Part 2. Information Technology
Chapter 25. Integrated Enterprise Portal - Web Services
Section 2. IRS Integrated Enterprise Portal Usage Standard
2.25.2 IRS Integrated Enterprise Portal Usage Standard
Manual Transmittal
June 04, 2024
Purpose
(1) This transmits revised IRM 2.25.2, Managed Service for IRS, IRS Integrated Enterprise Portal (IEP) Usage Standard.
Material Changes
(1) IRM 2.25.2.1: This IRM has been updated to reflect changes in IMD policy regarding format and required fields.
(2) Links, contact information and organizational references have been updated throughout the IRM.
(3) The IEP program services provided to IEP stakeholders needed to be identified, and the policy regarding their use needed updating.
Effect on Other Documents
IRM 2.25.2, dated February 26, 2018, is superseded.
Audience
All Operating Divisions and Functions, all ACIO Areas, IT organizations, Enterprise Operations (EOps), Enterprise Services (ES), Application Development (AD), Cybersecurity (CS), Online Services (OLS) and Applications' Program Management Offices (PMO) are required to use this IRM.
Effective Date
(06-04-2024)
Rajiv Uppal
Chief Information Officer
Program Scope and Objectives
(1) Purpose: This IRM section details the policy, processes and procedures stakeholders will follow in order to acquire and use web services provided by the Integrated Enterprise Portals (IEP) program.
(2) Audience: This IRM section is applicable to all IT organizations and business units that rely on the IEP for web services.
(3) Policy Owner: Web Infrastructure Services Division (WISD), under Enterprise Operations, Information Technology.
(4) Program Owner: The WISD Director is the Program Manager and is accountable for oversight, operations, funding and sustainment of the IEP program.
(5) Primary Stakeholders: All IRS organizations requiring IEP web services in order to accomplish their mission.
(6) Contact Information: To recommend changes or to make any suggestions to this IRM section, email WISD at it.acioeops.wiso.direct.reports@irs.gov.
Background
(1) The IEP is the solution for IRS internal and external facing websites and web applications. The IEP is provided to the IRS via a Managed Service Provider (MSP) contract. The MSP ensures all IRS portals meet IRS IRMs and standards for operational capability, security, resiliency and additional requirements per the vendor's contract. The IEP is the consolidation of the following portals: Public User Portal (PUP), Registered User Portal (RUP), Employee User Portal (EUP), Affordable Care Act Transactional Portal Environment (ACA-TPE) and Web Content Management System (WCMS).
Authority
(1) The Director, Web Infrastructure Services (WIS) is the executive owner of the IEP Program and responsible for the development, implementation and maintenance of all IEP processes and procedures. The Web Infrastructure Services Division (WISD) is responsible for acquisition and oversight of the IEP contract.
Roles and Responsibilities
(1) In order to manage the IEP services effectively, various stakeholders play a key part in ensuring services meet IRS requirements.
Role | Description |
--- | --- |
WISD Director/Program Manager | Accountable for all aspects of the IEP program and MSP contract. Appoints key management and functional leads to ensure the vendor provides web services to IEP stakeholders. |
WISD/Internet Services Branch | |
WISD/Internet Acquisitions Services Branch | |
WISD/Division Management Office | |
Application Owners | |
Program Management and Review
(1) WISD is accountable for IEP program and contract management. This is accomplished in the following ways:
Weekly meetings between WISD personnel and the IEP Managed Service Provider (MSP) vendor
Monthly meetings between IRS IT Executive Leadership and the IEP MSP vendor
WISD review and acceptance of the IEP MSP vendor's deliverables
Program Controls
(1) Program controls are derived from IRS procurement policies and procedures. The IEP is considered an IRS General Support System (GSS) and complies with all IRMs and other governing documents regarding management of IRS GSSs.
Terms and Acronyms
(1)
Acronym | Description |
--- | --- |
ACA-TPE | Affordable Care Act Transactional Portal Environment |
ACIO | Associate Chief Information Officer |
AIIS | Application Infrastructure Integrations Services |
CIO | Chief Information Officer |
CONOPS | Concept of Operations |
CSP | Cloud Service Provider |
DDOS | Distributed Denial of Service (Attack) |
EITE | Enterprise Integration and Test Environment |
EOPS | Enterprise Operations |
EUP | Employee User Portal |
FAR | Federal Acquisition Regulation |
FISMA | Federal Information Security Modernization Act |
IAM | Identity Access Management |
IEP | Integrated Enterprise Portal |
IEP CD | Integrated Enterprise Portal Control Document |
IMP | Investment Management Plan |
IP | Internet Protocol |
IRAP | Information Resources Accessibility Program |
IRM | Internal Revenue Manual |
IRS | Internal Revenue Service |
ITIL | Information Technology Infrastructure Library |
LAN | Local Area Network |
MSP | Managed Service Provider |
OneSDLC | One System Development Life Cycle |
PUP | Public User Portal |
PWS | Performance Work Statement |
QASP | Quality Assurance Surveillance Plan |
RAFT | Risk Acceptance Form Tool |
RBD | Risk Based Decision |
RFI | Request for Information |
RFP | Request for Proposal |
RUP | Registered User Portal |
SLA | Service Level Agreement |
SLO | Service Level Objective |
SOW | Statement of Work |
SQL | Structured Query Language |
TRB | Technical Review Board |
UNAX | Unauthorized Access |
VPN | Virtual Private Network |
VROM | Very Rough Order of Magnitude |
WAF | Web Application Firewall |
WISD | Web Infrastructure Services Division |
Definitions
(1) A "Portal" as used in this standard is defined as the web-based infrastructure (hardware and software) that serves as the entry point for web access to IRS applications and data. The portal provides communications services, platform services, security services, application services, content management services, common services, and secure methods for accessing and updating IRS applications and data. The various portals are distinguished by whether their users are internal or external, by the nature of the interaction or exchange, and by the nature of the threats, risks, and protections required by the data or applications, including the method of authentication and authorization.
(2) The Integrated Enterprise Portals (IEP) combine the infrastructure of the Public User Portal (PUP) (formerly the Digital Daily) and the Registered User Portal (RUP), to leverage efficiencies, and the Employee User Portal (EUP), to streamline processes.
(3) The IEP-PUP (IRS.GOV) is the IRS external portal that allows unrestricted public access to non-sensitive materials and applications, including forms, instructions, news, and tax calculators. No authentication is required for access to any materials on the IEP-PUP.
(4) The IEP-RUP is the IRS external portal that allows registered individuals and third-party users (registration and login authentication required) and other individual taxpayers or their representatives (self-authentication with shared secrets required) to access the IRS for interaction with selected tax processing and other sensitive systems, applications, and data. User interactions are encrypted from the user's workstation or system to the portal, across the Internet or via direct circuits. The IEP-RUP, via the Common Communication Gateway, also supports IRS extranets, such as the exchange of bulk files of information with the IRS and the Virtual Private Network (VPN) (both inbound and outbound), by registered and authorized external entities.
(5) The IEP-EUP is the internal IRS portal that allows IRS employee users to access IRS data and systems, such as tax administration processing systems, financial information systems, and other data and applications, including mission critical applications. Modernization registration and authentication are required for access to sensitive and mission critical applications, and all user interactions with those systems are encrypted from workstation to portal across the IRS internal network. The IEP-EUP allows IRS employee users with LAN accounts (Windows Network Login) to access Intranet sites, selected applications, non-sensitive data and selected sensitive processing where network encryption and modernization logon are not required (e.g., employee access to selected elements of their own personnel data). IRS network authentication is a basic requirement for access to any materials or services, and is also required to access modernization registration and authentication.
(6) The ACA-TPE is a portal that hosts several Affordable Care Act applications and is a secure conduit between IRS and Health and Human services (HHS).
(7) The term Managed Service with respect to the IEP means that the system, hardware, software, cloud service providers (CSP) and other components that make up the IEP are owned and managed by the IEP vendor in order to provide IT services to the IRS. All services provided by the contractor follow an ITIL model, ensuring all necessary services are provided to the IRS and its stakeholders. The goal of the managed service is to find efficiency while also obtaining leading-edge technology in order to support the IRS and its stakeholders. Since the contractor performs all necessary functions to support the IEP, there is no need for Federal employees to duplicate the work done by the contractor. The managed service provider uses various technologies and products to provide these services. In accordance with the FAR, decisions on the technologies and products and on the way the system is designed are at the discretion of the IEP vendor so long as they meet contract requirements for service, performance and security.
Portal Standard Guidelines
(1) All proposed and design-phase business applications requiring end-user interactions (human-computer interactions) or external file transfer and system-to-system capabilities shall conform to this IRM.
(2) This standard does not cover stand-alone workstation software applications (e.g., office automation) which do not interact with separate systems or applications beyond standard network file sharing. This standard also does not apply to top security level organizations that have exceptions or have been permitted certain access to systems with the appropriate approval.
(3) The following standard statements shall be adhered to:
All data and applications which do not require authentication and are or will be available to the general public shall be accessed through the Integrated Enterprise Portal - Public User Portal.
All interaction by external entities which requires authentication shall be accessed through the Integrated Enterprise Portal - Registered User Portal.
All internal tax administration processing involving taxpayer data and subject to unauthorized access (UNAX) restrictions shall be accessed through the Integrated Enterprise Portal (IEP) - Employee User Portal (EUP) and requires modernization authentication and workstation-to-portal encryption.
All other internal IRS employee interactions with IEP hosted applications should also be accessed through the IEP services as provided by the IEP MSP, with modernization logon and encryption requirements determined by the respective application's data sensitivity and risk profile.
IEP Service Request and Application On-boarding
(1) All IEP services should be requested by using the IEP Service Catalog in accordance with the WISD customer support processes.
(2) All service requests that impact cost, scope, security posture or risk to the portals must go through the IEP TRB. WISD will appoint a point of contact to ensure IEP stakeholders are informed of the information and documentation necessary to receive a Very Rough Order of Magnitude (VROM) estimate document. VROMs consist of development and operations costs, level of effort to provide services, and time for delivery of services.
(3) IEP CD Processes: All customers needing to make updates to applications that reside in the IEP must follow the IEP CD and/or the standard IEP deployment process. This process is fully documented in the IEP service catalog provided by the managed service.
Note: Specific projects or systems may use multiple portals.
IEP Usage Standard Governance
(1) The IRS IEP Usage Standard will be managed and enforced by the Web Infrastructure Services Division, Enterprise Operations within Information Technology.
(2) WISD will:
Facilitate communication and information flow across the Enterprise for the IEP.
Provide guidance and communication to stakeholders across the IEP.
Ensure decisions regarding the IEP are executed in a timely manner.
Ensure that appropriate procedures, processes, and guidelines are in place for the management of the IEP.
(3) The office of Online Services (OLS) is responsible for the standards and guidelines as they relate to portal web sites and will:
Provide standards and guidance to IRS users submitting web applications to the IEP.
Ensure correct hosting environments are used based on Security standards and guidance for IRS application security levels.
Provide guidance to IRS users for portal environments and ensure that consistent reviews apply appropriate criteria. Support all portal standards and guideline documentation governed by IT.
Information Resources Accessibility Program (IRAP)
(1) The primary roles and responsibilities for IRS accessibility guidance belong to IRAP. The IRAP Program Manager serves as the official Section 508 Coordinator for the IRS. As such, IRAP will:
1. Proactively seek and bring together Section 508 related updates (laws, regulations, policies, guidelines, etc.).
2. Notify Integrated Enterprise Portal (IEP) directly of these updates.
3. Promulgate and market accessibility requirements throughout the agency, as necessary.
4. Assist the Managed Service contractor or the application in preparing the accessibility portion of a web development life cycle framework that can be integrated into day-to-day operations.
5. Participate with Managed Service contractors or the application in the evaluation of automated testing tools that support 508 web accessibility for possible use in the web development life cycle.
6. Endorse selected Section 508 software tools that assist site owners in making their web sites compliant with this IRM.
7. Support Managed Service contractor or the application Accessibility Plan for technical support.
ELC
(1) The Integrated Enterprise Portal (IEP) uses the OneSDLC Managed Service Path. The Managed Services Path is designed to capitalize on the benefits of Managed Services provided by an outside service (3rd party), internal intra-business processes, and/or an existing infrastructure (operational) service provider. This could include software package(s), integrated software packages, shared services and/or infrastructure components (assets), e.g., servers, web hosting, network-centric components, workstations and support services. The managed service is: (a) proprietary; and/or (b) not maintained by the IRS. The standard detailed reviews required in the development of new solutions or the purchase of a service are not required when the solution is being provided and maintained by a service provider. The Managed Services Path is oriented toward selection and acceptance of the managed services solution, i.e., an outside source (3rd party), intra-business processes, and/or an infrastructure (operational) service provider.
IEP Core Services
(1) IEP services are provided by the IEP MSP vendor.
(2) The major IEP service areas available for use by IRS application owners/developers are outlined in the following sections.
IEP Hosting Services
(1) Portal Hosting Services provide comprehensive application hosting support for development, testing, integration and production, including provisions for capacity management, incident management, performance monitoring and infrastructure integration support.
(2) Portal Hosting Services include processes and procedures for periodic backup and restoration of all components within Portal Hosting environments. The IEP processes for storing, retrieving, and archiving IRS data comply with IRM 1.15, Records and Information Management, and the Federal Information Security Management Act (FISMA), Title III of the e-Government Act of 2002.
(3) Specific Portal Hosting Services available for use include the following:
Portal Hosting Support services provide IEP production and non-production environments. The following categories of IEP environments can currently be provisioned for application hosting via service catalog service requests; there are four types of environments available: Sandbox, Development, Test and Production.
Capacity Management services manage the overall capacity of the IEP services. IEP application stakeholders participate in IEP capacity management by providing key sizing criteria as part of the capacity management process. Reference the IEP Capacity Management Plan for details.
Application Infrastructure Integration Services (AIIS) provide application integration support to ensure applications are correctly configured in the IEP environments. This support includes performance tuning, application deployment, and configuration and troubleshooting support. Additionally, AIIS provides a Guide for Application Developers to assist application developers in successfully deploying, testing, and integrating applications in the IEP environments.
Service Catalog Services provide a set of standardized service offerings and make them available in a Service Catalog. IRS users of the IEP use the IEP Service Catalog to submit service requests for IEP services, including environment provisioning requests, application deployments, and application performance testing. Reference the IEP Service Catalog training materials for details.
The IEP Technical Review Board (TRB) is where all service requests are reviewed by WISD in order to validate that requests are within the scope of the MSP contract and to determine whether the work can be accomplished. Please refer to the IEP-TRB Charter for additional information.
IEP Security Services
(1) Portal Security Services provide enhancements to secure web applications hosted on the IEP. These services are tuned to each application in order to ensure there is no loss of application capability while increasing protection from known cyber threats. IEP security services available for use by IRS application owners/developers include the following:
Web-Application Scanning: This service meets the FISMA requirement that each web application be scanned in the IEP's EITE environment prior to deployment. This service is requested by the application owner via the IEP 1.5 Service Catalog. Scans can be scheduled on a monthly basis or run ad hoc. Reports are made available to the customer via the service catalog.
Security Vulnerability and Configuration Reporting: This service provides scans of the servers that host applications in the IEP. These reports are provided to Cybersecurity assessment teams in order to show FISMA compliance. Offices needing these reports must use the IEP service catalog to make the request as early as possible in order to allow the IEP team to provide the reports on time.
Bot-management: This service is used to detect scripted cyber attacks on a particular application. Two methods (Active and Passive) are used to ensure the security of IEP applications. Testing is done in the IEP lower environments before applications move to production. There are two modes of operation, monitor and mitigate: monitor mode only observes and records activity, while mitigate mode also blocks scripted attacks. This is a CIO-mandated service, and all IEP hosted applications must implement this capability unless there is an approved RAFT or RBD to forego the protection.
Web Application Firewall (WAF): The WAF protects all IEP applications from several types of cyber attacks and exploits, including but not limited to SQL injection, cross-site scripting and DDOS. The WAF also employs rate limiting, IP reputation and blocking capabilities. The WAF is a CIO-mandated tool, and all IEP hosted applications will implement the WAF unless there is an approved RAFT or RBD to forego the protections.
Log analytics: The outputs of this service can be provided to application owners as well as IRS Cybersecurity. This is a CIO-mandated capability, and all IEP hosted applications must implement it unless there is an approved RAFT or RBD to forego the protection.
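The monitor/mitigate distinction in the bot-management bullet, and the rate-limiting and IP-reputation controls in the WAF bullet, are easier to reason about in code than in prose. The following is an added illustration written for this page; it is not the IEP vendor's product or any IRS code. It implements a sliding-window per-client rate limiter plus a reputation lookup, and runs the same constructed access-log lines through both modes. The log lines, IP addresses (from documentation ranges), the `BAD_REPUTATION` set and the thresholds are all constructed for the example; a real deployment would take the reputation list from a vendor feed and tune the thresholds per application, as the text says the IEP services are tuned.

```python
# Added illustration (not IEP vendor code): a minimal per-client rate limiter
# and IP-reputation check with "monitor" and "mitigate" modes, the two modes
# the IEP bot-management description distinguishes. All log lines, IPs and
# thresholds below are constructed for the example.
from collections import defaultdict, deque

# Constructed sample access-log lines: "<epoch-seconds> <client-ip> <path>".
# 203.0.113.7 sends a burst of 6 requests in 4 seconds; 192.0.2.9 is on the
# (constructed) bad-reputation list; 198.51.100.4 is an ordinary client.
SAMPLE_LOG = """\
100 203.0.113.7 /forms/w4
100 203.0.113.7 /forms/w4
101 203.0.113.7 /forms/w4
101 203.0.113.7 /forms/w4
102 203.0.113.7 /forms/w4
103 203.0.113.7 /forms/w4
105 198.51.100.4 /news
110 198.51.100.4 /forms/1040
140 192.0.2.9 /calculators
"""

# Constructed reputation list; a real deployment would use a vendor feed.
BAD_REPUTATION = {"192.0.2.9"}


class BotGuard:
    """Sliding-window rate limiter plus reputation check.

    mode="monitor":  every request is allowed; suspicious ones are recorded.
    mode="mitigate": suspicious requests are recorded AND blocked.
    """

    def __init__(self, mode="monitor", max_requests=5, window_seconds=10):
        if mode not in ("monitor", "mitigate"):
            raise ValueError("mode must be 'monitor' or 'mitigate'")
        self.mode = mode
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)  # ip -> request timestamps in window
        self.findings = []               # (ip, reason) per suspicious request

    def _over_rate(self, ip, ts):
        """Record one hit for ip at time ts; True if the window is exceeded."""
        q = self._hits[ip]
        # Drop timestamps that have fallen out of the sliding window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        q.append(ts)
        return len(q) > self.max_requests

    def check(self, ts, ip, path):
        """Return 'allow' or 'block' for one request; log suspicious ones."""
        reason = None
        if ip in BAD_REPUTATION:
            reason = "ip-reputation"
        elif self._over_rate(ip, ts):
            reason = "rate-limit"
        if reason is None:
            return "allow"
        # Both modes record the finding; only mitigate mode blocks.
        self.findings.append((ip, reason))
        return "block" if self.mode == "mitigate" else "allow"


def replay(log_text, mode):
    """Run each log line through a BotGuard; return (decisions, findings)."""
    guard = BotGuard(mode=mode)
    decisions = []
    for line in log_text.splitlines():
        ts, ip, path = line.split()
        decisions.append(guard.check(int(ts), ip, path))
    return decisions, guard.findings


if __name__ == "__main__":
    for mode in ("monitor", "mitigate"):
        decisions, findings = replay(SAMPLE_LOG, mode)
        print(mode, decisions, findings)
```

Running the replay in monitor mode yields the same two findings as mitigate mode (the sixth burst request from 203.0.113.7 and the reputation-listed 192.0.2.9) but allows every request, which is why the text has applications test in the lower environments first: monitor mode shows what mitigate mode would have blocked, so false positives can be tuned out before enforcement is switched on.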
(2) To gain a detailed understanding of the existing infrastructure controls, a prospective application can consult the IEP System Security Plan, IEP Security Patch Management Plan, IEP Incident Handling Monitoring and Response Plan, IEP Security Audit Plan, IEP Continuous Monitoring Plan, IEP Security Configuration and IEP Change Management Plan, and the IEP Systems Access Process.
IEP Application Services
(1) Portal Application Services provide enhancement and break/fix support for IEP MSP-managed applications. IRS business owners and application owners can request IEP services to develop MSP-managed applications to satisfy specific business requirements within the IEP hosted environment. These MSP-provided services include maintenance of all tools/applications, continued optimization of the site based on user experience, working with customers to identify requirements, and design, development, testing and release of the application.
(2) Portal Application Services provide the capability of accelerating delivery and deployment of business applications, including web services and service virtualization, web applications, identity and access management, databases, messaging, portal and content management, and fully automated application environment deployments. The main functionality provided by Portal applications and their interactions with front-end external users and back-end inventory systems includes Identity Access Management (IAM), Forms Submission, Customer Service, Data Management, and Content Management.
(3) Requests for an MSP-managed application can be submitted via a service request in the IEP Service Catalog.