The IRS 1075 publication lays out a framework of compliance regulations to ensure federal tax information, or FTI, is treated with adequate security provisioning to protect its confidentiality. This may sound simple enough but IRS 1075 puts forth a complex set of managerial, operational and technical security controls you must continuously follow in order to maintain ongoing compliance.
Any organization or agency that receives FTI needs to prove that they’re protecting that data properly with IRS 1075 compliance. Federal, state, county and local entities – as well as the contractors they employ – are all within its scope.
IRS 1075 is comprised of the following sections:
- Federal Tax Information and Reviews
- Recordkeeping Requirement: IRC 6103(p)(4)(A)
- Secure Storage: IRC 6103(p)(4)(B)
- Restricting Access: IRC 6103(p)(4)(C)
- Other Safeguards: IRC 6103(p)(4)(D)
- Reporting Requirements: IRC 6103(p)(4)(E)
- Disposing of FTI: IRC 6103(p)(4)(F)
- Computer System Security
- Reporting Improper Inspections or Disclosures
- Disclosure to Other Persons
- Return Information in Statistical Report
The complete document describing IRS 1075 requirements is available here.
All agency information systems used for receiving, processing, storing or transmitting FTI must be hardened in accordance with the requirements in IRS 1075. Agency information systems include the equipment, facilities and people that collect, process, store, display and disseminate information. This includes computers, hardware, software and communications as well as policies and procedures for their use.
The computer security framework was primarily developed using guidelines specified in NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments, and NIST SP 800- 53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. Only applicable NIST SP 800-53 controls are included in IRS 1075 as a baseline. Applicability was determined by selecting controls required to protect the confidentiality of FTI.
Let’s focus on Section 9: Computer System Security.
IRS 1075 requires organizations and agencies to protect FTI using core cybersecurity best practices like file integrity monitoring (FIM) and security configuration management(SCM). Both of these technologies depend upon a known, secure baseline. Any deviations from this baseline signal authorized or unauthorized changes that could bring your systems out of compliance or expose them to attacks.
According to IRS 1075, all organizations and agencies that handle FTI must do the following:
- Determine the types of changes to the information system that are configuration controlled
- Review proposed configuration-controlled changes to the information system and approve or disapprove such changes with explicit consideration for security impact analyses
- Document configuration change decisions associated with the information system
- Implement approved configuration-controlled changes to the information system
- Retain records of configuration-controlled changes to the information system for the life of the system
- Audit and review activities associated with configuration-controlled changes to the information system
- Coordinate and provide oversight for configuration change control activities through a Configuration Control Board that convenes when configuration changes occur
- Test, validate and document changes to the information system before implementing the changes on the operational system
Tripwire can help with its Tripwire Enterprise software.
One of Tripwire Enterprise’s most fundamental capabilities is establishing a secure baseline configuration for your system and tracking all changes against that baseline. Tripwire Enterprise ensures the integrity of your files and systems, keeping a record of all changes that take place and producing audit-ready reports to make proof of compliance easier.
Tripwire Enterprise supports IRS 1075 Policy Compliance hardening guidelines out of the box.
If your organization or agency handles federal income tax information of any sort, you are required to stay in compliance with IRS 1075. Failure to do so can lead to heavy fines and even criminal charges, but Tripwire technology makes ongoing compliance simple and keeps you audit-ready at all points in time.