Internal Revenue Service Publication 1075 (IRS-1075) is a set of regulatory guidelines that prevent the disclosure of federal tax information (FTI). The publication regulates how US government agencies interact with, handle, store, and safeguard FTI. The US government revised IRS 1075 on January 5th, 2022.
IRS Publication 1075 includes information on data security controls, safeguards, best practices, and policies external government agencies and contractors must implement to achieve compliance and ensure the continued confidentiality of FTI data.
The two most important features of IRS 1075 are its implementation of data center controls and the development of the IRS Safeguards Program.
Keep reading to learn more about all the policies introduced by IRS 1075 and their implications for the cybersecurity programs of covered organizations.
Scope of IRS Publication 1075
IRS 1075 protects the confidential relationship between U.S. citizens and the IRS by regulating how entities interact with FTI. The publication predominantly enforces tax information security guidelines for federal, state and local agencies that file tax records and process tax returns. However, the publication also imposes criminal penalties on any government contractor, agent, sub-contractor, or other entity that illegally discloses federal tax returns or return information.
In the publication, the IRS explicitly states that it is an agency’s responsibility to ensure all its organizational departments, consolidated data centers, contractors, and sub-contractors understand and implement the practices discussed throughout IRS 1075.
The publication also explicitly states that its sections apply to all types of FTI, regardless of the extent of information presented or the type of media used to provide the information.
What is Federal Tax Information (FTI)?
For the most part, FTI consists of federal tax returns and return information. However, IRS 1075 categorizes FTI as Sensitive But Unclassified (SBU) information and recognizes that it may contain personally identifiable information (PII). Therefore, the publication also protects any information derived from an individual’s tax return or return information.
The publication’s definition of FTI includes tax returns and return information obtained from any of the following organizations:
- Internal Revenue Service (IRS)
- Social Security Administration (SSA)
- Federal Office of Child Support Enforcement (FOCSE)
- Bureau of the Fiscal Service (BFS)
- Centers for Medicare and Medicaid Services (CMS), and
- Any other organization acting on behalf of the IRS
Note: The publication restricts agencies from masking FTI to avoid the confidentiality requirements and data controls set forth by the IRS.
What are Returns and Return Information?
The publication defines a return as any tax return, estimated tax declaration, or refund claim filed by an individual on behalf of the IRS. Returns include paper and electronic forms, including tax forms 1090, 941, and 1120, and informational forms like Form 1099 or W-2s.
IRS 1075 defines return information very broadly. The publication’s definition includes, but is not limited to:
- Information obtained by the IRS that relates to any tax, fine, penalty, interest, forfeiture, or other imposition or offense,
- Data extracted from an individual’s tax return, including names of dependents or the location of a business,
- A taxpayer’s name, address, social security number, or other identification numbers,
- Information collected by the IRS that details an individual’s tax affairs (even if the agency deleted the individual’s name and address),
- The status of a tax return (the taxpayer has filed the return, the return is under review, the IRS is processing the return, etc.), or
- Information contained in transcripts of accounts
Note: Agencies can find a complete catalog of tax forms on IRS.gov.
What is Personally Identifiable Information (PII)?
Most forms of FTI will include personally identifiable information (PII) elements. IRS Publication 1075 states that FTI may consist of the following aspects of PII:
- Taxpayer name
- Taxpayer mailing address
- Taxpayer social security number
- Email addresses
- Telephone numbers
- Bank account numbers
- Taxpayer place and date of birth
- Mother’s maiden name
- Biometric data
- Any combination of the above
What is the IRS Safeguards Program?
To ensure applicable agencies apply the controls listed throughout IRS 1075, the Internal Revenue Service established the IRS Safeguards Program. The mission of the program is to verify compliance with Internal Revenue Code (IRC) § 6103(p)(4) and offer FTI agencies guidance.
IRS 1075 includes the vision statement of the Office of Safeguards, which states that the office aims to become a trusted advisor of applicable agencies by ensuring they have complete insight into all FTI requirements.
The Office of Safeguards also aims to create a collaborative environment that empowers agencies to adopt best practices and build risk-based infrastructure into their FTI operations.
What Regulations and Controls are Imposed by IRS 1075?
To be considered compliant with IRS 1075, organizations interacting with FTI must follow all regulations set by the publication and be able to demonstrate to the IRS that they can protect the confidentiality of taxpayer information.
Organizations subject to IRS 1075 must complete several security requirements, including:
- Establishing an accurate record-keeping system
- Restricting access to FTI and only allowing authorized parties to interact with taxpayer information
- Completing periodic Safeguard security reports (SSRs)
- Training all employees who are responsible for handling, storing, securing, transporting, or disposing of FTI to carry out the regulations of IRS 1075 and prevent unauthorized access
- Destroying all FTI or returning it to the IRS or the SSA
- Establishing computer system security controls to ensure secure storage of FTI
- Maintaining technology-specific requirements when using FTI on a mobile device or through cloud computing
- Implementing a Plan of Action & Milestones (POA&M)
IRS 1075 requires organizations to establish a secure and accurate record-keeping system. An organization’s record-keeping system should store all FTI records, any documents associated with FTI records, and information systems that store or communicate access rights.
The publication also requires organizations to create an FTI log that records who accesses, transfers, uses, stores, or disposes of FTI and the time and date on which the individual completed the action.
Under IRS 1075, organizations must establish access controls and security policies to limit who can access FTI. Only authorized personnel should be permitted to access FTI. Organizations must install digital access protocols (multi-factor authentication, password encryption requirements, etc.) to ensure permissions are secure and develop secure storage procedures to ensure the physical security of all FTI.
Safeguard Security Reports (SSRs)
The IRS requires organizations to submit periodic Safeguard Security Reports (SSRs) to the IRS Office of Safeguards. These reports will detail the processes, procedures, and controls the organization has implemented to protect FTI.
Agencies are required to submit SSRs annually after FTI is initially received. Organizations applying for FTI for the first time or requesting new data streams will face stricter safeguarding requirements. These agencies must submit an SSR for approval at least 90 days before receipt of FTI.
To facilitate IRS approval and communication of reporting requirements between the agency and the IRS, an agency must also designate an agency Safeguards point of contact (POC) and make program officials and contractors available to discuss FTI, its use, and data transfer protocols.
Note: Agencies applying to receive FTI for the first time must also submit evidence of installed controls in conjunction with their first SSR.
Disposal of FTI
After an organization completes its use of FTI, it must ensure the secure destruction of the information or return the data to the IRS or SSA. Organizations that return FTI to the IRS or SSA must use a receipt process and ensure the information remains confidential in transit.
Computer System Security
This regulation is by far the most complex requirement of IRS 1075. This section of the publication requires agencies to follow ongoing cybersecurity best practices and implement advanced security controls to ensure FTI access is limited.
IRS 1075 utilizes many cybersecurity practices put forth by the National Institute of Standards and Technology (NIST). More specifically, the publication references NIST SP 800-53 and uses a combination of NIST-designated and IRS-designated controls to enforce best practices.
NIST-designated controls found in IRS 1075 include:
- Automate system account management, using email or text messaging notifications
- Automatically disable and remove temporary accounts after two business days
- Disable all accounts within 120 days when the accounts have expired, are no longer associated with a user, or violate an organizational policy
- Monitor accounts for agency-defined atypical usage, including within virtual desktops and at alternate worksites
- Utilize a Virtual Private Network (VPN) connection to protect FTI
- Restrict access to data repositories holding FTI or other sensitive data
- Provide practical employee training that simulates actual data events or incidents
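As an added illustration (not from the publication or from UpGuard), the following Python check applies the two account-lifecycle controls above to a constructed account inventory: temporary accounts are flagged once two business days have passed, and expired, orphaned or policy-violating accounts are flagged once the 120-day disable window has elapsed. The `Account` fields, the sample data and the review date are assumptions; holidays are not modelled.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TEMP_REMOVAL_BUSINESS_DAYS = 2  # temporary accounts: remove after two business days
DISABLE_WINDOW_DAYS = 120        # expired / orphaned / policy-violating accounts

@dataclass
class Account:
    name: str
    temporary: bool
    created: date                     # date the account was issued (hypothetical field)
    trigger: Optional[date] = None    # date it expired, lost its owner, or violated policy
    disabled: bool = False

def add_business_days(start: date, n: int) -> date:
    """Return the date n business days (Mon-Fri) after start; holidays not modelled."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:   # 0-4 are Monday-Friday
            n -= 1
    return d

def review_accounts(accounts, today):
    """Return (account name, finding) pairs for active accounts past their deadline."""
    findings = []
    for a in accounts:
        if a.disabled:
            continue  # already remediated, nothing to report
        if a.temporary and today > add_business_days(a.created, TEMP_REMOVAL_BUSINESS_DAYS):
            findings.append((a.name, "temporary account past two-business-day removal deadline"))
        elif a.trigger is not None and today > a.trigger + timedelta(days=DISABLE_WINDOW_DAYS):
            findings.append((a.name, "account past 120-day disable deadline"))
    return findings

# Constructed sample inventory (not real accounts); review date is Monday 2022-03-14.
REVIEW_DATE = date(2022, 3, 14)
SAMPLE = [
    Account("tmp-auditor", True, date(2022, 3, 10)),            # Thu; deadline Mon 3/14, still OK
    Account("tmp-contractor", True, date(2022, 3, 9)),          # Wed; deadline Fri 3/11, overdue
    Account("jsmith", False, date(2019, 6, 1), date(2021, 11, 1)),  # separated; 120 days -> 3/1
    Account("mlee", False, date(2020, 1, 6), date(2021, 12, 1)),    # separated; 120 days -> 3/31
    Account("svc-old", False, date(2018, 2, 1), date(2021, 1, 1), disabled=True),
]

if __name__ == "__main__":
    for name, finding in review_accounts(SAMPLE, REVIEW_DATE):
        print(f"{name}: {finding}")
```

The weekend-aware deadline is the part worth checking: an account issued on a Thursday is not overdue until Tuesday, while one issued on Wednesday is overdue by the following Monday.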
IRS 1075 outlines technology-specific requirements for several types of technology commonly used to access agency data. The publication sets guidelines for cloud computing, telecommunications, email communications, and more.
To use a cloud computing model to interact with FTI, agencies must:
- Achieve FedRAMP authorization,
- Leverage onshore access,
- Provide a physical description of all data centers that receive FTI,
- Utilize encryption keys to protect the transmission of FTI,
- Conduct annual risk assessments,
- Install multi-factor authentication, and
- Follow all other security controls listed in IRS 1075
To access FTI on a mobile phone, agencies must:
- Implement a centralized mobile device management (MDM) solution
- Establish configuration, connection, and organization-wide implementation controls to ensure personnel only use organization-controlled mobile devices
To access FTI over email or through email communications, agencies must:
- Develop a written policy that:
  - Establishes baseline controls to prohibit or permit email transmission of FTI on a case-by-case basis
  - Sets out a plan of action to mitigate the damage if personnel inadvertently include prohibited FTI in an email
  - Requires adequate labeling to quickly identify emails that contain FTI (“email subject contains FTI”)
Plan of Action & Milestones (POA&M)
The IRS requires agencies who interact with FTI to develop a Plan of Action & Milestones (POA&M) that sets solutions based on the findings of internal inspections and remediation plans. An agency’s POA&M should include a record of progress and establish date windows that the agency must achieve to resolve any risks or vulnerabilities.
IRS 1075 requires agencies to appropriately train all employees who interact with FTI. This requirement includes employees who are responsible for handling, storing, securing, or disposing of FTI. Employees who interact with FTI must also complete an annual training course to receive an FTI certificate.
Penalties for Non-Compliance with IRS 1075
IRS 1075 imposes several criminal penalties for those who misuse FTI or fail to comply with any of the publication’s requirements. The penalties enforced by IRS 1075 include the following:
- Unauthorized disclosure or use of FTI: fines of up to $5,000, imprisonment for up to 5 years, or a combination of the two
- Unauthorized access of FTI: fines up to $1,000, imprisonment for up to 1 year, or a combination of the two
Failing to comply with the provisions outlined in IRS 1075 can also carry civil penalties of up to $1,000 per violation.
How Does the IRS 1075 Impact Cybersecurity?
IRS 1075 requires organizations to maintain cybersecurity best practices to protect the confidentiality and integrity of FTI. While the publication explicitly requires organizations to install various cybersecurity controls, it also implicitly requires organizations to develop healthy cyber hygiene and a secure cybersecurity baseline.
The publication also reiterates the importance of taking a holistic approach to cybersecurity since it can punish organizations for the negligence of their contractors and subcontractors.
How Can UpGuard Help?
UpGuard Vendor Risk empowers organizations to ensure IRS 1075 compliance across their entire supply chain. By using Vendor Risk, your organization will have access to flexible security questionnaires, powerful vendor assessment tools, and seamless remediation workflows that allow it to safeguard FTI 24/7.
UpGuard Vendor Risk will also enable your organization to:
- Increase visibility across its supply chain
- Automate its vendor risk assessment process with flexible templates
- Receive real-time risk updates
- Tier vendors based on their criticality and vulnerability levels
- Calculate the impact of remediated risks
- Generate instant reports
- Stay informed on relevant data breaches and industry information
- Monitor all third-party risks in one centralized dashboard
Organizations interacting with FTI can also utilize UpGuard BreachSight to manage their external attack surface. This comprehensive cybersecurity tool enables organizations to monitor security risks, identify vulnerabilities, and make informed decisions regarding risk remediation based on real-time notifications.