All-In-One Gov Compliance


What Are The IRS 1075 Safeguards Audit Requirements?


When you think about an IRS publication, you’re probably thinking about the complex forms you need to fill out, usually relating to taxes. That’s not all the IRS publishes, though, and one of the more important documents they maintain is called Publication 1075.

When it comes to sensitive information for everyday Americans and private sector businesses, there’s very little more important and more sensitive than tax information. The IRS, therefore, needs to take protecting this information seriously. The rules laid out in IRS Publication 1075 are how this is done.

BLUF - Bottom Line Up Front

Publication 1075 sets security rules to protect Federal Tax Information (FTI). It applies to federal, state, and local agencies and to any vendor or provider that handles FTI. Its controls are drawn from NIST SP 800-53. Audits can be reactive, random, or (in future) proactive, and they cover documentation, sites, staff interviews, and control tests. Failure to follow the rules can lead to loss of FTI access, fines, prison, civil penalties, and reputational harm.

What is IRS Publication 1075?

As you can likely guess from being on our blog, IRS Publication 1075 is a document relating to information security. It’s aimed at federal, state, and local government agencies and is designed to set the standard for information security necessary to protect FTI, or Federal Tax Information. The full name of the document is Publication 1075: Tax Information Security Guidelines for Federal, State, and Local Agencies – Safeguards for Protecting Federal Tax Returns and Return Information.

Put simply, this is the barrier between malicious actors and your tax paperwork.

Naturally, IRS Publication 1075 is a large and comprehensive document, but there’s some good news. If you’re at all familiar with other security frameworks in use by the government (particularly FedRAMP and GovRAMP), you’re already mostly familiar with IRS Publication 1075.

This is because IRS Publication 1075 heavily incorporates the security controls outlined in NIST SP 800-53, the same special publication that forms the basis for FedRAMP and similar frameworks.


The full Publication is over 200 pages long and encompasses everything from the definitions of FTI to the full list of security controls, including physical security, access restriction, encryption, technology-specific rules, rules derived from NIST SP 800-53, and more. You can read the full text of IRS Publication 1075 here.

Who Needs to Comply with IRS Publication 1075?

The official name of IRS Publication 1075 implies that it’s a set of rules for government agencies. However, that’s not the full story. It’s really more about securing specific kinds of information, which means that anyone who handles that information needs to adhere to IRS Publication 1075.

Just as CMMC rules trickle down from the Department of Defense to the sub-sub-subcontractors throughout the defense industrial base, IRS Publication 1075 rules trickle down from state and federal revenue services to all of the contractors and service providers handling FTI.

For example, if a state-level or even local-level government is using something like Google Workspace to handle and access FTI for residents, Google would need to adhere to IRS Publication 1075. Indeed, they do, through specific versions of their cloud services and apps.


If your company provides services that in any way interact with, transmit, store, handle, transform, or otherwise use tax-related information, you need to comply with IRS Publication 1075.

FTI encompasses many kinds of information related to taxes and tax returns. While the main forms are the biggest piece, FTI also includes information derived from that primary information, as well as tax-related information from secondary sources. It also includes more general information that needs protecting, such as account transcripts, individual identifiers (name, address, and tax ID number), other personally identifiable information, and biometric data.

It’s a very broad net.

Who Conducts IRS Publication 1075 Audits?

Unlike frameworks like FedRAMP, IRS Publication 1075 is not a certification. You need to follow the rules, but you aren’t required to pass an audit before doing business with the government or handling FTI.

That’s not to say you don’t have to comply. Instead, it simply means that there’s no barrier to entry before starting. There’s no IRS equivalent to the FedRAMP organization or JAB.

So, what do you do?

Generally speaking, you will work with a consulting firm that is familiar with IRS Publication 1075 and set up internal (and/or external) auditing on a regular basis. You monitor and maintain your own security, with external validation from companies like Ignyte. Although this sounds voluntary, in practice it isn't: stipulations to comply with IRS Publication 1075 are generally written into any contract you sign with an entity that allows you to handle FTI.


Meanwhile, the IRS handles auditing the same way they handle normal tax auditing, in two (soon three) different ways.

The first method is through reactive auditing. This is auditing that happens when an incident is discovered. If tax information is leaked, the IRS will track down where the information came from, uncover the source, and audit that source.

Ideally, this will be easy and voluntary. IRS Publication 1075 includes disclosure rules, which require notifying the IRS when a breach happens and handing over information to support an investigation into what happened. If a breach is uncovered and wasn't disclosed, it can lead to very harsh penalties.

The second method is random sample auditing. The IRS can, at any time, decide to audit your security, and will ask for information, audit logs, and documentation to prove your security status. This can include dedicated Do Not Access lists, time-of-day access rules, access logs, audit reports, and other artifacts.

This is all fairly similar to the kinds of documents and artifacts you’ll be required to keep under frameworks like FedRAMP and CMMC, so tools like the Ignyte Assurance Platform can help with keeping track of all of it.

The third method is relatively new to the IRS and is not yet fully implemented: proactive auditing. Proactive auditing is part of an ongoing initiative to improve security across the board; historically it has been left to each company to handle on its own. The IRS is working on ways to partner with vendors and agencies to develop more proactive auditing, but has not yet released formal rules or guidelines for how it will work.

What is Required to Pass an IRS Publication 1075 Audit?

Like any security audit, an audit conducted by the IRS will be a thorough review of your security documentation and logs. It will generally include:

  • An initial review of your documentation.
  • On-site inspections for physical security procedures and control.
  • Interviews with personnel to review training and knowledge.
  • Sample testing of security controls across various domains.

When your company is going to undergo an audit, you will be notified. The notification comes early enough to give you time to conduct an internal audit and gather all relevant documentation, so you’re both familiar with what will be audited and have a window (albeit a brief one) to fix issues if they arise.


Expect to compile documentation surrounding data flow, user access controls, and security implementations. Likewise, expect to document your incident response plan, your personnel training materials, and your security policies, both internal and external.

This can be a lot of documentation, which is why a centralized repository like the Ignyte Assurance Platform helps a ton. To see exactly how we can help, reach out and get started with a demo and individualized presentation.

When you submit that documentation, there will be a phase where the IRS auditing team reviews it. If there are gaps, inconsistencies, outdated documents, or other issues, they will tell you and will request more as necessary. You want to avoid this happening.

The next phase of the audit is a thorough examination of the protections you have in place to secure FTI. This will explore both physical and digital protection. Expect auditors to look at things like:

  • Physical security for data center and server rooms.
  • Access controls for sensitive areas where physical and digital FTI is stored.
  • Encryption standards for your data both in transit and at rest.
  • Network security implementation measures.
  • Access control for digital systems that handle and process FTI.
  • Intrusion detection and prevention systems.

They will examine the actual implementation, but they will also look at the overall policies and take a holistic view of your security to look for gaps. Even if you say you do ten things and have those ten things well implemented, if there's an eleventh that you missed, that can hurt you.

The next step of an audit is a series of interviews with individuals who interact with FTI. This can include your everyday employees who do the actual work, as well as the higher-level stakeholders who hold responsibility over those systems. This also includes multifaceted examinations, including:

  • Looking into your background check policies and the thoroughness of those evaluations.
  • Examining the training programs that educate employees on handling FTI.
  • Checking if employees understand the repercussions for noncompliance and the severity of breaches.

All of this can also extend to your contractors and third parties that might use your systems and have access to FTI. Again, these responsibilities trickle down to you and through you.

At some point during this process, the IRS auditing team will also look into your incident response and disaster recovery planning. You are expected to have a thorough incident response plan that covers all of the bases of preventing, detecting, isolating, and recovering from incidents, as well as reporting on them. In particular, the IRS will be interested to know your policies on reporting incidents to them when FTI is involved.

It’s important to make sure you’re actively testing your incident response plans. Isolation plans and data backups aren’t valuable if they don’t work. Mock incidents can be run and reported on to validate that your plan works and your employees are prepared to handle them accordingly.

One overall detail here is that the IRS will be comparing all of this to your documentation. They want to know that you’re thorough in keeping auditing logs and documenting everything from policies to incidents appropriately. Where there are gaps, there may be security holes, so those need to be addressed.

What Happens if You’re Found Noncompliant

When the IRS conducts its audit, it will compile a report. This report will give you feedback on what the IRS finds.

If you’re in full compliance, great! You get a gold star and suffer no penalties.

If you’re noncompliant in some areas, the IRS will discuss those areas and inform you on what you need to do to become compliant. These suggestions can vary depending on what aspect of your security was found lacking, and will serve to boost your security to be better aligned with the requirements in IRS Publication 1075.

Depending on the scale of the noncompliance, you may be fine to continue operating while you fix certain minor issues in reporting, documentation, training, or security. In other cases, more severe issues can leave you facing stiff penalties.

  • Loss of access to FTI and the systems that hold it. If your company is found noncompliant in a way that threatens the security of FTI, you will lose access to FTI until you can fix the problems and pass another audit.
  • Fines. Unauthorized access to FTI can carry fines of up to $1,000 per incident. Unauthorized disclosure is worse, with fines of up to $5,000 per incident. These are levied against individuals and businesses alike.
  • Imprisonment. Individuals who access FTI without authorization or disclose it can face up to a year (for access) or five years (for disclosure) of imprisonment per incident.
  • Civil penalties. Additional civil fines of up to $1,000 per violation can also apply.
  • Reputational damage. No one wants to trust your business with FTI once you’ve been found to be improperly securing it.

There can also be even more severe penalties if you are found to be willfully negligent or hiding incidents from the IRS.


It’s no surprise, then, that you really, really want to make sure you’re in full compliance with IRS Publication 1075. While the chances of being audited by the IRS may be low, that’s no excuse to slack on the security.

Here at Ignyte, we’re very familiar with both IRS Publication 1075 and the underlying NIST SP 800-53. We can help you with your compliance in a variety of ways, so contact us and let’s talk about what we can do for you.
