Part 10. Security, Privacy and Assurance
Chapter 2. Physical Security Program
Section 15. Minimum Protection Standards (MPS)
10.2.15 Minimum Protection Standards (MPS)
Manual Transmittal
August 16, 2019
Purpose
(1) This transmits revised Internal Revenue Manual (IRM) 10.2.15, Minimum Protection Standards (MPS).
Material Changes
(1) This IRM was updated to reflect current organizational titles, scope, definitions and authorized use.
(2) Removed IRM 10.2.15.3, Protection Methods. For additional information, see IRM 10.2.14, Methods of Providing Protection.
(3) Removed IRM 10.2.15.3.1, Secured Areas. For additional information, see IRM 10.2.14, Methods of Providing Protection.
(4) As of January 1, 2017, the Internal Revenue Service (IRS) instituted a requirement that the IRM address relevant internal controls. This will inform employees about the importance of and context for internal controls by describing the program objectives and officials charged with program management and oversight. Internal controls are the program’s policies and procedures which ensure:
Mission and program objectives are clearly delineated and key terms defined.
Program goals are established and performance is measured to assess the efficient and effective mission and objective accomplishment.
Program and resources are protected against waste, fraud, abuse, mismanagement and misappropriation.
Program operations are in conformance with applicable laws and regulations.
Financial reporting is complete, current and accurate.
Reliable information is obtained and used for decision making and quality assurance.
Effect on Other Documents
This IRM supersedes 10.2.15 dated August 15, 2016.
Audience
Servicewide
Effective Date
(08-16-2019)
Richard L. Rodriguez
Chief
Facilities Management and Security Services
Program Scope and Objectives
(1) The Minimum Protection Standards (MPS) system provides the minimum criterion of physical security requirements for protecting IRS data and property. MPS will be applied on a servicewide basis.
(2) Purpose: This IRM establishes the MPS matrix to reference minimum protection standards, determine security requirements for IRS property and data, and apply local factors that may require additional protection.
(3) Audience: Servicewide.
(4) Policy Owner: Chief, Facilities Management and Security Services (FMSS).
(5) Program Owner: FMSS Associate Director (AD), Security Policy.
(6) Primary Stakeholders: FMSS Field Operations, Business Unit Executives, Senior Managers, Chief Counsel Executives, Managers, Employees and Contractors.
(7) Program Goals: To meet MPS for all IRS assets in accordance with applicable standards.
Background
(1) The MPS was developed to establish and provide minimum physical security requirements in accordance with Executive Order (EO) 13526, Federal Information Security Management Act (FISMA), Physical Security and Environmental (PSE) Control as prescribed within the National Institute of Standards and Technology (NIST SP 800-53), and Treasury Department Publication (TDP 15-71). The IRS has adopted the Interagency Security Committee (ISC) Criteria as the basis of our physical security standards. The MPS design provides a comprehensive matrix of applicable standards from all authorities, to reference MPS, determine security requirements for IRS property and data, and apply local factors that may require additional security.
Authority
(1) Treasury Department Publication (TDP) 15-71
(2) National Institute of Standards and Technology (NIST) SP 800-53
(3) Federal Information Security Management Act (FISMA)
(4) Executive Order, Classified National Security Information (EO 13526)
(5) Executive Order, Interagency Security Committee (EO 12977)
Responsibilities
(1) The Chief, FMSS prescribes and is responsible for oversight of MPS policy and guidance.
(2) The FMSS AD, Security Policy has oversight for planning, developing, implementing, evaluating, and controlling the requirements set forth by this IRM.
(3) FMSS Territory Managers (TM) are responsible to confirm Security Section Chiefs (SSC) follow IRS policy and provide oversight in the implementation and enforcement of the MPS Program.
(4) FMSS SSC are responsible for implementing and enforcing the MPS program within their assigned territory, confirming that IRS policy and procedures are followed.
(5) All IRS managers must confirm that MPS are applied within their area of supervision and that those measures meet the established requirements.
(6) All employees and contractors have a responsibility for being aware of MPS and complying with established requirements for protecting information, records, property and documents with which they are entrusted.
Program Management and Review
(1) Program Reports: Facility Security Assessments (FSA).
(2) Program Effectiveness: The FSA Program's quarterly review of physical security threats, vulnerabilities and risk consists of:
Compliance with ISC standards, as validated in the FSA reports
Compliance with Treasury and IRS requirements, as validated in the Facility Security Assessment Addendum (FSAA) reports
Completion of required FSA and FSAA reports within the required timeframe prescribed in IRM 10.2.11, Basic Physical Security Concepts
Terms/Definitions/Acronyms
(1) Defined Terms
Word | Definition | Example of using a word that is open to interpretation. |
---|---|---|
Limited Area | Entry to critical areas is controlled and access is limited to those individuals who work in the area or have demonstrated a legitimate need to enter the area | The contractor did not have clearance to enter the Limited Area. |
(Bill of) Lading | A legal document issued by a carrier to a shipper that details the type, quantity, and destination of the goods being carried. A bill of lading also serves as a shipment receipt when the carrier delivers the goods at a predetermined destination | The bill of lading indicated the package was delivered timely. |
Subsidiary | Subordinate to the general ledger | Reports are submitted monthly to report the balancing of the subsidiary accounts to the general ledger accounts. |
Acronym | Definition |
---|---|
AD | Associate Director |
EO | Executive Order |
DIF | Discriminant Function |
FISMA | Federal Information Security Management Act |
FMSS | Facilities Management and Security Services |
FSA | Facility Security Assessments |
FSAA | Facility Security Assessment Addendum |
HS | High Security |
IDRS | Integrated Data Retrieval System |
ISC | Interagency Security Committee |
MPS | Minimum Protection Standards |
NIST | National Institute of Standards and Technology |
NS | Normal Security |
PSE | Physical Security and Environmental |
PSPP | Physical Security Protection Program |
SP | Special Security |
SSC | Security Section Chief(s) |
TDP | Treasury Department Publication |
TM | Territory Manager(s) |
Related Resources
(1) IRM 1.4.6, Managers Security Handbook
(2) IRM 10.2.8, Incident Reporting
(3) IRM 10.2.14, Methods of Providing Protection
(4) IRM 10.2.18, Physical Access Control (PAC)
(5) IRM 10.5.1, Privacy and Information Protection, Privacy Policy
(6) IRM 10.9.1, National Security Information
Protected Items/Data
(1) All tax and privacy data are required to be secured. The MPS has three levels of security, based on several factors:
Normal Security (NS) — All information which has not been identified as requiring High Security or Special Protection.
High Security (HS) — Items which require greater than normal security, due to their sensitivity and/or the potential impact of their loss or disclosure.
Special Security (SP) — Items which require a specific type of containment, regardless of the area security provided, due to special access control needs. This group of items is divided into three subcategories: Level 1 (SP–1) must be stored in a safe or vault; Level 2 (SP–2) must be stored in a security container or limited area as described in IRM 10.2.14, Methods of Providing Protection; Level 3 (SP–3) must be stored in a locked container.
(2) Exhibit 10.2.15-1, Alternative Chart, identifies storage requirements and Exhibit 10.2.15-2, Protectable Items, provides a listing of protectable items and their security designations.
Note: For additional information on this requirement, see IRM 10.2.14, Methods of Providing Protection.
Protection Methods
(1) Available methods of protection include the use of secured perimeter and/or area space and/or containerization.
Secured Areas
(1) For purposes of providing protection, all space can be classified as either secured or locked (non-secured).
(2) Secured areas are designed to prevent undetected entry by unauthorized persons.
(3) To qualify as a secured area, internal space must meet the following minimum standards:
Space must be enclosed by slab-to-slab wall construction supplemented by periodic inspection. Walls/partitions that do not completely enclose the space to be secured from floor slab to ceiling slab must be supplemented by Underwriters Laboratories approved electronic intrusion detection, woven wire fabric of at least 10 gauge or heavier, or chain link fence. Due to the complexity of intrusion detection systems, and the related specific annunciation/response requirement, review and approval by the local FMSS Physical Security staff is required prior to implementation.
Unless electronic intrusion detection devices are utilized, all doors entering the space must be locked in accordance with requirements set forth in IRM 10.2.14, Methods of Providing Protection.
(4) Cleaning, or any other contract work to be done in the secured area by non-employees, must be done during duty hours or in the presence of a regularly assigned employee.
Alternative Chart
Protected Item Classification | IRS Perimeter Type | Interior Area Type | Container Type |
---|---|---|---|
Normal Security | Secured | Locked | Locked |
High Security | | | |
Alternative #1 | Secured | Locked | Security |
Alternative #2 | Secured | Secured | Locked |
Special Security | | | |
SP–1 | | | Safe/Vault |
SP–2 | | | Security |
SP–3 | | | Locked |
Protectable Items
Designation | Item |
---|---|
NS | All material not classified as requiring high security or special protection. |
NS | Currency Transaction Reports |
HS | All portable equipment which can be stored in a standard pull drawer or lateral file cabinet. This includes laptop computers, combination padlocks, cameras and similar highly portable items |
HS | Assault and Threat Reports |
HS | Classification Stamps — "accepted as filed" |
HS | Coordinated Examination Records—including all open or closed project files, case files, correspondence, activity reports, and other material which contains taxpayer data or third-party information acquired in connection with a planned, open or closed case |
HS | Disclosure Records relative to disclosures made to Department of Justice, Executive Departments, or Congressional Committees |
HS | Discriminant Function (DIF) formulas, program requirements packages and related materials |
HS | Examination Records — those maintained at the request of Congressional Committees |
HS | Examination Selection, Criteria and Formulas, Cycle Variables and Volume Controls |
HS | Fraud Referrals — all case files, correspondence, or related documents which contain information regarding items referred to Criminal Investigation |
HS | General Ledger and Subsidiary Records — revenue accounting only |
HS | Legal Case Files and Records of Chief Counsel, Deputies Chief Counsel, and their Assistants |
HS | Magnetic Media — all discs, tapes, DVR, CD, VHS tapes, or similar media which contain program, taxpayer or other individual data |
HS | Microfilm — all cartridges, cassettes or other microfilm media which contain taxpayer data or account information |
HS | Received with Remittance Stamps |
HS | Testimony of IRS Employees in non-tax matters |
HS | Unapplied Master File Credit Reports |
HS | Unit Ledger Cards |
SP–1 | Ammunition |
SP–1 | Combination Records Standard Form SF-700, Security Container Information for safe and vaults |
SP–1 | Currency over $1,000 |
SP–1 | Firearms (more than 4) |
SP–2 | Ammunition - less than 60 rounds can be stored in a Security Container |
SP–2 | Checks drawn on U.S. Treasury (except those endorsed to the IRS for the payment of taxes). |
SP–2 | Combination Records Standard Form SF-700, Security Container Information for container doors |
SP–2 | Currency up to and including $1,000 |
SP–2 | Director’s Seals |
SP–2 | Key — to any room, area, secured area, or security container |
SP–2 | LIMITED OFFICIAL USE documents |
SP–2 | Negotiable and Non-negotiable Instruments — including stocks, bonds, securities or other collateral |
SP–2 | Receipts unissued Form 809, Receipt for Payment of Taxes |
SP–2 | Relocated Witness Files |
SP–2* | Grand Jury—Case file and information |
SP–2 | Integrated Data Retrieval System (IDRS) Passwords and Password Registers |
SP–2 | IDRS Security Records (including reports, control documents, audit trail records and computer tapes) |
SP–2 | Identification Media (IRS) — all unused stock and completed media (including SmartID cards, pocket commissions and passports) which is not in the possession of the employee |
SP–2 | Informant Communications File |
SP–2 | Informants’ Claims for Reward |
SP–2 | Informants’ Control File |
SP–3 | Government Bill of Lading |
SP–3 | Adverse Action and Adverse Action Appeal files |
SP–3 | Annual listing of undelivered refund checks |
SP–3 | Checks received for payment—including personal checks, cashier’s checks, bank draft, money orders and U.S. Treasury checks endorsed to the IRS for the payment of taxes. Note: In a service center, checks must be in secured area or containerized. |
SP–3 | Employee Underreporter Program/Cases |
SP–3 | All government issued credit cards |
SP–3 | Grievance Files and Grievance Appeal Files |
SP–3 | IDRS Security Handbook |
SP–3 | Internal Security Records — including all open or closed investigative reports, informant files, and other material that contain investigative information concerning employees and/or taxpayers, or taxpayer data, third party information, tax data, or specific information concerning IRS operations acquired in connection with a planned, open, or closed case. |
SP–3 | Identification Media (IRS) — completed non-photo visitor and temporary cards |
SP–3 | Internal Audit Records — including Internal Audit Reports and work papers, open or closed, and other material containing tax data, taxpayer information, functional records and information concerning service center operations, acquired in connection with planned, open or closed audits. |
SP–3 | Internal Revenue Service Employee — delinquency |
SP–3 | Key — to any locked container |
SP–3 | Law Enforcement Manual (LEM) (Normal Security will apply to service centers) |
SP–3 | Medical Records — employee health records, disability retirement records, and similar files containing personal medical information |
SP–3 | OFFICIAL USE ONLY Documents (unless otherwise increased by the originator) |
SP–3 | Personnel Records — including personnel folders, investigation reports, qualification statements, and other records containing privacy act or sensitive information |
SP–3 | Minority Group Designator Data |
SP–3 | Test Materials — OPM, IRS and commercial |
SP–3 | Training Records — including individual ratings, examination record and register cards, and similar individual test result information |
SP–3 | Undelivered Refund Check Notices |
SP–3 | Unidentified Remittance Record |
*If volume dictates, these items may be stored in a limited room as specified in IRM 10.2.14, Methods of Providing Protection.