US Internal Revenue Service Publication 1075

Internal Revenue Service Publication 1075 (IRS 1075) provides guidance for US government agencies and their agents that access federal tax information (FTI) to ensure that they use policies, practices, and controls to protect its confidentiality. IRS 1075 aims to minimize the risk of loss, breach, or misuse of FTI held by external government agencies. For example, a state Department of Revenue that processes FTI in tax returns for its residents, or health services agencies that access FTI, must have programs in place to safeguard that information.

To protect FTI, IRS 1075 prescribes security and privacy controls for application, platform, and datacenter services. For instance, it prioritizes the security of datacenter activities, such as the proper handling of FTI, and the oversight of datacenter contractors to limit entry. To ensure that government agencies receiving FTI apply those controls, the IRS established the Safeguards Program, which includes periodic reviews of these agencies and their contractors.

Microsoft Azure Government and Microsoft Office 365 U.S. Government cloud services provide a contractual commitment that they have the appropriate controls in place, and the security capabilities necessary for Microsoft agency customers to meet the substantive requirements of IRS 1075.

These Microsoft cloud services for government provide a platform on which customers can build and operate their solutions, but customers must determine for themselves whether those specific solutions are operated in accordance with IRS 1075 and are, therefore, subject to IRS audit.

To help government agencies in their compliance efforts, Microsoft:

Offers detailed guidance to help agencies understand their responsibilities and how various IRS controls map to capabilities in Azure Government and Office 365 U.S. Government. The IRS 1075 Safeguard Security Report (SSR) thoroughly documents how Microsoft services implement the applicable IRS controls, and is based on the FedRAMP packages of Azure Government and Office 365 U.S. Government. Because both IRS 1075 and FedRAMP are based on NIST 800-53, the compliance boundary for IRS 1075 is the same as the FedRAMP authorization.

The IRS must explicitly approve the release of any IRS Safeguards document, so only government customers under NDA can review the SSR.
Makes available audit reports and monitoring information produced by independent assessors for its cloud services.
Provides to the IRS Azure Government Compliance Considerations and Office 365 U.S. Government Compliance Considerations, which outline how an agency can use Microsoft Cloud for Government services in a way that complies with IRS 1075. Government customers under NDA can request these documents.
Offers customers the opportunity (at their expense) to communicate with Microsoft subject matter experts or outside auditors if needed.

Frequently asked questions

Expand all

How does Microsoft address the requirements of IRS 1075?

Microsoft regularly monitors its security, privacy, and operational controls and NIST 800-53 rev. 4 controls required by the FedRAMP baseline for Moderate Impact information systems. It provides quarterly access to this information through continuous monitoring reports. Azure Government and Office 365 U.S. Government customers can access this sensitive compliance information through the Service Trust Portal.

In addition, Microsoft has committed to including IRS 1075 controls in its master control set for Azure Government and Office 365 U.S. Government, and to auditing against them annually.

Can I review the FedRAMP packages or the System Security Plan?

Yes, if your organization meets the eligibility requirements for Azure Government and Office 365 U.S. Government. Contact your Microsoft account representative directly to review these documents. You can also refer to the FedRAMP list of compliant cloud service providers.

Can I use the Azure or Office 365 public cloud environments and still be compliant with IRS 1075?

No. The only environments where FTI can be stored and processed are Azure Government or Office 365 U.S. Government. Government customers must meet the eligibility requirements to use these environments.

Audit and authorizations

Compliance with the substantive requirements of IRS 1075 are covered under the FedRAMP audit every year.

Microsoft in-scope cloud services

Expand all

Covered services include:

Azure (at the Moderate Impact Level):

Azure Active Directory, Application Gateway, Cloud Services, Key Vault, Multi-Factor Authentication, Load Balancer, SQL Database, Storage, Traffic Manager, Virtual Machines, Virtual Network, and VPN Gateway

Azure Government (at the High Impact Level):

App Service: Web Apps, Application Gateway, Automation, Azure Active Directory*, Azure Government Portal, Azure Resource Manager, Backup, Batch, Cloud Services, Compute Resource Manager, Event Hubs, ExpressRoute, HDInsight, Key Vault, Load Balancer, Log Analytics, Media Services, Network Resource Provider, Notification Hubs, Redis Cache, Scheduler, Service Bus, Site Recovery, SQL Data Warehouse, SQL Database, Storage, Storage Resource Provider, StorSimple, Traffic Manager, Virtual Machines, Virtual Network, and VPN Gateway

*Note: The use of Azure Active Directory within Azure Government requires the use of components that are deployed outside of Azure Government on the Azure public cloud.

Dynamics 365 U.S. Government detailed list
Office 365 and Office 365 U.S. Government detailed list
Office 365 U.S. Government Defense
Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite

Recommended resources

See all resources

Contact Trust Center

Need help evaluating our products? Can’t find the information you need?

Current cloud services customers
Contact your Microsoft account representative.
Not a cloud services customer?
Contact Microsoft sales and support

Looking for general technical support?

Contact Microsoft support