10.8.26 Wireless and Mobile Device Security Policy

Manual Transmittal

December 23, 2024

Purpose

(1) This transmits the revised IRM 10.8.26, Information Technology (IT) Security, Wireless and Mobile Device Security Policy.

Material Changes

(1) Applied content from reissued Interim Guidance (IG) Memo IT-10-0724-0011, “AC-18 and MP-7 Section Update”, dated 07-09-2024. This interim guidance revises IRM 10.8.26 to remove guidance that contradicts with IRM 10.8.1 and is devised from a DISA STIG that is no longer published.

(2) Applied content from Interim Guidance (IG) Memo IT-10-1022-0011, “IoT Checklist”, dated 12-14-2022. This guidance adds the IoT Security Requirements Checklist.

(3) IRM 10.8.26.3 - Created new section: Mobile Device Roles and Responsibilities.

(4) IRM 10.8.26.3.1 - Moved Government-Furnished Mobile Device Users.

(5) IRM 10.8.26.3.2 - Moved Non-Government Furnished/Personally Owned (BYOD) Mobile Device Users.

(6) IRM 10.8.26.4.1.11, AC-18 Wireless Access - Provided clarification text in the guidance and notes.

(7) IRM 10.8.26.4.18.3.1 - Updated section title, “Bluetooth Headsets”, to “Bluetooth Headsets for Smartphones”.

(8) IRM 10.8.26.4.18.3.2 - Updated section title, “Peripheral Devices” to “Wireless Peripheral Devices for Laptops”.

(9) Entire IRM - Added the leading zero to the control numbers to align with NIST.

(10) Terms and Acronyms - Added definitions for CISA and CMMI.

(11) Editorial changes (including grammar, spelling, and clarification) were made throughout the IRM.

Effect on Other Documents

IRM 10.8.26 dated November 06, 2023, is superseded. This IRM supersedes all prior versions of IRM 10.8.26, and supplements: IRM 10.8.1, IT Security, Policy and Guidance and IRM 10.8.2, IT Security, IT Security Roles and Responsibilities. This IRM incorporates reissued Interim Guidance (IG) Memo IT-10-0724-0011, “AC-18 and MP-7 Section Update”, dated 07-09-2024, and Interim Guidance (IG) Memo IT-10-1022-0011, “IoT Checklist”, dated 12-14-2022.

Audience

IRM 10.8.26 applies to and must be distributed to all employees, contractors, vendors, and volunteers responsible for ensuring the security of government furnished mobile devices and approved non-government furnished/personally owned (BYOD) mobile devices.

Effective Date

(12-23-2024)


Rajiv Uppal
Chief Information Officer

Program Scope and Objectives

  1. Overview: This Internal Revenue Manual (IRM) lays the foundation to implement and manage security controls and guidance for the use of government furnished mobile devices and non-government furnished/personally owned mobile devices that have been approved for use by employees participating in the Bring Your Own Device (BYOD) program, and the data stored on them, within the Internal Revenue Service (IRS).

    1. This policy is subordinate to IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance and augments the existing requirements identified within IRM 10.8.1, as they relate to IRS government furnished mobile devices and non-government furnished/personally owned mobile devices for on-premise systems, including on-premise cloud deployments.

    2. This policy is subordinate to IRM 10.8.24, Information Technology (IT) Security, Cloud Computing Security Policy and augments the existing requirements identified within IRM 10.8.24, as they relate to IRM government furnished mobile devices and non-government furnished/personally owned mobile devices for off-premise cloud deployments.

  2. Purpose of the Program: Develop and publish policies to protect the IRS against potential Information Technology (IT) threats and vulnerabilities and ensure compliance with federal mandates and legislation.

  3. Audience: The provisions in this manual apply to:

    1. All offices and business, operating, and functional units within the IRS.

    2. IRS personnel and organizations having contractual arrangements with the IRS, including employees, contractors, vendors, volunteers and outsourcing providers, who use or operate information systems or mobile devices that store, process, or transmit IRS information or connect to an IRS network or system.

    3. When the terms "mobile devices" and "mobile device users" are used within this IRM, they refer to both government furnished and approved non-government furnished/personally owned mobile devices and users unless otherwise noted.

    4. Bring Your Own Device (BYOD) participants, unless otherwise specified as only government furnished mobile devices.

    5. Government furnished or approved non-government furnished/personally owned mobile devices used to accomplish the IRS mission.

    6. Laptops are categorized as a mobile device with computing and communication (e.g., wireless, local area network (LAN)) capability, and must comply with all IRM 10.8.1, Treasury Directive Publication (TD-P) 85-01, and other related IRM policy requirements for mobile devices. (IRS-defined)

    7. All IRS information and information systems. For information systems that store, process, or transmit, classified information, please refer to IRM 10.9.1, Classified National Security Information (NSI), for additional procedures for protecting classified information.

  4. Policy Owner: Chief Information Officer (CIO)

  5. Program Owner: Cybersecurity Threat Response and Remediation (an organization within Cybersecurity)

  6. Program Goals: To protect the confidentiality, integrity, and availability of IRS information and information systems.

Background

  1. IRM 10.8.26 is part of the IRM Part 10.8 Security, Privacy and Assurance series for IRS IT Cybersecurity. Government furnished and non-government furnished/personally owned mobile devices are vulnerable to theft and the loss of all data stored on them, which places the information they contain at risk of disclosure or compromise. Many theft rings operating today at airports, hotels, and other public places target mobile devices. Additionally, the use of mobile devices in public places (e.g., airports, restaurants, conferences, public transportation) and transmitting information through public telecommunications networks, presents a significant risk of unauthorized persons observing and gaining access to the information that is being processed. Therefore, IRS employees, contractors, and volunteers must abide by all requirements provided within this policy to help protect their government furnished and non-government furnished/personally owned mobile devices, and the information contained on them, from these risks.

  2. The IRS has implemented the "Bring Your Own Device" (BYOD) program to permit IRS personnel to use non-government furnished/personally owned mobile devices for business purposes. This program offers the convenience of using an approved non-government furnished/personally owned mobile device to access, process, transmit, or store IRS information. Therefore, those IRS employees who choose to participate in the program must abide by the requirements specified within this policy. The IRS must be able to ensure that agency data is protected at all places and all times.

  3. IRM 10.8.26 is part of the Security, Privacy and Assurance policy family, IRM Part 10 series for IRM Information Technology, Cybersecurity.

Authority

  1. All IRS systems and applications must be compliant with Executive Orders (EOs), Office of Management and Budget (OMB), Federal Information Security Modernization Act of 2014 (FISMA), National Institute of Standards and Technology (NIST), Cybersecurity and Infrastructure Security Agency (CISA), National Archives and Records Administration (NARA), Department of the Treasury, and IRS guidelines as they apply.

Roles and Responsibilities

  1. IRM 10.8.2, Information Technology (IT) Security, IT Security Roles and Responsibilities, defines IRS-wide roles and responsibilities related to IRS information and information system security, and is the authoritative source for such information

  2. The supplemental roles and responsibilities provided below are located in the IT Roles and Responsibilities subsection of this IRM.

Program Management and Review

  1. The IRS Security Policy Program establishes a framework of security controls to ensure the inclusion of security in the daily operations and management of IRS IT resources. This framework of security controls is provided through the issuance of security policies via the IRM 10.8 series and the development of technology specific security requirement checklists. Stakeholders are notified when revisions to the security policies and security requirement checklists are made.

  2. It is the policy of the IRS to:

    1. Establish and manage an Information Security Program within all its offices. This policy provides uniform policies and guidance to be used by each office.

    2. Protect all IT resources belonging to, or used by, the IRS at a level commensurate with the risk and magnitude of harm that could result from loss, misuse, or unauthorized access to that IT resource.

    3. Protect its information resources and allow the use, access, disposition, and disclosure of information in accordance with applicable laws, policies, federal regulations, OMB guidance, Treasury Directives (TDs), NIST Publications, NARA guidance, other regulatory guidance, and best practice methodologies.

    4. Use best practices methodologies (such as Capability Maturity Model Integration (CMMI), Enterprise Life Cycle (ELC), Information Technology Infrastructure Library (ITIL), and Lean Six Sigma (LSS)) to document and improve IRS IT process and service efficiency and effectiveness.

Program Controls

  1. Each IRM in the 10.8 series is assigned an author who reviews their IRM annually to ensure accuracy. The IRM authors continuously monitor federal guidance (e.g., OMB, CISA, NIST, DISA) for potential revisions to security policies and security requirement checklists. Revisions to security policies and checklists are reviewed by the security policy team, in collaboration with applicable stakeholders, for potential impact to the IRS operational environment.

  2. Security Policy provides a report identifying security policies and security requirement checklists that have recently been revised or are in the process of being revised.

  3. This IRM applies to all IRS information and information systems, which store, process, or transmit IRS information or connect to an IRS network or system. For systems that store, process, or transmit classified national security information, refer to IRM 10.9.1, Classified National Security Information (CNSI), for additional guidance for protecting classified information.

  4. This IRM establishes the minimum baseline security policy and requirements for all IRS wireless, mobile and BYOD devices and IRS-approved mobile access solutions in order to:

    1. Protect the critical infrastructure and assets of the IRS against attacks that exploit IRS assets.

    2. Prevent unauthorized access to IRS assets.

    3. Enable IRS IT computing environments to meet the security requirements of this policy and support the business needs of the organization.

  5. In the event there is a discrepancy between this policy and IRM 10.8.1, IRM 10.8.1 has precedence, unless the security controls/requirements in this policy are more restrictive.

Terms and Acronyms

  1. Refer to Exhibit 10.8.26-2, Terms and Acronyms, for a list of terms, acronyms, and definitions.

Related Resources

  1. Refer to Exhibit 10.8.26-3, Related Resources, for a list of related resources and references.

Risk Acceptance and Risk-Based Decisions (RBD)

  1. Any exception to this policy requires that the Authorizing Official (AO) make a Risk-Based Decision (RBD).

  2. Users must submit RBD requests in accordance with Cybersecurity’s Security Risk Management (SRM) Risk Acceptance Process within the Risk-Based Decision Standard Operating Procedures (SOP).

    Note:

    ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡≡ ≡ ≡ ≡ ≡ ≡ ≡

  3. Refer to IRM 10.8.1 for additional guidance about risk acceptance.

Mobile Device IT Roles and Responsibilities

  1. IRM 10.8.2, Information Technology (IT) Security, IT Security Roles and Responsibilities, defines IRS-wide roles and responsibilities related to IRS information and information system security, and is the authoritative source for such information.

  2. The supplemental roles and responsibilities provided below are specific to the implementation of government and non-government/personally owned (BYOD) devices.

Government Furnished Mobile Device Users

  1. Government furnished mobile device users must be responsible for ensuring the physical and logical security of their assigned equipment. (IRS-defined)

    Note:

    An example of how an employee must ensure the logical security of a mobile device is by exercising due care in preventing viruses and malware from being installed on their mobile devices by not opening attachments and documents from untrusted sources (i.e., attachments and documents from a personal email).

  2. Managers of employees who have been assigned government furnished mobile devices must ensure their employees exercise due care in safeguarding these devices and the data they contain. (IRS-defined)

  3. Refer to IRM 10.8.27, Information Technology (IT) Security, Personal Use of Government Furnished Information Technology Equipment and Resources, for guidance pertaining to the prohibited uses of government furnished mobile devices.

Non-Government Furnished/Personally Owned (BYOD) Mobile Device Users

  1. BYOD participants must: (IRS-defined)

    1. Understand that if their approved non-government furnished/personally owned mobile device is not compliant with IRS security policies or if it presents any unacceptable risk to the IRS’s networks or data, that it will not be allowed to connect to the IRS’s systems.

    2. Consent to remote inspection and monitoring of the IRS-approved mobile access solution on their approved non-government furnished/personally owned mobile device, using technology centrally managed by IRS IT organization.

    3. Ensure they are the only person who has access to their approved non-government furnished/personally owned mobile devices when being used to view or process IRS information.

    4. Ensure a valid password is successfully entered prior to logging onto the mobile device.

    5. Ensure a valid password is successfully entered prior to logging into the IRS-approved mobile access solution.

    6. See the Rules of Behavior for BYOD Participants section within this IRM for further requirements when using their approved non-government furnished/personally owned mobile device to access, process, transmit, or store IRS information.

  2. BYOD participants must not: (IRS-defined)

    1. Use the screen capture function on their mobile device while logged into the IRS-approved mobile access solution.

      Note:

      Using the screen capture function while logged into the IRS-approved mobile access solution could place IRS sensitive information, for example sensitive but unclassified (SBU) data and personally identifiable information (PII), at risk of disclosure.

    2. Share their IRS-approved mobile access solution password with anyone.

IT Security Controls

  1. The security controls in this IRM supplement the requirements found in IRM 10.8.1.

    1. Refer to IRM 10.8.1 for security control families and security controls not addressed within this IRM.

  2. It is acceptable to configure settings to be more restrictive than those defined in this IRM.

  3. To configure less restrictive requirements requires a risk-based decision. Refer to the Risk Acceptance and Risk-Based Decisions subsection within this IRM for additional guidance.

AC - Access Control

  1. In addition to the Access Control guidance defined within this IRM, the following controls must be implemented in accordance with IRM 10.8.1 and/or IRM 10.8.24, if applicable.

    • AC-01 Access Control Policy and Procedures

    • AC-04 Information Flow Enforcement

    • AC-05 Separation of Duties

    • AC-06 Least Privilege

    • AC-13 Withdrawn by NIST

    • AC-14 Permitted Actions without Identification or Authentication

    • AC-15 Withdrawn by NIST

    • AC-16 Security and Privacy Attributes

    • AC-20 Use of External Systems

    • AC-21 Information Sharing

    • AC-22 Publicly Accessible Content

    • AC-23 Data Mining Protection

    • AC-24 Access Control Decisions

    • AC-25 Reference Monitor

AC-02 Account Management
  1. The Unified Endpoint Managment (UEM) server must provide automated mechanisms for supporting account management functions. (DISA UEM Server SRG: SRG-APP-000023-UEM-000012)

  2. The UEM server must automatically remove or disable temporary user accounts after 72 hours if supported by the UEM server. (DISA UEM Server SRG: SRG-APP-000024-UEM-000013)

  3. The UEM server must automatically disable accounts after a 35-day period of account inactivity. (DISA UEM Server SRG: SRG-APP-000025-UEM-000014)

  4. The UEM server must automatically audit account creation. (DISA UEM Server SRG: SRG-APP-000026-UEM-000015)

  5. The UEM server must automatically audit account modification. (DISA UEM Server SRG: SRG-APP-000027-UEM-000016)

  6. The UEM server must automatically audit account disabling actions. (DISA UEM Server SRG: SRG-APP-000028-UEM-000017)

  7. The UEM server must automatically audit account removal actions. (DISA UEM Server SRG: SRG-APP-000029-UEM-000018)

  8. The UEM server must notify system administrators and the Information System Security Officer (ISSO) when accounts are created. (DISA UEM Server SRG: SRG-APP-000291-UEM-000165)

  9. The UEM server must notify administrators and the ISSO when accounts are modified. (DISA UEM Server SRG: SRG-APP-000292-UEM-000166)

  10. The UEM server must notify system administrators and the ISSO for account disabling actions. (DISA UEM Server SRG: SRG-APP-000293-UEM-000167)

  11. The UEM server must notify system administrators and the ISSO for account removal actions. (DISA UEM Server SRG: SRG-APP-000294-UEM-000168)

  12. The UEM server must automatically audit account-enabling actions. (DISA UEM Server SRG: SRG-APP-000319-UEM-000192)

  13. The UEM server must notify system administrator and ISSO of account enabling actions. (DISA UEM Server SRG: SRG-APP-000320-UEM-000193)

  14. Refer to IRM 10.8.1 for additional guidance on Account Management.

AC-03 Access Enforcement
  1. Mobile devices connected to IRS networks or processing IRS information must comply with IRM 10.8.1 and the security requirements of those networks. (IRS-defined)

  2. The UEM server must employ an audited override of automated access control mechanisms under organization-defined conditions. (DISA UEM Server SRG: SRG-APP-000327-UEM-000200)

  3. The UEM server must be configured to have at least one user in defined administrator roles. (DISA UEM Server SRG: SRG-APP-000329-UEM-000202)

  4. Refer to IRM 10.8.1 for additional guidance on Access Enforcement.

Access to Sensitive Information
  1. Sensitive information (e.g., SBU and PII) must not be downloaded to mobile devices. (IRS-defined)

    1. Government furnished laptops are the only exception to this requirement.

  2. Sensitive information (i.e., federal taxpayer information (FTI)/ 6103 information) must not be viewed or discussed on mobile devices in public places (e.g., airports, coffee shops, hospitals, malls, etc.). (IRS-defined)

  3. Sensitive information stored or processed on a government furnished laptop must be protected with the same requirements as hard-copy documents (e.g., markings, distribution, destruction) and in accordance with the requirements defined within IRM 10.8.1. (IRS-defined)

  4. Only government furnished laptops may be used to access, process, transmit, or store classified data. (IRS-defined)

AC-06 Least Privilege
  1. The UEM server must audit the execution of privileged functions. (DISA UEM Server SRG: SRG-APP-000343-UEM-000216)

  2. Refer to IRM 10.8.1 for additional guidance on Least Privilege.

AC-07 Unsuccessful Logon Attempts
  1. The UEM server must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. (DISA UEM Server SRG: SRG-APP-000065-UEM-000036)

  2. The UEM server must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded. (DISA UEM Server SRG: SRG-APP-000345-UEM-000218)

  3. Refer to IRM 10.8.1 for additional guidance on Unsuccessful Logon Attempts.

AC-08 System-Use Notifications
  1. The UEM server must display the Standard Mandatory IRS System Use Notification Banner, in accordance with IRM 10.8.1, before granting access to the application. (DISA UEM Server SRG-APP-000068-UEM-000037)

  2. The UEM server must retain the access banner until the user acknowledges acceptance of the access conditions. (DISA UEM Server SRG. SRG-APP-000069-UEM-000038)

  3. Refer to IRM 10.8.1 for additional guidance on System-Use Notifications.

AC-09 Previous Logon (Access) Notification
  1. The UEM server must notify the user, upon successful logon (access) to the application, of the date and time of the last logon (access). (DISA UEM Server SRG: SRG-APP-000075-UEM-000041)

  2. The UEM server must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access). (DISA UEM Server SRG: SRG-APP-000076-UEM-000042)

  3. Refer to IRM 10.8.1 for additional guidance on Previous Logon (Access) Notification.

AC-10 Concurrent Session Control
  1. The UEM server must limit the number of concurrent sessions per privileged user account to three or less concurrent sessions. For High System, the UEM server must limit the number of concurrent sessions in accordance with IRM 10.8.1 (DISA UEM Server SRG: SRG-APP-000001-UEM000001)

  2. Refer to IRM 10.8.1 for additional guidance on Concurrent Session Control.

AC-11 Device Lock
  1. The UEM server must conceal, via the session lock, information previously visible on the display with a publicly viewable image. (DISA UEM Server SRG: SRG-APP-000002-UEM-000002)

  2. The UEM server must initiate a session lock after a 15-minute period of inactivity. (DISA UEM Server SRG: SRG-APP-000003-UEM-000003)

  3. The Mobile Device Management (MDM) server must provide the capability for users to directly initiate a session lock. (DISA UEM Server SRG: SRG-APP-000004-UEM-000004)

  4. The MDM server must retain the session lock until the user reestablishes access using established identification and authentication procedures. (DISA UEM Server SRG: SRG-APP-000005-UEM-000005)

  5. Refer to IRM 10.8.1 for additional guidance on Device Lock.

AC-12 Session Termination
  1. The UEM server must automatically terminate a user session after a period of inactivity, in accordance with IRM 10.8.1. (DISA UEM Server SRG: SRG-APP-000295-UEM-000169)

  2. The UEM server must provide logout capability for user-initiated communication sessions. (DISA UEM Server SRG: SRG-APP-000296-UEM-000170)

  3. The UEM server must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions. (DISA UEM Server SRG: SRG-APP-000297-UEM-000171)

  4. Refer to IRM 10.8.1 for additional guidance on Session Termination.

AC-17 Remote Access
  1. Remote access must only be accomplished with a government furnished mobile device via an IRS-approved Virtual Private Network (VPN) solution that uses Federal Information Processing Standard (FIPS) 140-validated encryption technology. (IRS-defined)

  2. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  3. The UEM server must use Transport Layer Security (TLS) 1.2, or higher, to protect the confidentiality of sensitive data during electronic dissemination using remote access. (DISA UEM Server SRG: SRG-APP-000014-UEM-000009)

  4. The UEM server must be configured to prohibit client negotiation to TLS 1.1, TLS 1.0, Secure Sockets Layer (SSL) 2.0, or SSL 3.0. (DISA UEM Server SRG: SRG-APP-000560-UEM-000394)

  5. Refer to IRM 10.8.1 for additional guidance on Remote Access.

AC-18 Wireless Access
  1. IRS employees must be responsible to ensure they only use the intended secured Wi-Fi connection (e.g. hotels, home) (IRS-defined)

    Note:

    The intent of this requirement is to avoid a situation where the employee is inadvertently using a rogue SSID.

  2. IRS employees are permitted to utilize secure public Wi-Fi access for example, hospital, Internet café, coffee shop, public library. (IRS-defined)

  3. Government furnished mobile hotspots are permitted to be used for conducting official business and must adhere to the requirements defined within IRM 10.8.1 and this IRM. For additional guidance on mobile hotspots, refer to IRM 2.28.1, Unified Communications (UC) Overview. (IRS-defined)

  4. Refer to IRM 10.8.1 for additional guidance on Wireless Access.

AC-19 Access Controls for Mobile Devices
  1. Mobile devices must be provisioned with Public Key Infrastructure (PKI) digital certificates, in accordance with IRM 10.8.52, IRS Public Key Infrastructure (PKI) X.509 Certificate Policy, so users can digitally sign and encrypt email notifications or other email messages required by IRS policy. (IRS-Defined)

    1. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    2. AO approval must be obtained prior to the use of software PKI certificates on mobile devices. (IRS-defined)

  2. IRS or Treasury-issued software certificates must not be used for non-government furnished/personally owned mobile devices, unless they have been approved for use in the BYOD program. (DISA: SRG-MPOL-058; IRS-defined)

  3. Refer to IRM 10.8.1 for additional guidance on Access Control for Mobile Devices.

Travel
  1. Travel requirements pertaining to mobile devices must be implemented in accordance with AC-19 Access Control for Mobile Devices in IRM 10.8.1.

  2. For the purpose of requirements pertaining to overseas or foreign (international) travel with a government furnished mobile device (e.g., laptop, tablet, smartphone) the following apply: (IRS-defined)

    1. IRS personnel permanently stationed overseas are not considered foreign travelers for the purpose of this section.

    2. For IRS employees at U.S. diplomatic facilities abroad, U.S. Department of State requirements prevail for all IT security requirements in lieu of this IRM and TD-P 85-01.

    3. The IRS Tax Attaché with responsibility for the country an employee is traveling to, may advise them of further restrictions for bringing laptops within their jurisdictions.

    Note:

    The term "U.S." is used here to refer to the United States, its possessions, and territories. “Non-U.S. Support” is used here to mean use of contractors or other non-federal service providers located outside the U.S., its possessions, and territories.

Access Controls for Government Furnished Mobile Devices
  1. Mobile devices (GFE and BYOD) must not be used by anyone other than authorized personnel (e.g., The person to whom it is assigned, IT personnel performing maintenance/repairs, the manager of the person to whom it is assigned, personnel conducting an official audit.) (IRS-defined)

Access Control for Non-Government Furnished/Personally Owned (BYOD) Mobile Devices
  1. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  2. The IRS IT organization must retain information system connection or processing agreements for approved non-government furnished/personally owned mobile devices that have been approved for use in the BYOD program. (IRS-defined)

AT - Awareness and Training

  1. In addition to the Awareness and Training guidance defined within this IRM, the following controls must be implemented in accordance with IRM 10.8.1 or IRM 10.8.24, if applicable:

    • AT-01 Awareness and Training Policy and Procedures

    • AT-03 Role-Based Training

    • AT-04 Training Records

    • AT-05 Withdrawn by NIST

    • AT-06 Training Feedback

AT-02 Literacy Training and Awareness
  1. All supplemental policies required to implement mobile device security solutions must be documented and provided to mobile device users. (IRS-defined)

  2. Mobile device users must receive training on the following required topics before they are authorized to access an IRS network via a wireless remote access device: (IRS-defined)

    1. User authentication and content encryption requirements.

    2. Enabling wireless interfaces only when needed.

    3. Enabling the VPN connection to the IRS network immediately after establishing a wireless connection (using an approved VPN client).

    4. All internet browsing being done on the IRS network, only after the VPN connection has been established.

    5. Locations where wireless remote access is authorized or not authorized (e.g., home, airport, hotel, etc.).

    6. Wireless client configuration requirements.

    7. Use of Wi-Fi Protected Access 2 (WPA2) Personal (Advanced Encryption Standard [AES]) on home WLAN.

    8. Home WLAN password and Service Set Identifier (SSID) requirements - Discontinue the use of devices suspected of being tampered with and notify the site AO.

  3. Refer to IRM 10.8.1 for additional guidance on Literacy Training and Awareness.

AU - Audit and Accountability

  1. In addition to the Audit and Accountability guidance defined within this IRM, the following controls must be implemented in accordance with IRM 10.8.1 or IRM 10.8.24, if applicable:

    • AU-01 Audit and Accountability Policy and Procedures

    • AU-02 Event Logging

    • AU-06 Audit Review, Analysis, and Reporting

    • AU-07 Audit Reduction and Report Generation

    • AU-11 Audit Record Retention

    • AU-13 Monitoring for Information Disclosure

    • AU-15 Withdrawn by NIST

    • AU-16 Cross-Organizational Audit Logging

AU-03 Content of Audit Records
  1. The UEM server must be configured to produce audit records containing information to establish what type of events occurred. (DISA UEM Server SRG: SRG-APP-000095-UEM-000055)

  2. The UEM server must be configured to produce audit records containing information to establish when (date and time) the events occurred. (DISA UEM server SRG: SRG-APP-000096-UEM-000056)

  3. The UEM server must be configured to produce audit records containing information to establish where the events occurred. (DISA UEM Server SRG: SRG-APP-000097-UEM-000057)

  4. The UEM server must be configured to produce audit records containing information to establish the source of the events. (DISA UEM Server SRG: SRG-APP-000098-UEM-000058)

  5. The UEM server must be configured to produce audit records that contain information to establish the outcome of the events. (DISA UEM Server SRG: SRG-APP-000099-UEM-000059)

  6. The UEM server must be configured to generate audit records containing information that establishes the identity of any individual or process associated with the event. (DISA UEM Server SRG: SRG-APP-000100-UEM-000060)

  7. The UEM server must be configured to generate audit records containing the full-text recording of privileged commands or the individual identities of group account users. (DISA UEM Server SRG: SRG-APP-000101-UEM-000061)

  8. The UEM Agent must record within each UEM Agent audit record the following information: (DISA UEM Agent SRG: SRG-APP-000097-UEM-100005)

    1. Date and time of the event,

    2. Type of event,

    3. Subject identity, and

    4. If relevant, the outcome (success or failure) of the event.

  9. Refer to IRM 10.8.1 for additional guidance on Content of Audit Records.

AU-04 Audit Log Storage Capacity
  1. The UEM server must be configured to transfer UEM server logs to another server for storage, analysis, and reporting. (DISA UEM Server SRG: SRG-APP-000358-UEM-000228)

    Note:

    UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices.

  2. The UEM server must, at a minimum, off-load audit logs of interconnected systems in real time and off-load standalone systems weekly. (DISA UEM Server SRG: SRG-APP-000515-UEM-000390)

  3. The UEM Agent must queue alerts if the trusted channel is not available. (DISA UEM Agent SRG: SRG-APP-000358-UEM-100003)

  4. The UEM Agent must be configured to enable the following function: transfer managed endpoint device audit logs read by the UEM Agent to an UEM server or third-party audit management server. (DISA UEM Agent SRG: SRG-APP-000358-UEM-100013)

  5. Refer to IRM 10.8.1 for additional guidance on Audit Log Storage Capacity.

AU-05 Response to Audit Logging Process Failures
  1. The UEM server must alert the ISSO and System Administrator (at a minimum) in the event of an audit processing failure. (DISA UEM Server SRG: SRG-APP-000108-UEM-000062)

  2. Refer to IRM 10.8.1 for additional guidance on Response to Audit Logging Process Failures.

AU-08 Time Stamps
  1. The UEM server must use host operating system clocks to generate time stamps for audit records. (DISA UEM Server SRG: SRG-APP-000116-UEM-000067)

  2. The UEM server must be configured to record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). (DISA UEM Server SRG: SRG-APP-000374-UEM-000244)

  3. The UEM server must be configured to record time stamps for audit records that meet a granularity for a minimum degree of precision, in accordance with IRM 10.8.1. (DISA UEM Server SRG: SRG-APP-000375-UEM-000245)

  4. Refer to IRM 10.8.1 for additional guidance on Time Stamps.

AU-9 Protection of Audit Information
  1. The UEM server must protect audit information from any type of unauthorized read access. (DISA UEM Server SRG: SRG-APP-000118-UEM-000068)

  2. The UEM server must protect audit information from unauthorized modification. (DISA UEM Server SRG: SRG-APP-000119-UEM-000069)

  3. The UEM server must protect audit information from unauthorized deletion. (DISA UEM Server SRG: SRG-APP-000120-UEM-000070)

  4. The UEM server must back up audit records, in accordance with IRM 10.8.1, onto a log management server. (DISA UEM Server SRG: SRG-APP-000125-UEM-000074)

  5. Refer to IRM 10.8.1 for additional guidance on Protection of Audit Information.

AU-10 Non-Repudiation
  1. The UEM server must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. (DISA UEM Server SRG: SRG-APP-000080-UEM-000044)

  2. Refer to IRM 10.8.1 for additional guidance on Non-Repudiation.

AU-12 Audit Record Generation
  1. The UEM server must provide audit record generation capability for IRS-defined auditable events within all application components. (DISA UEM Server SRG: SRG-APP-000089-UEM-000049)

  2. The UEM server must be configured to provide audit records in a manner suitable for the Authorized Administrators to interpret the information. (DISA UEM Server SRG: SRG-APP-000089-UEM-000050)

  3. The UEM server must be configured to allow only specific administrator roles to select which auditable events are to be audited. (DISA UEM Server SRG: SRG-APP-000090-UEM-000051)

  4. The UEM server must generate audit records when successful/unsuccessful attempts to access privileges occur. (DISA UEM Server SRG: SRG-APP-000091-UEM-000052)

  5. The UEM server must generate audit records when successful/unsuccessful attempts to access security objects occur. (DISA UEM Server SRG: SRG-APP-000492-UEM-000367)

  6. The UEM server must generate audit records when successful/unsuccessful attempts to modify privileges occur. (DISA UEM Server SRG: SRG-APP-000495-UEM-000370)

  7. The UEM server must generate audit records when successful/unsuccessful attempts to modify security objects occur. (DISA UEM Server SRG: SRG-APP-000496-UEM-000371)

  8. The UEM server must generate audit records when successful/unsuccessful attempts to delete privileges occur. (DISA UEM Server SRG: SRG-APP-000499-UEM-000374)

  9. The UEM server must generate audit records when successful/unsuccessful attempts to delete security objects occur. (DISA UEM Server SRG: SRG-APP-000501-UEM-000376)

  10. The UEM server must generate audit records when successful/unsuccessful logon attempts occur. (DISA UEM Server SRG: SRG-APP-000503-UEM-000378)

  11. The UEM server must generate audit records for privileged activities or other system-level access. (DISA UEM Server SRG: SRG-APP-000504-UEM-000379)

  12. The UEM server must generate audit records showing starting and ending time for user access to the system. (DISA UEM Server SRG: SRG-APP-000505-UEM-000380)

  13. The UEM server must generate audit records when concurrent logons from different workstations occur. (DISA UEM Server SRG: SRG-APP-000506-UEM-000381)

  14. The UEM server must generate audit records when successful/unsuccessful accesses to objects occur. (DISA UEM Server SRG: SRG-APP-000507-UEM-000382)

  15. The UEM server must generate audit records for all direct access to the information system. (DISA UEM Server SRG: SRG-APP-000508-UEM-000383)

  16. The UEM server must generate audit records for all account creations, modifications, disabling, and termination events. (DISA UEM Server SRG: SRG-APP-000509-UEM-000384)

  17. The UEM agent must provide an alert via the trusted channel to the UEM server in the event of any of the following audit events: (DISA UEM Agent SRG: SRG-APP-000089-UEM-100002)

    1. Successful application of policies to a mobile device,

    2. Receiving or generating periodic reachability events,

    3. Change in enrollment state,

    4. Failure to install an application from the UEM server, and

    5. Failure to update an application from the UEM server

  18. The UEM agent must generate a UEM agent audit record of the following auditable events: (DISA UEM Agent SRG: SRG-APP-000089-UEM-100004)

    1. Startup and shutdown of the UEM agent,

    2. UEM policy update, and

    3. Any modification commanded by the UEM server.

  19. The UEM agent must be configured to enable the following function: read audit logs of the managed endpoint device. (DISA UEM Agent SRG: SRG-APP-000089-UEM-100012)

  20. Refer to IRM 10.8.1 for additional guidance on Audit Record Generation.

AU-14 Session Audit
  1. The UEM server must initiate session auditing upon startup. (DISA UEM Server SRG: SRG-APP-000092-UEM-000053)

  2. Refer to IRM 10.8.1 for additional guidance on Session Audit.

CA - Assessment, Authorization, and Monitoring

  1. In addition to the Assessment, Authorization, and Monitoring guidance defined within this IRM, the following controls must be implemented in accordance with IRM 10.8.1 or IRM 10.8.24, if applicable:

    • CA-01 Assessment, Authorization, and Monitoring Policy and Procedures

    • CA-03 Information Exchange

    • CA-04 Withdrawn by NIST

    • CA-05 Plan of Action and Milestones (POA&M)

    • CA-06 Authorization

    • CA-07 Continuous Monitoring

    • CA-08 Penetration Testing

CA-02 Control Assessments
  1. Mobile devices that access, process, transmit, or store IRS information must:

    1. Be documented in an authorization package in accordance with IRM 10.8.1, TD-P 85-01, Department of the Treasury IT Security Program, and NIST Special Publication (SP) 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems. (IRS-defined)

      Note:

      Each individual mobile device does not need to have an authorization for it; however, each mobile device configuration needs to go through the authorization process and be documented in the package.

  2. Wireless devices connecting directly or indirectly (e.g., ActiveSync, wireless) to a network must be included in the appropriate system’s authorization documentation (i.e., System Security Plan (SSP)). (IRS-defined)

  3. Mobile devices must be approved by the AO prior to accessing IRS networks and data. (IRS-defined)

  4. Mobile devices that process SBU and PII are subject to a full security assessment prior to use. (IRS-defined)

    1. Cybersecurity Security Assessment Services (SAS) must identify any security risk(s) and document the assessment of risk in a Security Assessment Report (SAR).

    2. The AO must make a determination if the identified risk(s) are acceptable or not.

  5. Refer to IRM 10.8.1 for additional guidance on Assessments.

CM - Configuration Management

  1. In addition to the Configuration Management guidance defined within this IRM, the following controls must be implemented in accordance with IRM 10.8.1 or IRM 10.8.24, if applicable:

    • CM-01 Configuration Management Policy and Procedures

    • CM-03 Configuration Change Control

    • CM-04 Impact Analysis

    • CM-08 System Component Inventory

    • CM-09 Configuration Management Plan

    • CM-10 Software Usage Restrictions

    • CM-12 Information Location

    • CM-13 Data Action Mapping

    • CM-14 Signed Components

CM-02 Baseline Configuration
  1. Configuration management procedures must be developed for government furnished mobile devices in accordance with IRM 10.8.1 and this IRM. (IRS-defined)

  2. IRS developed configuration baselines for mobile device security must be developed consistent with NIST 800-124 and NIST 800-37 when setting minimum security standards for mobile devices. (IRS-defined)

    Note:

    The above guidance, including appropriate security controls specified in NIST SP 800-53, is in addition to all existing federal requirements for data protection and remote access for mobile devices.

  3. The IRS must establish and maintain baseline configurations and inventories, including application software, throughout the respective System Development Life Cycle (SDLC) (i.e., IRS Enterprise Lifecycle (ELC)), of government furnished mobile devices that access, process, transmit, or store IRS information. (IRS-defined)

  4. Refer to IRM 10.8.1 for additional guidance on Baseline Configuration.

CM-05 Access Restrictions for Change
  1. The UEM server must prevent the installation of patches, service packs, or application components without verification that the software component has been digitally signed using a certificate that is recognized and approved by the organization. (DISA UEM Server SRG: SRG-APP-000131-UEM-000076)

  2. The UEM server must limit privileges to change the software resident within software libraries. (DISA UEM Server SRG: SRG-APP-000133-UEM-000078)

  3. The UEM server must enforce access restrictions associated with changes to the server configuration. (DISA UEM Server SRG: SRG-APP-000380-UEM-000251)

  4. The UEM server must audit the enforcement actions used to restrict access associated with changes to the application. (DISA UEM Server SRG: SRG-APP-000381-UEM-000252)

  5. Refer to IRM 10.8.1 for additional guidance on Access Restrictions for Change.

CM-06 Configuration Settings
  1. Smart card readers (SCRs) used with government furnished mobile devices must have the IRS-approved software version installed. (IRS-defined)

  2. Government furnished and non-government furnished/personally owned mobile devices must be set to implement the security requirements within this IRM and IRM 10.8.1. (IRS-defined)

  3. Non-Government furnished/personally owned mobile devices that are enrolled in the BYOD program that are rooted, jailbroken, or compromised must not be permitted. (IRS-defined)

    1. Mobile device management servers must be configured to detect rooted, jailbroken, or compromised devices.

    2. IRS installed applications and/or software on detected rooted, jailbroken or compromised devices must be wiped.

      Note:

      Rooted and jailbroken are terms that describe the process of modifying the mobile device’s operating system, often with the goal of running unsigned code or performing unsupported customizations to the operating system. Unlocking allows users to operate a mobile device on a cellular network it is not authorized to connect to.

  4. For guidance on operating system-specific configuration settings, see the Mobile Device Technical Security Requirements Exhibits within this IRM.

  5. The UEM server must be configured in accordance with the security configuration settings based on IRS security configuration or implementation guidance, including STIGs. (DISA UEM Server SRG: SRG-APP-000516-UEM-000391)

  6. The UEM server must be configured to allow authorized administrators to read all audit data from audit records on the server. (DISA UEM Server SRG: SRG-APP-000516-UEM-000392)

  7. The UEM agent must record the reference identifier of the UEM server during the enrollment process. (DISA UEM Agent SRG: SRG-APP-000516-UEM-100006)

  8. The UEM agent must perform the following functions: (DISA UEM Agent SRG: SRG-APP-000516-UEM-100010)

    1. Enroll in management,

    2. Configure whether users can unenroll from management and

    3. Configure periodicity of reachability events.

  9. The UEM agent must be configured to perform one of the following actions upon an attempt to unenroll the mobile device from management: (DISA UEM Agent SRG: SRG-APP-000516-UEM-100011)

    1. Prevent the unenrollment from occurring,

    2. Wipe the device to factory default settings and

    3. Wipe the work profile with all associated applications and data.

  10. Refer to IRM 10.8.1 for additional guidance on Configuration Settings.

CM-07 Least Functionality
  1. The UEM server must be configured to disable non-essential capabilities. (DISA UEM Server SRG: SRG-APP-000141-UEM-000079)

  2. The firewall protecting the UEM server platform must be configured so only ports, protocols, and services approved by User and Network Services (UNS) and Computer Security Incident Response Center (CSIRC) are enabled. (DISA UEM Server SRG: SRG-APP-000142-UEM-000080)

  3. The UEM server must be configured to use only documented platform APIs. (DISA UEM Server SRG: SRG-APP-000142-UEM-000081)

  4. The UEM server must disable functions, ports, protocols, and services (within the application) deemed unnecessary and/or non-secure, in accordance with UNS and CSIRC. (DISA UEM Server SRG: SRG-APP-000383-UEM-000254)

  5. Refer to IRM 10.8.1 for additional guidance on Least Functionality.

CM-11 User-Installed Software
  1. The UEM server must verify the digital signature of software before installation and alert the ISSO and other designated personnel if unauthorized software is detected. (DISA UEM Server SRG: SRG-APP-000377-UEM-000247)

  2. The UEM server must prohibit user installation of software by an administrator without the appropriate assigned permission for software installation. (DISA UEM Server SRG: SRG-APP-000378-UEM-000248)

  3. The UEM server must be configured to only allow enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications. (DISA UEM Server SRG: SRG-APP-000378-UEM-000249)

  4. Refer to IRM 10.8.1. for additional guidance on User-Installed Software.

CP - Contingency Planning

  1. Refer to IRM 10.8.1 for guidance on Contingency Planning.

IA - Identification and Authentication

  1. In addition to the Identification and Authentication guidance defined within this IRM, the following controls must be implemented in accordance with IRM 10.8.1 or IRM 10.8.24, as applicable:

    • IA-01 Identification and Authentication Policy and Procedures

    • IA-08 Identification and Authentication (Non-Organizational Users)

    • IA-09 Service Identification and Authentication

    • IA-10 Adaptive Authentication

    • IA-12 Identity Proofing

IA-02 Identification and Authentication (Organizational Users)
  1. The UEM server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). (DISA UEM Server SRG: SRG-APP-000148-UEM-000082)

  2. The UEM server must be configured to use an IRS Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts. (DISA UEM Server SRG: SRG-APP-000149-UEM-000083)

  3. All UEM server local accounts created during application installation and configuration must be removed. (DISA UEM Server SRG: SRG-APP-000151-UEM-000085)

    Note:

    In this context local accounts refers to user and or administrator accounts on the server that use username and password for user access and authentication.

     

  4. The UEM server must ensure users are authenticated with an individual authenticator prior to using a group authenticator. (DISA UEM Server SRG: SRG-APP-000153-UEM-000087)

  5. The UEM server must be configured to use IRS PKI for multifactor authentication. This requirement is included in SRG-APP-000149. (DISA UEM Server SRG: SRG-APP-000154-UEM-000088)

  6. The UEM server must use FIPS-validated Secure Hash Algorithm 2 (SHA-2) or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts. (DISA UEM Server SRG: SRG-APP-000156-UEM-000090)

  7. The UEM server must implement replay-resistant authentication mechanisms for network access to non-privileged accounts. (DISA UEM Server SRG: SRG-APP-000157-UEM-000091)

  8. Refer to IRM 10.8.1 for additional guidance on Identification and Authentication (Organizational Users).

IA-03 Device Identification and Authentication
  1. Before establishing a connection to any endpoint device being managed, the UEM server must establish a trusted path between the server and endpoint that provides assured identification of the end point using a bidirectional authentication mechanism configured with a FIPS-validated AES cipher block algorithm to authenticate with the device. (DISA UEM Server SRG: SRG-APP-000395-UEM-000266)

  2. The UEM server must authenticate endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. (DISA UEM Server SRG: SRG-APP-000580-UEM-000398)

  3. If cipher suites using pre-shared keys are used for device authentication, the UEM server must have a minimum-security strength of 112 bits or higher. (DISA UEM Server SRG: SRG-APP-000585-UEM-000399)

  4. Refer to IRM 10.8.1 for additional guidance on Device Identification and Authentication.

IA-04 Identifier Management
  1. The UEM server must disable identifiers (individuals, groups, roles, and devices) after a period of inactivity, in accordance with IRM 10.8.1. (DISA UEM Server SRG: SRG-APP-000163-UEM-000093)

  2. Refer to IRM 10.8.1 for additional guidance on Identifier Management.

IA-05 Authenticator Management
  1. Authentication when accessing IRS systems and data (e.g., email, files) via mobile devices (BYOD or IRS-owned) must be in accordance with IRM 10.8.1 and Homeland Security Presidential Directive 12 (HSPD-12). (IRS-Defined)

  2. Passwords/passcodes must be created and maintained in accordance with IRM 10.8.1 and the appropriate underlying OS security requirements checklist where applicable. (IRS-defined)

  3. A password must be enabled for each wireless client that connects to an IRS network or system. Passwords must comply with IRM 10.8.1. (IRS-defined)

  4. Government furnished mobile device users must be prevented from changing the user profile on their assigned mobile devices. (IRS-defined)

  5. The UEM server must enforce a minimum password length, in accordance with IRM 10.8.1. (DISA UEM Server SRG: SRG-APP-000164-UEM-000094)

  6. The UEM server must prohibit password reuse for a minimum number of generations, in accordance with IRM 10.8.1. (DISA UEM Server SRG: SRG-APP-000165-UEM-000095)

  7. The UEM server must:

    1. Enforce password complexity by requiring that at least one uppercase character be used. (DISA UEM Server SRG: SRG-APP-000166-UEM-000096)

    2. Enforce password complexity by requiring that at least one lowercase character be used. (DISA UEM Server SRG: SRG-APP-000167-UEM-000097)

    3. Enforce password complexity by requiring that at least one numeric character be used. (DISA UEM Server SRG: SRG-APP-000168-UEM-000098)

    4. Enforce password complexity by requiring that at least one special character be used. (DISA UEM Server SRG: SRG-APP-000169-UEM-000099)

  8. The UEM server must require the change of a number of characters, in accordance with IRM 10.8.1, when passwords are changed. (DISA UEM Server SRG: SRG-APP-000170-UEM-000100)

  9. For UEM server using password authentication, the application must store only cryptographic representations of passwords. (DISA UEM Server SRG: SRG-APP-000171-UEM-000101)

  10. For UEM server using password authentication, the network element must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process. (DISA UEM Server SRG: SRG-APP-000172-UEM-000102)

  11. The UEM server must enforce 24 hours/1 day as the minimum password lifetime. (DISA UEM Server SRG: SRG-APP-000173-UEM-000103)

  12. The UEM server must enforce a 60-day maximum password lifetime restriction. (DISA UEM Server SRG: SRG-APP-000174-UEM-000104)

  13. When using PKI-based authentication for user access, the UEM server must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. (DISA UEM Server SRG: SRG-APP-000175-UEM-000105)

  14. When the UEM server cannot establish a connection to determine the validity of a certificate, the server must be configured not to have the option to accept the certificate. (DISA UEM Server SRG: SRG-APP-000175-UEM-000106)

  15. The UEM server, when using PKI-based authentication, must enforce authorized access to the corresponding private key. (DISA UEM Server SRG: SRG-APP-000176-UEM-000107)

  16. The UEM server must map the authenticated identity to the individual user or group account for PKI-based authentication. (DISA UEM Server SRG: SRG-APP-000177-UEM-000108)

  17. The UEM server must prohibit the use of cached authenticators after an organization-defined time period. (DISA UEM Server SRG: SRG-APP-000400-UEM-000271)

  18. The UEM server, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. (DISA UEM Server SRG: SRG-APP-000401-UEM-000272)

  19. The UEM server must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation. (DISA UEM Server SRG: SRG-APP-000605-UEM-000401)

  20. The UEM agent must not install policies if the policy-signing certificate is deemed invalid. (DISA UEM Agent SRG: SRG-APP-000175-UEM-100008)

  21. The UEM agent must use managed endpoint device key storage for all persistent secret and private keys. (DISA UEM Agent SRG: SRG-APP-000176-UEM-100001)

  22. Refer to IRM 10.8.1 for additional guidance on Authenticator Management.

IA-06 Authentication Feedback
  1. The UEM server must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. (DISA UEM Server SRG: SRG-APP-000178-UEM-000109)

  2. Refer to IRM 10.8.1 for additional guidance on Authentication Feedback.

IA-07 Cryptographic Module Authentication
  1. The UEM server must use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications. (DISA UEM Server SRG: SRG-APP-000179-UEM-000110)

  2. The application must use FIPS-validated SHA-256 or higher hash function for digital signature generation and verification. (DISA UEM Server SRG: SRG-APP-000610-UEM-000402)

  3. Refer to IRM 10.8.1 for additional guidance on Cryptographic Module Authentication.

IA-11 Re-Authentication
  1. The UEM server must require users (administrators) to reauthenticate when roles change. (DISA UEM Server SRG: SRG-APP-000389-UEM-000260)

  2. The UEM server must require end-point devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication. Examples include: (DISA UEM Server SRG: SRG-APP-000390-UEM-000261)

    1. After a screen lock,

    2. After device reboot,

    3. Before installation of new device policy or profile, and

    4. Before executing a device reset or wipe.

  3. Refer to IRM 10.8.1 for additional guidance on Re-Authentication.

IR - Incident Response

  1. In addition to the Incident Response guidance defined within this IRM, the following controls must be implemented in accordance with IRM 10.8.1 or IRM 10.8.24, if applicable:

    • IR-01 Incident Response Policy and Procedures

    • IR-02 Incident Response Training

    • IR-03 Incident Response Testing

    • IR-04 Incident Handling

    • IR-05 Incident Monitoring

    • IR-07 Incident Response Assistance

    • IR-08 Incident Response Plan

    • IR-09 Information Spillage Response

    • IR-10 Withdrawn by NIST

IR-06 - Incident Reporting
  1. Employees must cooperate with CSIRC during the investigation of any incidents reported by them. (TD P 85-01 Vol. I, Section 2.15)

  2. Refer to the following resources for additional incident reporting requirements not addressed within this IRM (Departmental Incident Response Plan):

    1. IRM 10.2.8, Physical Security Program, Incident Reporting.

    2. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  3. Refer to IRM 10.8.1 for additional guidance on Incident Reporting.

MA - Maintenance

  1. In addition to the Maintenance guidance defined within this IRM, the following controls must be implemented in accordance with IRM 10.8.1 or IRM 10.8.24, if applicable:

    • MA-01 Maintenance Policy and Procedures

    • MA-02 Controlled Maintenance

    • MA-03 Maintenance Tools

    • MA-05 Maintenance Personnel

    • MA-06 Timely Maintenance

    • MA-07 Field Maintenance

MA-04 Non-Local Maintenance
  1. The UEM server must configure web management tools with FIPS-validated AES cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for non-local maintenance sessions. (DISA UEM Server SRG: SRG-APP-000412-UEM-000283)

  2. The UEM server must verify remote disconnection when non-local maintenance and diagnostic sessions are terminated. (DISA UEM Server SRG: SRG-APP-000413-UEM-000284)

  3. Refer to IRM 10.8.1 for additional guidance on Non-Local Maintenance.

MP - Media Protection

  1. In addition to the Media Protection guidance defined within this IRM, the following controls must be implemented in accordance with IRM 10.8.1 or IRM 10.8.24, if applicable:

    • MP-01 Media Protection Policy and Procedures

    • MP-02 Media Access

    • MP-03 Media Marking

    • MP-04 Media Storage

    • MP-05 Media Transport

    • MP-08 Media Downgrading

MP-06 Media Sanitization
  1. The IRS IT organization must develop procedures for the sanitization and disposal of government furnished mobile devices. (IRS-defined)

    1. Procedures must be followed to ensure that all IRS mobile devices that have processed sensitive information are disposed of.

    2. Government furnished mobile devices must be cleansed by utilizing commercial disk-wiping software.

  2. The IRS IT organization must keep an inventory of all disposed government furnished mobile devices. (IRS-defined)

  3. The IRS IT organization must develop procedures for the sanitization of non-government furnished/personally owned mobile devices. (IRS-defined)

    1. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  4. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  5. All mobile devices must follow the device manufacturer’s instructions for wiping user data installed from the device memory and the media card. (IRS-defined)

  6. Refer to IRM 10.8.1 for additional guidance on Media Sanitization.

MP-07 Media Use
  1. BYOD participants must not store any IRS data on a removable memory card. (IRS-defined)

  2. Refer to IRM 10.8.1 for additional guidance on Media Use.

PE - Physical and Environmental Protection

  1. In addition to the Physical and Environmental Protection guidance defined within this IRM, the following controls must be implemented in accordance with IRM 10.8.1 or IRM 10.8.24, if applicable:

    • PE-01 Physical and Environmental Protection Policy and Procedures

    • PE-02 Physical Access Authorizations

    • PE-04 Access Control for Transmission Medium

    • PE-05 Access Control for Output Devices

    • PE-06 Monitoring Physical Access

    • PE-07 Withdrawn by NIST

    • PE-08 Visitor Access Records

    • PE-09 Power Equipment and Cabling

    • PE-10 Emergency Shutoff

    • PE-11 Emergency Power

    • PE-12 Emergency Lighting

    • PE-13 Fire Protection

    • PE-14 Environmental Controls

    • PE-15 Water Damage Protection

    • PE-16 Delivery and Removal

    • PE-17 Alternate Work Site

    • PE-18 Location of System Components

    • PE-19 Information Leakage

    • PE-20 Asset Monitoring and Tracking

    • PE-21 Electromagnetic Pulse Protection

    • PE-22 Component Marking

    • PE-23 Facility Location

PE-03 Physical Access Control
  1. At all times, government furnished and non-government furnished/personally owned mobile device users must: (IRS-defined)

    1. Be responsible for the physical security of their mobile device(s).

    2. Secure their mobile device(s) when not in their possession.

    3. Never leave their powered-on mobile device unlocked when it is not in their presence.

    4. Secure their mobile device(s) (e.g., cable lock, screen lock) from theft or tampering when located in an IRS facility and at an approved telework location (e.g., home).

    5. When traveling, if additional screening is required during the airport screening process, inform the security agent that you cannot be separated from your government furnished mobile device (e.g., laptop) at any time, and that it must be kept in your possession.

  2. The IRS Physical Security organization must develop and implement procedures for physical mobile device security compliance. (IRS-defined)

  3. Passwords/passcodes, hardware tokens, and/or smart cards must not be stored on/or with a mobile device or laptop, unless encrypted or otherwise under the direct and continuous control of the authorized user. (IRS-defined)

  4. Mobile devices with wireless capability (e.g. smart phones, peripheral devices) must be restricted from any area where classified IRS systems process information or where classified information is discussed. (IRS-defined)

  5. Refer to IRM 10.8.1, the IRM 10.2.x, Physical Security Program series of IRMs, and IRM 1.4.6, Managers Security Handbook for additional physical and environmental protection security guidance.

PL – Planning

  1. In addition to the Security Planning guidance defined within this IRM, the following controls must be implemented in accordance with IRM 10.8.1 or IRM 10.8.24, if applicable:

    • PL-01 Planning Policy and Procedure

    • PL-02 System Security and Privacy Plans

    • PL-03 Withdrawn by NIST

    • PL-05 Withdrawn by NIST

    • PL-06 Withdrawn by NIST

    • PL-07 Concept of Operations

    • PL-08 Security and Privacy Architectures

    • PL-09 Central Management

    • PL-10 Baseline Selection

    • PL-Baseline Tailoring

PL-04 Rules of Behavior
  1. In addition to the Rules of Behavior requirements within this IRM, the Rules of Behavior requirements defined in IRM 10.8.1 must be implemented.

Rules of Behavior for BYOD Participants
  1. In order to connect a non-government furnished/personally owned mobile device to the IRS network with the capability of backing up, storing, or otherwise accessing IRS data of any type, BYOD participants must: (IRS-defined)

    1. Understand and acknowledge that they must comply with all rules and procedures made applicable to its use.

    2. Be responsible for the physical security of their mobile device.

    3. Be responsible for backing up their personal data.

    4. Understand that mobile devices which are not in compliance with IRS security policies or represent any unacceptable risk to the IRS network or data will not be allowed to connect to the IRS systems.

    5. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    6. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    7. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    8. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    9. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  2. The IRS reserves the right to disconnect any non-government furnished/personally owned mobile device from IRS system resources if the mobile device is used in a way that puts IRS systems or data, or the data of taxpayers or other persons, at an unacceptable risk of harm or disclosure. (IRS-defined)

  3. The government will not be liable for damages to any personal property that may occur during the course of performing IRS-related duties, except to the extent that the government is held liable under the Federal Tort Claims Act or the Military Personnel and Civilian Employee’s Claims Act. (IRS-defined)

PM - Program Management

  1. Refer to IRM 10.8.1 for guidance on Program Management.

PS - Personnel Security

  1. Refer to IRM 10.8.1 for guidance on Personnel Security.

PT - Personally Identifiable Information Processing and Transparency

  1. Refer to IRM 10.8.1 for guidance on Personally Identifiable Information Processing and Transparency.

RA - Risk Assessment

  1. In addition to the Risk Assessment guidance defined within this IRM, the following controls must be implemented in accordance with IRM 10.8.1 or IRM 10.8.24, if applicable:

    • RA-01 Risk Assessment Policy and Procedures

    • RA-02 Security Categorization

    • RA-04 Withdrawn by NIST

    • RA-05 Vulnerability Monitoring and Scanning

    • RA-06 Technical Surveillance Countermeasures Survey

    • RA-07 Risk Response

    • RA-08 Privacy Impact Assessments

    • RA-09 Criticality Analysis

    • RA-10 Threat Hunting

RA-03 Risk Assessment
  1. Risk assessments of mobile devices must adhere to the requirements and be conducted using this manual, IRM 10.8.1, the security checklists pertaining to this IRM, as well those of other pertinent IRMs (e.g., operating system, wireless). (IRS-defined)

    1. Any deficiencies in compliance must be documented in a risk assessment report and brought to the attention of the responsible AO.

  2. Government furnished mobile devices with wireless capabilities must have the additional risks and mitigations associated with non-government facilities, identified in a risk assessment. (IRS-defined)

  3. Refer to IRM 10.8.1 for additional guidance on Risk Assessment.

SA - System and Services Acquisition

  1. In addition to the System and Services Acquisition guidance defined within this IRM, controls must be implemented in accordance with IRM 10.8.1 or IRM 10.8.24, if applicable:

    • SA-01 System and Services Acquisition Policy and Procedures

    • SA-02 Allocation of Resources

    • SA-04 Acquisition Process

    • SA-05 Information System Documentation

    • SA-06 Withdrawn by NIST

    • SA-07 Withdrawn by NIST

    • SA-08 Security and Privacy Engineering Principles

    • SA-09 External System Services

    • SA-10 Developer Configuration Management

    • SA-11 Developer Testing and Evaluation

    • SA-12 Withdrawn by NIST

    • SA-13 Withdrawn by NIST

    • SA-14 Withdrawn by NIST

    • SA-15 Development Process, Standards, and Tools

    • SA-16 Developer-Provided Training

    • SA-17 Develop Security and Privacy Architecture and Design

    • SA-18 Withdrawn by NIST

    • SA-19 Withdrawn by NIST

    • SA-20 Customized Development of Critical Components

    • SA-21 Developer Screening

    • SA-22 Unsupported System Components

    • SA-23 Specialization

SA-03 System Development Life Cycle (SDLC)
  1. Wireless devices must adhere to the IRS ELC in accordance with IRM 10.8.1. (IRS-defined)

  2. Refer to IRM 10.8.1 for additional guidance on System Development Life Cycle (SDLC).

SA-04 Acquisition Process
  1. Wireless products must be acquired, accounted for, and inventoried in accordance with IRM 10.8.1. (IRS-defined)

  2. Refer to IRM 10.8.1 for additional guidance on Acquisition Process.

SC - System and Communications Protection

  1. In addition to the System and Communications Protection guidance defined within this IRM, controls must be implemented in accordance with IRM 10.8.1 or IRM 10.8.24, if applicable:

    • SC-01 System and Communications Protection Policy and Procedures

    • SC-02 Separation of System and User Functionality

    • SC-03 Security Function Isolation

    • SC-04 Information in Shared System Resources

    • SC-05 Denial of Service Protection

    • SC-06 Resource Availability

    • SC-07 Boundary Protection

    • SC-09 Withdrawn by NIST

    • SC-10 Network Disconnect

    • SC-11 Trusted Path

    • SC-12 Cryptographic Key Establishment and Management

    • SC-14 Withdrawn by NIST

    • SC-15 Collaborative Computing Devices and Applications

    • SC-16 Transmission of Security and Privacy Attributes

    • SC-17 Public Key Infrastructure (PKI) Certificates

    • SC-18 Mobile Code

    • SC-19 Withdrawn by NIST

    • SC-20 Secure Name /Address Resolution Service (Authoritative Source)

    • SC-21 Secure Name /Address Resolution Service (Recursive or Caching Resolver)

    • SC-22 Architecture and Provisioning for Name/Address Resolution Service

    • SC-25 Thin Nodes

    • SC-26 Decoys

    • SC-27 Platform-Independent Applications

    • SC-28 Protection of Information at Rest

    • SC-29 Heterogeneity

    • SC-30 Concealment and Misdirection

    • SC-31 Covert Channel Analysis

    • SC-32 System Partitioning

    • SC-33 Withdrawn by NIST

    • SC-34 Non-Modifiable Executable Programs

    • SC-35 External Malicious Code Identification

    • SC-36 Distributed Processing and Storage

    • SC-37 Out-of-Band Channels

    • SC-38 Operations Security

    • SC-39 Process Isolation

    • SC-40 Wireless Link Protection

    • SC-41 Port and I/O Device Access

    • SC-42 Sensor Capability and Data

    • SC-43 Usage Restrictions

    • SC-44 Detonation Chambers

    • SC-45 System Time Synchronization

    • SC-46 Cross Domain Policy Enforcement

    • SC-47 Alternate Communications Paths

    • SC-48 Sensor Relocation

    • SC-49 Hardware-Enforced Separation and Policy Enforcement

    • SC-50 Software-Enforced Separation and Policy Enforcement

    • SC-51 Hardware-Based Protection

SC-08 Transmission Confidentiality and Integrity
  1. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡≡ ≡ ≡ ≡ ≡ ≡ ≡≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  2. The UEM server must connect to IRS approved applications and managed mobile devices with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information. (DISA UEM Server SRG: SRG-APP-000439-UEM-000313)

  3. Refer to IRM 10.8.1 for additional guidance on Transmission Confidentiality and Integrity.

SC-11 Trusted Path
  1. The UEM server must be configured to provide a trusted communication channel between itself and authorized IT entities using: (DISA UEM Server SRG: SRG-APP-000191-UEM-000117)

    1. Internet Protocol Security (IPsec),

    2. Secure Shell Protocol (SSH),

    3. Mutually authenticated TLS,

    4. Mutually authenticated Datagram Transport Layer Security (DTLS), and/or

    5. Hypertext Transfer Protocol over Secure Socket Layer (HTTPS)

  2. The UEM server must be configured to invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and remote administrators that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using: (DISA UEM Server SRG: SRG-APP-000191-UEM-000118)

    1. IPsec,

    2. SSH,

    3. TLS, and/or

    4. HTTPS

  3. The UEM server must be configured to invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and managed devices that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using: (DISA UEM Server SRG: SRG-APP-000191-UEM-000119)

    1. TLS

    2. HTTPS

  4. Refer to IRM 10.8.1 for additional guidance on Trusted Path.

SC-13 Cryptographic Protection
  1. Data exchange must be encrypted in accordance with the encryption standards of this IRM and IRM 10.8.1. (IRS-defined)

  2. The UEM server must use a FIPS-validated cryptographic module to generate cryptographic hashes. (DISA UEM Server SRG: SRG-APP-000514-UEM-000389)

  3. The UEM server must be configured to implement FIPS 140-validated mode for all server and agent encryption. (DISA UEM Server SRG: SRG-APP-000555-UEM-000393)

  4. All UEM Agent cryptography supporting IRS functionality must be FIPS 140-validated. (DISA UEM Agent SRG: SRG-APP-000555-UEM-100014)

  5. Refer to IRM 10.8.1 for additional guidance on Cryptographic Protection.

≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
  1. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    1. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    2. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    3. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    Note:

    ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  2. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  3. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    1. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
  1. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    1. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    2. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    3. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    4. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

      Note:

      ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

      Note:

      ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  2. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

Global Positioning System (GPS) Devices
  1. The IRS has made a decision to allow the use of taxpayer address information on Global Positioning System (GPS) devices. The Office of Privacy, Governmental Liaison and Disclosure (PGLD), has published specific guidelines for use of taxpayer address data on personally-owned GPS devices. See IRM 10.5.1.6.11, Global Positioning Systems (GPS). (IRS-defined)

  2. Users of GPS devices should be advised that many GPS devices, such as those installed in smartphones and some automobiles, use telematics to transmit address information entered by the user to the GPS vendor. Therefore, IRS personnel must:

    1. Only enter taxpayer address information into the GPS. No other taxpayer-identifiable information must be entered into GPS devices. (IRS-defined)

    2. Immediately delete all taxpayer address information from the GPS device upon arrival at the destination address. (IRS-defined)

  3. If the GPS device requires a corresponding name or identifier for the address, use a made-up number or other moniker that does not include any taxpayer PII or IRS-related information. (IRS-defined)

  4. IRS-owned or personally owned GPS devices must not be connected to an IRS computer.

    1. The ACIO Cybersecurity has made a Risk-Based Decision to allow the connection of IRS-procured GPS devices to personally owned computers for the purpose of updating map information and firmware. (IRS-defined)

SC-23 Session Authenticity
  1. The UEM server must protect the authenticity of communications sessions. (DISA UEM Server SRG: SRG-APP-000219-UEM-000132)

  2. The UEM server must invalidate session identifiers upon user logout or other session termination. (DISA UEM Server SRG: SRG-APP-000220-UEM-000133)

  3. The UEM server must recognize only system-generated session identifiers. (DISA UEM Server SRG: SRG-APP-000223-UEM-000134)

  4. The UEM server must generate unique session identifiers using a FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm. (DISA UEM Server SRG: SRG-APP-000224-UEM-000135)

  5. The UEM server must sign policies and policy updates using a private key, in accordance with IRM 10.8.1 and IRM 10.8.24. (DISA UEM Server SRG: SRG-APP-000427-UEM-000501)

  6. The UEM server, for each unique policy managed, must validate the policy is appropriate for an agent, in accordance with IRM 10.8.1 and IRM 10.8.24. (SRG-APP-000427-UEM-000502)

  7. The UEM server must only allow the use of IRS PKI established certificate authorities for verification of the establishment of protected sessions. (DISA UEM Server SRG: SRG-APP-000427-UEM-000298)

  8. The UEM server must be configured to use X.509v3 certificates for code signing for system software updates. (DISA UEM Server SRG: SRG-APP-000427-UEM-000299)

  9. The UEM server must be configured to use X.509v3 certificates for code signing for integrity verification. (DISA UEM Server SRG: SRG-APP-000427-UEM-000300)

  10. The UEM server must provide digitally signed policy updates to UEM agent. (DISA UEM Server SRG: SRG-APP-000427-UEM-000500)

  11. The UEM agent must only accept policies and policy updates that are digitally signed by a certificate that has been authorized for policy updates by the UEM Server. (DISA UEM Agent SRG: SRG-APP-000427-UEM-100007)

  12. The UEM agent must perform the following functions: Import the certificates to be used for authentication of UEM agent communications. (DISA UEM Agent SRG: SRG-APP-000427-UEM-100009)

  13. Refer to IRM 10.8.1 for additional information on Session Authenticity.

SC-24 Fail in Known State
  1. The UEM server must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. (DISA UEM Server SRG: SRG-APP-000225-UEM-000136)

  2. In the event of a system failure, the UEM server must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes. (DISA UEM Server SRG: SRG-APP-000226-UEM-000137)

  3. Refer to IRM 10.8.1 for additional information on Fail in a Known State.

SI - System and Information Integrity

  1. In addition to the System and Information Integrity guidance defined within this IRM, the following controls must be implemented in accordance with IRM 10.8.1 or IRM 10.8.24, if applicable:

    • SI-01 System and Information Integrity Policy and Procedures

    • SI-03 Malicious Code Protection

    • SI-04 System Monitoring

    • SI-05 Security Alerts, Advisories, and Directives

    • SI-08 Spam Protection

    • SI-09 Withdrawn by NIST

    • SI-12 Information Management and Retention

    • SI-14 Non-Persistence

    • SI-15 Information Output Filtering

    • SI-16 Memory Protection

    • SI-17 Fail-Safe Procedures

    • SI-18 Personally Identifiable Information Quality Operations

    • SI-19 De-Identification

    • SI-20 Tainting

    • SI-21 Information Refresh

    • SI-22 Information Diversity

    • SI-23 Information Fragmentation

SI-02 Flaw Remediation
  1. Wireless application servers must have the latest virus scanning and security patches installed and updated to detect and prevent viruses and other malicious content from infecting the enterprise network, in accordance with IRM 10.8.1 and IRM 10.8.54, Minimum Firewall Administration Requirements. (SI-2(2)_T.235)

  2. Per IRM 10.8.50, Security firmware updates and patches to government furnished mobile device hardware and software components must be fully tested prior to deployment. (IRS-defined)

  3. The UEM server must remove old software components after updated versions have been installed. (DISA UEM Server SRG: SRG-APP-000454-UEM-000328)

  4. The UEM server must be maintained at a supported version. (DISA UEM Server SRG: SRG-APP-000456-UEM-000330)

  5. Refer to IRM 10.8.1 for additional guidance on Flaw Remediation.

SI-06 Security and Privacy Function Verification
  1. The application must notify the ISSO of failed security verification tests. (DISA UEM Server SRG: SRG-APP-000275-UEM-000157)

  2. The UEM server must be configured with the periodicity of the following commands to the agent, in accordance with IRM 10.8.1 (DISA UEM Server SRG: SRG-APP-000472-UEM-000347):

    1. - query connectivity status

    2. - query the current version of the managed device firmware/software

    3. - query the current version of installed mobile applications

    4. - read audit logs kept by the managed device.

  3. The UEM server must run a suite of self-tests during initial start-up (power on) to demonstrate correct operation of the server. (DISA UEM Server SRG: SRG-APP-000473-UEM-000348)

  4. The UEM server must alert the system administrator when anomalies in the operation of security functions are discovered. (DISA UEM Server SRG: SRG-APP-000474-UEM-000349)

  5. Refer to IRM 10.8.1 for additional guidance on Security and Privacy Function Verification.

SI-07 Software, Firmware, and Information Integrity
  1. The UEM server must be configured to verify software updates to the server using a digital signature mechanism prior to installing those updates. (DISA UEM Server SRG: SRG-APP-000479-UEM-000354)

  2. Refer to IRM 10.8.1 for additional guidance on Software, Firmware, and Information Integrity.

SI-10 Information Input Validation
  1. The UEM server must check the validity of all data inputs. (DISA UEM Server SRG: SRG-APP-000251-UEM-000148)

  2. The UEM server must be configured to write to the server event log when invalid inputs are received. (DISA UEM Server SRG: SRG-APP-000447-UEM-000321)

  3. Refer to IRM 10.8.1 for additional guidance on Information Input Validation.

SI-11 Error Handling
  1. The UEM server must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. (DISA UEM Server SRG: SRG-APP-000266-UEM-000151)

  2. The UEM server must reveal error messages only to the ISSO. (DISA UEM Server SRG: SRG-APP-000267-UEM-000152)

  3. Refer to IRM 10.8.1 for additional guidance on Information Input Validation.

SI-13 Predictable Failure Prevention
  1. The UEM server must, when a component failure is detected, activate an organization-defined alarm and/or automatically shut down the application or the component. (DISA UEM Server SRG: SRG-APP-000268-UEM-000153)

  2. Refer to IRM 10.8.1 for additional guidance on Predictable Failure Prevention.

SR - Supply Chain Risk Management

  1. Refer to IRM 10.8.1 for guidance on Supply Chain Risk Management.

≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  1. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    1. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    2. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    3. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

      Note:

      ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    4. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  2. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    1. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    2. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

      • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

      • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

      • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

      • ≡ ≡ ≡ ≡ ≡ ≡ ≡

      • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

      • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

      Note:

      ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  3. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  4. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  5. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

Terms and Acronyms

Term Definition or Description
A

Advanced Encryption Standard (AES)
A symmetric-key encryption standard adopted by the U.S. government. The standard comprises three block ciphers: AES-128, AES-192, and AES-256. Each of these ciphers has a 128-bit block size, with key sizes of 128, 192, and 256 bits, respectively.
Authorizing Official (AO) Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to an agency.
B  
BIOS (Basic Input/Output System) Software stored on a small memory chip on a computer’s motherboard that loads prior to the operating system and instructs the computer on how to perform a number of basic functions such as booting and keyboard controls.
Bluetooth A proprietary open wireless technology standard for exchanging data over short distances (using short wavelength radio transmissions) from fixed and mobile devices, creating wireless personal area networks (WPANs) with high levels of security. Created by telecoms vendor Ericsson in 1994, it was originally conceived as a wireless alternative to RS-232 data cables. It can connect several devices, overcoming problems of synchronization. A Bluetooth piconet is an ad hoc network linking a user group of devices using Bluetooth technology protocols to allow one master device to interconnect with up to seven active slave devices (because a three-bit MAC address is used). Up to 255 further slave devices can be inactive, or parked, which the master device can bring into active status at any time. Piconet range varies according to the class of the Bluetooth device. Data transfer rates vary between about 200 and 2100 kilobits per second (kbit/s) at the application.
Bring Your Own Device (BYOD) Bring Your Own Device is a concept that allows employees to utilize their personally owned technology devices to stay connected to, access data from, or complete tasks for their organizations. At a minimum, BYOD programs allow users to access employer-provided services and/or data on their personal tablets/eReaders, smartphones, and other devices.
Bluetooth Service Level For Security Mode 4, the Bluetooth specification defines five levels of security for Bluetooth services for use during Secure Simple Pairing. The service security levels are as follows:
  • Service Level 4 – Requires MITM protection and encryption using 128-bit equivalent strength for link and encryption keys; user interaction is acceptable.

  • Service Level 3 – Requires MITM protection and encryption; user interaction is acceptable.

  • Service Level 2 – Requires encryption only; MITM protection is not necessary.

  • Service Level 1 – MITM protection and encryption not required. Minimal user interaction.

  • Service Level 0 – No MITM protection, encryption, or user interaction required.

BR Basic Rate
C  
CISA Cybersecurity and Infrastructure Security Agency
CMMI Capability Maturity Model Integration

Commercial Mobile Device (CMD)
A subset of portable electronic devices (PEDs) that provides one or more commercial wireless interfaces along with a compact user input interface (Touch Screen, Miniature Keypad, etc.) and excludes PEDs running a multi-user operating system (Windows OS, Mac OS, etc.). This definition includes, but is not limited to smart phones, tablets, and e-readers.
Computer Security Incident Response Center (CSIRC) Responsible for monitoring the IRS network 24 hours a day year-round for cyber attacks and computer vulnerabilities and for responding to various security incidents such as the theft of a laptop computer.
Controlled Unclassified Information (CUI) A new category of unclassified categories issued in a directive on May 9, 2008, by President George W. Bush. CUI replaces categories such as For Official Use Only (FOUO), Sensitive But Unclassified (SBU) and Law Enforcement Sensitive (LES) categories. Refers to unclassified information that is to be protected from public disclosure.
D  
Defense Information Systems Agency (DISA) An agency composed of military, federal civilian, and contractors. DISA provides IT and communications support to the President, Secretary of Defense, the military services, the combatant commands, and any individual or system contributing to the defense of the United States.
DRBG Deterministic Random Bit Generators
E  
Encryption Any procedure used in cryptography to convert plaintext into ciphertext to prevent anyone but the intended recipient from reading that data.
Enterprise Lifecycle (ELC) The dynamic, iterative process of changing the enterprise over time by incorporating new business processes, new technology, and new capabilities, as well as maintenance, disposition and disposal of existing elements of the enterprise.
ESP Enterprise Standards Profile
F  

Federal Information Processing Standard (FIPS)
Publicly announced standardizations developed by the United States federal government for use in computer systems by all non-military government agencies and by government contractors, when properly invoked and tailored on a contract.
G  

GFE
Government Furnished Equipment.
Global Positioning System (GPS) A space-based satellite navigation system that provides location and time information in all weather conditions, anywhere on or near the Earth where there is an unobstructed line of sight to four or more GPS satellites.
GMT Greenwich Mean Time
H  

HMAC
Hash Message Authentication Code
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
I  
Information Technology (IT) The application of computers and telecommunications equipment to store, retrieve, transmit and manipulate data, often in the context of a business or other enterprise.
iOS (previously iPhone OS) A mobile operating system developed and distributed by Apple Inc.
IPSec Internet Protocol Security
Infrared (IR) Uses pulses of infrared light to transmit data from one device to another. This Infrared light is not visible for the human eye. The Infrared technology has a signal range of about 10 yards and requires line-of-sight.
IRM Internal Revenue Manual
IRS Internal Revenue Service
ISSO Information System Security Officer
K  

KDF
Key Derivation Functions
M  

MITM
Man-in-the-middle
Microsoft Intune Company Portal An application that allows employees to access Outlook, Teams, M365, etc. on their mobile devices.
Mobile Device A portable computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); possesses local, non-removable data storage; and is powered on for extended periods of time with a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture (e.g., photograph, video, record, or determine location) information, and/or built-in features for synchronizing local data with remote locations. Examples include smartphones, tablets, and e-readers. (NIST SP 800-53)
Mobile Device Management (MDM) Software that secures, monitors, manages and supports devices deployed across mobile operators, service providers and enterprises.
Mobile Hotspot An ad hoc wireless access point that is created by a dedicated hardware device or smartphone feature that shares the cellular network. Mobile hotspots provide Internet connectivity when cellular coverage is available over a secure Wi-Fi network.
Multimedia Messaging Service (MMS) A standard way to send messages that include multimedia content to and from mobile phones.
N  

National Institute of Standards and Technology (NIST)
The federal technology agency that works with industry to develop and apply technology, measurements, and standards.
O  

Operating System (OS)
A collection of software that manages computer hardware resources and provides common service for computer programs.
P  
PC Personal Computer
Peripheral Device A device that connects directly to a computer or other digital device that does not contribute to the computer’s primary function, such as computing. It helps end users access and use the functionalities of a computer. A peripheral device is also called a peripheral, computer peripheral, input-output device, or I/O device.
Personally Identifiable Information (PII) Per OMB Circular A-130: ‘Personally identifiable information’ means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. Because there are many different types of information that can be used to distinguish or trace an individual’s identity, the term PII is necessarily broad. To determine whether information is PII, the agency must perform an assessment of the specific risk that an individual can be identified using the information with other information that is linked or linkable to the individual. In performing this assessment, it is important to recognize that information that is not PII can become PII whenever more information becomes available – in any medium and from any source – that would make it possible to identify an individual. PII as defined here falls under the SBU data category called General Privacy, which is subcategory of the Privacy category. General Privacy refers to personal information, or, in some cases, "personally identifiable information," as defined in OMB M-17-12, or "means of identification" as defined in 18 USC 1028(d)(7).
PIM Personal Information Management
PRNG Pseudo Random Number Generator
Public Key Infrastructure (PKI) A system of digital certificates, Certificate Authorities, and other registration authorities that verify and authenticate the validity of each party involved in an internet transaction.
R  

Radio Frequency (RF)
Data transmission technology which is based on electromagnetic radio waves. The advantage of RF is that this technology has a wider signal range, which can be up to 30 yards. RF can go through walls and there is no need to point the remote to the device, as it does not require to be in line-of-sight.
Risk-Based Decision (RBD) RBDs documents various information including the finding or risk, it’s impact, mitigating factors and environment to effectively evaluate the impact of accepting that risk.
RNG Random Number Generator
S  
Sanitization The actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.
Secure Sockets Layer (SSL) Cryptographic protocols that are designed to provide communication security over the Internet.
Security Assessment Report (SAR) Reflects assessment activities conducted by assessors to determine security control effectiveness based on modifications to the security plan and deployed controls.
Security Assessment Services (SAS) Responsible for identifying any security risk and documenting the assessment of risk of a SAR.
Security Technical Implementation Guide (STIG) A methodology for standardized secure installation and maintenance of computer software and hardware.
Sensitive But Unclassified (SBU) Data Any information which, if lost, stolen, misused, or accessed or altered without proper authorization, may adversely affect the national interest or the conduct of federal programs (including IRS operations), or the privacy to which individuals are entitled under the Privacy Act (5 USC 552a). [TD P 15-71] SBU data includes but is not necessarily limited to: Federal Tax Information (FTI), Personally Identifiable Information (PII), Protected Health Information (PHI), certain procurement information, system vulnerabilities, case selection methodologies, system information, enforcement procedures, investigation information. Live data, which is production data in use. Live means that when changing the data, it changes in production. Authorized personnel may extract the data for testing, development, etc., in which case, it is no longer live. Live data often includes SBU data. For more information about security protections of Sensitive But Unclassified (SBU) data, refer to IRM 10.8.1.
Sensitive Information Information in which the loss, misuse, or unauthorized access to, or modification of, could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. 552a (the Privacy Act), but has not been specifically authorized under criteria established by an executive order or an act of Congress to be kept protected in the interest of national defense or foreign policy. Examples of such sensitive information include personal financial information and information that discloses law enforcement investigative methods. Other particular classes of information may have additional statutory limits on disclosure that require that information to also be treated as sensitive. Examples include tax information, which is protected by Section 6103 of the IRC (26 U.S.C. 6103) and advanced procurement information, protected by the Procurement Integrity Act (41 U.S.C. 423).
Short Messaging Service (SMS) A text messaging service component of phone, web, or mobile communication systems, using standardized communications protocols that allow the exchange of short text messages between fixed line or mobile phone devices.
Smart Card Reader (SCR) An electronic device that reads smart cards. A smart card is a plastic card about the size of a credit card, with an embedded microchip that can be loaded with data, used for telephone calling, electronic cash payments, and other applications, and then periodically refreshed for additional use.
Smartphone A mobile phone built on a mobile operating system, with more advanced computing capability and connectivity than a feature phone. Smartphones combine the functions of a personal digital assistant (PDA), camera, and mobile phone. They also typically include GPS, touchscreens, web-browsing capabilities, and include a mobile operating system (mobile OS) (e.g., Android OS and Apple iOS).
SRG Security Requirements Guide
SSH Secure Shell Protocol
SSID Service Set Identifier
Standard Operating Procedures (SOP) Established or prescribed methods to be followed routinely for the performance of designated operations or in designated situations.
Systems Development Life Cycle (SDLC) A process of creating or altering information systems, and the models and methodologies that people use to develop these systems.
T  

Tablet
A tablet computer (tablet) is a mobile computer, larger than a mobile phone or mobile computing device, integrated into a flat touchscreen and primarily operated by touching the screen rather than using a physical keyboard. It often uses an onscreen virtual keyboard, a passive stylus pen, or a digital pen. Besides having most PC capabilities, popular typical tablet computers include wireless Internet browsing functions, potential cellular functions, GPS navigation, and video camera functions. In many ways, the functions and purposes of laptops, tablets, and smartphones overlap.
TLS Transport Layer Security
Treasury Directive Publication (TD P) Documents that provide a baseline of IT security standards that apply to the Department of the Treasury bureaus, departmental offices (DO), Office of the Inspector General (OIG), and the Treasury Inspector General for Tax Administration (TIGTA), hereafter referred to collectively as bureaus.
Treasury Inspector General for Tax Administration (TIGTA) Provides oversight of the Department of Treasury matters involving Internal Revenue Service (IRS) activities, the IRS Oversight Board and the IRS Office of Chief Counsel.
U  

UEM
Unified Endpoint Managment
UNS User Network Services
UTC Coordinated Universal Time
V  

Virtual Private Network (VPN)
A computer network that links two computers or devices through an underlying local or wide area network, while encapsulating the data and keeping it private. It is comparable to a pipe within a pipe. Even though the outer pipe contains the inner one, the inner pipe has a wall that blocks other traffic in the outer pipe from mixing with the inner traffic. To the rest of the network, the VPN traffic just looks like another traffic stream.
W  

Wide Area Network (WAN)
A network that covers a broad area (i.e., any telecommunications network that links across metropolitan, regional, or national boundaries) using private or public network transports.
Wi-Fi Wireless Fidelity
Wi-Fi Protected Access (WPA) A security protocol and security certification program developed by the Wi-Fi Alliance to secure wireless computer networks.
WIPE A command or series of commands that resets the mobile device to its default factory condition and deletes all user data, including user-installed applications, stored on the device.
Wireless A technology that enables devices to communicate without physical connections (without requiring network or peripheral cabling).
Wireless Client A system or device that connects to an access point or another client directly via wireless connection.
Wireless Local Area Network (WLAN) Links two or more devices using some wireless distribution method (typically spread-spectrum or OFDM radio), and usually providing a connection through an access point to the wider Internet.

References

IRS Publications

  • IRM 1.4.6 , Resource Guide for Managers, Managers Security Handbook

  • IRM 10.2.x , Physical Security Program series

  • IRM 10.2.1 , Physical Security Program, Physical Security

  • IRM 10.2.8 , Physical Security Program, Incident Reporting

  • IRM 10.5.1 , Privacy and Information Protection, Privacy Policy

  • IRM 10.8.1 , Information Technology (IT) Security, Policy and Guidance

  • IRM 10.8.2 , Information Technology (IT) Security, IT Security Roles and Responsibilities

  • IRM 10.8.27 , Information Technology (IT) Security, Personal Use of Government Furnished Information Technology Equipment and Resources

  • IRM 10.8.50 , Information Technology (IT) Security, Service-wide Security Patch Management

  • IRM 10.8.52 , Information Technology (IT) Security, IRS Public Key Infrastructure (PKI) X.509 Certificate Policy

  • IRM 10.8.54 , Information Technology (IT) Security, Minimum Firewall Administration Requirements

  • IRM 10.9.1 , Classified National Security Information (CNSI)

Department of the Treasury Publications

  • TD P 85-01, Version 3.1.2 Treasury Information Technology (IT) Security Program, November 03, 2020

National Institute of Standards and Technology (NIST) Publications

  • NIST FIPS 199: Standards for Security Categorization of Federal Information and Information Systems

  • NIST FIPS 200: Minimum Security Requirements for Federal Information and Information Systems

  • NIST SP 800-53 Rev 5, Security and Privacy Controls for Information Systems and Organizations, December 10, 2020

  • NIST SP 800-53A Rev 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, December 2014 (includes updates as of December 18, 2014)

  • NIST SP 800-121 Rev 2, Guide to Bluetooth Security, May 2017

Defense Information Systems Agency (DISA) Publications

  • DISA UEM Agent SRG V1R1, January 3, 2021

  • DISA UEM Server SRG V1R1, January 3, 2021

  • STIGs are used as a basis for producing IRS Exhibit Checklists. The security checklists are updated as DISA releases updated guidance and are posted on the IRS Security Control Exhibit SharePoint site. The DISA version and release for each guide is contained within each checklist. Refer to the Security Requirements Checklists exhibit for additional information.

  • DISA security guides are available at: https://public.cyber.mil/stigs/