Read cybersecurity requirements, policies and guidance before you bid on an IRS contract.

IRS
- Access, Use or Operation of IRS Information Technology (IT) Systems by Contractors PDF (July 20, 2004)
- IRM 10.5.1, Privacy and Information Protection – Privacy Policy (Sep. 15, 2023)
- IRM 11.3.24, Disclosure of Official Information – Disclosures to Contractors (Aug. 31, 2023)
- Cybersecurity requirements contract language (June 27, 2024)
- Pub. 4465-A, Protecting Federal Tax Information for Contractors PDF (June 2022)
- Pub. 4812, Contractor Security and Privacy Controls: Handling and Protecting Information and Information Systems PDF (Dec. 2023)
- Scanning, compliance and vulnerability requirements (May 2024)

CISA
- Cybersecurity Directives
  - BOD 19-02, Vulnerability Remediation Requirements for Internet-Accessible Systems (April 29, 2019)
  - BOD 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities (Nov. 3, 2021)
  - BOD 23-02, Implementation Guidance for Mitigating the Risk from Internet-Exposed Management Interfaces (June 13, 2023)
- Known Exploited Vulnerabilities (KEV) Catalog
- Secure Software Development Attestation Form
- Software Bill of Materials (SBOM)
- Trusted Internet Connections (TIC) 3.0 Core Guidance Documents (Dec. 22, 2023)

GSA
- FedRAMP FAQ
- Laws, Regulations, Standards, and Guidance Reference (June 30, 2023)

NIST
- FIPS 140-3, Cryptographic Module Validation Program (CMVP): Security Requirements for Cryptographic Modules (Mar. 22, 2019)
- FIPS 199, Standards for Security Categorization of Federal Information and Information Systems (Feb. 1, 2004)
- SP 800-40r4, Guide to Enterprise Patch Management Planning – Preventive Maintenance for Technology (April 2022)
- SP 800-53r5, Security and Privacy Controls for Information Systems and Organizations (July 1, 2023)
- SP 800-53Ar5, Assessing Security and Privacy Controls in Information Systems and Organizations (Jan. 25, 2022)
- SP 800-57, Recommendation for Key Management: Part 1 – General (May 4, 2020)
- SP 800-63-3, Digital Identity Guidelines (March 2, 2020)
- SP 800-63A, Digital Identity Guidelines: Enrollment and Identity Proofing (March 2, 2020)
- SP 800-63B, Incorporating Syncable Authenticators into NIST SP 800-63B: Digital Identity Guidelines – Authentication and Lifecycle Management (April 22, 2024)
- SP 800-63C, Digital Identity Guidelines: Federation and Assertions (March 2, 2020)
- SP 800-70r4, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers
- SP 800-161r1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (May 2022)
- SP 800-207, Zero Trust Architecture (Aug. 2020)
- SP 800-207A, A Zero Trust Architecture Model for Access Control in Cloud-Native Applications in Multi-Location Environments (Sept. 2023)
- SP 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities (Feb. 2022)

OMB
- M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices PDF (Sept. 14, 2022)
- M-23-16, Update to Memorandum M-22-18 PDF (June 9, 2023)
- Office of Federal Procurement Policy (OFPP)