Using AWS for compliance with Internal Revenue Service (IRS) Publication 1075

Internal Revenue Service Publication 1075 (IRS 1075) provides guidance for US government agencies, agents, and contractors that access Federal Tax Information (FTI), to make sure they use policies, practices, controls, and safeguards to protect FTI confidentiality and integrity of FTI throughout its lifecycle. FTI consists of federal tax returns and return information, and may contain personally identifiable information (PII) such as the taxpayer’s identity, and the nature, source, or amount of their income.

Safeguarding FTI is critical to agencies that receive, process, store or transmit FTI. Amazon Web Services (AWS) and AWS Partner programs enable agencies to protect FTI and the confidential relationship between the taxpayer and the IRS.

IRS 1075 compliance for federal government

IRS 1075 defines 12 mandatory requirements for US government agencies and their agents to receive, transmit, store, or process FTI in the cloud. Agencies maintaining FTI within cloud environments must utilize Federal Risk and Authorization Management Program (FedRAMP) authorized services. FedRAMP uses the security controls defined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. All FTI must physically reside in systems located within the US, and all access and support of such data is to be performed from the US. FTI must be encrypted at rest and in transit within the cloud environment using Federal Information Processing Standards (FIPS) 140-2 compliant encryption module(s).

AWS GovCloud (US) and AWS US East-West Regions are FedRAMP compliant systems. AWS US East-West has been granted multiple Agency Authorizations (A-ATO) for moderate impact level. AWS GovCloud (US) has been granted a Joint Authorization Board Provisional Authorization (JAB P-ATO) and multiple A-ATOs for high impact levels including FedRAMP High. FedRAMP authorization includes assessment by an accredited independent third-party assessment organization (3PAO) and subsequent review and authorization by a federally authorized Joint Authorization Board (JAB). For an updated list of FedRAMP authorized services, see AWS Services in Scope by Compliance Program.

AWS has experience working with the IRS to make sure these IRS 1075 requirements for storing and processing FTI are met, enabling customers to host their IRS 1075 compliant workloads in these AWS Regions.

IRS 1075 security guideline nuances for state and local government agencies

There are limitations around obtaining FTI as defined by IRS 1075 for state and local government agencies. Further, IRS 1075 indicates how to develop a process or policy for data warehousing security that meet baseline security requirements as defined in NIST SP 800-53, for state and local government agencies.

The Authority to Operate (ATO) on AWS Program, an initiative focused on accelerating and simplifying security and compliance processes for AWS public sector customers and partners, provides guidance on IRS 1075 compliance to US government agencies for their workloads. The program also offers a community of AWS Partners that offer expertise and resources for customers in regulated markets. Talatek, for instance, delivers governance, risk, and compliance managed services with a focus on compliance goals that are aligned to business outcomes.

Many key members of the AWS Partner Program can enable agencies to show compliance with IRS 1075. TalaTek is an AWS Partner and a member of the ATO on AWS Program. “For the past six years TalaTek has supported government agencies’ implementation of IRS 1075 as part of their workloads and in compliance with their continuous monitoring and risk management programs. Efforts include recommending strategies to keep data secure and accessible according to the IRS requirements, in addition to the NIST 800-53 Rev 4.0 controls. Talatek provides system of record for organization monitoring of said controls through the TalaTek Intelligent Governance and Risk Integrated Solution (TiGRIS) platform,” said Baan Alsinawi, president, TalaTek. “Through the ATO on AWS partnership, AWS has also provided security focused solution offerings and the ability to seamlessly deploy them, as TalaTek continues to deliver security and risk management services for commercial and government entities at the local, state, and federal level. Part of supporting those programs entail continuously meeting new requirements that are put into practice.”

If you are interested in learning more about how AWS can enable your compliance with IRS 1075 for government workloads, or are an AWS Partner Network (APN) Public Sector Partner interested in IRS 1075 on AWS, contact the ATO on AWS team.

AWS customers who are subject to the IRS 1075 requirements can find more information and guidance on how AWS can enable your compliance. Visit our AWS IRS 1075 webpage to learn more and check out our whitepaper.

AWS delivers highly available, secure, and compliant cloud technology with the security, compliance, and reliability government agencies require to carry out their critical mission. Get started with AWS in deploying mission critical, secure, and compliant workloads in the AWS Cloud; contact us and learn more about the cloud for government.