Safeguards Program

The Safeguards Program and staff are responsible for ensuring that federal, state and local agencies receiving federal tax information protect it as if the information remained in IRS’s hands.

These agencies and their contractors receiving federal tax information must protect the confidentiality of return information and are periodically reviewed by Safeguards personnel to ensure they meet the safeguarding requirements of IRC 6103(p)(4). These requirements include employee awareness programs, proper disposal, secure storage and computer security among others.

Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities (PDF)
This document contains specific requirements for safeguarding federal tax information. This revision of 1075 became effective on Aug. 24, 2010.

Additional Requirements for Publication 1075
Safeguarding requirements may be supplemented or modified between editions of Publication 1075 by guidance issued by the Office of Safeguards.

Publication 1075

Recommendations on How to Become Compliant with the New Requirements
Given the significant changes in technical safeguards requirements found in Sections 4, 5 and 6, the IRS has some recommendations for agencies to become compliant with the new requirements.

Reporting Requirements
Publication 1075 requires agencies to use approved report templates and to transmit the reports electronically. These reports must be encrypted and submitted to the safeguardreports@irs.gov mailbox.

• Safeguard Activity Report (SAR)
• Safeguard Procedures Report (SPR)
• e-mail Encryption Procedures Using the WinZip Utility

Reporting Unauthorized Accesses, Disclosures or Data Breaches
Local, state and federal agencies receiving federal tax information must follow the revised provisions of Section 10 of Publication 1075 (PDF) upon discovering a possible improper inspection or disclosure of FTI, including breaches and security incidents. Agencies must contact Treasury Inspector General for Tax Administration and the IRS Office of Safeguards immediately, but no later than 24-hours after identification of a possible issue involving federal tax information. Agencies are not to wait until after their own internal investigation as been conducted.

Contacting TIGTA is critical to expedite the recovery of compromised data and identify potential criminal acts. The IRS Office of Safeguards investigation focuses on identifying processes, procedures or systems within the agency with inadequate security controls which led to the incident.

Internal Inspections Reports
Section 6.3 of Publication 1075, Tax Information Security guidelines for Federal, State and Local Agencies and Entities, requires that agencies receiving federal tax information (FTI) establish a review cycle for internal inspections of headquarters offices and all local/field offices that receive FTI. The Internal Inspections Report – Headquarters Office and Internal Inspections Report – Field Office are for these inspections.

In addition, these agencies must also include an internal inspection of IT operations, using the Internal Inspections Report – IT Operations. Internal inspections of contractors with access to FTI and any off-site storage facilities must also be completed. All scheduled and completed internal inspections should be provided to the IRS Office of Safeguards on the Internal Inspections Implementation Report.

Safeguards Technical Assistance by Topic
The IRS has recommendations and discussions on various Safeguards Program topics available for agencies to help stay in compliance. These documents may assist with preparation of reports, protecting federal tax information, and knowing the legalities of the Safeguards Program.

IRS Disclosure Awareness Videos
IRS Disclosure Awareness training videos are available for local, state and federal governmental agencies that receive federal tax information (FTI). The IRS Office of Safeguards created videos (with captions in English and Spanish) to help explain several key concepts in protecting the confidentiality of FTI.

• Safeguards 1 Building New Systems - Safeguards Systems Development aids to comply with Publication 1075 security requirements when building a new application on which Federal Tax Information will reside or new process which will use FTI.

• Safeguards 2 Building New Processes or Procedures - Safeguards Process Procedure Development aids to comply with Publication 1075 security requirements when building a new application on which Federal Tax Information will reside or new process which will use FTI.

• Disclosure Awareness Training (Pub. 4711) / Spanish Captions
• Disclosure Awareness Training for State Child Support Agencies (Pub. 4712) / Spanish Captions
• Disclosure Awareness Training for State Human Services Agencies (Pub. 4713) / Spanish Captions
• Protecting Federal Tax Information: A Message from the IRS
• Safeguards 101 Webinar

References/Related Topics

• e-mail Encryption Procedures Using the WinZip Utility
• Safeguard Computer Security Evaluation Matrix (SDSEM) (XLS)
• Safeguard Computer Security Evaluation Matrix (SCSEM)
  • Access Control Facility (ACF2) Release IV (XLS)
  • Application Release IV (XLS)
  • CA-Top Secret Release IV (XLS)
  • Cisco IOS Release IV(XLS)
  • Generic UNIX SCO UnixWare, Tru64 UNIX Release IV (XLS)
  • GenTax Release IV (XLS)
  • IBM RACF Release IV (XLS)
  • Management, Operational, and Technical Controls (MOT) - Web Portal and IVR Appendixes (XLS)
  • Management, Operational, and Technical Controls (MOT) Release IV (XLS)
  • Management, Operational, and Technical Controls Data Warehouse Appendix Release IV (XLS)
  • Management, Operational, and Technical Controls Data Warehouse Appendix Release IV (XLS)
  • Manual Database SCSEM (XLS)
  • Multi-Function Device (MFD) Release IV (XLS)
  • Network Assessment (XLS)
  • Novell Netware 6.5 Release IV (XLS)
  • OpenVMS Release IV (XLS)
  • Safeguard Computer Security Evaluation Matrix (SCSEM) (XLS)
  • Technical MOT Release IV (XLS)
  • UNISYS Release IV v1.0 (XLS)
  • UNIX and Linux Solaris, HP-UX, AIX, Red Hat Linux, SuSE Linux Release IV (XLS)
  • Virtual Private Network (VPN) Security Controls Release IV (XLS)
  • Virtualization (VMWare ESX) SCSEM (XLS)
  • VMware ESX Release IV (XLS)
  • Windows 2000, 2003, and 2008 Release IV (XLS)
  • Wireless LAN Release IV (XLS)