS may be done by either the local office User Administrator or the HQ CIMIS user administrators.

10. Do other IRS systems provide, receive, or share data in the system?  If YES, list the system(s) and describe which data is shared.  If NO, continue to Question 12.
Yes. CIMIS does not receive any data from other IRS systems; however, the following systems receive limited data extracts from CIMIS:

  • eTips
  • AFTRAK
  • ISDM
  • PIOneer
  • ITAMS

The list of data elements received by each system is too extensive to include in this document.  Please reference the CIMIS Interface Control Document for more information.  This document can be obtained by contacting the “Requesting Contact” named at the beginning of this document.

11. Have the IRS systems described in Item 10 received an approved Security Certification and Privacy Impact Assessment?

Yes

eTips

  • C&A – 2/5/08
  • PIA – 1/6/07

AFTRAK

  • C&A – 5/30/06
  • PIA – 5/11/06

ISDM

  • C&A – Currently in development
  • PIA – 7/08

PIOneer

  • C&A – 5/30/06
  • PIA – 5/22/06

ITAMS

  • C&A – 6/5/06
  • PIA – 4/28/06

12.  Will other agencies provide, receive, or share data in any form with this system?
Yes. CIMIS does not receive any data from other agencies; however, CIMIS may provide the following information:

  • Audit logon information to the GAO and/or TIGTA pursuant to an investigation and/or their oversight function.
  • Investigation information to the DOJ, FinCEN, TIGTA, and TECS.
  • Equipment information to the Department of Treasury, GSA, and the GAO.
  • A data extract to the Financial Crimes Enforcement Network (FinCEN), the administrator of the Bank Secrecy Act (BSA).

Administrative Controls of Data

13.  What are the procedures for eliminating the data at the end of the retention period?
Data is never eliminated.  Per IRM 1.15.30.1, "The records described in Item 15, Investigative files, are frozen; therefore, disposal is not authorized at this time."  Per IRM Exhibit 1.15.30-1, investigative files are described as follows:

Investigative Files. Prosecution, non-prosecution and discontinued investigations (including withdrawal reports) together with related exhibits, workpapers, forms, correspondence and relative data that pertains to actual or alleged income and other tax evasions, wagering, coin-operated gaming devices, occupational and excise taxes, electronic surveillance recordings, memorandum, notes, etc., whether conducted by the IRS or received by the IRS from other sources, and other Actions investigated by the Criminal Investigation Division independently or jointly with other components of the Service.

(1) Regional office.
     (a) Disposal not authorized.

(2) District offices.
     (a) Disposal not authorized.
     (b) Retire to Federal Records Center 2 years after case is closed.

Note: If the Chief sees an impending need for the case file to effect civil settlement, or if the case is of significant interest, the file may be retained and returned to the Federal Records Center when no longer needed.

14.  Will this system use technology in a new way?  If "YES" describe.  If "NO" go to Question 15.
No. CIMIS will not use technology in a new way.

15.  Will this system be used to identify or locate individuals or groups?  If so, describe the business purpose for this capability.
Yes. CIMIS is the vehicle that collects, compiles, and delivers information on investigative activities to target an individual or group for tax law violations.

16. Will this system provide the capability to monitor individuals or groups? If yes, describe the business purpose for this capability and the controls established to prevent unauthorized monitoring.
Yes. Monitoring the case lifecycle against an individual, organization, business, etc., is the business purpose of the system.

17. Can use of the system allow IRS to treat taxpayers, employees, or others, differently?
Yes. CIMIS is the vehicle that collects, compiles, and delivers information on investigative activities to target an individual or group for tax law violations.  Therefore, by creating a case against a person who violates tax laws, CIMIS treats him/her differently from those who do not.

18.  Does the system ensure "due process" by allowing affected parties to respond to any negative determination, prior to final action?           
Yes. CIMIS stores information on criminal investigations, which are placed in our judicial system, which adheres strictly to the concept of due process.

19.  If the system is web-based, does it use persistent cookies or other tracking devices to identify web visitors?         
CIMIS is an intranet Web-based system for authorized CI employees. Cookies are not used to track access.  Audit logs and trails are used by CIMIS to track CI user access.


 


Page Last Reviewed or Updated: November 26, 2008