Your Roadmap to Risk Reduction!
The Continuum GRC ITAM SaaS platform has hundreds of plugin modules available, such as:
Comprehensive IRS 1075 & 4812 Audit Services
Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies and Entities, provides very detailed audit requirements. Publication 1075 documents the managerial, operational, and technical security controls that must be implemented as a condition of receipt of FTI. IRS has mapped the IRS Publication 1075 control requirements to the National Institute of Standards and Technology (NIST) control requirements (NIST SP 800-53).
Modules include:
- Section 1.0, Introduction
- Section 2.0, Federal Tax Information and Reviews
- Section 3.0, Record Keeping Requirement
- Section 4.0, Secure Storage
- Section 5.0, Restricting Access
- Section 6.0, Other Safeguards
- Section 7.0, Reporting Requirements
- Section 8.0, Disposing of FTI
- Section 9.0, Computer System Security
IRS 4812
Publication 4812 is a new publication designed to identify security requirements for contractors and any subcontractors supporting the primary contract. It identifies security controls and requirements for contractors (and their subcontractors) who handle or manage Internal Revenue Service (IRS) Sensitive But Unclassified (SBU) information on or from their own information systems or resources. The level of required security controls may vary depending on the duration, size, and complexity of the contract.
Modules include:
- Access Control and Approving Authorization for IT Assets (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Security Assessment and Authorization (CA)
- Configuration Management (CM)
- Contingency Planning (CP)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Physical and Environmental Protection (PE)
- Planning (PL)
- Program Management (PM)
- Personnel Security (PS)
- Risk Assessment (RA)
- System and Services Acquisition (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
FAQ
Who needs to comply with IRS Publication 1075 and 4812 audits?
Any agency, contractor or subcontractor, data center, or other party that handles or engages with Federal Tax Information (FTI) or Sensitive But Unclassified (SBU) data must comply with the security and privacy controls outlined in IRS 1075 and IRS 4812. These Internal Revenue Service protocols are specifically designed to safeguard Federal Tax Information.
What is Federal Tax Information (FTI)?
Federal Tax Information (FTI) includes tax returns and any information derived from them. This highly sensitive data from the Internal Revenue Service requires extreme confidentiality, with high levels of security controls, including encryption. Access to Federal Tax Information should be limited to authorized personnel only. Organizations that manage Internal Revenue assets must have strict systems and practices in place.
What does a 4812 audit involve?
An audit identifies security controls and assesses their effectiveness. The review and risk assessment process examines elements such as access controls, incident response protocols, and accountability, and verifies that all protocols required by the Internal Revenue Service are in place. Some audits can be done internally; others may require a third party.
What services are included in IRS 1075 and 4812 audit support?
Audit support covers risk assessment and threat modeling around FTI, evaluation of internal systems and processes, and verification that security practices for this sensitive information, including strict access controls, are followed. It also includes reviewing record-keeping and documentation, and helping with awareness training and incident response planning. Continuum GRC can assist in these and other audit needs.
What is the Safeguard Security Report (SSR)?
The SSR is used by agencies that work with sensitive information, especially Federal Tax Information. It documents the controls, procedures, and processes that are in place to protect it, and records compliance with the guidelines outlined in Publications 1075 and 4812. It requires regular updates based on internal inspections.
What are common areas of non-compliance found in 4812 audits?
Typical areas involve inadequate or outdated documentation, failure to comply with existing regulations, or failure to follow well-defined security procedures. Audits frequently turn up improper staff training and supervision, poor data management, a lack of disaster recovery planning and, of course, security controls that are too lax.
What are you waiting for?
You are just a conversation away from putting the power of Continuum GRC to work for you.
Contact us using the form below or by calling us at 1-888-896-6207 for immediate assistance.
About the Standard
IRS Publication 1075 and IRS Publication 4812 are critical guidance documents issued by the Internal Revenue Service (IRS) to ensure the protection of sensitive tax information and contractor security within the United States. IRS Publication 1075 provides detailed security guidelines for federal, state, and local agencies handling Federal Tax Information (FTI), while IRS Publication 4812 outlines security requirements for contractors and subcontractors managing Sensitive But Unclassified (SBU) information. Below is a compliance overview of both publications, detailing their purpose, scope, requirements, and key considerations.
IRS Publication 1075: Tax Information Security Guidelines for Federal, State, and Local Agencies
Purpose
IRS Publication 1075 provides comprehensive guidance to ensure that federal, state, and local agencies, their agents, and contractors adequately protect the confidentiality of Federal Tax Information (FTI). FTI includes any tax return or return information received from the IRS or secondary sources, as defined under Internal Revenue Code (IRC) Section 6103. The goal is to maintain public trust in the tax system by safeguarding sensitive taxpayer data against unauthorized access, use, or disclosure.
Scope and Applicability
- Covered Entities: Applies to federal, state, and local agencies, their agents, contractors, and subcontractors that receive, process, store, or transmit FTI. Examples include:
  - State departments of revenue.
  - Child support enforcement agencies.
  - Federal agencies like the Department of Education.
  - Contractors or data centers handling FTI.
- Data Covered: FTI includes tax returns, return information, and any data derived from IRS sources, such as Social Security numbers, income details, or tax liabilities.
Key Compliance Requirements
IRS Publication 1075 is aligned with NIST SP 800-53 security controls and outlines managerial, operational, and technical safeguards across nine key sections. Compliance is enforced through the IRS Office of Safeguards via audits and annual reporting.
- Key Sections:
  - Section 1.0: Introduction: Outlines the purpose and legal basis (IRC 6103).
  - Section 2.0: Federal Tax Information and Reviews: Defines FTI and the IRS Safeguards Program, including periodic reviews.
  - Section 3.0: Record Keeping Requirement: Mandates maintaining records of FTI access and use.
  - Section 4.0: Secure Storage: Requires physical security (e.g., locked rooms, secure facilities) for FTI storage.
  - Section 5.0: Restricting Access: Limits access to FTI on a need-to-know basis with unique user IDs and strong authentication.
  - Section 6.0: Other Safeguards: Includes additional controls like encryption and incident response.
  - Section 7.0: Reporting Requirements: Requires annual submission of a Safeguard Security Report (SSR) and immediate reporting of incidents.
  - Section 8.0: Disposing of FTI: Specifies secure disposal methods (e.g., cross-cut shredding, degaussing).
  - Section 9.0: Computer System Security: Details technical controls like access control, audit logging, and encryption.
- Security Controls:
  - Physical Security: Secure areas housing FTI with locks, visitor logs, and restricted access.
  - Logical Access Controls: Unique user IDs, passwords, and least privilege principles; prohibit shared accounts.
  - Encryption: FTI must be encrypted in transit (e.g., TLS) and at rest (e.g., FIPS 140-2 validated modules) on portable devices or networks.
  - Audit Logging: Log and review user activities (e.g., logins, FTI access, security changes).
  - Secure Disposal: Shred paper FTI with cross-cut shredders or pulverize; use approved wiping software or degaussing for electronic media.
  - Training: Annual security awareness training for all personnel with FTI access, with documented records.
- Risk Management and Audits:
  - Conduct regular risk assessments to identify and mitigate threats to FTI.
  - Submit an annual Safeguard Security Report (SSR) detailing compliance, security posture, and any changes via the IRS Secure Data Transfer (SDT) program.
  - Maintain a System Security Plan (SSP) documenting how controls meet Publication 1075 requirements.
  - Develop a Plan of Action & Milestones (POA&M) to address security weaknesses with remediation timelines.
  - Undergo Safeguard Reviews (audits) by the IRS Office of Safeguards, typically every three years or randomly, involving document reviews, on-site inspections, and interviews.
- Incident Response:
  - Develop a formal Incident Response Plan (IRP) outlining preparation, detection, containment, and recovery procedures.
  - Report suspected or confirmed FTI breaches to the IRS Office of Safeguards and the Treasury Inspector General for Tax Administration (TIGTA) within 24 hours.
- Supply Chain Risk Management (SCRM):
  - Recent updates to Publication 1075 (Rev. 11-2021) introduced a new SCRM control family to protect system components, products, and services handling FTI.
- Safeguard Review Process:
  - Notification: The IRS issues a letter outlining the audit scope and timeline.
  - Pre-Audit: Submit SSP, POA&M, IRP, network diagrams, and training records.
  - On-Site Review: Auditors inspect facilities, review systems, and interview staff.
  - Exit Conference: Discuss preliminary findings.
  - Formal Report: Receive a Safeguard Review Report with findings and recommendations.
  - Corrective Action Plan (CAP): Submit a CAP within 30–45 days to address non-compliance, with regular progress updates.
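As an added illustration (not code from Continuum GRC or the IRS), the following script reviews a constructed FTI audit log against several of the Publication 1075 controls listed above: no shared accounts and need-to-know access (Section 5.0), documented annual training, and the 24-hour incident reporting window (Section 7.0). The log format, field names, account names and dates are all assumptions made for the example.

```python
"""Review constructed FTI audit-log records against Publication 1075-style
controls: unique user IDs (no shared accounts), need-to-know authorization,
annual training, and 24-hour incident reporting. Example code; the log
format and names below are assumptions, not an IRS or vendor format."""
from datetime import datetime, timedelta

# Constructed roster: authorized users mapped to their last training date.
AUTHORIZED = {"jdoe": "2025-03-01", "asmith": "2024-02-15"}  # asmith has lapsed
# Constructed list of generic/shared account names that must never touch FTI.
SHARED_ACCOUNTS = {"admin", "shared", "fti_ops"}
REVIEW_DATE = datetime(2025, 8, 1)  # date the log review is performed

# Constructed audit-log lines: timestamp|user|action|record
AUDIT_LOG = """\
2025-08-01T09:12:00|jdoe|FTI_READ|return-0001
2025-08-01T09:15:00|asmith|FTI_READ|return-0002
2025-08-01T09:20:00|admin|FTI_READ|return-0003
2025-08-01T10:01:00|bwong|FTI_EXPORT|return-0004
2025-08-01T10:05:00|jdoe|LOGIN|-
"""

def parse_log(text):
    """Split pipe-delimited log lines into dicts; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = line.split("|")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "action": action, "record": record})
    return rows

def review_access(rows, authorized, shared, as_of):
    """Return (user, finding) tuples for every FTI_* action that violates a control."""
    findings = []
    for r in rows:
        if not r["action"].startswith("FTI_"):
            continue  # logins and other events are not FTI access
        u = r["user"]
        if u in shared:
            findings.append((u, "shared account used for FTI access"))
        elif u not in authorized:
            findings.append((u, "FTI access without need-to-know authorization"))
        elif as_of - datetime.fromisoformat(authorized[u]) > timedelta(days=365):
            findings.append((u, "annual security training lapsed"))
    return findings

def run_review():
    """Run the review over the constructed log with the constructed roster."""
    return review_access(parse_log(AUDIT_LOG), AUTHORIZED, SHARED_ACCOUNTS, REVIEW_DATE)

def reporting_late(discovered_iso, reported_iso, limit=timedelta(hours=24)):
    """True if an incident was reported to Safeguards/TIGTA after the 24-hour window."""
    return datetime.fromisoformat(reported_iso) - datetime.fromisoformat(discovered_iso) > limit

if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user}: {finding}")
```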
Enforcement and Penalties
- IRS Office of Safeguards: Conducts audits and reviews SSRs to ensure compliance.
- Penalties for Non-Compliance:
  - Loss of access to FTI.
  - Financial penalties or contractual sanctions.
  - Reputational damage or legal consequences under IRC 6103.
- Audits: Annual internal audits are required, with external IRS audits occurring periodically or randomly.
Recent Developments (as of August 2025):
- Revised Publication 1075: Effective June 10, 2022, the November 2021 revision superseded the 2016 version, adding SCRM controls and aligning with NIST SP 800-53 Rev. 5.
- Stricter Requirements for 2025: Starting January 1, 2025, organizations must comply with enhanced cybersecurity requirements, including role-based training, insider threat awareness, and incident response plans.
IRS Publication 4812: Contractor Security Assessments
Purpose
IRS Publication 4812 is a relatively new standard designed to ensure that contractors and subcontractors supporting IRS-related contracts implement security controls to protect Sensitive But Unclassified (SBU) information. It complements Publication 1075 by focusing on contractor-specific requirements and security assessments to maintain trust in the IRS’s operations and taxpayer data.
Scope and Applicability
- Covered Entities: Applies to contractors and subcontractors handling IRS SBU information, whether on their own systems or as part of supporting federal contracts. This includes IT vendors, cloud service providers, or other third parties.
- Data Covered: SBU information includes sensitive data not classified as FTI but still requiring protection, such as IRS operational data, employee records, or proprietary information.
Key Compliance Requirements
Publication 4812 outlines security controls and processes for Contractor Security Assessments (CSAs) to evaluate the effectiveness of safeguards. The level of controls varies based on the contract’s duration, size, and complexity.
- Security Control Families (aligned with NIST SP 800-53):
  - Access Control (AC): Restrict access to SBU data with authentication and authorization mechanisms.
  - Awareness and Training (AT): Provide security training for contractor personnel.
  - Audit and Accountability (AU): Implement audit logging and monitoring of SBU access.
  - Security Assessment and Authorization (CA): Conduct regular assessments to verify compliance.
  - Configuration Management (CM): Maintain secure system configurations.
  - Contingency Planning (CP): Develop plans for data recovery and continuity of operations.
  - Identification and Authentication (IA): Verify user identities accessing SBU.
  - Incident Response (IR): Establish procedures to detect, respond to, and report incidents.
  - Maintenance (MA): Ensure systems are securely maintained.
  - Media Protection (MP): Securely handle and dispose of media containing SBU.
  - Physical and Environmental Protection (PE): Protect facilities and systems housing SBU.
  - Planning (PL): Develop security plans for contractor systems.
  - Program Management (PM): Establish oversight for security programs.
  - Personnel Security (PS): Screen and train personnel handling SBU.
  - Risk Assessment (RA): Identify and mitigate risks to SBU.
  - System and Services Acquisition (SA): Ensure security in procurement processes.
  - System and Communications Protection (SC): Secure data transmission (e.g., encryption).
  - System and Information Integrity (SI): Protect SBU from unauthorized changes or corruption.
- Contractor Security Assessments (CSAs):
  - CSAs are conducted to monitor compliance and assess the effectiveness of security controls.
  - Contractors must provide documentation (e.g., security plans, risk assessments) and allow IRS or third-party auditors to review systems and processes.
  - Assessments may include penetration testing, vulnerability scans, or on-site inspections.
- Documentation and Reporting:
  - Maintain a System Security Plan (SSP) detailing how controls are implemented.
  - Submit periodic reports to the IRS on security posture and incidents.
  - Develop a Plan of Action & Milestones (POA&M) to address identified weaknesses.
- Incident Response:
  - Contractors must have an Incident Response Plan to address breaches or unauthorized access to SBU.
  - Incidents must be reported to the IRS promptly, typically within 24 hours, similar to FTI breaches.
Enforcement and Penalties
- IRS Oversight: The IRS monitors contractor compliance through CSAs and contract reviews.
- Penalties for Non-Compliance:
  - Termination of contracts.
  - Financial penalties or liability for breaches.
  - Reputational damage or exclusion from future IRS contracts.
- Resource Challenges: Small to mid-sized contractors may struggle with the costs of audits, monitoring, and documentation.
Recent Developments (as of August 2025):
- Publication 4812 Revision: The latest revision (Rev. 12-2024) clarifies CSA processes and emphasizes alignment with NIST SP 800-53 Rev. 5 controls.
- Increased Focus on Supply Chain: Enhanced scrutiny of subcontractors to ensure SBU protection across the supply chain.
Key Differences Between IRS 1075 and IRS 4812
| Aspect | IRS Publication 1075 | IRS Publication 4812 |
|---|---|---|
| Focus | Protection of Federal Tax Information (FTI). | Protection of Sensitive But Unclassified (SBU) information. |
| Covered Entities | Agencies, agents, and contractors handling FTI. | Contractors and subcontractors handling SBU. |
| Data Type | Tax returns and return information (IRC 6103). | Non-FTI sensitive data (e.g., IRS operational data). |
| Primary Guidance | NIST SP 800-53-based controls for FTI security. | NIST SP 800-53-based controls for contractor systems. |
| Audits/Assessments | Safeguard Reviews by the IRS Office of Safeguards. | Contractor Security Assessments (CSAs). |
| Reporting | Annual Safeguard Security Report (SSR). | Periodic reports and POA&M for CSAs. |
Compliance Challenges
- Complexity: Both publications align with NIST SP 800-53, requiring technical expertise to implement controls like encryption, access control, and audit logging.
- Resource Intensity: Small organizations and contractors may struggle with the costs of audits, training, and system upgrades.
- Third-Party Management: Ensuring subcontractors comply with 1075 or 4812 requires robust oversight and contracts.
- Evolving Requirements: Keeping up with updates (e.g., 2025 cybersecurity enhancements) demands continuous monitoring.
- Incident Reporting: The 24-hour reporting requirement for breaches is stringent and requires efficient incident response processes.
Benefits of Compliance
- Public Trust: Protects sensitive taxpayer data, maintaining confidence in the tax system.
- Risk Mitigation: Reduces the likelihood and impact of data breaches or unauthorized disclosures.
- Regulatory Compliance: Avoids penalties, loss of FTI access, or contract termination.
- Operational Continuity: Ensures agencies and contractors can continue accessing FTI or SBU data.
How to Get Started
- Review Guidance:
  - Access Publication 1075 (Rev. 11-2021) and Publication 4812 (Rev. 12-2024) on irs.gov.
  - Consult the IRS Safeguards Program webpage for templates and resources.
- Conduct Risk Assessments: Use NIST SP 800-30 to identify risks to FTI or SBU.
- Develop Policies:
  - Create an SSP, IRP, and POA&M for both 1075 and 4812 compliance.
  - Implement a Written Information Security Program (WISP) for contractor security under 4812.
- Implement Controls: Deploy encryption, MFA, access controls, and secure disposal methods.
- Train Personnel: Provide annual training on FTI/SBU protection and document completion.
- Engage Vendors: Ensure business associates or subcontractors sign agreements compliant with 1075 or 4812.
- Prepare for Audits: Maintain documentation and conduct internal audits to prepare for IRS Safeguard Reviews or CSAs.
Conclusion
IRS Publication 1075 and IRS Publication 4812 establish rigorous frameworks for protecting FTI and SBU data, respectively. Publication 1075 focuses on agencies and contractors handling tax information, requiring NIST-aligned controls, annual SSRs, and Safeguard Reviews. Publication 4812 targets contractors managing SBU, emphasizing CSAs and similar NIST-based controls. Compliance with both involves risk assessments, robust safeguards, and ongoing monitoring, with significant penalties for non-compliance.