Internal Revenue Service (IRS) Publication 1075

IRS 1075 overview

Internal Revenue Service Publication 1075 (IRS 1075) provides safeguards for protecting Federal Tax Information (FTI) at all points where it is received, processed, stored, and maintained. It applies to federal, state, and local agencies with whom IRS shares FTI, and it defines a broad set of management, operations, and technology specific security controls that must be in place to protect FTI. Additional requirements cover the protection of FTI in a cloud computing environment (also known as Exhibit 16), and place much emphasis on FIPS 140 validated data encryption in transit and at rest.

To protect FTI, IRS 1075 prescribes security and privacy controls for application, platform, and datacenter services. For instance, it prioritizes the security of datacenter activities, such as the proper handling of FTI, and the oversight of datacenter contractors to limit entry. To ensure that government agencies receiving FTI apply those controls, the IRS established the Safeguards Program, which includes periodic reviews of these agencies and their contractors. For more information, see Mandatory Requirements for FTI in a Cloud Environment available from the Safeguards Program Cloud Computing Environment page.

Azure and IRS 1075

The US Federal Risk and Authorization Management Program (FedRAMP) was established to provide a standardized approach for assessing, monitoring, and authorizing cloud computing products and services. FedRAMP is based on the National Institute of Standards and Technology (NIST) SP 800-53 standard, augmented by FedRAMP controls and control enhancements. Microsoft maintains a FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB) for both Azure and Azure Government cloud environments. The IRS 1075 core control scope is based on NIST SP 800-53 control requirements that Azure services cover as part of the existing FedRAMP High P-ATOs. Azure services provide extensive controls for data encryption in transit and at rest to support IRS 1075 requirements for the protection of FTI in a cloud computing environment. These controls enable you to encrypt FTI using FIPS 140 validated cryptography and rely on Azure Key Vault to store your encryption keys in FIPS 140 validated hardware security modules (HSMs) under your control, also known as customer-managed keys (CMK).

For extra customer assistance, Microsoft provides the Azure Policy regulatory compliance built-in initiatives for Azure and Azure Government, which map to IRS 1075 compliance domains and controls:

Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of controls and compliance domains based on responsibility – customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each IRS 1075 control is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.

Azure Government is the recommended cloud environment for customers who are storing or processing FTI. Most US government agencies and their partners are best aligned with Azure Government, which provides an extra layer of protection to customers through contractual commitments regarding storage of customer data in the United States and limiting potential access to systems processing customer data to screened US persons. Moreover, for an Azure Government subscription, Microsoft can provide you with a contractual commitment to demonstrate that Azure Government has appropriate security controls and capabilities in place necessary for you to meet the substantive IRS 1075 requirements. The IRS 1075 contractual commitment is available only for Azure Government.

FTI encryption

Azure enables you to encrypt your data in transit and at rest to support IRS 1075 requirements for the protection of FTI in a cloud computing environment, including FIPS 140 validated data encryption. FTI encryption requirements are part of the Mandatory Requirements for FTI in a Cloud Environment that are described on the Safeguards Program Cloud Computing Environment page. As stated, "Agencies must retain control of the encryption keys used to encrypt and decrypt the FTI at all times and be able to provide information as to who has access to and knows information regarding the key passphrase. If the agency is able to satisfy this requirement, effectively preventing logical access to the data from the cloud vendor, agencies may use cloud infrastructure for data types that have contractor-access restrictions."

You can implement extra security for your sensitive data, such as FTI, stored in Azure services by encrypting it using your own encryption keys you control in Azure Key Vault, which is an Azure service for securely storing and managing secrets, including your cryptographic keys. You can use FIPS 140 validated cryptography and rely on Azure Key Vault to store your encryption keys in FIPS 140 validated hardware security modules (HSMs) under your control, also known as customer-managed keys (CMK).

With Azure Key Vault, you can import or generate encryption keys in HSMs, ensuring that keys never leave the HSM protection boundary to support bring your own key (BYOK) scenarios. Keys generated inside the Azure Key Vault HSMs aren't exportable – there can be no clear-text version of the key outside the HSMs. This binding is enforced by the underlying HSM. Azure Key Vault is designed, deployed, and operated such that Microsoft and its agents don't see or extract your cryptographic keys. Therefore, if you use CMK stored in Azure Key Vault HSMs, you effectively maintain sole ownership of encryption keys, as recommended by the IRS Office of Safeguards. For more information, see Data encryption key management.

Applicability

  • Azure Government

Office 365 and IRS 1075

For more information about Office 365 compliance, see Office 365 IRS 1075 documentation.

Attestation documents

You can access audit reports and other documents in the Azure Government portal by navigating to Home > Microsoft Defender for Cloud > Regulatory compliance > Audit reports or by using the following direct link (login required):

You must have an existing subscription or free trial account in Azure Government to download the following document:

If you're subject to IRS 1075 compliance requirements, you can contact your Microsoft account representative to request the following document:

  • Microsoft IRS 1075 contractual commitment to demonstrate that Azure Government has appropriate security controls and capabilities in place necessary for customers to meet the substantive IRS 1075 requirements.

Frequently asked questions

How does Azure Government address the requirements of IRS 1075?
Azure Government maintains a FedRAMP High P-ATO issued by the JAB. The IRS 1075 core control scope is based on NIST SP 800-53 control requirements that Azure Government covers as part of the existing FedRAMP High P-ATO. Moreover, Azure Government provides you with important assurances regarding storage of FTI in the United States and limiting potential access to systems processing FTI to screened US persons. For extra customer assistance, Microsoft provides the Azure Policy regulatory compliance built-in initiative, which maps to IRS 1075 compliance domains and controls in Azure Government. Finally, Microsoft can provide you with a contractual commitment to demonstrate that Azure Government has appropriate security controls and capabilities in place necessary for you to meet the substantive IRS 1075 requirements.

Can I review the FedRAMP packages or the System Security Plan?
Yes. You can request Azure Government FedRAMP documentation directly from the FedRAMP Marketplace by submitting a package access request form. You must have a .gov or .mil email address to access a FedRAMP security package directly from FedRAMP. Select Azure Government FedRAMP documentation, including the System Security Plan (SSP), continuous monitoring reports, Plan of Action and Milestones (POA&M), and so on, are available under NDA and pending access authorization from the Service Trust Portal Audit Reports - FedRAMP Reports section. Contact your Microsoft account representative for assistance.

Can Azure Government accommodate 5.6 Human Services Agencies—IRC 6103(l)(7) requirements stated in IRS 1075?
Yes. See Section 5 in the FTI Cloud Notification Form where IRC 6103(l)(7) requirements are clarified, and then review Azure Government responses as explained in Attestation documents. IRC 6103(l)(7) stipulates, among other things, that "Human services agencies may not contract for services that involve the disclosure of FTI to contractors". FTI Cloud Notification Form clarifies that "If the agency is able to encrypt data using FIPS 140 certified solutions and maintain sole ownership of encryption keys, Safeguards will consider this a logical barrier and will allow data types with restrictions (e.g., (l)(7)) to move to a cloud environment." You can encrypt your data stored in Azure services using FIPS 140 validated cryptography and use Azure Key Vault to store your encryption keys in FIPS 140 validated hardware security modules (HSMs) under your control, also known as customer-managed keys (CMK).

Resources