Hello, my name is Jason.
This podcast is part two of a two-part series from the IRS Safeguards office on updates to Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies.
Publication 1075 is your guide for tax information security.
Complying with it ensures that you are diligently protecting the sensitive federal taxpayer information with which you are entrusted.
This podcast, part two, covers four of seven key changes featured in the September 2016 revision that’s now on IRS.gov.
We covered the first three changes in part one.
The last four changes are:
One: Shared Facilities and Consolidated Data Centers
Two: 45-Day Notification Reporting Requirements
Three: Destruction and Disposal and
Four: Exhibit 7, Safeguarding Contract Language
First, Shared Facilities and Consolidated Data Centers
Publication 1075 has guidance on the use of shared facilities and consolidated data centers.
Shared facilities may be used by FTI recipients only if access to FTI is restricted to those allowed to re-disclose by statutory authority.
In addition to your agency, all contractor and shared sites that receive, process, store or transmit FTI are subject to Safeguard Reviews.
Additionally, agencies using consolidated data centers must implement controls to ensure FTI is adequately protected.
This includes a service level agreement, or SLA, between the agency authorized to receive FTI and the consolidated data center.
The SLA must cover all items included in section five point four point two point two of Publication 1075.
As a part of the agency review process, all affiliated contractors who receive, transmit, process and store FTI on behalf of the agency are subject to review and IT testing.
These requirements also apply to releasing electronic media to a private contractor or other agency office, even if the purpose is merely to erase the old media for reuse.
The second key change is to Notification Requirements.
Publication 1075 now includes guidance on the 45-day notification requirements for FTI.
This notification relates to systems processes, and whether or not advance approval is required.
One: For FTI related to disclosure to contractors, notification is required before you release FTI to any agency contractor not listed in your last annual SSR.
And two: For FTI related to re-disclosure by a contractor to a sub-contractor, FTI may not be released to a sub-contractor without approval in writing from the IRS Safeguards office.
Note that both of these stipulations apply only to agencies specifically authorized by Internal Revenue Code section 6103 or by regulation.
The third key change involves Destruction and Disposal.
Publication 1075 includes new requirements for shredding and provisions applying to physical media that leave your physical or systemic control.
The shredding guidelines for paper have changed to adhere to National Institute of Standards and Technology 800-88r1, which requires one millimeter by five millimeters.
New destruction guidelines for electronic media are in two media sanitization sections: nine point three point ten point six, Media Sanitization, and nine point four point seven.
Whenever physical media leave the physical or systemic control of the agency for maintenance, exchange or other servicing, any FTI on it must be destroyed before release, following the requirements in these two.
When using either destruction method, you must check every third piece of physical electronic media to ensure appropriate destruction of FTI.
Destroy microfilms (microfilm, microfiche, or other reduced image photo negatives) by burning to white ash.
If the agency has legal authority to disclose FTI to a disposal contractor and chooses one that is National Association for Information Destruction (NAID) certified, the agency will not be required to complete an internal inspection every 18 months of that facility.
However, it must maintain a copy of, and periodically validate, the NAID certification.
Safeguards will accept NAID certification and will not need to do an on-site review of that facility, providing the agency is authorized to do so and has a copy of the NAID certification.
The last key change is to Exhibit 7, Safeguard Contract Language, which is updated to include background investigation requirements.
The PERFORMANCE section now states, “The contractor and the contractor’s employees with access to, or who use FTI must meet the background check requirements defined in IRS Publication 1075.”
Your agency must modify current contracts and Service Level Agreements to include language regarding minimum background investigation requirements.
This concludes our podcast on the updates to Publication 1075.
It’s a good idea to review the entire publication to ensure you are familiar and comply with these requirements.
If your agency has questions, send them to us at SafeguardReports@IRS.gov.
You can also get more information at IRS.gov using the search term “Safeguards.”
Thanks for listening.