US Internal Revenue Service Publication 1075
US Internal Revenue Service Publication 1075 overview
Internal Revenue Service Publication 1075 (IRS 1075) provides guidance for US government agencies and their agents that access federal tax information (FTI) to ensure that they use policies, practices, and controls to protect its confidentiality. IRS 1075 aims to minimize the risk of loss, breach, or misuse of FTI held by external government agencies. For example, a state Department of Revenue that processes FTI in tax returns for its residents, or health services agencies that access FTI, must have programs in place to safeguard that information.
To protect FTI, IRS 1075 prescribes security and privacy controls for application, platform, and datacenter services. For instance, it prioritizes the security of datacenter activities, such as the proper handling of FTI, and the oversight of datacenter contractors to limit entry. To ensure that government agencies receiving FTI apply those controls, the IRS established the Safeguards Program, which includes periodic reviews of these agencies and their contractors.
Microsoft and US Internal Revenue Service Publication 1075
Microsoft Azure Government and Microsoft Office 365 U.S. Government cloud services provide a contractual commitment that they have the appropriate controls in place, and the security capabilities necessary for Microsoft agency customers to meet the substantive requirements of IRS 1075.
These Microsoft cloud services for government provide a platform on which customers can build and operate their solutions, but customers must determine for themselves whether those specific solutions are operated in accordance with IRS 1075 and are, therefore, subject to IRS audit.
To help government agencies in their compliance efforts, Microsoft:
- Offers detailed guidance to help agencies understand their responsibilities and how various IRS controls map to capabilities in Azure Government and Office 365 U.S. Government. The IRS 1075 Safeguard Security Report (SSR) thoroughly documents how Microsoft services implement the applicable IRS controls, and is based on the FedRAMP packages of Azure Government and Office 365 U.S. Government. Because both IRS 1075 and FedRAMP are based on NIST 800-53, the compliance boundary for IRS 1075 is the same as the FedRAMP authorization.
  - The IRS must explicitly approve the release of any IRS Safeguards document, so only government customers under NDA can review the SSR.
- Makes available audit reports and monitoring information produced by independent assessors for its cloud services.
- Provides to the IRS Azure Government Compliance Considerations and Office 365 U.S. Government Compliance Considerations, which outline how an agency can use Microsoft Cloud for Government services in a way that complies with IRS 1075. Government customers under NDA can request these documents.
- Offers customers the opportunity (at their expense) to communicate with Microsoft subject matter experts or outside auditors if needed.
Microsoft in-scope cloud platforms & services
FedRAMP authorizations are granted at three impact levels based on NIST guidelines—low, medium, and high. These rank the impact that the loss of confidentiality, integrity, or availability could have on an organization—low (limited effect), medium (serious adverse effect), and high (severe or catastrophic effect).
- Azure and Azure Government
- Dynamics 365 U.S. Government
- Office 365, Office 365 U.S. Government
- Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite
- Windows 365 (U.S. Government)
Azure, Dynamics 365, and IRS 1075
For more information about Azure, Dynamics 365, and other online services compliance, see the Azure IRS 1075 offering.
Office 365 and IRS 1075
Office 365 environments
Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.
This section covers the following Office 365 environments:
- Client software (Client): commercial client software running on customer devices.
- Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
- Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
- Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIBs), and government contractors.
- Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use of the US Department of Defense.
Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about the Office 365 Government cloud environment, see the Office 365 Government Cloud article.
Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.
Office 365 applicability and in-scope services
Use the following table to determine applicability for your Office 365 services and subscription:
| Applicability | In-scope services |
|---|---|
| GCC | Activity Feed Service, Bing Services, Delve, Exchange Online Protection, Exchange Online, Intelligent Services, Microsoft Teams, Office 365 Customer Portal, Office Online, Office Service Infrastructure, Office Usage Reports, OneDrive for Business, People Card, SharePoint Online, Skype for Business, Windows Ink |
Office 365 audits, reports, and certificates
Compliance with the substantive requirements of IRS 1075 is covered under the FedRAMP audit every year.
Frequently asked questions
How does Microsoft address the requirements of IRS 1075?
Microsoft regularly monitors its security, privacy, and operational controls and NIST 800-53 rev. 4 controls required by the FedRAMP baseline for Moderate Impact information systems. It provides quarterly access to this information through continuous monitoring reports. Azure Government and Office 365 U.S. Government customers can access this sensitive compliance information through the Service Trust Portal.
In addition, Microsoft has committed to including IRS 1075 controls in its master control set for Azure Government and Office 365 U.S. Government, and to auditing against them annually.
Can I review the FedRAMP packages or the System Security Plan?
Yes, if your organization meets the eligibility requirements for Azure Government and Office 365 U.S. Government. Contact your Microsoft account representative directly to review these documents. You can also refer to the FedRAMP list of compliant cloud service providers.
Can I use the Azure or Office 365 public cloud environments and still be compliant with IRS 1075?
Customers that meet the eligibility requirements can store and/or process Federal Tax Information in Azure Government or Office 365 Government Community Cloud. These customers can also store and/or process Federal Tax Information in Azure Commercial if they manage two controls: restrict data storage to the United States and implement Customer Managed Key (CMK) encryption through FIPS 140 validated hardware security modules (HSMs) under their control.
Use Microsoft Purview Compliance Manager to assess your risk
Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template on the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.