U.S. IRS Publication 1075 — Tax Information Security Guidelines for Federal, State, and Local Agencies

Overview

IRS Publication1075 is a federal information security guideline that helpsgovernment agencies and their partners protect Federal TaxInformation (FTI) through robust cybersecurity controls andcompliance practices. The publication sets forth requirements toensure the confidentiality, integrity, and availability of tax datahandled by federal, state, local, and tribal agencies, as well astheir contractors.

Issued by theU.S. Internal Revenue Service (IRS), Publication 1075 applies to anyorganization that receives, processes, stores, or transmits FTI. Itoutlines comprehensive requirements covering areas such as accesscontrol, incident response, risk assessment, physical security, andaudit logging to safeguard sensitive tax information and maintainregulatory compliance.

Agencies andcontractors implement IRS Publication 1075 by embedding itsrequirements into their security programs, conducting regular riskassessments, maintaining detailed documentation, and supporting auditreadiness. The framework commonly aligns with broader securitystandards like NIST SP 800-53, helping organizations strengthencybersecurity posture while fulfilling IRS compliance obligations.

Why it Matters

IRS Publication1075 helps agencies and contractors safeguard Federal Tax Informationthrough comprehensive controls, supporting data confidentiality,regulatory compliance, and audit preparedness.

Key benefitsinclude:

•  Strengthen data protection practices

Ensure theconfidentiality and integrity of tax information with strict accesscontrols and monitoring requirements across IT environments.

•  Enhance regulatory alignment

Align securitymeasures with federal guidelines and standards to support statutoryobligations and facilitate consistent compliance reporting.

•  Increase audit readiness

Maintaindetailed documentation, policies, and procedures to demonstratecompliance and facilitate efficient responses during audits orreviews.

•  Improve incident detection and response

Implement robustincident management protocols, helping organizations quicklyidentify, report, and mitigate security breaches involving tax data.

•  Promote operational resilience

Reduce risks ofservice disruption and data loss by requiring ongoing riskassessments and effective physical and logical safeguards.

How it Works

U.S. IRSPublication 1075 establishes a comprehensive set of regulatoryrequirements and security safeguards aimed at protecting Federal TaxInformation (FTI) handled by federal, state, and local agencies. Theframework structures its guidelines into key domains including accesscontrol, physical security, incident response, media protection, andrisk management, drawing from established best practices andintegrating specific obligations for safeguarding FTI. Theserequirements are mapped to detailed security controls and auditprocedures that facilitate ongoing compliance monitoring.

In practice,agencies implement IRS Publication 1075 by adopting mandated securitycontrols, conducting regular risk assessments, and mapping thesecontrols to their internal governance programs. Organizationsundertake ongoing compliance reviews, monitor their security posture,and maintain procedures for reporting and responding to potentialincidents. This operational approach supports secure handling,sharing, and storage of FTI, and ensures continuous alignment withevolving IRS regulatory expectations.

With SmartSuite,organizations operationalize IRS Publication 1075 by leveragingcontrol libraries tailored to FTI security practices, maintainingrisk registers, and managing policy governance. The platform enablesevidence collection, compliance tracking, and supports remediationworkflows to address audit findings. Dashboards and reportingfeatures facilitate audit readiness by providing visibility intocompliance activities and ongoing monitoring efforts.

Key Elements

•  Access Control Requirements

Specifiesprocedures and mechanisms for managing user identities andrestricting access to Federal Tax Information systems.

•  Audit and Accountability Measures

Describesrequirements for system logging, monitoring, and maintaining recordsto support transparency and compliance.

•  Physical and Environmental Security

Outlinessafeguards to protect physical locations housing FTI, includingfacility access and environmental controls.

•  Risk Assessment Processes

Establishespractices for regularly evaluating threats, vulnerabilities, and theeffectiveness of implemented security controls.

•  Incident Response Protocols

Definesstructured procedures for detecting, reporting, and addressingsecurity incidents involving FTI.

•  Data Protection and Encryption

Organizesrequirements for securing data in transit and at rest to preventunauthorized disclosure.

•  Training and Security Awareness

Details ongoingeducation programs to ensure personnel understand privacy obligationsand secure handling practices for FTI.

Framework Scope

IRS Publication1075 is implemented by federal, state, local, and tribal agencies, aswell as contractors, that access or handle Federal Tax Information(FTI). The framework governs the security of information systems andphysical environments processing tax data and is commonly applied tosupport regulatory compliance and data protection efforts for auditand assurance programs.

Framework Objectives

IRS Publication1075 outlines essential security controls and risk managementpractices for safeguarding federal tax information (FTI).

•  Protect the confidentiality and integrity of tax data throughcomprehensive data protection measures

•  Strengthen cybersecurity governance and oversight fororganizations handling federal tax information

•  Enhance compliance with federal data protection, privacy, andregulatory requirements

•  Establish effective risk management strategies to reduce thelikelihood of data breaches

•  Support consistent audit readiness with documented securitycontrols and compliance processes

•  Promote operational resilience by maintaining robust incidentresponse and recovery procedures IRS Publication 1075 aligns closelywith NIST SP 800-53 and FISMA, focusing on the protection of federaltax information (FTI). Government agencies and contractors implementit to meet federal and state regulatory obligations, oftenintegrating it with frameworks like ISO 27001 or PCI DSS forcomprehensive data security and compliance assurance.

Common Framework Mappings

IRS Publication1075 is often mapped to other widely adopted security and privacyframeworks to streamline compliance, enable shared controls, andreduce audit complexity for organizations handling sensitive taxinformation.

Mappedframeworks include:

CIS Controls

COBIT

FedRAMP

FISMA

HIPAA

ISO/IEC 27001

NISTCybersecurity Framework

NIST SP 800-53

PCI DSS

SOC 2