The Safeguards Program and staff are responsible for ensuring that federal, state and local agencies receiving federal tax information protect it as if the information remained in IRS’s hands.
These agencies and their contractors receiving federal tax information must protect the confidentiality of return information and are periodically reviewed by Safeguards personnel to ensure they meet the safeguarding requirements of IRC 6103(p)(4). These requirements include employee awareness programs, proper disposal, secure storage and computer security among others.
Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities (PDF), contains specific requirements for safeguarding federal tax information. The revisions to Publication 1075 became effective on December 14, 2007, and tighten controls to protect federal tax information.
Reporting Requirements
IRS’ revised Publication 1075 updates reporting requirements. Agencies must now use approved report templates and transmit reports electronically. The revised Publication 1075 requires submission of the Safeguard Activity Report (SAR) and the Safeguard Procedures Report (SPR) using approved templates developed by the Office of Safeguards. In addition, agencies must submit these reports electronically using the IRS approved encryption method of WinZip. Refer to e-mail Encryption Procedures Using the WinZip Utility.
Recommendations on how to become compliant with the new requirements
Given the significant changes in technical safeguards requirements found in Sections 4, 5 and 6, the IRS has some recommendations for agencies to become compliant with the new requirements.
Safeguards Technical Assistance by Topic
The IRS has recommendations and discussions on various Safeguards Program topics available for agencies to help stay in compliance. These documents may assist with preparation of reports, protecting federal tax information, and knowing the legalities of the Safeguards Program.
-
Help for Completing the Required Safeguard Procedures Report.
An agency requesting Federal Tax Information (FTI) must submit a Safeguard Procedures Report (SPR) at least 45 days before the scheduled or requested receipt of FTI according to Section 2.0 of Publication 1075. In addition, a new SPR must be submitted whenever significant changes occur in an agency’s safeguard program or every six years. Two documents, Top Five Problems Agencies Encounter With SPR Processing and Helpful Hints-Preparing a Safeguards Procedures Report (SPR) are available to help agencies submit SPRs that contain clear and sufficient information in order to receive the requested FTI. Sample SPR is also available.
-
Managerial, Operational and Technical Policies
IRS has guidance on creating Managerial, Operational and Technical Policies and integrating them with an organizational security policy and program.
-
Media Sanitation Methods
When confidential taxpayer information is no longer needed, CDs, DVDs, magnetic tapes, and other media need to be sanitized. Several factors need consideration when deciding the method for media sanitation. IRS and the National Institute of Standards & Technology have provided guidelines for choosing one of the four methods of sanitizing and ensuring the success of the disposed information.
-
Meeting IRS Safeguards Audit Requirements
Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities, provides very detailed audit requirements, but how these requirements cut across various IT layers e.g. Operating System, Database, and Application to provide end-to-end auditing might not be as apparent and straight forward. The IRS Office of Safeguards hopes to assist agencies in better understanding and implementing audit based requirements for Safeguards.
-
Meeting Safeguard Requirements with Agency Internal Audits
The IRS Office of Safeguards can provide guidance and clarification on how Agency Internal Audits can be helpful in meeting some of the Safeguarding requirements and also provide coverage for security evaluations on a continuous basis.
-
Planning to Contract Could Require an IRS Contact
Governmental agencies entrusted with FTI and holding the authority to re-disclose this information to contractors must follow the statutory/regulatory requirements with respect to safeguarding the FTI. The IRS must be properly notified at least 45 days prior to executing any agreement to disclose FTI to a contractor. If the specific procedures are not adhered to, an agencys continued access to FTI could be jeopardized.
-
Preventing Data Leakage Safeguards Technical Assistance
Data leakage is becoming more common throughout industry and government, leading to the development of software and procedural techniques to detect and prevent such occurrences. Research and guidance on data leakage in the IRS Safeguards Program is available for agencies.
-
Safeguards Technical Assistance
Agencies that have not gone through the revised Publication 1075 (Tax Information Security Guidelines for Federal, State and Local Agencies and Entities) based Safeguard review often have questions related to the Managerial, Operational and Technical (MOT) SCSEM (e.g. what is it based on, why is it needed, and how can we prep for it). By proactively addressing these types of questions in a technical assistance memo, the IRS Office of Safeguards aims to provide consistent and timely information to the agencies. It will also assist in preparation for the upcoming Safeguard review.
-
Use of Collaborative Tools
Agencies and businesses increasingly rely on digital forms of communication for computer-based real-time collaboration. These software applications provide virtual space, which enables participants to communicate via voice, video, chat, whiteboard, and can share user desktops, applications and documents. However, these types of collaborative tools are not suitable for transmitting FTI across encrypted tunnels.
-
Warning Banner Must be Used When Housing Federal Tax Information
In accordance with Section 6.2 of Publication 1075, warning banners must be used during initial logon on computers housing federal tax information. The Office of Safeguards recommends text to fulfill this requirement.
Questions?
Please send questions to Safeguards program. Depending upon the volume and diversity of the questions, we will either answer you directly or add additional information to this site to address your question.
References/Related Topics
|