The federal government has strict and comprehensive regulations on how agencies handle constituents’ personal information. This is just as true for tax information. The IRS leans on established guidelines associated with federal security to dictate regulations for agencies that handle tax information and, by and large, treats that information as a sensitive and critical part of operations. These guidelines are housed in the robust regulatory document called IRS 1075.
IRS Publication 1075 and Cybersecurity Law
IRS Publication 1075, “Tax Information Security Guidelines for Federal, State and Local Agencies,” specifies the digital and information security required for these agencies to store, transfer and process Federal Tax Information (FTI).
- Federal Tax Information: FTI is income tax information, or information derived from income tax forms, that are under the control of agencies for any purpose.
- Personal Identifiable Information (PII): PII is personal information that can identify a user and includes items like phone numbers, ID numbers, addresses, social security numbers, and others. For IRS information management, PII is considered FTI and subject to jurisdiction in tax-related systems and applications.
The key motivation of IRS 1075 is to regulate IT systems holding FTI pursuant to the Internal Revenue Code (IRC) Section 6103, “Confidentiality and Disclosure of Returns and Return Information,” which states that returns and return information (FTI) shall remain confidential. Agencies handling FTI are responsible for protecting it.
At the heart of IRS 1075 are nine sections:
Section 1: Introduction
This section sets the overview of the jurisdiction and expectations of IRS 1075. It also provides references to the IRS Safeguards Website (a resource for information related to IRS 1075) and the Safeguards Mailbox (an alternative to the website to request resources via email). This section also defines all terms related to the law, including returns, FTI, returns, access, etc.
Section 2: Federal Tax Information and Reviews
This section sets into law that agencies must demonstrate adherence to 1075 and the capability to maintain the confidentiality of FTI before receiving permission to use it. As part of this requirement, they must provide a Safeguards Security Report (SSR) based on schedules dictated by the type of demand. This section also states that participating organizations must limit the processing of FTI to authorized methods, that partners use the IRS Secure Data Transfer Program (SDT) for data management and that these organizations undergo regular, thorough reviews to determine criticality impact levels based on their findings:
- Limited: A vulnerability is expected to have a low or minimal impact on the organization’s ability to protect FTI.
- Moderate: A vulnerability is expected to have a demonstrable impact on the organization’s ability to protect FTI.
- Significant: A significant vulnerability is expected to have a severe and/or imminent impact on the organization’s ability to protect FTI.
- Critical: A vulnerability is expected to impact the organization’s ability to protect FTI immediately.
Section 3: Record-Keeping Requirements
Participating agencies and partners must track FTI from the moment it enters their systems until it is destroyed. These records must be in the form of secure and protected audit logging.
Section 4: Secure Storage
Section 4 establishes physical Minimum Protection Standards, or MPS, based on four distinct areas of emphasis:
- Secured Perimeter: Secure storage of IT systems and information must exist in secured, locked and monitored locations.
- Security Room: IT systems must be secure with limited access for only authorized employees.
- Badged Employees: Employees must have identification to prove or provide access to any secure systems.
- Security Container: Stored FTI must also be in a certain case that can resist forced penetration.
Section 5: Restricting Access
Agencies handling FTI must ensure that only employees with duties or responsibilities related to that FTI have access to it. This means that these employees must work within identity and access management systems that designate roles and responsibilities in their IT infrastructure and that FTI is designated to avoid unauthorized access.
Section 6: Other Safeguards
Agencies must provide training for their employees to cover practices like disclosure, management, reporting, disposal and audits of FTI. Agencies must also implement specific safeguards like data encryption with a minimum of AES-128 cryptography protected with strong passwords.
Section 7: Reporting Requirements
Agencies must submit IRS reports, encrypted, through the SDT program. This includes the annual SSR and anything containing FTI.
Section 8: Disposing of FTI
All FTI must be destroyed after its reasonable processing use has been completed. Paper printouts must be burned or shredded. FTI stored on media like tape or microfiche must also be burned. Digital FTI stored on hard drives must follow NIST SP 800-88 on Media Sanitation.
Section 9: Computer System Security
Agencies must implement minimal IT security controls in line with the National Institute of Standards and Technologies (NIST) and Federal Information Processing Standards (FIPS).
Key Documents and Guidelines for IRS 1075
To best determine cybersecurity controls for relevant IT systems, IRS 1075 leverages NIST and FIPS documentation as guidelines for securing these systems. Such documents directly speak to how organizations implement security to protect FTI as a form of PII.
Some key documents include the following:
- NIST Special Publication 800-53: This document is the heart of IRS 1075 (and many other regulations). It is a catalog of security controls covering everything from cryptography and access management to physical security and training requirements. IRS 1075 imports specific controls familiar from NIST 800-53 but includes more requirements if the data is stored in cloud environments–situations where the relationship between NIST 800-53 and FedRAMP are more relevant.
- NIST Special Publication 800-52: This document defines how organizations may choose and implement Transport Layer Security (TLS) solutions to encrypt data in transit.
- NIST Special Publication 800-30: This document defines guidelines for conducting risk assessments for risk management, an essential aspect of computer system security controls defined through NIST 800-53.
- FIPS 140-2: This document defines federal standards for data encryption and where IRS 1075 derives its requirements for a minimum AES-128 cryptography standard.
Automate IRS 1075 Audits with Continuum GRC
If your IT systems are managing FTI in any capacity, you’ll invariably be handling personal information within a federal context–with all the security requirements and regulations that follow. Implementing these controls, managing personnel, and organizing audits can become incredibly time-consuming and costly.
Continuum GRC has already implemented risk assessment and audit modules to automate the process of IRS 1075 audits across all sections of the law. Our ITAM system takes complex compliance and auditing requirements and streamlines them into effective, accurate processes to ensure that your company understands its relationship to the requirements of the law.
Are You Gearing Up for IRS 1075 Compliance?
Call Continuum GRC at 1-888-896-6207 or complete the form below.