Internal Revenue Service (IRS) Publication 1075

IRS 1075 overview

Internal Revenue Service Publication 1075 (IRS 1075) provides safeguards for protecting Federal Tax Information (FTI) at all points where it is received, processed, stored, and maintained. It applies to federal, state, and local agencies with whom IRS shares FTI, and it defines a broad set of management, operations, and technology specific security controls that must be in place to protect FTI. Additional requirements cover the protection of FTI in a cloud computing environment (also known as Exhibit 16), and place much emphasis on FIPS 140 validated data encryption in transit and at rest.

To protect FTI, IRS 1075 prescribes security and privacy controls for application, platform, and datacenter services. For instance, it prioritizes the security of datacenter activities, such as the proper handling of FTI, and the oversight of datacenter contractors to limit entry. To ensure that government agencies receiving FTI apply those controls, the IRS established the Safeguards Program, which includes periodic reviews of these agencies and their contractors. For more information, see Mandatory Requirements for FTI in a Cloud Environment available from the Safeguards Program Cloud Computing Environment page.

Azure and IRS 1075

The US Federal Risk and Authorization Management Program (FedRAMP) was established to provide a standardized approach for assessing, monitoring, and authorizing cloud computing products and services. FedRAMP is based on the National Institute of Standards and Technology (NIST) SP 800-53 standard, augmented by FedRAMP controls and control enhancements. Microsoft maintains a FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB) for both Azure and Azure Government cloud environments. The IRS 1075 core control scope is based on NIST SP 800-53 control requirements that Azure services cover as part of the existing FedRAMP High P-ATOs. Azure services provide extensive controls for data encryption in transit and at rest to support IRS 1075 requirements for the protection of FTI in a cloud computing environment. These controls enable you to encrypt FTI using FIPS 140 validated cryptography and rely on Azure Key Vault to store your encryption keys in FIPS 140 validated hardware security modules (HSMs) under your control, also known as customer-managed keys (CMK).

For extra customer assistance, Microsoft provides the Azure Policy regulatory compliance built-in initiatives for Azure and Azure Government, which map to IRS 1075 compliance domains and controls:

Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of controls and compliance domains based on responsibility – customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each IRS 1075 control is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.

Microsoft also provides contractual amendments for both Azure and Azure Government to demonstrate that these cloud environments have appropriate security controls and capabilities in place necessary for you to meet the substantive IRS 1075 requirements. Contact your Microsoft account team to obtain these documents.

FTI encryption

Azure enables you to encrypt your data in transit and at rest to support IRS 1075 requirements for the protection of FTI in a cloud computing environment, including FIPS 140 validated data encryption. FTI encryption requirements are part of the Mandatory Requirements for FTI in a Cloud Environment that are described on the Safeguards Program Cloud Computing Environment page. As stated, "Agencies must retain control of the encryption keys used to encrypt and decrypt the FTI at all times and be able to provide information as to who has access to and knows information regarding the key passphrase. If the agency is able to satisfy this requirement, effectively preventing logical access to the data from the cloud vendor, agencies may use cloud infrastructure for data types that have contractor-access restrictions."

You can implement extra security for your sensitive data, such as FTI, stored in Azure services by encrypting it using your own encryption keys you control in Azure Key Vault, which is an Azure service for securely storing and managing secrets, including your cryptographic keys. You can use FIPS 140 validated cryptography and rely on Azure Key Vault to store your encryption keys in FIPS 140 validated hardware security modules (HSMs) under your control, also known as customer-managed keys (CMK).

Azure Key Vault offers strong assurances about customer sole control over encryption keys and corresponding data access:

  • Azure Key Vault and Azure Key Vault Managed HSM are designed, deployed and operated such that Microsoft and its agents are precluded from accessing, using or extracting any data stored in the service, including cryptographic keys.
  • With Key Vault, you can import or generate encryption keys in HSMs, ensuring that keys never leave the HSM protection boundary to support bring your own key (BYOK) scenarios.
  • Keys generated inside the Key Vault HSMs aren't exportable – there can be no clear-text version of the key outside the HSMs. This binding is enforced by the underlying HSM.
  • FIPS 140 validation of Key Vault HSMs includes evidence of physical tamper resistance.
  • The Key Vault team explicitly doesn’t have operating procedures for granting such access to Microsoft and its agents, even if authorized by a customer.

Therefore, if you use CMK stored in Azure Key Vault HSMs, you effectively maintain sole ownership of encryption keys, as recommended by the IRS Office of Safeguards. For more information, see Data encryption key management.

Applicability

  • Azure
  • Azure Government

Office 365 and IRS 1075

For more information about Office 365 compliance, see Office 365 IRS 1075 documentation.

Guidance documents

For instructions on how to access guidance documents, see Audit documentation. The following documents are available from the Service Trust Portal (STP) United States Government section:

  • Azure Commercial – IRS Safeguards 45-day Cloud Computing Notification Form
  • Azure Government – IRS Safeguards 45-day Cloud Computing Notification Form

These documents are pre-filled with Microsoft responses to help you submit a 45-day notification form to the IRS Office of Safeguards, as explained on the Safeguards Program cloud computing environment page.

If you're subject to IRS 1075 compliance requirements, you can contact your Microsoft account representative to request the following documents:

  • Microsoft IRS 1075 contractual amendment for Azure
  • Microsoft IRS 1075 contractual amendment for Azure Government

These contractual amendments demonstrate that Azure and Azure Government have appropriate security controls and capabilities in place necessary for you to meet the substantive IRS 1075 requirements.

Frequently asked questions

How do Azure and Azure Government address the requirements of IRS 1075?
Both Azure and Azure Government maintains a FedRAMP High P-ATO issued by the JAB. The IRS 1075 core control scope is based on NIST SP 800-53 control requirements that Azure and Azure Government cover as part of the existing FedRAMP High P-ATO. Azure services enable you to encrypt FTI in transit and at rest using FIPS 140 validated cryptography, and maintain sole control over encryption keys in FIPS 140 validated hardware security modules (HSMs), also known as customer-managed keys (CMK). For extra customer assistance, Microsoft provides the Azure Policy regulatory compliance built-in initiatives for both Azure and Azure Government, which maps to IRS 1075 compliance domains and controls. Finally, Microsoft can provide you with contractual amendments to demonstrate that Azure and Azure Government have appropriate security controls and capabilities in place necessary for you to meet the substantive IRS 1075 requirements.

Can I review the FedRAMP packages or the System Security Plan?
Yes. You can request Azure and Azure Government FedRAMP documentation directly from the FedRAMP Marketplace by submitting a package access request form. You must have a .gov or .mil email address to access a FedRAMP security package directly from FedRAMP. Azure Commercial FedRAMP System Security Plan is available to customers under NDA from the Service Trust Portal FedRAMP reports section. For instructions on how to access audit reports and certificates, see Audit documentation. Select Azure Government FedRAMP documentation, including the System Security Plan (SSP), continuous monitoring reports, Plan of Action and Milestones (POA&M), and so on, are available under NDA and pending access authorization from the Service Trust Portal FedRAMP reports section. Contact your Microsoft account representative for assistance.

Can Azure accommodate 5.6 Human Services Agencies—IRC 6103(l)(7) requirements stated in IRS 1075?
Yes. See Section 5 in the FTI 45-day Cloud Notification Form where IRC 6103(l)(7) requirements are clarified, and then review Microsoft responses as explained in Guidance documents. IRC 6103(l)(7) stipulates, among other things, that "Human services agencies may not contract for services that involve the disclosure of FTI to contractors". FTI Cloud Notification Form clarifies that "If the agency is able to encrypt data using FIPS 140 certified solutions and maintain sole ownership of encryption keys, Safeguards will consider this a logical barrier and will allow data types with restrictions (e.g., (l)(7)) to move to a cloud environment." You can encrypt your data stored in Azure services using FIPS 140 validated cryptography and use Azure Key Vault to store your encryption keys in FIPS 140 validated hardware security modules (HSMs) under your control, also known as customer-managed keys (CMK).

Should I use Azure or Azure Government for workloads that are subject to IRS Publication 1075 requirements?
If you are subject to IRS 1075 compliance obligations, both Azure and Azure Government can help you meet those obligations. The decision will rest with you based on your business requirements. Both Azure and Azure Government have the same security controls in place, including the same provisions for the safeguarding of FTI in transit and at rest. Most state and local government agencies are best aligned with Azure Government, which provides an extra layer of protection to customers through contractual commitments regarding storage of customer data in the United States and limiting potential access to systems processing customer data to screened US persons. However, the need to meet your IRS 1075 compliance requirements isn't a deciding factor for choosing your cloud environment.

Resources