
IRS 1075 and NIST | How Do NIST Guidelines Affect IRS 1075 Regulations?


The Internal Revenue Service is one of the largest and most essential federal government agencies… which means that there is a lot of opportunity for third-party contractors and managed service providers to offer products to support its mission. It also means that these contractors will be expected to adhere to security standards, specifically those outlined in IRS 1075. 

Fortunately, IRS 1075 is aligned with other federal standards, all of which provide a sound security footing and potential to pivot services to other government agencies. Here, we’ll discuss some overlap between IRS 1075 and federal standards, specifically those related to the National Institute of Standards and Technology (NIST). 


What Is IRS 1075?

At any given time, the technical infrastructure of the IRS is storing, transmitting or processing several gigabytes of Personally Identifiable Information (PII) related to the financial and tax filings of millions of Americans.

According to the IRS, it is critical that these citizens have 100% faith in the ability of the IRS to manage this information with as much privacy and confidentiality as is feasible. With that in mind, IRS 1075 is a set of security regulations with jurisdiction over government agencies (and contractors) that handle Federal Tax Information (FTI). This standard covers a set of critical technical and operational guidelines that ensure the protection of FTI, including the following requirements:

While the details of this document are outside of the scope of this article and will be covered in the near future, it is essential to note that, according to the IRS documentation, any system handling FTI in any capacity must adhere to these guidelines. 

Furthermore, it defines specific requirements for contractors handling the data, including requesting and receiving FTI from IRS systems. Some of the more specific provisions include:

As is expected, IRS 1075 relies on relatively strict security and IT guidelines. It does not invent its own set of guidelines, however. Like other federal organizations, the IRS relies on NIST standards for its underlying framework.


What Is the National Institute of Standards and Technology?

The National Institute of Standards and Technology (NIST) has a long history in the U.S. as a standard-bearer (pun intended) for normalizing standards in government operations and technical infrastructure. 

In 1988, NIST adopted its current name and took as its mission the centralization of best practices and technical standards to promote innovation and maintain competitiveness in the U.S. As a side effect, its IT guidance has become the de facto standard for almost every federal compliance framework, which in turn has bled into certain private sectors like finance and healthcare.

One of the most important publications to come out of NIST is the Cybersecurity Framework (CSF), a comprehensive approach to risk management and security implementation. With Executive Order 13800, the Cybersecurity Framework was made mandatory for federal agencies.

Alongside the CSF, NIST publishes several in-depth documents for federal agencies that may serve as voluntary or mandatory compliance requirements, depending on the application and industry. 


What NIST Documents Play a Part in IRS 1075 Compliance?

All that being said, IRS 1075 doesn’t necessarily require CSF compliance. It instead draws from key NIST documents to inform its standards as a standalone regulation. 

Some critical documents incorporated into IRS 1075 include the following:


NIST 800-53 Security and Privacy Controls for Information Systems and Organizations

NIST 800-53 is one of the central documents published by NIST, used as the foundation for many types of compliance. Frameworks in federal cloud service, military security and other areas draw from NIST 800-53.

Simply put, NIST 800-53 is a comprehensive catalog of security controls covering critical areas for the security of IT systems, including access controls, data obfuscation, physical security, media destruction and others. 

Because 800-53 is so comprehensive, IRS 1075 implements only a select number of its controls, drawn from the following groups:


NIST 800-52 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations

TLS encryption, the successor to SSL secure communication technologies, is critical to protecting data in transit. NIST 800-52 outlines the technical details of TLS and the specific implementations and configurations suitable for secure federal data handling.
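As an added illustration (not code from the original article or from the IRS), the snippet below shows what an 800-52-style configuration check looks like in practice: NIST SP 800-52 Rev. 2 requires TLS 1.2 as the minimum protocol version, recommends TLS 1.3, and prohibits SSL and TLS 1.0/1.1. The first function builds a Python client context that enforces that floor; the second classifies the protocol versions a server advertises (the `offered` list is a constructed sample, not a real scan result) so an assessor can report prohibited versions before an audit.

```python
import ssl

# Protocol versions NIST SP 800-52 Rev. 2 permits for federal systems.
# TLS 1.2 is the required minimum; TLS 1.3 is recommended.
# SSL 2.0/3.0 and TLS 1.0/1.1 must not be negotiated.
APPROVED_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def hardened_context() -> ssl.SSLContext:
    """Build a client-side SSLContext that matches the 800-52 baseline.

    create_default_context() already loads the system trust store and turns on
    hostname checking; here the protocol floor is pinned explicitly so that a
    server offering only TLS 1.0/1.1 is refused instead of silently accepted.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # floor required by 800-52r2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3   # latest approved version
    ctx.check_hostname = True                      # certificate must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED            # never talk to an unverified peer
    return ctx


def assess_offered_versions(offered: list[str]) -> dict:
    """Classify the protocol versions a server advertises against the baseline.

    `offered` is whatever a protocol enumeration produced, e.g. the constructed
    sample in the usage below.  The result is a small report: which versions are
    approved, which are prohibited, and whether the server is compliant (no
    prohibited versions and TLS 1.2 available, as 800-52r2 requires servers
    to support TLS 1.2).
    """
    approved = sorted(v for v in offered if v in APPROVED_VERSIONS)
    prohibited = sorted(v for v in offered if v not in APPROVED_VERSIONS)
    compliant = not prohibited and "TLSv1.2" in approved
    return {"approved": approved, "prohibited": prohibited, "compliant": compliant}


if __name__ == "__main__":
    ctx = hardened_context()
    print("minimum protocol:", ctx.minimum_version.name)

    # Constructed sample: a server that still enables legacy TLS 1.0 and 1.1.
    legacy_server = ["TLSv1", "TLSv1.1", "TLSv1.2"]
    print(assess_offered_versions(legacy_server))

    # Constructed sample: a server configured to the 800-52 baseline.
    print(assess_offered_versions(["TLSv1.2", "TLSv1.3"]))
```

The version strings ("TLSv1", "TLSv1.1", ...) follow the naming used by Python's `ssl` module and OpenSSL; if the enumeration tool in use reports versions differently, map its output onto these names before calling `assess_offered_versions`. The context builder only covers the protocol floor and certificate verification; cipher suite selection, which 800-52 also constrains, is left to the defaults of `create_default_context()`.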


NIST 800-63 Digital Identity Guidelines

Digital identity management is a critical component of many compliance frameworks, especially those related to industries replete with fraud or identity theft. NIST 800-63 outlines how secure systems can create, manage and protect compliant identities, and the methods for verifying those identities effectively.


Federal Information Processing Standard (FIPS) 140-2 Security Requirements for Cryptographic Modules

FIPS 140-2 defines the security requirements a cryptographic module must meet, covering the approved encryption algorithms it implements as well as the physical security of the module itself. This document helps organizations understand how to select the most suitable and up-to-date types of encryption for their compliant systems, and it applies to both software-based and hardware-based cryptography.


Line Up Your Compliance Efforts for IRS 1075

If your business works with FTI in any way, you must prepare for IRS 1075 audits. Fortunately, much of the technical auditing work for this framework aligns with other standards, primarily NIST 800-53 and FIPS 140-2, which can apply to many compliance standards. 


Preparing for IRS 1075 Compliance?

Call Lazarus Alliance at 1-888-896-7580 or fill in this form. 

