Who enforces IRS Publication 1075?

The IRS Office of Safeguards, part of the IRS Information Technology organization, enforces Publication 1075. The Office of Safeguards conducts on-site reviews, evaluates Safeguard Security Reports, and works with agencies to remediate deficiencies. If an agency fails to meet safeguard requirements, the IRS can suspend or terminate the agency's access to FTI.

How often does the IRS conduct Safeguard Reviews?

The IRS Office of Safeguards conducts reviews on a periodic basis, typically every three to four years for each agency. However, the frequency can increase if prior reviews identified significant findings, if the agency reported a breach, or if the IRS determines that changed circumstances warrant a review. Agencies must also submit Annual Safeguard Activity Reports regardless of review schedule.

What are the penalties for non-compliance with IRS 1075?

Penalties range from corrective action plans for minor deficiencies to suspension of FTI access for significant or unresolved issues. Individual employees who unlawfully disclose FTI face criminal prosecution under IRC Section 7213 (felony, up to five years imprisonment) or IRC Section 7213A (misdemeanor, up to one year imprisonment). Civil damages under IRC Section 7431 can include $1,000 per unauthorized disclosure or inspection.

Does IRS 1075 require FedRAMP for cloud services?

Yes. Any cloud service provider hosting, processing, or transmitting FTI must use a FedRAMP-authorized environment at the Moderate baseline or higher. Agencies cannot store FTI in cloud environments that lack FedRAMP authorization, regardless of the CSP's other security certifications. This requirement applies to IaaS, PaaS, and SaaS deployments.

How does IRS 1075 differ from NIST SP 800-53?

IRS 1075 uses NIST SP 800-53 Moderate as its baseline but adds IRS-specific overlays that strengthen certain controls. For example, IRS 1075 has stricter requirements for background checks before data access, a specific 45-day breach notification timeline, explicit FedRAMP requirements for cloud use, and enhanced audit logging requirements. Think of IRS 1075 as NIST 800-53 Moderate plus an additional layer of IRS-specific protections tailored to the sensitivity of tax information.

What is the Safeguard Security Report (SSR)?

The SSR is the primary compliance document that agencies must prepare and maintain for IRS 1075. It describes the agency's IT environment, documents the implementation of required security controls, identifies all systems that process FTI, includes network diagrams showing FTI data flows, and addresses each applicable NIST SP 800-53 control with IRS overlays. The IRS uses the SSR as the foundation for on-site safeguard reviews.

What is the breach notification timeline under IRS 1075?

Agencies must notify the IRS Office of Safeguards of any confirmed or suspected breach involving FTI within 45 days of discovery. The notification must describe the incident, identify the types and volume of FTI potentially affected, explain the corrective actions taken, and outline the plan to prevent recurrence. Agencies should also follow their state-specific breach notification laws, which may have additional or shorter timelines.

Can contractors access FTI?

Yes, contractors and subcontractors can access FTI if they are working on behalf of an authorized agency and meet all Publication 1075 safeguard requirements. The contracting agency is responsible for ensuring contractor compliance, including background checks, security training, access controls, and system security. Contractor systems that process FTI must be included in the agency's SSR and are subject to IRS Safeguard Review.

How does IRS 1075 relate to GLBA and financial data protection?

IRS 1075 and the Gramm-Leach-Bliley Act (GLBA) both protect financial data, but they operate in different contexts. GLBA applies to financial institutions and protects customer financial information. IRS 1075 applies to government agencies and their contractors and protects federal tax information. An organization subject to both (for example, a state agency that also operates as a financial institution) must comply with each independently, though overlapping controls in areas like encryption, access control, and incident response can be leveraged.

IRS 1075 Compliance

IRS Publication 1075 Federal Tax Information Protection

Q: What is Federal Tax Information (FTI)?

FTI is any tax return or return information received directly from the IRS or obtained through an authorized secondary source, such as the Social Security Administration or another agency that received the data from the IRS. FTI includes names, Social Security numbers, income figures, filing status, deductions, credits, and any other data elements derived from federal tax returns. Even aggregate or statistical data derived from FTI may retain its protected status depending on how it was compiled.

IRS Publication 1075 governs how agencies and contractors protect Federal Tax Information. Built on NIST 800-53 Moderate with IRS-specific overlays, it mandates FIPS encryption, MFA, and 45-day breach notification.

CMMC Registered Practitioner Org | BBB A+ Since 2003 | 23+ Years Experience

Start IRS 1075 Compliance Call 919-348-4912

The Standard

What IRS 1075 Requires

NIST SP 800-53 Moderate baseline plus IRS-specific overlays for encryption, audit logging, background checks, and breach notification.

Technical Requirements

FIPS 140-2 encryption for FTI at rest and in transit
Multi-factor authentication for all FTI system access
Comprehensive audit logging across all FTI touchpoints
FedRAMP-authorized cloud environments for FTI workloads

Administrative Requirements

Safeguard Security Report (SSR) preparation and submission
Background checks for all personnel handling FTI
45-day breach notification to the IRS Office of Safeguards
Security awareness training for all FTI-handling personnel

Services

IRS 1075 Compliance Services

Gap Assessment

Evaluate your environment against NIST 800-53 Moderate controls and IRS-specific overlays with prioritized remediation.

SSR Preparation

Develop and compile your Safeguard Security Report mapping existing controls to IRS 1075 requirements.

Technical Remediation

Implement encryption, MFA, access controls, audit logging, and monitoring to close compliance gaps.

IRS Safeguard Review Prep

Prepare documentation, evidence, and staff for on-site IRS Office of Safeguards compliance reviews.

Incident Response

Licensed Digital Forensic Examiner on staff to investigate FTI breaches and prepare 45-day IRS notification documentation.

Cloud Migration Guidance

Help agencies migrate FTI workloads to FedRAMP-authorized environments with proper access and key management controls.

Who Must Comply

Built For

State Tax Agencies Human Services Agencies Child Support Enforcement Workforce Agencies Government Contractors Cloud Providers (FedRAMP)

FAQ

Frequently Asked Questions

What is Federal Tax Information (FTI)?

FTI includes any tax return data or return information received from the IRS or through authorized secondary sources. Unauthorized disclosure is a felony under IRC Section 7213.

How does IRS 1075 relate to NIST 800-53?

IRS 1075 builds on the NIST 800-53 Rev. 5 Moderate baseline with IRS-specific overlays for encryption, audit logging, and breach notification.

What are the penalties for FTI mishandling?

Unauthorized disclosure is a felony (up to 5 years, $5,000 fine). Unauthorized inspection is a misdemeanor (up to 1 year, $1,000 fine). Civil damages of $1,000 per act also apply.

Can FTI be stored in the cloud?

Yes, but only in FedRAMP-authorized environments with proper agency-side controls for access management, key management, and continuous monitoring.

How does IRS 1075 relate to CJIS?

Both build on NIST 800-53 with program-specific overlays. Organizations compliant with one have a significant head start on the other. See our CJIS compliance services.

Protect Federal Tax Information

Contact Petronella Technology Group for a comprehensive IRS 1075 gap assessment and Safeguard Review preparation.

Schedule a Consultation Call 919-348-4912

IRS Publication 1075 Federal Tax Information Protection

What IRS 1075 Requires

Technical Requirements

Administrative Requirements

IRS 1075 Compliance Services

Gap Assessment

SSR Preparation

Technical Remediation

IRS Safeguard Review Prep

Incident Response

Cloud Migration Guidance

Built For

Frequently Asked Questions

Related Frameworks

NIST 800-53

CJIS Compliance

FedRAMP Compliance

FISMA Compliance

GLBA Compliance

SOC Compliance

Protect Federal Tax Information