Encryption requirements of Publication 1075

 

Introduction

Internal Revenue Code Section 6103 stipulates that IRS must protect all the personal and financial information furnished to the agency against unauthorized use, inspection or disclosure. Other Federal, State and local authorities who receive federal tax information (FTI) directly from either the IRS or from secondary sources must also have adequate security controls in place to protect the data received.

In order to ensure the confidentiality and integrity of FTI, data encryption is an essential element to any effective information security system. It can be used to safeguard against unauthorized disclosure, inspection, modification or substitution of FTI. Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies (Pub. 1075) utilizes the encryption requirements of National Institute of Standards and Technology (NIST SP 800-53) and the latest version of Federal Information Processing Standard (FIPS) 140 to constitute the encryption requirements agencies in receipt of FTI must comply with.

Purpose

To define in simple terms the encryption requirements of Pub. 1075, NIST controls and FIPS 140 and provide recommendations to agencies on how to comply with the requirements in technical implementations (e.g., remote access, email, data transfers, mobile devices and media, databases and applications.

Publication 1075 encryption requirements

Pub. 1075 has adopted a subset of moderate impact security controls as its security control baseline for compliance purposes. The table below outlines the encryption-related security controls that must be implemented to comply with Pub. 1075.

Encryption-related security controls for Publication 1075

Security
Control

Publication 1075 Guidance

Reference Document

IA-7: Cryptographic Module Authentication The information system must implement mechanisms for authentication to a cryptographic module that meets the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards and guidance for such authentication.

NIST SP 800-53, Recommended Security Controls for Federal Information Systems

FIPS 140– Security Requirements for Cryptographic Modules

SC-8: Transmission Integrity
The information system protects the integrity of transmitted information.

NIST SP 800-52, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations

NIST SP 800-77 – Guide to IPsec VPNs

SC-9: Transmission Confidentiality The information system protects the confidentiality of transmitted information.

NIST SP 800-52, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations

NIST SP 800-77 – Guide to IPsec VPNs

SC-12: Cryptographic Key Establishment and Management When cryptography is required and employed within the information system, the organization establishes and        manages cryptographic keys using automated mechanisms with supporting procedures or manual procedures.

NIST SP 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography

NIST SP 800-56B, Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization Cryptography

NIST SP 800-56C – Recommendation for Key Derivation through Extraction-then-Expansion

NIST SP 800-57, Recommendation for Key Management

SC-13: Cryptographic Protection Determine the following cryptographic uses and implement the following types of cryptography required for each specified cryptographic use: Latest FIPS-140 validated encryption mechanism, NIST 800-52, Guidelines for the selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, Encryption in transit (payload encryption). Use of SHA-1 for digital signatures is prohibited. FIPS 140 – Security Requirements for Cryptographic Modules
SC-17: Public Key Infrastructure Certificates User certificates, each agency either establishes an agency certification authority cross-certified with the Federal Bridge Certification Authority at medium assurance or higher or uses certificates from an approved, shared service provider, as required by OMB Memorandum 05-24. NIST SP 800-32 – Introduction to Public Key Technology and the Federal PKI Infrastructure

Federal Information Processing Standard (FIPS) 140 encryption requirements

FIPS 140 is the mandatory standard for cryptographic-based security systems in computer and telecommunication systems (including voice systems) for the protection of sensitive data as established by the Department of Commerce in 2001. When the system implements encryption to protect the confidentiality and/or integrity of the data at rest or in transit then the software or hardware that performs the encryption algorithm must meet the latest FIPS 140 standards for encryption keys, message authentication and hashing.

Latest FIPS 140 approved security functions

Symmetric
Key
Encryption

Asymmetric
Key
Signature

Message Authentication

Hashing

AES DSA Triple DES Secure Hash Standard
(SHA-1, SHA-224, SHA-256,
SHA-384 and SHA-512,
SHA-512/224, SHA-512/256)
Triple DES RSA AES
ECDSA HMAC  

For a list of approved security functions and commonly used FIPS-approved algorithms, see the latest FIPS 140 Cryptographic Module Validation Lists which contain a list of vendor products with cryptographic modules validated as conforming to latest FIPS 140 are accepted by the Federal government for the protection of sensitive information.

When considering the implementation of encryption technology, agencies should verify the cryptographic module of the product being implemented is validated with the latest FIPS 140 and on the vendor list.

Applicability of encryption requirements: Remote access

NIST SP 800-53 defines remote access as any access to an organization information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet).

Pub. 1075 states that accessing systems containing FTI from outside the agency’s network requires the use of a Virtual Private Network (VPN). The key feature of a VPN is its ability to use public networks like the Internet without sacrificing basic security.

Encryption and tunneling protocols are used to ensure the confidentiality of data in transit. Agencies should use IPSec or SSL encrypted VPN solutions and Point-to-Point Tunneling Protocol (PPTP), IPSec or L2TP tunneling protocols to establish VPN connections.

Additionally, two-factor authentication i.e., something you know (e.g., password, PIN), and something you have (e.g., cryptographic identification device, token), is required whenever FTI is being accessed from outside the agency’s network.

Within the agency’s local area network (LAN), a secure network access protocol such as Secure Shell (SSH) should be used in place of traditionally insecure protocols such as telnet, rsh and rlogin for login to a shell on a remote host or for executing commands on a remote host.

Applicability of encryption requirements: Electronic mail

Pub. 1075, Section 3.3.2 Email Communications states that if FTI is included in email, whether the message itself or as an attachment, it must be encrypted using the latest FIPS 140 validated mechanism.

The most commonly used ways to protect electronic messages are:

  • Signing an email message to ensure its integrity and confirm the identity of its sender.
  • Encrypting the body of an email message to ensure its confidentiality.
  • Encrypting the communications between mail servers to protect the confidentiality of both the message body and message header.

When messages require encryption, it is usually digitally signed also to protect its confidentiality. Therefore, the most frequently used way is the combination of the first two methods. The third method is used when two organizations want to protect the entire messages, including email header information sent between them. See NIST SP 800-45, Guidelines on Electronic Mail Security for general recommendations for selecting cryptographic suites for protecting email messages.

Per Pub. 1075, Section E.3, Encryption Requirements, the Office of Safeguards recommends that all required reports, when sent to the Office of Safeguards via email, be transmitted using IRS-approved encryption methods to protect sensitive information.

Agencies are requested to adhere to the following guidelines to use encryption:

  • Compress files in .zip or .zipx formats,
  • Encrypt the compressed file using Advanced Encryption Standard,
  • Use a strong 256-bit encryption key string,
  • Ensure a strong password or pass phrase is generated to encrypt the file and
  • Communicate the password or pass phrase with the Office of Safeguards through a separate email or via a telephone call to your IRS contact person. Do not provide the password or passphrase in the same email containing the encrypted attachment.

Applicability of encryption requirements: FTI data transfers

Internal (within agency LAN)

Per Pub. 1075, Section 4.18, Transmission Confidentiality and Integrity, information systems must implement the latest FIPS 140 cryptographic mechanisms to prevent unauthorized disclosure of FTI and detect changes to information during transmission across the wide area network (WAN) and within the LAN. This includes file transfers, user application sessions, application communication with back-end databases and all other transmissions of FTI.

External (outside agency LAN)

All FTI that is transmitted over the Internet, including via e-mail to external entities must be encrypted. This includes all FTI data transmitted across an agency’s WAN.

Applicability of encryption requirements: FTI data at rest

While encryption of data at rest is an effective defense-in-depth technique, encryption is not currently required for FTI while it resides on a system (e.g., in files or in a database) that is dedicated to receiving, processing, storing or transmitting FTI, is configured in accordance with the IRS Safeguards Computer Security Evaluation Matrix (SCSEM) recommendations and is physically secure restricted area behind two locked barriers.

However, FTI must be encrypted at rest in FedRAMP-certified, vendor operated cloud computing environments.

If a system is used to receive, process, store or transmit FTI that also serves a secondary function not related to FTI processing (e.g., a workstation used to download FTI files from Secure Data Transfer system also serves as an employee’s user workstation), and this system does not meet the IRS SCSEM recommendations for secure configuration and physical security, the FTI residing on that system should be encrypted using the latest FIPS 140 compliant encryption.

Applicability of encryption requirements: Mobile devices and media

All FTI maintained on mobile media shall be encrypted with the latest FIPS 140 validated data encryption and, where technically feasible, user authentication mechanisms. This encryption requirement applies all portable electronic devices, regardless of whether the information is stored on laptops, personal digital assistants, diskettes, CDs, DVDs, flash memory devices or other mobile media or devices.

Full disk encryption is an effective technique for laptop computers containing FTI that are taken out of the agency’s physical perimeter and therefore outside of the physical security controls afforded by the office. Full disk encryption encrypts every bit of data that goes on a disk or disk volume and can be hardware or software based.

The IRS does not recommend full disk encryption over file encryption or vice versa, agencies can make a decision on the type of technology they will employ as long as it is the latest FIPS 140 validated encryption.

Resources