ÐÇ¿ÕÌåÓýÊÖ»ú¶Ë

To comply with the Department of the Treasury, ISC, and IRS protection policies and standards, the IRS has established physical security methods of providing protection to protect IRS facilities, personnel, and assets.

, June 15, 2011

Homeland Security Presidential Directive (HSPD): Policy for a Common Identification (ID) Standard for Federal Employees and Contractors

, Treasury Security Manual - Treasury Security Functions and Programs

, Insider Threat Program

The Chief, FMSS prescribes and oversees methods of providing protection policies and guidance.

FMSS AD, Security:

BU managers must determine what assets and information within their unit require additional protection using the methods outlined in this policy and implement appropriate protection.

FMSS Operations ADs and Territory Managers (TM) direct FMSS Security Section Chiefs (SSC) and oversee the implementation of this IRM.

FMSS SSCs in each territory implement and enforce IRS policy and procedures for physical security issues within their assigned territory.

All IRS managers:

All employees and contractor employees must:

Program Reports:

Program Effectiveness:

Review security requirement reports located in the system of record to ensure program deliverable are met timely and the SSC is notified of identified deficits.

The following terms and acronyms are used throughout this IRM.

Document 12963, A Guide to the Office of Employee Protection Programs

Document 13402, Desk Guide for Workplace Violence Prevention

IRM 3.10.72, Receiving, Extracting, and Sorting

IRM 1.22.5, Mail Operations

IRM 10.2.1, Physical Security

IRM 10.2.5, Identification Media

IRM 10.2.18, Physical Access Control (PAC)

IRM 10.5.1, Privacy and Information Protection, Privacy Policy

IRM 10.9.1, Classified National Security Information (CNSI)

, Appendix B

The use of specialized security equipment to detect security breaches is an essential component to providing security-in-depth for IRS facilities such as Intrusion Detection Systems (IDS) and VSS.

The IRS utilizes both IDS and duress alarms in IRS facilities. These alarms are tested annually and when deemed necessary, by an FMSS alarm service vendor.

For facilities with alarm keypad operations:

IRS employees who work directly with taxpayers must familiarize themselves with the location and operation of duress alarms.

Only assigned FMSS Physical Security personnel or approved contractor employees are authorized to adjust, relocate, or remove security systems and alarms.

All issues relating to IDS or duress alarms should be reported to the assigned FMSS Physical Security staff, or as noted below in IRM 10.2.14.5.1, Security Hazards.

VSS is an essential IRS physical security countermeasure used for personnel protection, documentation, crime prevention, and investigation. To support these efforts, position and direct VSS viewing fields to achieve the best possible coverage of IRS facilities, properties, or space. Facility or maintenance personnel must trim foliage that obstructs VSS fields of view.

FMSS Physical Security determines IRS VSS requirements using security criterion from The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard Appendix B and IRS-FMSS Physical Security Design Manual. VSS layout will vary at each facility, based on its designated FSL and Facility Security Assessment (FSA).

Cameras must be placed so the employee, their desktop, and computer screen are not observable to ensure the protection of personally identifiable information (PII) and federal taxpayer information (FTI).

Requests for all security recordings will be reviewed and approved or denied by the FMSS SSC or TM.

VSS equipment used in IRS facilities must comply with the requirements outlined in H.R. 5515 - John S. McCain National Defense Authorization Act for Fiscal Year 2019 and subsequent federal guidance. Contact the FMSS AD, Security for a comprehensive list of prohibited telecommunications, VSS, equipment, and other items. The approved manufacturers can be found in the Security Scope of Work Template located on the FMSS Security Program¡¯s SharePoint site.

In accordance with Document 12829, General Records Schedule (GRS) - 5.6: Security Management Records, published by National Archives and Records Administration (NARA), video surveillance footage will be saved for 30 days. For storage requirements beyond 30 days, SSCs may submit justification via email to FMSS AD, Security.

Only authorized video analytics software must be used at IRS facilities.

FMSS AD, Security must approve by email, in advance, video analytics software purchases and installations not previously approved and utilized by IRS. The approved manufacturers can be found in the Security Scope of Work Template located on the FMSS Security Program¡¯s SharePoint site.

Effective safeguarding of IRS facilities, personnel and assets is reliant upon assuring that only authorized personnel, vehicles, and material are authorized for access and/or exit. Examples of access control include:

Facilities equipped with EPACS must utilize this system as the primary method for gaining access. It is crucial to avoid using mechanical keys to bypass EPACS, as electronic access is employed, for example, to determine who is present within a facility during emergencies and to strengthen the Insider Threat Program.

FMSS Physical Security is responsible for managing master keys, IRS perimeter door keys, and unissued controlled/limited area keys.

BUs will manage their own office and storage keys, as well as combinations for door cipher locks, security containers, safes, and vaults. All new keys created for locks in a system will be cut to work with the facility master key.

BU managers should annually conduct an internal key inventory of all office keys within the BU by the end of each fiscal year. Assigned FMSS Physical Security staff are available to provide support, as necessary by the end of each fiscal year.

Use Form 1930-D, Key Custody Receipt, to issue all facility access and limited/controlled area door keys. Complete the Form 1930-D, obtain all required signatures, and the issuing authority (FMSS or BU Manager) will maintain this record until the issued key is returned.

Security area access door lock keys must be:

Store limited/controlled area keys not in personal custody of an authorized IRS employee in a security container.

Keep security area key and combinations issuance to the absolute minimum. Issue keys and combinations only to those individuals, preferably supervisors, who require after-hours access to the area.

The SSC implements key control program policy requirements and guidelines by doing the following:

The FMSS KCO will:

The assigned FMSS SSC or designee must approve duplicate/additional key requests for perimeter doors, and limited/controlled area doors.

FMSS Physical Security staff maintains all master keys (a key that can open all applicable IRS space with the exception of Criminal Investigations space) in a central location. Properly identify master keys to their corresponding doors. Exceptions may exist where the area is required to be ¡°off-master.¡±

BUs must limit key issuance to persons requiring access to an area, room, or container, and keep on-hand and issued keys to a minimum. A ¡°Master Key¡± is issued to a limited number of personnel selected by the facility¡¯s issuing authority. Master keys will not be issued to more than 5% of an office population except when there are a small number of IRS employees in a post of duty.

FMSS Physical Security staff maintains extra locks and padlock cores supplies. FMSS provides two keys for each container (lateral) and padlock (upright with bar lock) to maintain security container (lateral and upright) integrity. If the central core of a security container lock or padlock is replaced with a non-security lock core, or has more than two keys, it is not considered secured.

EPACS is the IRS equipment used to selectively authorize or restrict access to a facility/space in response to Homeland Security Presidential Directive-12 (HSPD-12). HSPD-12 requires all departments and agencies to use HSPD-12 credentials to gain access to federally controlled facilities. EPACS allows or prevents access of personnel to a building, a room, or security area quickly and effectively while minimizing risk.

EPACS is the technical solution for electronic physical access control in the IRS. Where feasible, access to IRS facilities or space will be managed by installing EPACS in accordance with applicable current standards.

The FMSS SSC will determine where EPACS is installed based on space configuration, type of existing hardware, type of partition walls, FSA results, and ISC Standards. Submit requests for policy deviations by email via FMSS AD Operations to FMSS AD, Security for review.

EPACS maintains records of access control system activity, user permissions, and facility configuration. Per Treasury Security Manual (TD P 15-71), ¡°Access control systems must provide auditable records of access.¡± EPACS can notify security staff of attempts to gain unauthorized access or to tamper with or bypass the access control equipment.

Commercial video doorbells may be utilized in IRS to remotely view visitors but may not be used to remotely unlock doors, as it violates Information Technology (IT) and visitor escort policy.

BU managers must use the automated HRConnect SEC Module to certify facility access door key return/recovery from separating employees.

BU managers must:

FMSS Physical Security staff routinely accesses the HRConnect SEC module to:

The IRS has four types of mailrooms per IRM 1.22.5, Mail Operations:

While the threat of attack through the mail is rated low by the ISC, the IRS remains vulnerable to chemical, biological, or radiological (CBR) dispersal, and explosive devices transmitted through mail or delivery services.

All designated mailrooms and mail opening areas must have safe/suspicious mail handling and incident reporting procedures posted for all mail opening employees and/or contractor employees to view.

Reporting an incident:

Incidents other than mail security may be reported per IRM 10.2.8, Incident Reporting, to SAMC through any of the following methods:

X-ray machines and/or metal detectors are leased from FPS and utilized to scan for suspicious or prohibited items in packages, mail, or carried on a person. PSOs assigned to IRS facilities are specifically trained and tasked to screen and identify suspicious objects.

For FSL III - V facilities:

Due to the danger of explosives being shipped and detonated during mail handling, the ISC identifies security criterion based on the FSL of the facility. Refer to ISC Risk Management Process for Federal Facilities Appendix B: Countermeasures.

Drop boxes, or any container used for the purpose of collecting items such as payments, mail, or information without human-to-human interaction are strictly prohibited.

Facility Occupant Emergency Planning - The Occupant Emergency Plan (OEP) is the guide to ensure the IRS workforce is prepared and trained to respond to emergencies within each facility. Refer to IRM 10.2.9, Occupant Emergency Program, for more information.

Workplace Violence - FMSS authored Document 13402, Desk Guide for Workplace Violence Prevention and Response, to assist managers and employees. There are four categories of workplace violence:

Domestic Violence, Sexual Assault, and Stalking - Human Capital Office (HCO) has centralized support information on the Domestic Violence, Sexual Assault, and Stalking website.

Employee Protection - Privacy, Governmental Liaison, and Disclosure (PGLD) oversees two programs to identify taxpayers who represent a potential danger to employees: Caution Upon Contact (CAU) and Potentially Dangerous Taxpayer (PDT). IRS employees who have duties requiring taxpayer contact should be aware of both programs and can find information on the Office of Employee Protection website and Document 12963, A Guide to the Office of Employee Protection Programs.

Trash containers, mailboxes, donation/recycle containers, vending machines, and other similar objects must be positioned a minimum of 33 feet from building exterior and entry/exit points, or implement blast containment measures to mitigate an explosion, in accordance with ISC Standard, Appendix B.

ISC Standard, Appendix B Countermeasures references ¡°Heightened Security Alerts¡± and provides options relating to countermeasures based on the FSL. When localized risk increases, and upon notification of FPS, local law enforcement, or other federal agencies, SSCs must coordinate with FPS to review and implement the below, or other recommended countermeasures.

At least annually, each BU must determine what items and information require protection beyond that of being in secure IRS space and establish internal procedures and controls to safeguard required items. There are four types of protection for consideration:

Normal Security is the IRS standard and is appropriate for the majority of protected items. IRS space is designated as a controlled area and all visitors and contractor employees must be escorted unless they have been granted staff-like access by HCO Personnel Security. Additionally, the IRS has adopted general clean desk and containment objectives for the protection of taxpayer, privacy act, and other protected data.

For some items, such as Sensitive but Unclassified (SBU), Controlled Unclassified Information (CUI), or personal identifiable information (PII), a standard locked container is sufficient.

Locked containers are any lockable metal container with riveted or welded seams. All key and combination locks must be controlled by the BU with oversight of the area with the same level of protection for the items being protected.

A security container will be used for storing items which BUs or applicable federal regulations determine require a higher level of security, IRS utilizes either GSA-approved Class 5 or 6 security containers. All security containers must be marked on the outside of the front face of the containers ¡°GSA Approved Security Container¡± and must be purchased through GSA Global Supply.

Class 5 security containers have several types:

Class 6 security containers are specifically approved for storage of CNSI and must be equipped with a Federal Specification FF-L-2740B compliant combination lock.

Containers in need of repair must be serviced by a GSA certified technician to maintain the certification of the container.

All combinations must be controlled by the BU owning the security container.

The IRS has numerous areas which require additional protection due to the importance of their function or sensitivity of the information or assets. The degree of security and access control these areas require depends on the nature, sensitivity, and/or importance of the information and assets safeguarded. Examples include:

The IRS utilizes two types of security areas to restrict access - Controlled and Limited Areas:

Managers may request their territory SSC to determine if additional levels of access control may be beneficial.

Each BU manages combinations for their door cipher locks, security containers, safes, and vaults.

Door cipher locks must be programmed to a minimum four-digit combination. Three-digit combinations are more susceptible to compromise than four-digit combinations.

In accordance with TD P 15-71, the combination lock must be changed under any of the following conditions:

Use IRS Service Central (IRWorks) to request all combination changes. Limit combination issuance to those with a need to access the area, room, or container. Maintain security container combinations by using Standard Form (SF) 700, Security Container Information (the form has three parts).

Maintain safe and vault combination records (Parts II & III of SF700) centrally within the local BU management office.

Place all completed SF700 forms in a container with the same or higher security classification as the highest classified material stored in the container, or security area.

The IRS has adopted general clean desk and containment objectives for the protection of taxpayer, privacy act, and other protected data. There are certain areas, such as Submission Processing Centers, campuses, and computing centers, where the full implementation of clean desk and/or containerization procedures are not appropriate.

PSO services are provided for IRS facilities by the Department of Homeland Security (DHS)/FPS. DHS/FPS is solely responsible for the management and oversight.

Any incidents or concerns relating to the performance of PSOs must be reported through SAMC and assigned Physical Security staff.

Questions relating to guard services or request for changes will be submitted through IRS Service Central (IRWorks).

Explosive Detection Canine Teams (EDCT) provide support to IRS facilities based on identified risks. EDCT consists of a dog and handler and are utilized to inspect all incoming mail, packages, and other deliveries being made to IRS facilities prior to delivery and receipt by IRS personnel.

EDCTs also conduct roving patrols, random security inspections, and provide emergency response to security incidents. EDCTs may be utilized to support OEPs, Continuity of Operations, and law enforcement partners (e.g., CI, TIGTA, federal or local law enforcement), upon request.

IRS facilities are protected with various security systems and equipment to deter and detect security breaches. To maintain an effective security posture, it¡¯s vital that security hazards are reported and monitored to resolution. Example of security hazards include but are not limited to:

Most security hazards are identified by FPS personnel and PSOs during security patrols but reports from IRS personnel are encouraged and not uncommon.

IRS personnel must report issues directly to PSOs, to assigned Physical Security staff, or open an IRS Service Central (IRWorks) case.

Assigned Physical Security staff will:

All suspicious activity or items must be reported immediately to assigned PSOs, Physical Security staff, or through a SAMC report submission. Examples of suspicious activity or items include but are not limited to: