Introduction Whether currently in use or planned to be deployed, federal tax information (FTI) safeguarding measures required by the IRS Office of Safeguards must be in place given the security vulnerabilities associated with Integrated Eligibility Systems (IES). This document provides the policy requirements for ensuing the confidentiality of FTI is maintained by agencies that utilize IES. Integrated Eligibility Systems (IES) present opportunities for agencies to provide a convenience to clients as well as replace legacy agency systems. The migration and protection of FTI in this new system creates new risks to FTI and properly restricting access to FTI housed in these new systems is necessary for Internal Revenue Code (IRC) § 6103 compliance. An IES utilizes an efficient single point of entry that will allow seamless eligibility processing for applicants requesting assistance. The system generally supports eligibility for: Medicaid and Children’s Health Insurance Program (CHIP), Temporary Assistance for Needy Families (TANF), the Supplemental Nutrition Assistance Program (SNAP) and Other state-administered assistance programs, such as Women, Infants and Children (WIC), Child Care and the Low Income Home Energy Assistance Program (LIHEAP) as well as Child Support Services. Access to certain federal tax information (FTI) by contractors or by multiple agencies within the same application is generally prohibited. However, with proper approval from the IRS Office of Safeguards, access of FTI utilizing an IES may be granted in situations evaluated by IRS. The following guidelines must be followed. FTI is obtained under various Internal IRC § 6103 disclosure authorities but may not be shared across programs nor accessed by state agency employees for unauthorized program uses. State information technology (IT) officials are generally engaging contractors to design, develop and implement these integrated systems. State agencies authorized to receive FTI from the IRS Disclosure of Information to Federal, State and Local Agencies (DIFSLA) and SSA Beneficiary Earnings Exchange Record (BEER) to administer TANF, SNAP and Medicaid programs under the authority of IRC § 6103(l)(7) are prohibited to contract for services that allow disclosure or access to the FTI. State child Support Enforcement Agencies (CSEA) authorized to use FTI under IRC § 6103 (l)(6), (l)(8), and (l)(10) may only permit contractor access for purposes of collection and disbursement of child support payments with limited access to FTI - only the address, SSN, and the amount of the refund offset, for the purposes of establishing and collecting child support obligations as provided by IRC § 6103(l)(6)(B). Agency contractors with access to FTI received under IRC § 6103(l)(6), (l)(7), (l)(8), or (l)(10) must have an encryption barrier in place during migration. IES may contain FTI received under various code authorities from multiple agencies within the one system. IES can contain information provided to Medicaid/ACA agencies under IRC § 6103(l)(21), SNAP, TANF, Medicaid under IRC § 6103(l)(7), Child Support Agencies FTI provided under IRC § 6103 (l)(6), (l)(8) and (l)(10). The IRC does not permit the sharing or access of FTI with other state agencies. FTI can only be used for the purpose it was provided to the agency under the code authority it was provided. Additionally, information must be segregated so only the authorized individuals have access to the FTI obtained from their perspective code authority. The IRS does not have the authority to “approve” a contractor’s access to FTI (unencrypted) in violation of IRC § 6103, where contractor access is prohibited under IRC § 6103(l)(6), (l)(7), (l)(8) or (l)(10). However, it has been determined in the best interest of tax administration, not under the agency’s existing IRC § 6103 authority, that IRS may authorize an agency’s vendor to perform this data migration activity. Requirements for contractor access to restricted FTI in an integrated eligibility system To utilize an IES that contains FTI, the agency must meet the following requirements: 45 Day Notification process outlined in Publication 1075 must be followed, If a contractor is being utilized with access to FTI, special procedures must be followed, All FTI must be encrypted in transit end-to-end, FTI must be segregated by IRC 6103 code authority, Agency Oversight and Safeguard Security Report (SSR) These requirements are explained in detail in the sections below. 1. 45-day notification reporting requirements IRC § 6103 limits the usage of FTI to only those purposes explicitly defined. Due to the security implications, higher risk of unauthorized disclosure and potential for unauthorized use of FTI based on specific activities conducted, the Office of Safeguards requires advanced notification (45 days) prior to implementing certain operations or technology capabilities that require additional uses of the FTI. All agencies intending to re-disclose FTI to contractors must notify the IRS at least 45 days prior to the planned re-disclosure. Contractors consist of, but are not limited to: cloud computing providers, consolidated data centers, off-site storage facilities, shred companies, IT support and tax modeling/revenue forecasting providers. The contractor notification requirement also applies when the contractor hires additional subcontractor services. Approval is required if the (prime) contractor hires additional subcontractor services in accordance with Exhibit 6, Contractor 45-Day Notification Procedures. 2. Contractor FTI access Agencies must ensure that contractor access to systems that receive, process, store or transmit FTI is restricted. This distinction should be made at an agency level after determination of whether contractors can access FTI. Contractor access to systems for the purposes of development and deployment must also be restricted where FTI is determined to be in use. In this event, specific timeframes for contractor access must be listed on the 45-Day Notification which will be agreed upon by the agency and the Office of Safeguards. The agency must implement encryption as a barrier to contractors and the agency must retain the encryption keys. The only FTI access administrators would have with these methods in place is delete only access. Contractors with access to FTI must receive FTI awareness training and all contracts with the agency must contain the Exhibit 7 Safeguarding Contract Language. This written agreement for services must be documented and included with the 45 Day Notification request. 3. FTI encrypted in transit All electronic transmissions of FTI must be encrypted using the latest FIPS 140 validated mechanism. A product does not meet the latest FIPS 140 requirements by simply implementing an approved security function. Only modules tested and validated to the latest FIPS 140 standards meet the applicability requirements for cryptographic modules to protect sensitive information. NIST maintains a list of validated cryptographic modules on its website. 4. FTI segregated by IRC 6103 code authority The FTI must be physically/logically segregated by code authority (i.e. data set) and access restricted by system processes and applications for authorized program uses. Agency personnel can only have access to FTI provided under the code authority to their agency. FTI is not permitted to be shared among agencies nor re-disclosed to other agencies. Steps must be taken to ensure FTI contained within an IES are segregated by agency for both back end database and front end application access. Access should be authorized for information systems that receive, process, store or transmit FTI based on a valid access authorization, need-to-know permission and under the authority of the provisions of IRC § 6103. 5. Agency oversight For any situations where any FTI received under IRC § 6103 (l)(6), (l)(7), (l)(8) or (l)(10) is unencrypted during data conversion or any other process, security measures to protect the FTI must be in place. An authorized state employee must be present onsite and oversee the vendor providing the service during the process. The work must be performed at an approved state facility, not at a vendor site and all appropriate safeguard controls must be in employed (i.e. production level system controls, training certifications, data segregation, labelling, etc.) 6. Safeguard Security Report (SSR) Agencies must update and submit their annual SSR by the current Publication 1075 deadline. The new IES system must be outlined and information detailing the other agencies who have access to the system and what security measures have been taken to segregate the data on the system as well as limit the roles of each user to their applicable FTI data must be detailed. References Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies PDF NIST SP 800-53 Revision 5, Recommended Security Controls for Federal Information Systems and Organizations PDF NIST SP 800-123, Guide to General Server Security PDF