What is Internal Revenue Service Publication 1075 (IRS Pub 1075)?


Here at Ignyte, we talk a lot about the most common and popular security certifications and frameworks for cloud service providers and others: FedRAMP, CMMC, and their associated NIST publications. These are very important, but they’re far from everything that can be relevant to a CSP or to businesses looking to maintain their security credentials.

Most CSPs have to deal with basic PII, CUI, and other forms of protected information that may be treated broadly the same. Others have to adhere to other standards when they handle specific kinds of information. For example:

  • Defense-related information, or CDI (Covered Defense Information), adds in DFARS compliance requirements.
  • Healthcare-related information requires that the CSP maintain HIPAA compliance.

Similarly, specific kinds of financial information have their own controls. While general financial information is protected, if your cloud services provider also handles federal tax information, you’re going to need to comply with IRS Pub 1075.

What is IRS Pub 1075, what is included in its requirements, and what do you need to do to comply? Let’s discuss.

What is IRS Pub 1075?

Officially known as Internal Revenue Service Publication 1075, or IRS 1075 for short, this document provides guidance and rules for both government agencies and their contractors and agents who need to access and handle FTI, or Federal Tax Information. If you’re interested, the full text of IRS 1075 can be found here. Be warned: it’s a 216-page PDF and isn’t exactly light reading.

IRS 1075 is not itself part of a certification the way something like FedRAMP or CMMC is. Fortunately, however, it’s fairly similar. This is because the IRS publication is based largely on the same set of security standards and protocols outlined in NIST SP 800-53. NIST SP 800-53, along with NIST SP 800-171, forms the foundation of CMMC and FedRAMP certification. We’ve covered this extensively in our blog.


The goal of the IRS publication is the same as the goals behind FedRAMP and CMMC: it’s a set of standards and rules that can be clearly defined and audited, which ensure that an agency or a contractor is handling federal tax information properly. This helps guarantee that there’s as little risk as possible of loss, breach, misuse, or fraud committed using that information.

IRS 1075 also includes data encryption standards that mirror the Federal Information Processing Standard (FIPS) 140 documentation on encryption.

Overall, IRS 1075 is not a direct mirror of NIST SP 800-53; it’s more of an accumulation of several NIST documents and other standards. It also contains elements of NIST 800-52 (Guidelines for the Selection, Configuration, and Use of Transport Layer Security), NIST 800-63 (Digital Identity Guidelines), and the aforementioned FIPS 140.

Who Needs to Comply with IRS 1075?

As with any governmental security standard, the first question you are likely to ask is, “Does this apply to me?” For many businesses, CMMC and FedRAMP can be tricky to determine; fortunately, IRS 1075 is not so difficult.

The IRS mandates that any agency or company that touches, handles, stores, transmits, or interacts with federal tax information in any way needs to comply with IRS 1075 policies. This includes all individual departments within a governmental agency, any cloud service provider or contractor working with that agency in handling FTI, any data center storing or processing FTI, all the way down the chain of contractors and subcontractors.


If you’re a service provider providing your services to another cloud company that itself in turn is providing services to a tax preparation service, which handles FTI, there’s a decent chance you need to comply with IRS 1075. The exception is if you’re certain you do not interact with FTI at all. For example, if your service facilitates calendar notifications, you aren’t handling FTI; if your service provides cloud storage or document verification of tax documents, you definitely have to comply with IRS 1075.

If you already comply with FedRAMP or CMMC or another similar level of security, there’s a good chance you’re most of the way to compliance with IRS 1075 already.

What Constitutes Federal Tax Information?

Federal tax information, or FTI, is the central kind of information protected by IRS 1075. So what is it?

According to the 1075 publication directly:

“FTI consists of federal tax returns and return information (and information derived from it) that is in the agency’s possession or control that is covered by the confidentiality protections of the IRC and subject to the IRC section 6103(p)(4) safeguarding requirements including IRS oversight. FTI is categorized as sensitive but unclassified (SBU) information and may contain personally identifiable information (PII).

FTI includes return or return information received directly from the IRS or obtained through an authorized secondary source such as Social Security Administration (SSA), Federal Office of Child Support Enforcement (OCSE), Bureau of Fiscal Services (BFS) or Centers for Medicare and Medicaid Services (CMS) or another entity acting on behalf of the IRS pursuant to an IRC section 6103(p)(2)(B) Agreement.

FTI includes any information created by the recipient that is derived from federal return or return information received from the IRS or obtained through a secondary source.”

Well, that’s quite the mouthful while simultaneously not saying much. The IRC is the Internal Revenue Code, also known as the tax code, and section 6103 is the part of it that sets out the confidentiality rules for returns and return information. You’re certainly free to look up the relevant sub-sub-subsections if you like, but we’re happy to distill it down for you.


Basically, any relevant information related to federal taxes and tax returns, and information derived from it, falls under the purview of IRS 1075. An individual’s estimated tax payments, the information in various tax forms like W-2s or 1099s, or (for a common example) the full returns generated by a third party like Intuit or H&R Block all constitute FTI.

This doesn’t just mean the relevant numbers but also includes information such as the location of the business an individual worked for, their tax identification number, the names of their claimed dependents, the status of their tax return, and account statements or transcripts relevant to tax filing. Many elements of FTI are also PII, such as the individual’s mailing address, social security number, birth date, and even telephone number.

If your company is adjacent to or handles any of this information in even the barest, most passing way, it’s still enough to require you to comply with IRS 1075.

How Do You Achieve IRS 1075 Certification?

You don’t.

IRS 1075 is a set of guidelines that the IRS requires you to adhere to if you’re handling FTI. However, the IRS does not operate a certifying body or a process for obtaining a certification or an ATO, the way FedRAMP or CMMC does.

Instead, like many IRS systems, auditing can happen randomly and at any time. If you are in compliance with IRS 1075, you will be able to pull auditing reports and deliver information regarding your compliance to the auditor. Passing the audit allows you to continue providing services. Failing the audit removes your ability to work with FTI until such time as you can pass another audit. The IRS can also ask that systems be audited by a 3PAO such as Ignyte to gain additional assurance.


When you have passed the audit, the IRS generally issues an attestation of compliance, which is similar to a certification but not quite the same. These attestations can vary between internal-use and external-use, and are usually gated behind an NDA, so only authorized individuals or entities can even see them. In order to share the IRS Safeguards document, the IRS must explicitly allow it to be shared, and then only with a customer under NDA.

Small cloud service providers generally need to align their entire business at all layers with proper security protocols. Larger companies like Google, Amazon, and Microsoft instead create Government-focused versions of their services and maintain compliance with those while requiring that their clients who handle FTI (or CUI or SBU) use those government-focused versions. This allows them to save time, effort, and processing power on their general services while focusing their efforts where they’re most impactful.

How to Comply with IRS 1075

Fortunately, compliance with IRS publication 1075 is relatively straightforward. We say relatively here because it’s not easy and, in fact, is rather difficult if you aren’t used to security frameworks. However, since IRS 1075 is largely based on NIST 800-53, there’s a significant overlap between your basic FedRAMP compliance and IRS 1075 compliance.

Since the two are so similar, most CSPs that pursue one can also attain the other. That said, if you don’t interact with federal tax information, there’s no reason to go out of your way to adhere to IRS processes when FedRAMP alone is enough to open up most government contracts for you.


Generally, compliance with IRS 1075 can be divided into broad categories, all of which have specific and relevant security controls attached. As a reminder, all of these apply both to physical access to and handling of FTI and to digital/online interactions with FTI. Cybersecurity is a core focus of NIST 800-53 and, consequently, of IRS 1075.

  • Record-keeping. The IRS demands ongoing auditing and an audit trail be kept available for any handling of FTI, including all access, transfer, usage, storage, and disposal of FTI records.
  • Storage. All storage needs to be secure and encrypted using FIPS 140-compliant encryption standards. This includes both digital and physical storage.
  • Access. FTI should only be available to be accessed or used by authorized parties, which requires both access restrictions and user identity verification and authorization protocols. As with the other elements of IRS 1075, this is also broadly outlined in other NIST documents as well.
  • Reporting. Part of IRS 1075 compliance is the generation of a Safeguard Activity Report and a Safeguard Procedures Report, both of which are to be sent to specified IRS contacts for review and oversight.
  • Training. Any employee who may come into contact with FTI needs to be trained in proper and secure processes and handling, and requires annual certification for that training.
  • Disposal. When it comes time to get rid of FTI or devices that hold FTI, they need to be disposed of properly so that no information can be recovered in the process or after the fact.

If these categories and controls sound familiar, well, we really can’t stress enough that the overlap between IRS 1075 and NIST 800-53 is significant.

What Are the Penalties for Noncompliance?

If you’re a service provider that does not handle FTI in any capacity, there’s no penalty for not adhering to IRS 1075. That said, if you’re working on a government contract and should be adhering to FedRAMP, falling short of IRS 1075 without violating FedRAMP is difficult.

If your company does handle FTI, failure to comply with IRS 1075 is a breach of the rules and safeguards. This generally results in both a significant fine and a loss of contract or ability to access or use FTI until such time as you regain compliance, often with stricter oversight.


That is the case when your agency is discovered to be out of compliance through an audit; if a breach or data loss occurs, you can be subject to even steeper penalties. Unauthorized disclosure of FTI can carry fines of up to $5,000 and imprisonment for up to five years; unauthorized access carries a fifth of those penalties.

Tracking and Maintaining IRS 1075 Compliance

Taxes and tax-related information are things the government takes very seriously. As such, if you handle or expect to handle FTI in any capacity, you are well advised to do everything you can to make sure you’re compliant. The only question, then, is how?


This is where we can help. At Ignyte, we’ve developed our platform with FedRAMP in mind, but we also cover a wide range of additional security frameworks. Whether it’s CMMC, HITRUST, DFARS, FISMA, or, yes, IRS 1075, we have the ability to help.

If you have any questions about how IRS 1075 works, how you can gain and maintain compliance, or how our platform can help, feel free to reach out and contact us today. Alternatively, simply click here to book a demo and see the platform in action. We look forward to working with you!
