US Internal Revenue Service Publication 1075

US Internal Revenue Service Publication 1075 overview

Internal Revenue Service Publication 1075 (IRS 1075) provides guidance for US government agencies and their agents that access federal tax information (FTI) to ensure that they use policies, practices, and controls to protect its confidentiality. IRS 1075 aims to minimize the risk of loss, breach, or misuse of FTI held by external government agencies. For example, a state Department of Revenue that processes FTI in tax returns for its residents, or health services agencies that access FTI, must have programs in place to safeguard that information.

To protect FTI, IRS 1075 prescribes security and privacy controls for application, platform, and datacenter services. For instance, it prioritizes the security of datacenter activities, such as the proper handling of FTI, and the oversight of datacenter contractors to limit entry. To ensure that government agencies receiving FTI apply those controls, the IRS established the Safeguards Program, which includes periodic reviews of these agencies and their contractors.

Microsoft and US Internal Revenue Service Publication 1075

Microsoft Azure Government and Microsoft Office 365 U.S. Government cloud services provide a contractual commitment that they have the appropriate controls in place, and the security capabilities necessary for Microsoft agency customers to meet the substantive requirements of IRS 1075.

These Microsoft cloud services for government provide a platform on which customers can build and operate their solutions, but customers must determine for themselves whether those specific solutions are operated in accordance with IRS 1075 and are, therefore, subject to IRS audit.

To help government agencies in their compliance efforts, Microsoft:

  • Offers detailed guidance to help agencies understand their responsibilities and how various IRS controls map to capabilities in Azure Government and Office 365 U.S. Government. The IRS 1075 Safeguard Security Report (SSR) thoroughly documents how Microsoft services implement the applicable IRS controls, and is based on the FedRAMP packages of Azure Government and Office 365 U.S. Government. Because both IRS 1075 and FedRAMP are based on NIST 800-53, the compliance boundary for IRS 1075 is the same as the FedRAMP authorization.
  • The IRS must explicitly approve the release of any IRS Safeguards document, so only government customers under NDA can review the SSR.
  • Makes available audit reports and monitoring information produced by independent assessors for its cloud services.
  • Provides to the IRS Azure Government Compliance Considerations and Office 365 U.S. Government Compliance Considerations, which outline how an agency can use Microsoft Cloud for Government services in a way that complies with IRS 1075. Government customers under NDA can request these documents.
  • Offers customers the opportunity (at their expense) to communicate with Microsoft subject matter experts or outside auditors if needed.

Microsoft in-scope cloud services

FedRAMP authorizations are granted at three impact levels based on NIST guidelines — low, medium, and high. These rank the impact that the loss of confidentiality, integrity, or availability could have on an organization — low (limited effect), medium (serious adverse effect), and high (severe or catastrophic effect).

Audits, reports, and certificates

Compliance with the substantive requirements of IRS 1075 is covered under the FedRAMP audit every year.

Frequently asked questions

How does Microsoft address the requirements of IRS 1075?

Microsoft regularly monitors its security, privacy, and operational controls and NIST 800-53 rev. 4 controls required by the FedRAMP baseline for Moderate Impact information systems. It provides quarterly access to this information through continuous monitoring reports. Azure Government and Office 365 U.S. Government customers can access this sensitive compliance information through the Service Trust Portal.

In addition, Microsoft has committed to including IRS 1075 controls in its master control set for Azure Government and Office 365 U.S. Government, and to auditing against them annually.

Can I review the FedRAMP packages or the System Security Plan?

Yes, if your organization meets the eligibility requirements for Azure Government and Office 365 U.S. Government. Contact your Microsoft account representative directly to review these documents. You can also refer to the FedRAMP list of compliant cloud service providers.

Can I use the Azure or Office 365 public cloud environments and still be compliant with IRS 1075?

No. The only environments where FTI can be stored and processed are Azure Government or Office 365 U.S. Government. Government customers must meet the eligibility requirements to use these environments.

Use Microsoft Compliance Manager to assess your risk

Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.