The Internal Revenue Service is one of the largest and most essential federal government agencies… which means that there is a lot of opportunity for third-party contractors and managed service providers to offer products to support its mission. It also means that these contractors will be expected to adhere to security standards, specifically those outlined in IRS 1075.
Fortunately, IRS 1075 is aligned with other federal standards, all of which provide a sound security footing and potential to pivot services to other government agencies. Here, we’ll discuss some overlap between IRS 1075 and federal standards, specifically those related to the National Institute of Standards and Technology (NIST).
What Is IRS 1075?
At any given time, the technical infrastructure of the IRS is storing, transmitting or processing several gigabytes of Personal Identifiable Information (PII) related to the financial and tax filings of millions of Americans.
According to the IRS, it is critical that these citizens have 100% faith in the ability of the IRS to manage this information with as much privacy and confidentiality as is feasible. With that in mind, IRS 1075 is a set of security regulations with jurisdiction over government agencies (and contractors) that handle Federal Tax Information (FTI). This standard covers a set of critical technical and operational guidelines that ensure the protection of FTI, including the following requirements:
- Ensuring data confidentiality and obfuscation via encryption
- Implementing access control and restriction based on user roles
- Keeping and maintaining secure records and audit logs
- Deploying physical security measures for all critical office locations, data centers and workstations and devices
- Planning and using compliant methods of erasure and destruction for any media holding FTI
- Planning and mobilizing clear plans of security monitoring, mitigation and remediation in cases of data breaches
- Reporting unauthorized disclosures of FTI to the IRS
While the details of this document are outside of the scope of this article and will be covered in the near future, it is essential to note that, according to the IRS documentation, any system handling FTI in any capacity must adhere to these guidelines.
Furthermore, it defines specific requirements for contractors handling the data, including requesting and receiving FTI from IRS systems. Some of the more specific provisions include:
- Secure Data Transfer (SDT) Program: Contractors requesting data from the IRS must do so through the SDT, which establishes an encrypted electronic transmission between the two parties. The technical aspects of the SDT program are contained in the SDT handbook.
- Limitations of Usage: An agency or contractor may only use FTI based on the specific language of their request. Any further use of FTI outside the scope of that request necessitates submitting a secondary request of usage.
- Assessments and Reviews: IRS 1075 includes several requirements for third-party and self-assessment. Organizations must officially review and report on policies and procedures every three years, update system authorizations every three years, and conduct penetration testing every three years. Additionally, these organizations must also maintain continuous monitoring of systems at all times. On top of these assessments, the IRS may determine that an organization must undergo Safeguard Reviews either as on-site or remote audits. These reviews are hands-on assessments of the adequacy of the implementation of compliance and security programs, instead of audits of the programs more broadly.
- End of FTI Usage: Once an agency no longer requires access to FTI, it will notify the IRS in writing and take sufficient steps to destroy this data per IRS 1075 requirements.
As is expected, IRS 1075 relies on relatively strict security and IT guidelines. It does not invent its own set of guidelines, however. Like other federal organizations, the IRS relies on NIST standards for its underlying framework.
What Is the National Institute of Standards and Technology?
The National Institute of Standards and Technology (NIST) has a long history in the U.S. as a standard-bearer (pun intended) for normalizing standards in government operations and technical infrastructure.
Starting in 1988, NIST gained its current name and took as its mission to centralize best practices and technical standards to promote innovation and maintain competitiveness in the U.S. As a side effect, its documentation of IT guidelines have become the de facto standard for almost every federal compliance framework, which in turn has bled into certain private sectors like finance and healthcare.
One of the most important publications to come out of NIST is the Cybersecurity Framework (CSF), a comprehensive approach to risk management and security implementation. With Executive Order 13800, the Cybersecurity Framework was made mandatory for federal agencies.
Alongside the CSF, NIST publishes several in-depth documents for federal agencies that may serve as voluntary or mandatory compliance requirements, depending on the application and industry.
What NIST Documents Play a Part in IRS 1075 Compliance?
All that being said, IRS 1075 doesn’t necessarily require CSF compliance. It instead draws from key NIST documents to inform its standards as a standalone regulation.
Some critical documents incorporated into IRS 1075 include the following:
NIST 800-53 Security and Privacy Controls for Information Systems and Organizations
NIST 800-53 is one of the central documents published by NIST, used as the foundation for many types of compliance. Frameworks in federal cloud service, military security and other areas draw from NIST 800-53.
Simply put, NIST 800-53 is a comprehensive catalog of security controls covering critical areas for the security of IT systems, including access controls, data obfuscation, physical security, media destruction and others.
Because 800-53 is so comprehensive, it only implements a select number of controls from the following groups:
- Access Controls
- Awareness and Training
- Audit and Accountability
- Assessment, Authorization and Monitoring
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Media Protection
- Physical and Environmental Protection
- Program Management
- Personnel Security
- Risk Assessment
- Communications Protection
- Information Integrity
- Supply Chain Risk Management
NIST 800-52 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
TLS encryption, the successor to SSL secure communication technologies, is critical to obfuscating data transmission. NIST 800-52 outlines the technical details of TLS and the specific implementations and configurations suitable for secure federal data handling.
NIST 800-63 Digital Identity Guidelines
Digital identity management is a critical component of many compliance frameworks, especially those related to industries replete with fraud or identity theft. NIST 800-63 outlines how to secure systems can create, manage and secure compliant identities and methods to verify those identities effectively.
Federal Information Processing Standard (FIPS) 140-2 Security Requirements for Cryptographic Modules
FIPS 140-2 defines appropriate cryptographic modules, such as encryption and physical security of data for obfuscation. This document helps organizations understand how to select the latest and most suitable types of encryption for their compliant systems, and can include software-based and hardware-based cryptography.
Line Up Your Compliance Efforts for IRS 1075
If your business works with FTI in any way, you must prepare for IRS 1075 audits. Fortunately, much of the technical auditing work for this framework aligns with other standards, primarily NIST 800-53 and FIPS 140-2, which can apply to many compliance standards.
Preparing for IRS 1075 Compliance?
Call Lazarus Alliance at 1-888-896-7580 or fill in this form.