
10.8.1  Policy and Guidance

10.8.1.1  (12-16-2006)
Purpose

  1. This manual provides policies and guidance to be used by IRS organizations to carry out their respective responsibilities in information systems security. It provides guidance on all aspects of security for the protection of IT resources.

10.8.1.1.1  (12-16-2006)
Overview

  1. It is the policy of the IRS to establish and manage an Information Security Program within all its offices. This manual provides uniform policies and guidance to be used by each office.

  2. It is the policy of the IRS to protect its information resources and allow the use, access, and disclosure of information in accordance with applicable laws, policies, federal regulations, OMB Circulars, and Treasury Directives (TDs). All IT resources belonging to, or used by the IRS, shall be protected at a level commensurate with the risk and magnitude of harm that could result from loss, misuse, or unauthorized access to that IT resource.

  3. This policy delineates the security management structure, assigns responsibilities, and lays the foundation necessary to measure progress and compliance. Requirements in this policy are subdivided under three major security control areas: management, operational, and technical.

  4. This IRM establishes the IT security requirements framework for the subordinate detailed IRMs, Law Enforcement Manuals (LEMs), and subordinate Standard Operating Procedures (SOPs), Desk Procedures, Job Aids, etc., which shall be used to provide the detailed guidance for implementing the requirements of this IRM. If there is a conflict with or variance from this IRM within the subordinate documents, this IRM has precedence.

10.8.1.1.2  (12-16-2006)
Scope

  1. The provisions in this manual apply to all offices, business, operating, and functional units within the IRS, and are to be applied when IT is used to accomplish the IRS mission. This manual also applies to individuals and organizations having contractual arrangements with the IRS, including employees, contractors, vendors, and outsourcing providers, which use or operate IT systems containing IRS data.

  2. This policy governs all IRS information and information systems. For information systems that store, process, or transmit classified information, refer to IRM 1.9, National Security Information, for additional procedures for protecting classified national security information.

10.8.1.1.3  (12-16-2006)
IRM Section Topics

  1. This manual contains information on the following subjects:

    • Authority

    • General Policy

    • Management Controls

    • Operational Controls

    • Technical Controls

    • Deviations

    • Management Controls (see Exhibit 10.8.1-1)

    • Operational Controls (see Exhibit 10.8.1-2)

    • Technical Controls (see Exhibit 10.8.1-3)

    • Glossary (see Exhibit 10.8.1-4)

    • References (see Exhibit 10.8.1-5)

10.8.1.1.4  (12-16-2006)
Authority

  1. IRM 10.8.1 is issued in support of TD P 85-01 under the authority of TD 85-01.

  2. TD P 85-01, Treasury IT Security Program, is divided into two volumes.

    1. Volume I, Treasury IT Security Program Policy and Standards, provides a high-level view of IT security policy for senior executives, managers, and IT security practitioners.

    2. Volume II, Treasury IT Security Program Handbook, provides detailed IT security standards and procedures for the IT security practitioner.

10.8.1.2  (12-16-2006)
General Policy

  1. In accordance with Title III of the E-Government Act, known as the Federal Information Security Management Act (FISMA), the IRS shall develop, document, and implement a service-wide information security program supporting the operations and assets of this agency.

    1. There shall be no grandfathering of requirements contained in this IRM.

    2. There shall be no exceptions to the requirements of this IRM based on past practices.

  2. Information systems approved for classified processing, and their peripherals, shall not be connected to any system not approved for classified operation. Systems approved for classified processing shall not share peripherals with unclassified processing equipment except through National Security Agency (NSA)-approved switching devices. Approval for the use of switching devices shall be included in the accreditation documentation.

  3. The IRS Information Security Program shall:

    1. Assure the objectives of pertinent legislation, OMB Circular A-130, Appendix III, and the TDs are being met by establishing and ensuring compliance with security requirements, procedures, and guidelines to properly implement personnel security, physical security, information system security, telecommunications security, and operations security.

    2. Assure that General Support Systems (GSS) and major applications used by the IRS operate effectively and provide appropriate confidentiality, integrity, and availability (CIA), through the use of cost-effective management, operational, and technical controls;

    3. Assure that security commensurate with the risk and magnitude of harm that could result from the loss, misuse, or unauthorized access to or modification of information is provided for all information collected, processed, transmitted, stored, or disseminated in GSS and major applications;

    4. Implement policies, standards, and procedures which are consistent with government-wide policies, standards, and procedures issued by the OMB, the Department of Commerce, the General Services Administration (GSA), and the Office of Personnel Management (OPM). Different or more stringent requirements for securing national security information shall be incorporated into agency programs as required by appropriate national security directives;

    5. Provide for the protection of critical infrastructure in accordance with Homeland Security Presidential Directive 7 (HSPD-7), Critical Infrastructure Identification, Prioritization and Protection, by identifying critical assets and individual, proprietary, financial, tax, mission critical, or otherwise sensitive information;

    6. Ensure the ability to maintain processing during and following an emergency;

    7. Ensure the auditability of all information systems;

    8. Ensure management is responsible for designating the sensitivity of information, providing security controls, and certifying the adequacy of these controls;

    9. Ensure management accountability for resources entrusted to them in accomplishing IRS objectives; and

    10. Ensure individual accountability for the data, information, and other IT resources to which individuals have access.

  4. The IRS Information Security Program shall include:

    1. Risk assessments that consider internal and external threats to the CIA of systems and data supporting critical operations and assets;

    2. Policies and procedures that are based on the risk assessments associated with the operations and assets for programs and systems by cost effectively reducing information security risks to an acceptable level, and ensuring compliance with prescribed policies and procedures;

    3. Security Awareness Training and Education (Security ATE) to inform personnel of information security risks, procedures designed to reduce such risks, and their personal impact/responsibilities for both;

    4. Management testing and evaluation of the effectiveness of information security policies and procedures;

    5. A process for ensuring remedial action to address any significant deficiencies;

    6. Procedures for detecting, reporting, and responding to security incidents; mitigation of risks associated with such incidents before substantial damage occurs; notification/consultation with appropriate law enforcement officials and other offices/authorities; and

    7. Appropriate reporting to proper authorities of weaknesses and remedial actions.

  5. The IRS shall implement the provisions of FISMA to include the guidelines outlined in NIST publications, OMB circulars, and Federal Information Processing Standards (FIPS).

  6. All Treasury IT systems (including IRS systems) that generate, store, process, display, or transmit information shall be protected at a level commensurate with the sensitivity/criticality of the information processed and the potential impact of a security incident.

  7. This policy and all Cybersecurity IRMs shall be evaluated at least annually to ensure consistency with the IRS mission, functions, and associated laws, directives, regulations, and standards. They shall be updated when organizational reviews indicate updates are necessary.

10.8.1.2.1  (12-16-2006)
Roles and Responsibilities

  1. The IRS shall implement security roles in accordance with Federal laws and IT security guidelines (e.g., FISMA, NIST, OMB, etc.) that are appropriate for their specific operations and missions.

  2. Contact Cybersecurity for policy related to IT security roles and responsibilities.

10.8.1.3  (12-16-2006)
Management Controls

  1. The IRS shall implement management security controls to mitigate risk of IT applications and electronic information loss in order to protect the organization's mission.

10.8.1.3.1  (12-16-2006)
Risk Assessment

  1. The IRS shall assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of information systems and the associated processing, storage, or transmission of organizational information.

  2. The IRS shall conduct or update a system risk assessment as part of Certification and Accreditation (C&A) activities a minimum of every 3 years or whenever there is a significant change to the system, the facilities where the system resides, or other conditions that may affect the security or status of system accreditation.

  3. System risk assessments shall be reviewed annually.

  4. Cybersecurity shall establish pass/fail criteria mapped to policy checker tool compliance levels, based on an assessment of risk to the IRS infrastructure. Pass/fail criteria shall be reviewed and updated at least annually.

  5. Refer to NIST SP 800-30, Risk Management Guide for IT Systems, for additional guidance on conducting risk assessments.

10.8.1.3.1.1  (12-16-2006)
Criteria for Determining Sensitivity

  1. Sensitivity in an IT environment shall consist of the system, data, applications, and type of user.

  2. All systems and applications shall require some level of protection for CIA, which is determined by an evaluation of the sensitivity and criticality of the information processed, the relationship of the system to the organization's mission, and the economic value of the system components.

  3. FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, shall be followed for security categorization.

  4. Information and information systems shall be considered sensitive if one or more of the following security objectives have been assigned a FIPS 199 impact value of moderate or high:

    1. Confidentiality - The information and/or information system requires protection from unauthorized disclosure and access. A requirement that private or confidential information not be disclosed to unauthorized individuals is an example of confidentiality.

    2. Integrity - The information and/or information system must be protected from unauthorized modification or destruction of information. The two facets of integrity are data integrity and system integrity. Data integrity is a requirement that information and programs are changed only in a specified and authorized manner. System integrity is a requirement that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.

    3. Availability - The information and/or information system must be available on a timely basis to meet mission requirements or to avoid substantial losses. Availability requirements assure that systems work promptly and service is not denied to authorized users.

10.8.1.3.1.1.1  (03-03-2008)
Sensitive But Unclassified (SBU) Information

  1. Sensitive But Unclassified (SBU) information shall be defined as any information that requires protection due to the risk and magnitude of loss or harm to the IRS or the privacy to which individuals are entitled under 5 United States Code (U.S.C.) Section (§) 552a (the Privacy Act), which could result from inadvertent or deliberate disclosure, alteration, or destruction.

  2. The IRS processes SBU information which includes tax, financial, law enforcement, proprietary, life and mission critical, personal, and information relating to the privacy of U.S. citizens. SBU data shall be categorized in one or more of the following groups:

    1. Employee Information - All employee information covered by the Privacy Act. Examples include personnel, payroll, and evaluation data.

    2. Sensitive Law Enforcement Information - Grand jury, informant, and undercover operations information.

    3. Other Protected Information - All information covered by the Trade Secrets Act, the Procurement Integrity Act, and similar statutes. Examples include information considered procurement sensitive, information marked Limited Official Use (LOU), and information marked Official Use Only (OUO).

    4. Taxpayer Information - All taxpayer-related information covered by § 6103 of the Internal Revenue Code (IRC), 26 U.S.C. § 6103.

    5. Personally Identifiable Information (PII) - All taxpayer information or any combination of information that can be used to uniquely identify, contact, or locate a person.

  3. SBU information shall include, but is not limited to, the following:

    1. Information which if improperly used or disclosed could adversely affect the ability of the agency to accomplish its mission;

    2. Proprietary information;

    3. Records about individuals requiring protection under the Privacy Act;

    4. Information unreleasable under the Freedom of Information Act (FOIA);

    5. Information which if modified, destroyed or disclosed in an unauthorized manner could cause: loss of life, loss of property or funds by unlawful means, violation of personal privacy or civil rights, gaining of an unfair procurement advantage by contractors bidding on government contracts, or disclosure of proprietary information entrusted to the Government;

    6. Personal information, including employment information such as job applications, disciplinary actions, performance appraisals, drug tests, and health exams;

    7. Tax return information;

    8. Security information containing details of serious weaknesses and vulnerabilities associated with specific systems and facilities;

    9. Law enforcement information;

    10. Proprietary data (business information that does not belong to the IRS);

    11. Procurement sensitive data, such as contract proposals;

    12. Documents and reports that have been marked as OUO or LOU;

    13. All forms of live data; and

    14. IP Addresses.

10.8.1.3.1.1.2  (03-03-2008)
Personally Identifiable Information (PII)

  1. PII is a specific type of sensitive and SBU information. PII shall include the personal information of taxpayers, and the personal information of employees, contractors, applicants, and visitors to the IRS. Examples of PII include, but are not limited to:

    1. Name,

    2. Home address,

    3. Social Security number,

    4. Date of birth,

    5. Home telephone number,

    6. Biometric data (e.g., height, weight, eye color, fingerprints, etc.), and

    7. Other numbers or information that alone or in combination with other data can identify an individual.

  2. All IRS employees shall be responsible for protecting any PII that they may have in their possession, whether the PII is in paper form or in IRS computer equipment and computer systems.

  3. IRS sensitive information and PII shall only be released to those individuals having a "need to know" for access to the information, in the performance of their duties.

  4. Sensitive information and PII that is processed, stored, or transmitted by computer equipment (such as laptops and memory storage devices), outside of IRS facilities, shall be encrypted.

  5. SBU and PII data such as user accounts and passwords shall not be posted to internal or external IRS websites.

  6. All requests for live data shall be processed in accordance with the SBU requirements stated in this IRM.

10.8.1.3.1.2  (12-16-2006)
Penetration Testing and Vulnerability Assessment

  1. The IRS shall develop, document, and maintain vulnerability scanning procedures to record components scanned and vulnerabilities assessed.

    1. Scanning tools shall be used and include the capability to update and customize components scanned and vulnerabilities assessed.

    2. The list of recorded components and vulnerabilities shall be updated at least semi-annually or when new components or vulnerabilities are identified.

  2. The IRS shall conduct internal vulnerability assessments and/or internal penetration tests on IT systems containing sensitive information at least quarterly or when significant changes are made to the IT systems to identify security vulnerabilities.

  3. Penetration testing and vulnerability assessments of major applications and GSS shall be conducted at least annually or as significant changes are made to the IT system(s).

  4. Where interconnected IT systems are present, analyses shall be conducted at least semiannually to identify security threats to the agency through shared system boundaries.

10.8.1.3.2  (12-16-2006)
Planning

  1. The IRS shall establish and implement service-wide procedures for management, operational, and technical controls stated in policy.

  2. The IRS shall develop, document, periodically update, and implement system security plans for organizational information systems that describe the security controls in place or planned for the information system. Additionally, the rules of behavior for individuals accessing the information systems shall be described.

  3. Business/System owners are required to develop and maintain the additional operational documentation (i.e., action and implementation plans, standard operating procedures (SOPs), etc.) necessary for implementing the requirements of this IRM.

  4. The IRS shall review system security plans annually and update system security plans a minimum of every three years or whenever there is a significant change to the system.

  5. Refer to NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems, for guidance on security planning.

10.8.1.3.2.1  (12-16-2006)
Performance Measures and Metrics

  1. The IRS shall define performance metrics to evaluate the effectiveness of their IT security programs.

  2. The IRS shall track and provide annual data for the OMB performance measures as defined in OMB reporting guidance for FISMA.

  3. The IRS shall provide semiannual data on the progress for inclusion in Treasury’s performance measure.

10.8.1.3.2.2  (12-16-2006)
Rules of Behavior

  1. The IRS shall define and implement rules of behavior for all IT systems.

  2. The rules of behavior shall address the use of, security in, and the acceptable level of risk for the system.

  3. The rules shall be based on the needs of the various users of the system.

  4. The rules shall clearly delineate responsibilities and expected behavior of all individuals with access to the system.

  5. The rules shall be clear about the consequences of behavior(s) that are not in compliance with the rules (e.g., job termination and/or criminal prosecution).

  6. OMB Circular A-130 requires that all GSS and major applications have rules of the system, which are termed "rules of behavior." The rules of behavior relate the use of security and acceptable levels of risk for the system.

  7. The IRS shall ensure that users of IT systems are given training regarding the rules of behavior, and the disciplinary actions that may result if they violate the rules. This training shall occur prior to granting access to GSS and major applications.

  8. All users shall sign a statement (or perform a comparable process) acknowledging that they have received and understand the training.

    1. All users shall recertify (re-acknowledge) the rules of behavior at least annually in order to maintain access privileges.

  9. Any failure to comply with the Rules of Behavior shall be considered a security incident. If the incident is deemed willful, it shall be escalated to a security violation and is subject to disciplinary actions.

  10. For additional guidance on preparing rules of behavior for information systems, refer to NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems.

10.8.1.3.2.3  (12-16-2006)
Privacy

  1. The IRS shall protect taxpayer and employee privacy rights.

  2. The IRS shall consider the effects of its actions on the privacy of individuals and ensure that appropriate legal and technical safeguards are implemented.

  3. Privacy protection shall be an essential part of an information system’s life cycle and include the following controls:

    1. Procedures addressing the storage, retrievability, accessibility, retention, and disposal of PII shall be established, maintained and enforced;

    2. A Privacy Impact Assessment (PIA) shall be developed for each system or application;

    3. Procedures for the disclosure of an individual’s record upon that individual’s request shall be developed, maintained, enforced; and

    4. Security safeguards to protect against the unauthorized accumulation, use, and dissemination of SBU data shall be implemented.

  4. The disclosure of an individual’s data upon that individual’s request shall be referred to the Office of Governmental Liaison and Disclosure for adjudication and resolution.

  5. All Privacy Impact Assessments shall be conducted and reviewed by the Office of Privacy.

  6. The Office of Privacy shall establish and manage privacy policies and the PIA processes and procedures.

10.8.1.3.3  (12-16-2006)
System and Services Acquisition

  1. The IRS shall:

    1. Allocate sufficient resources to adequately protect organizational information systems;

    2. Employ system development life cycle (SDLC) processes that incorporate information security considerations;

    3. Employ software usage and installation restrictions in compliance with copyright laws; and

    4. Ensure that third-party providers employ adequate security measures to protect outsourced organizational information, applications, and/or services.

  2. IRS computer systems or networks, as well as those operated by contractors on the IRS’ behalf, must not be used for the downloading of illegal, unauthorized, and/or copyrighted content. Specifically this includes the creation, download, viewing, storage, copying, or transmission of materials related to illegal gambling, illegal weapons, terrorist activities, and any other illegal activities or activities otherwise prohibited in the Rules of Behavior.

  3. Information system developers shall create and implement a written configuration management (CM) plan. CM plans control changes to a system during development. They also track security flaws. Any change(s) to an operational system must be authorized in writing.

10.8.1.3.3.1  (12-16-2006)
Contractors And Outsourced Operations

  1. The IRS and the respective Designated Approving Authorities (DAAs) shall ensure that all acquisitions of goods or services provide for information security, personnel security, and physical security.

  2. All Statements of Work (SOWs) and contract vehicles shall identify and document the specific security requirements for outsourced services and operations that are required of the contractor.

  3. Outsourced services and operations shall adhere to the IRS security policies.

  4. The security requirements shall include, but not be limited to:

    1. how IRS' sensitive information is to be handled and protected at the contractor's site, including any information stored, processed, or transmitted using the contractor's computer systems;

    2. the background investigation and/or clearances required and any Security ATE required for contractor activities or facilities; and

    3. any facility physical security requirements.

  5. Contracts shall include disposition instructions for all sensitive IRS information and IT resources provided during the contract and procedures for certification that all IRS information has been purged from any contractor-owned system used to process IRS information.

  6. The IRS shall conduct reviews to ensure that the security requirements in the contract are implemented and enforced.

  7. All phases of the procurement cycle (planning, solicitation, source selection, contract administration, and closeout) shall incorporate IT security:

    1. The IRS shall identify security requirements for contractor and contractor outsourced operations that must be met in addition to those related to a specific technology.

    2. The IRS shall write the security requirements into the contract work statement, including explicit procedures where necessary.

    3. The IRS shall assess the contractor's and outsourced operations' capability to meet the IRS' security requirements.

    4. The IRS shall identify and provide the information and resources that are specifically required for an outside contractor to perform contracted services and shall prohibit access to all other information.

    5. The IRS shall identify and document in the SOW how the IRS' information is to be handled and protected at the contractor's facility or site. Contractor operations shall adhere to the Department of the Treasury and IRS security policy.

    6. The IRS shall ensure that, at the expiration of contract, contractors certify that they have sanitized IRS information from any contractor owned system used to process IRS information, and shall ensure the return of any IRS IT resources provided to the contractor.

    7. The IRS shall annually conduct security reviews of work performed at the contractor's facilities to ensure security requirements have been incorporated.

10.8.1.3.3.2  (12-16-2006)
Capital Planning And Investment

  1. Per FISMA requirements, program officials (Business System Planner (BSP) or equivalent) shall include security requirements in their capital planning and investment business cases.

  2. Program officials shall ensure security requirements are adequately funded and documented in accordance with OMB Circular A-11.

  3. Security requirement determination shall be included in business case planning, programming and budgeting documentation.

10.8.1.3.3.3  (12-16-2006)
System Development Life Cycle (SDLC)

  1. The IRS shall ensure that security is integrated into the IRS-approved SDLC. SDLC is a term which denotes any IRS-approved system development life cycle, such as the Enterprise Life Cycle (ELC) and ELC Lite.

  2. ELC milestone requirements shall contain the security requirements and policies stated in this IRM and the subsequent IRM 10.8.x series. The security requirements shall be incorporated into the system requirements, and like all other system requirements be tracked, updated, and validated throughout the system life cycle.

10.8.1.3.3.4  (12-16-2006)
Documentation

  1. The IRS shall ensure security requirements for their IT systems are incorporated in the life cycle documentation.

  2. Information system documentation shall be available and distributed to authorized personnel based on sensitivity.

  3. User guides shall effectively utilize system security features and include information on configuration, installation, and operation of information systems.

  4. Vendor provided documentation describing design and functionality specifications of the information system shall be made available with sufficient detail for control testing.

10.8.1.3.3.5  (03-03-2008)
Product Assurance

  1. Information Assurance (IA) shall be considered a requirement for all systems used to enter, process, store, display, or transmit sensitive information. Evaluated or validated commercial off-the-shelf (COTS) and/or government off-the-shelf (GOTS) IA and IA-enabled IT products may be acquired and implemented to meet this requirement. IA provides for the availability of systems; ensures the integrity and confidentiality of information; and provides authentication and non-repudiation of parties in electronic transactions.

  2. Preference shall be given to the acquisition of COTS and/or GOTS IA and IA-enabled IT products (to be used on systems entering, processing, storing, displaying, or transmitting sensitive information) that have been evaluated and validated, as appropriate, in accordance with the following:

    1. the Common Criteria for Information Technology Security Evaluation and its international Mutual Recognition Arrangement (CCRA),

    2. the NSA/NIST National Information Assurance Partnership (NIAP) Evaluation and Validation Program, and

    3. the NIST FIPS validation program.

  3. The evaluation and validation of COTS and/or GOTS IA and IA-enabled IT products shall be conducted by accredited commercial laboratories or by NIST.

  4. The IRS shall use only cryptographic modules that have been validated in accordance with FIPS 140-2 or later.

  5. Security requirements and specifications based on level of risk shall be included in information system contracts of acquisition and solicitation documents. Documents shall include security requirements such as required security capabilities, development processes, test and evaluation procedures, and documentation required.

  6. Specific consideration shall be made during the planning, acquisition, and implementation of technology products with multiple functionalities to determine business need of all bundled features. Planning for the handling of unneeded features shall be documented in the System Security Plan (SSP).

  7. Planning, acquisition, and implementation of new products shall be made in accordance with mandatory Security Content Automation Protocol (SCAP) and Federal Desktop Core Configuration (FDCC) standards as compliant products become available.

10.8.1.3.4  (12-16-2006)
Certification, Accreditation, and Security Assessments

  1. All IRS applications and GSS shall be certified and accredited (C&A) by an officially Designated Approving Authority (DAA).

  2. C&A (including an Interim Authorization to Operate (IATO) or an Authorization to Operate (ATO) designation) shall be performed before the system is placed into production.

  3. The IRS shall use one of the following C&A processes:

    1. NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems; or

    2. National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 1000, National Information Assurance C&A Process (NIACAP).

  4. The IRS shall appoint certification officials in writing.

  5. The IRS shall appoint the DAAs in writing.

  6. Where an IT system involves more than one DAA, one shall be designated the DAA by mutual agreement. A single DAA shall be designated for each IT system.

  7. Where an IT system involves more than one bureau, one shall be designated the DAA by mutual agreement. Treasury shall resolve any conflicting security requirements.

  8. Interconnection Security Agreements shall be established with all interconnected agencies in accordance with NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems. For systems in which the DAA is not the CIO, the coordination shall include a CIO sign-off.

  9. The IRS Information Systems Security Manager (ISSM) shall maintain an inventory of all information systems.

  10. The inventory of major applications and GSS shall contain, at a minimum, the system name, platform and type (major application or GSS); classification level if appropriate; its interfaces and interconnections; whether it is an IT critical asset; and the dates for the last vulnerability test, risk assessment and C&A.

10.8.1.3.4.1  (12-16-2006)
Security Assessments

  1. The IRS shall conduct its annual security assessments in accordance with NIST guidelines (e.g., NIST SP 800-26, Security Self-Assessment Guide for Information Technology (IT) Systems, or comparable).

  2. Weaknesses found during these security assessments shall be documented in a POA&M to include planned, implemented, and evaluated remedial actions to correct any deficiencies.

  3. POA&Ms shall be reviewed at least quarterly to address the elimination or acceptance of all risks identified.

  4. Using the POA&M, the IRS shall track the status of resolution of all weaknesses and shall verify that each weakness is corrected before closing that item on the POA&M.

10.8.1.3.4.2  (12-16-2006)
Certification

  1. At a minimum, the final C&A package(s), shall consist of the following deliverables:

    1. System Security Plan (SSP);

    2. Security Risk Assessment (SRA);

    3. Any Interconnection Security Agreements;

    4. Any Memorandum of Understanding;

    5. IT Contingency Plan (ITCP);

    6. Privacy Impact Assessment (PIA);

    7. Any active POA&Ms;

    8. Any active deviations;

    9. System Test and Evaluation Report (ST&E);

    10. Security Assessment Report (SAR);

    11. Executive Summary of Risk; and

    12. IATO or ATO Recommendation.

  2. IRS system owners shall confirm the required deliverables of the C&A package with ACIO Cybersecurity.

  3. DAAs shall be responsible for accepting the risks of their IT systems.

  4. Assessments shall be conducted to determine if security controls are operating effectively, correctly implemented, and meeting the security requirements of the system.

  5. The assessment of security controls for the purposes of security certification shall be conducted by an independent certification agent or team.

10.8.1.3.4.3  (12-16-2006)
Accreditation

  1. Systems shall be reaccredited whenever there is a significant change to the system, or every 3 years, whichever occurs first.

  2. The DAA shall grant one of three types of accreditation decisions, based on assessment of risk: full, interim, or denied, as outlined in the following paragraphs:

    ATO - Full accreditation shall be granted when all of the following apply:

    1. The certification package is complete.

    2. No corrective actions are required, or only minor corrective actions are required. (Note: There may be findings during C&A that are turned into a POA&M but do not prevent an ATO.)

    3. Residual risks are acceptable to the DAA.

    IATO - Interim Authorization to Operate shall be granted when all of the following apply:

    1. The certification package is complete.

    2. Residual risks are unacceptable to the DAA for granting full accreditation, but there is an important mission-related need to place the system into operation.

    3. A POA&M schedule for correcting the deficiencies to achieve full accreditation is developed. This plan shall be mutually acceptable to the owner and the DAA.

    Denied - If the system cannot meet IATO requirements, or the residual risks are considered by the DAA to be too high to accept, the accreditation shall be denied. The system may not be placed into operation until at least an IATO can be granted.

10.8.1.3.4.4  (12-16-2006)
Security Reviews

  1. Per the Government Auditing Standards (2003), performance audits, entailing a broad or narrow scope of work, should apply a variety of methodologies; involve various levels of analysis, research, or evaluation; generally provide findings, conclusions, and recommendations; and result in the issuance of a report. Performance audit objectives shall include, but are not limited to:

    1. whether the audited entity is following sound procurement practices; and

    2. the reliability, validity, or relevance of financial information related to the performance of a program.

  2. Per the Government Auditing Standards (2003), internal control audit objectives relate to management's plans, methods and procedures used to meet its mission, goals and objectives. Objectives related to internal control shall include, but are not limited to, the extent that internal control of a program provides reasonable assurance that

    1. resources are safeguarded against unauthorized acquisition, use, or disposition;

    2. security over computerized information systems prevents or timely detects unauthorized access;

    3. contingency planning for information systems provides essential backup to prevent unwarranted disruption of activities and functions the systems support; and

    4. the information and information systems are assured the appropriate level of CIA.

  3. The IRS shall perform performance reviews, specifically internal control reviews of mission assurance conditions. IRS security reviews shall be conducted by internal (e.g., Cybersecurity) or external (e.g., Government Accountability Office (GAO), Treasury Inspector General for Tax Administration (TIGTA)) organizations.

  4. Periodic security reviews shall be conducted to provide assurance that management, operational and technical controls are functioning effectively and providing adequate levels of protection.

  5. Security reviews shall have documented:

    1. Well defined objectives - The objectives are what the review is intended to accomplish. They identify the review subjects and performance aspects to be included, as well as the potential finding and reporting elements that the reviews expect to develop. Review objectives can be thought of as questions about the program (function/system/application) that reviewers seek to answer.

    2. A defined scope - Scope is the boundary of the review and shall be directly tied to the review objectives. For example, the scope defines parameters of the review such as the period of time reviewed, the availability of necessary documentation or records and the locations at which field work shall be performed.

    3. A methodology to achieve the objectives - The methodology comprises the work involved in gathering and analyzing data to achieve the objectives. Review procedures are the specific steps and tests reviewers shall carry out to address the review objectives. Reviewers shall design the methodology to provide sufficient, competent and relevant evidence to achieve the objectives of the review. Methodology includes both the types and extent of review procedures used to achieve the review objectives.

  6. IRS security reviews lend themselves to following the Government Auditing Standards (2003 or later) performance audits and where appropriate, shall follow the guidance provided in the standard.

  7. Copies of security reviews and related C&A documentation shall be available to appropriate personnel.

10.8.1.3.4.5  (12-16-2006)
Information System Connections

  1. The IRS shall configure all equipment connected to an IRS system or network, to at least meet the minimum security requirements in this document and applicable Federal IT security guidelines and requirements (e.g., FISMA, NIST, OMB, FIPS, etc.).

  2. For all equipment capable of storing or transmitting data, the DAA shall perform a risk assessment before connecting it to an IRS system or network.

  3. The DAA shall apply adequate countermeasures before connecting the equipment to an IRS system or network.

  4. The DAA shall decide through C&A processes to allow or disallow equipment to be connected to an IRS system or network.

  5. All information systems interconnections shall be documented through an Interconnection Security Agreement (ISA).

  6. Devices that are not IRS-owned shall not be used to transmit SBU data.

10.8.1.3.4.6  (12-16-2006)
Interconnection Agreements

  1. Interconnections between IRS and non-IRS systems shall be established through controlled interfaces and shall be documented with an ISA.

  2. IT systems accessible to the public shall provide a security and privacy statement at entry points.

  3. The IRS shall document interconnections between external networks with an ISA signed by both DAAs.

  4. The ISA shall document the security protections on both systems to ensure only acceptable transactions are permitted.

  5. The IRS shall create ISAs in accordance with NIST SP 800-47, Security Guide for Interconnecting IT Systems.

10.8.1.4  (12-16-2006)
Operational Controls

  1. The IRS shall implement operational security controls, which are primarily implemented and executed by personnel for each information system.

10.8.1.4.1  (12-16-2006)
Personnel Security

  1. The IRS shall ensure that individuals occupying positions of responsibility within IRS organizations are trustworthy and meet established security criteria for those positions. The IRS shall ensure that organizational information and information systems are protected during personnel actions (such as terminations and transfers), and employ formal sanctions for personnel failing to comply with organizational security policies and procedures.

10.8.1.4.1.1  (12-16-2006)
Disciplinary Action

  1. It is IRS policy that employees shall be subject to disciplinary action for failure to comply with IRS security policy, whether or not the failure results in criminal prosecution.

  2. Users who fail to comply with IRS security policy shall be subject to having their access to IRS IT systems and facilities terminated.

  3. Any person who improperly discloses sensitive information shall be subject to criminal and civil penalties and sanctions under a variety of laws (e.g., Privacy Act, Trade Secrets Act, Bank Secrecy Act).

  4. Non-IRS federal employees or IRS contractors who fail to comply with IRS security policy shall be subject to having their access to IRS IT systems and facilities terminated, whether or not the failure results in criminal prosecution.

  5. The IRS shall establish procedures for disciplinary actions for security violations for employees, in accordance with applicable personnel and conduct regulations. These disciplinary actions shall take into account the sensitivity of the information involved and the number of prior offenses.

  6. Security ATE and the Rules of Behavior for each system shall specify the disciplinary actions for security violations.

  7. The IRS shall adopt standard contract terms, consistent with the Federal Acquisition Regulations, which shall be incorporated into all contracts that permit contractor employees access to these IRS information and information systems. These contract terms shall also permit the government to exclude contractor employees from accessing these systems.

  8. Suspected security violations shall be reported to the appropriate organization, depending on the type of incident (IT, personnel, etc.) for investigation and recommended disciplinary action.

10.8.1.4.1.2  (12-16-2006)
Background Investigations

  1. The IRS shall implement and maintain an appropriate personnel screening and background investigation process.

  2. The IRS shall designate the position sensitivity/risk level for all employee or contractor positions that use, develop, or operate IT systems. The IRS shall ensure the incumbents of these positions have favorably adjudicated background investigations commensurate with the defined sensitivity/risk level.

  3. The IRS shall review and revise position sensitivity/risk levels at least annually or when Position Descriptions are rewritten.

  4. Program officials and appropriate IRS heads shall ensure that adequate funding is available for the required background investigations for employees and contractors accessing their sensitive/classified IT systems.

  5. All employees and contractors accessing sensitive IT systems shall be subject to a background investigation at the risk level appropriate to the sensitivity of the position and sensitivity/classification of the data in accordance with 5 CFR 731.106(a), OPM policy, FIPS 201, NIST SP 800-73, 800-76, and 800-78.

  6. Employees and contractors shall not access sensitive IT systems until they have a favorably adjudicated National Agency Check (a component of the full background investigation) at a minimum.

  7. For contractor employees, an interim access approval shall be completed by Personnel Security and Investigations.

  8. Employees and contractors shall not access sensitive/classified IT systems until they have received the in-brief for the appropriate clearance for the IT system.

  9. Under 5 CFR 732.202 (b) and pursuant to E.O. 10450, Security Requirements for Government Employees, the following positions are exempt from the investigative requirements of E.O. 10450, provided that the employing agency conducts checks deemed appropriate to ensure that the employment or retention of individuals is clearly consistent with the interests of national security including positions that are:

    1. intermittent,

    2. seasonal,

    3. temporary, or

    4. not to exceed an aggregate of 180 days in either a single continuous appointment or series of appointments.

  10. Employees and contractors shall be investigated in accordance with procedures outlined in IRM 1.23, Personnel Security, and the Treasury Security Manual, TD P 71-10, Chapter 2, Section 2. See TD P 85-01 Volume II Part 2 for detailed procedural information.

10.8.1.4.1.3  (12-16-2006)
Unauthorized Access (UNAX)

  1. The willful unauthorized access or inspection of taxpayer records is referred to as UNAX.

  2. On August 5, 1997, President Clinton signed the Taxpayer Browsing Protection Act into law. Under the law:

    1. Willful unauthorized access or inspection of non-computerized taxpayer records, including hard copies of returns - as well as computerized information - is a crime, punishable upon conviction, by fines, prison terms and termination of employment.

    2. Taxpayers have the right to take legal action when they are victims of unlawful access or inspection - even if a taxpayer’s information is never revealed to a third party.

    3. When managers or employees are criminally charged, the Service is required to notify taxpayers that their records have been accessed without authorization.

  3. IRS employees shall only be allowed access to taxpayer records when the information is needed to carry out their tax administration duties.

  4. The provisions and applicable criminal penalties under the Taxpayer Browsing Protection Act shall also apply to all contractors and contractor employees.

  5. The IRS shall establish a program to ensure that all employees understand what UNAX is and what the consequences are if they access or inspect taxpayer records for other than authorized tax administration reasons.

  6. Cybersecurity shall manage a centralized evaluation capability, including the consistency of actions taken, to oversee compliance with the UNAX policy and program.

  7. Cybersecurity shall be responsible for reporting on the progress of the IRS' efforts being taken and making recommendations for improving the effectiveness of the UNAX program to IRS’ Management.

  8. The IRS shall conduct annual awareness briefings that focus attention on the prevention of willful unauthorized access and inspection of taxpayer returns/tax return information.

  9. Each employee and his/her manager shall sign a Form 11370, Certification of Annual UNAX Awareness Briefing, or comparable document/process. This certification/form indicates that the employee has completed the required UNAX training.

10.8.1.4.1.4  (12-16-2006)
Separation From Duty

  1. The IRS shall implement and maintain procedures to ensure appropriate system accesses are revoked for employees/contractors who leave the IRS, are reassigned to other duties, on extended leave, or are under disciplinary actions.

  2. All appropriate personnel shall be notified promptly of all reassignments, promotions, terminations, or retirements of departing employees or contractors to ensure that accesses are removed.

  3. Access shall be suspended for any employee or contractor on extended leave or detail over 90 days. The employee's supervisor or Contracting Officer's Technical Representative (COTR) shall request reinstatement of access upon the return to active duty of the employee or contractor.

  4. The IRS shall implement procedures that require departing employees to return, on their last workday, all forms of media used to gain system access to IRS systems, as well as personal electronic devices, keys, ID cards, proxy cards, and any other IRS property.

  5. All accounts shall be deactivated within one week of an individual's departure on friendly terms and immediately upon an individual's departure on unfriendly terms.

  6. An exit interview shall take place to ensure that all areas are covered and all IRS property and equipment is returned before the individual departs.

  7. Each employee’s manager shall have the primary responsibility for providing prompt notification to the responsible organization via Form 5081, Automated Information System (AIS) User Registration/Change Request, of system user status changes (e.g., terminations, transfers). The responsible organization shall immediately suspend, cancel, and/or adjust all access privileges associated with changes in status of the user.

  8. The IRS shall implement and maintain periodic follow-up reviews and corrective action procedures to ensure timely adjustment of access privileges associated with transfers, terminations, and changes in contractual agreements with non-IRS entities. The procedures shall include, at a minimum:

    1. review of inactive user IDs/accounts,

    2. coordinated review of access control lists with information owners,

    3. coordinated review of network, system, and resource access authority for non-IRS entities with responsible IRS business areas, and

    4. setting of automated account expiration for non-IRS entities, where technically feasible, and when the access termination date can be predetermined.

  9. Friendly termination refers to the removal of an employee from the organization when there is no reason to believe that the termination is other than mutually acceptable. The friendly termination procedures shall include at a minimum:

    1. removal of access privileges, computer accounts, authentication tokens,

    2. the collection of keys,

    3. the briefing on the continuing responsibilities for confidentiality and privacy,

    4. return of IRS property, and

    5. continued availability of data.

  10. Employees shall be instructed whether or not to remove data from their computer before leaving. If cryptography is used to protect data, the availability of cryptographic keys to management personnel must be ensured.

  11. Unfriendly termination involves the removal of an employee under involuntary or adverse conditions. Given the potential for adverse consequences, unfriendly termination procedures shall include at a minimum:

    1. termination of system access. If employees are to be fired, system access shall be removed at the same time (or just before) the employee is notified of their dismissal, and

    2. immediate termination of system access. Additionally, an employee notifying an organization of resignation, when it can be reasonably expected that it is on unfriendly terms, shall be assigned to a restrictive area and function.

10.8.1.4.2  (12-16-2006)
Physical and Environmental Protection

  1. The IRS shall ensure that only authorized personnel have access to IRS buildings and structures housing IT equipment and data.

  2. Access controls shall be based on the level of risk and shall be sufficient to safeguard assets against possible loss, theft, destruction, accidental damage, hazardous conditions, fire, malicious actions, and natural disasters.

  3. The IRS shall incorporate physical and environmental protection controls for all facilities where information is generated, stored, processed, displayed, or transmitted based on the level of potential harm.

    1. The IRS shall protect equipment and power cabling for IT systems from damage and destruction. Redundant and parallel power cabling paths shall be utilized.

    2. The IRS shall provide a short-term uninterruptible power supply to facilitate an orderly shutdown of the IT system in the event of a primary power loss. In the event of extended loss of the primary power source, a long-term power supply shall provide capability for minimally required operational activities. The long-term power alternative shall be self-contained and not rely on external power generation.

    3. The IRS shall employ and maintain an automatic emergency lighting system that activates in the event of a power outage or a disruption of emergency exit/evacuation route areas.

    4. The IRS shall employ and maintain fire suppression and detection systems (e.g., sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors) that can be activated in the event of a fire. Detection and suppression systems shall automatically activate in the event of a fire and provide automatic notification of the activation to the IRS and emergency responders.

    5. The IRS shall regularly maintain and monitor the temperature/humidity levels, within acceptable ranges, inside facilities containing IT systems.

    6. The IRS shall protect the IT system from water damage resulting from broken plumbing lines or other water leakage sources by ensuring that master shutoff valves are accessible, properly functioning, and known to key personnel. In the event of a significant water leak, automated mechanisms to close shutoff valves shall be utilized.

  4. The physical removal of SBU information from IRS facilities must be approved by the DAA.

  5. SBU information shall not be physically removed from IRS facilities prior to receiving documented approval from the DAA.

10.8.1.4.2.1  (12-16-2006)
General Physical Access

  1. Access to Treasury and IRS buildings and structures housing sensitive IT equipment and data shall be limited to authorized personnel.

  2. Controls shall be in place for deterring, detecting, monitoring, restricting, and regulating access to specific areas at all times.

  3. Controls shall be sufficient to safeguard these IRS assets against possible loss, theft, destruction, accidental damage, hazardous conditions, fire, malicious actions, and natural disasters.

  4. See IRM 1.16, Physical Security Program, for employee and contractor identification requirements.

  5. If Federal Personal Identity Verification (PIV) credentials are used as an identification token and token-based access control is employed, the physical access control system shall conform to the requirements of FIPS 201, Personal Identity Verification of Federal Employees and Contractors, and NIST SP 800-73, Interfaces for Personal Identity Verification.

  6. If the token-based access control function employs cryptographic verification, the physical access control system shall conform to the requirements of NIST SP 800-78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification.

  7. If the token-based access control function employs biometric verification, the physical access control system shall conform to the requirements of NIST SP 800-76, Biometric Data Specification for Personal Identity Verification.

  8. All visitors shall sign in upon entering the facility, shall be escorted the entire time they are within the facility, and shall sign out when exiting the facility. See IRM 1.16, Physical Security Program, for specific requirements.

    1. Access logs shall be reviewed by designated personnel at least monthly to identify and remedy suspicious activity.

    2. An automated capability for maintaining and reviewing access logs shall be utilized for FIPS-199 High systems.

    3. See IRM 10.8.3, Audit Logging Security Standards, for data collection requirements.

    4. See IRM 1.16, Physical Security Program, for specific requirements.

  9. Escorts shall be IRS employees specifically assigned to the area(s) where the visit shall occur.

  10. Combinations or entry codes shall be changed at least annually or whenever a person who knows the combination departs or no longer requires access.

  11. Classified/sensitive material shall be containerized in a manner commensurate with the minimum protection standards (See IRM 1.16, Physical Security Program). For example, some items may be stored in a locked desk drawer while others shall be stored in a security container.

  12. Cameras in any form - photographic, digital or other technological devices/equipment - capable of receiving or recording intelligible images shall only be used when such devices are required in the performance of duties.

  13. In all non-duty cases where images are captured, all precautions shall be made to ensure sensitive information is not recorded, and the precautions shall have been approved by the responsible manager for the area where the images are captured.

  14. Information system equipment delivery and facility departure shall be controlled, recorded, maintained, and authorized by appropriate personnel.

10.8.1.4.2.2  (12-16-2006)
Sensitive Facility

  1. The IRS shall incorporate physical protection measures for all facilities where sensitive information is processed, transmitted, or stored.

  2. The IRS shall secure any sensitive information on portable media (e.g., paper, diskettes, CDs, etc.) not suitable for public dissemination in at least one of the following storage locations: a locked file cabinet or locked desk drawer; a locked overhead storage receptacle or similar locked compartment; or a room/area having sufficient physical access control measures to afford adequate protection and prevent unauthorized access by members of the public, visitors, or other persons without a need to know.

  3. All visitors shall be escorted and shall sign in and out upon entering and leaving data centers, server rooms, or communication closets.

  4. Contractors' access shall be limited to those work areas requiring their presence. Records of their ingress and egress shall be maintained for one year.

  5. The IRS shall establish and maintain an access roster for all limited-access rooms or facilities, such as data centers, LAN rooms, and telecommunications closets. The access roster shall be reviewed at least annually.

  6. Personnel not on the access roster for a limited-access room or facility shall sign in and out, and shall be escorted the entire time they are in the room or facility.

  7. Visitor logs shall be maintained on file and available for review. See IRM 1.15, Records Management, and IRM 1.16, Physical Security Program, for specific requirements.

10.8.1.4.2.3  (12-16-2006)
Staff-Like Access

  1. Staff-like access refers to unescorted access to IRS-owned or controlled facilities, information systems, and SBU information by contractor employees.

  2. Interim staff-like access approval shall be granted when staff-like access is required prior to the completion of the required background investigation.

  3. Interim staff-like access shall be granted only in cases where it has been determined that the risk is acceptable.

  4. Interim staff-like access approval shall be granted by the Associate Director, Personnel Security and Investigations.

10.8.1.4.2.4  (12-16-2006)
Escort Access

  1. Escort access to an IRS facility requires the non-IRS personnel to be accompanied by an authorized IRS employee. During movements throughout the facility, the escort shall keep the escorted person(s) in view or be situated such that the escorted person(s) cannot leave the escorted situation without being seen.

  2. Escort access shall not be used for contractor employees who have been denied final staff-like access approval. These employees shall be removed from the IRS contract.

  3. Instances where contractor employees shall be escorted include the following:

    1. until the contractor employee has been granted interim staff-like access,

    2. during the time the final investigation is pending completion when interim staff-like access has been denied, or

    3. during any period of time that staff-like access has been suspended such as during the period of time after a proposal to deny staff-like access.

  4. Work Performed Outside an IRS Facility - When work is performed outside an IRS facility (e.g., IRS sensitive data or information provided to a contractor employee off-site) or via remote system access, escort access shall be accomplished by the accompaniment of an IRS employee at the same or higher position risk level as the contractor employee. Contractor employees shall not have access to IRS sensitive information or data unless the contractor is escorted by an IRS employee. Individuals within the IRS organization shall employ appropriate IT system security controls while at alternate work sites.

  5. Management controls such as individual accountability requirements, separation of duties enforced by access controls, or limitations on the processing privileges of individuals shall be approved by the management official responsible for the system.

  6. An IRS employee with knowledge of the system sufficient to determine when the contractor employee's actions could cause damage or harm to the system or data, shall escort the contractor employee during system access.

  7. Exceptions to escorted access requirements shall be approved by the Associate Director, Personnel Security and Investigations.

10.8.1.4.2.5  (02-01-2007)
Restricted IT Areas

  1. The IRS shall designate restricted IT areas that house IT assets such as, but not limited to, mainframes, servers, controlled interface equipment, associated peripherals, and communications equipment. Please contact Cybersecurity for additional information related to restricted IT areas.
