IRS Safeguards Update and Publication 1075 Additional Requirements
DATE: December 30, 2011
TO: ALL STATE IV-D DIRECTORS
As you are aware, we recently met with the Internal Revenue Service’s (IRS) officials to discuss your concerns about the IRS safeguard process and safeguard review findings. In addition, IRS’ safeguards team met with us last month to provide an overview of new sections, exhibits, technical assistance memorandums, and three new safeguard computer security evaluation matrices (SCSEM). As described in IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, requirements may be supplemented or modified between editions of the 1075 via guidance issued by the IRS Office of Safeguards and posted on their IRS.gov website.
We recognize that the safeguards review process and some of the new requirements will be financially and operationally burdensome for states. For example, we anticipate that states will need to reprogram their computer systems to comply with the new requirements. As a result of our discussions with IRS, they agreed to several measures to address these issues, including forming a workgroup that will include state IV-D directors. We plan to meet with IRS in the coming weeks to discuss the process further and will provide additional information to you as it becomes available.
The recently added IRS sections contain these technical assistance memorandums and exhibits:
•9.18.12: Protecting Federal Tax Information (FTI) in Virtual Environments
•9.18.13: Protecting FTI in Voice Over IP Networks
•9.18.14: Protecting FTI in a Cloud Computing Environment
•Exhibit 15: Virtualization Notification Requirements
•Exhibit 16: Cloud Computing Notification Requirements
The documents can be found in the Additional Requirements for Publication 1075 section. Additional new technical assistance memorandums can be found under the Safeguards Technical Assistance by Topic section of the IRS website.
•Incident Response Test and Exercise Guidance
•Protecting FTI in Databases through Labeling
•Protecting FTI By Proactive Auditing
•Protecting FTI in Electronic Case Records
•Protecting FTI From Social Media Sites and Collaboration Tools
•Protecting FTI through Network Defense-in-Depth
•Use of FTI in Open Source Software
•Use of Live FTI in System Testing (Expands live data testing requirements provided in Section 9.18.8 Live Data Testing). This memorandum also includes the Live FTI Data Testing Request Form.
The new SCSEMs can be located under the "Safeguards Program" section of the website at www.irs.gov/privacy/article/0,,id=177651,00.html. They include:
•Management, Operational, and Technical Controls (MOT) – Web Portal and IVR Appendixes
•Manual Database SCSEM
•Virtualization (VMWare ESX) SCSEM
In collaboration with OCSE, the Office of Safeguards will provide a teleconference briefing in February 2012 to discuss the new IRS guidance and requirements, and address your questions. We will send out notification to you once a call date is established. If you have any questions or require additional information, please contact Scott Hale at 202-401-5745 or firstname.lastname@example.org or Danny Markley at 202-260-1888 or email@example.com.
Office of Child Support Enforcement
cc: ACF/OCSE Regional Program Managers
Tribal IV-D Directors