Background

Following Public Law 116-25, Taxpayer First Act, IRC Section 6103 was amended to incorporate contractors' compliance with confidentiality safeguards. Per Section 2004 of the Taxpayer First Act (TFA 2004), an agency shall not disclose federal tax information (FTI) to any contractor unless the agency makes sure proper safeguards are in place to protect the confidentiality of FTI.

Agency requirements

Effective January 1, 2023, all agencies that redisclose FTI to contractors must have requirements in effect to ensure all contractors keep federal tax information confidential.

To accomplish this, the agency must:

  • Conduct on-site reviews to determine contractor compliance every three years. If the duration of the contract is less than three years, conduct a review at the midpoint of the contract. Contracts with a duration less than six months will not require an on-site review.
  • Annually submit findings from the most recent on-site reviews to the Office of Safeguards.
  • Certify that contractors are following the Safeguards requirements for the most recent annual period.

TFA documentation

TFA 2004 contractor worksheet

All state, local and federal agencies must provide the following information for all contractors or other agents receiving FTI:

  • Contractor name
  • Contractor address
  • Description of the contract or agreement
  • Duration of the contract

Agencies must use the Office of Safeguards' TFA 2004 contractor worksheet and submit the worksheet with the annual Safeguard Security Report (SSR) attachments. Agencies must validate, update and submit the worksheet annually to make sure they're conducting appropriate on-site reviews in a timely manner. Safeguards will use the contract dates to determine if the agency conducted timely and appropriate on-site reviews and will validate the accuracy of the contractor data provided. The contractor worksheet will include instructions for completion and the proper naming convention to use when saving the document.

TFA 2004 on-site review template

The Office of Safeguards has prepared the TFA 2004 on-site review template that must be used by agencies when completing the required on-site reviews of their contractors who receive FTI. Completed TFA 2004 on-site review templates must be submitted with the annual SSR attachments. Safeguards will evaluate the on-site review results, take appropriate actions and use the results for the Risk Management Program. The on-site review template will include instructions for completion and the proper naming convention to use when saving the document.

State, local and federal agencies receiving FTI must submit a report of findings to the IRS and annually certify that contractors and other agents are following requirements to safeguard FTI. Additionally, all contracts and service-level agreements must have the appropriate language, per Publication 1075, Exhibit 7. This gives the contractor notice of the confidentiality and security requirements for FTI.

SSR certification of contractors

Agencies are required to include certification that appropriate safeguards are in place for contractors on the SSR annually and include documentation of the reviews conducted by the agency.

The SSR is a living document, so agencies may need to transfer prior report information to the blank SSR template with the TFA Section 2004 certification. If an agency requires the blank SSR template with TFA Section 2004 certification, the agency should contact the SafeguardReports@irs.gov mailbox to request a blank SSR document. As part of the SSR submission, the agency must certify that each contractor for which it conducted an on-site review has satisfied or will satisfy the test control failures found during the contractor on-site review to meet Office of Safeguards' requirements. The agency adds the certification statement signed by the head of the agency to the SSR on the certification page.

TFA submission

Agencies must use templates from the Office of Safeguards when submitting the contractor worksheet and on-site review templates as attachments with the SSR. Submit TFA 2004 documents as a separate SecureZip file with the SSR. Send the SSR, SSR attachments and TFA 2004 attachments electronically to the Office of Safeguards using one of these methods:

  • SDT, if the agency participates in the SDT program.
  • Email to Safeguards mailbox at safeguardreports@irs.gov. Send email transmissions by an IRS-approved encrypted method.

Name the TFA 2004 SecureZip file clearly and follow a standardized naming convention, such as the following:

  • Agency Code - XXXXX (ex. ME000)
  • Agency Type - YYY (ex. DOR, SWA, CS, HS, ACA, HS-ACA)
  • Attachment Type - TFA
  • Date - yyyy (ex. 2023)
  • Example: ME000-DOR-TFA-2023.zip

TFA resources