US Internal Revenue Service Publication 1075
Internal Revenue Service Publication 1075 (IRS 1075) provides guidance for US government agencies and their agents that access federal tax information (FTI) to ensure that they use policies, practices, and controls to protect its confidentiality. IRS 1075 aims to minimize the risk of loss, breach, or misuse of FTI held by external government agencies. For example, a state Department of Revenue that processes FTI in tax returns for its residents, or health services agencies that access FTI, must have programs in place to safeguard that information.
To protect FTI, IRS 1075 prescribes security and privacy controls for application, platform, and datacenter services. For instance, it prioritizes the security of datacenter activities, such as the proper handling of FTI, and the oversight of datacenter contractors to limit entry. To ensure that government agencies receiving FTI apply those controls, the IRS established the Safeguards Program, which includes periodic reviews of these agencies and their contractors.
Microsoft Azure Government and Microsoft Office 365 U.S. Government cloud services provide a contractual commitment that they have the appropriate controls in place, and the security capabilities necessary for Microsoft agency customers to meet the substantive requirements of IRS 1075.
These Microsoft cloud services for government provide a platform on which customers can build and operate their solutions, but customers must determine for themselves whether those specific solutions are operated in accordance with IRS 1075 and are, therefore, subject to IRS audit.
To help government agencies in their compliance efforts, Microsoft:
- Offers detailed guidance to help agencies understand their responsibilities and how various IRS controls map to capabilities in Azure Government and Office 365 U.S. Government. The IRS 1075 Safeguard Security Report (SSR) thoroughly documents how Microsoft services implement the applicable IRS controls, and is based on the FedRAMP packages of Azure Government and Office 365 U.S. Government. Because both IRS 1075 and FedRAMP are based on NIST 800-53, the compliance boundary for IRS 1075 is the same as the FedRAMP authorization. The IRS must explicitly approve the release of any IRS Safeguards document, so only government customers under NDA can review the SSR.
- Makes available audit reports and monitoring information produced by independent assessors for its cloud services.
- Provides to the IRS Azure Government Compliance Considerations and Office 365 U.S. Government Compliance Considerations, which outline how an agency can use Microsoft Cloud for Government services in a way that complies with IRS 1075. Government customers under NDA can request these documents.
- Offers customers the opportunity (at their expense) to communicate with Microsoft subject matter experts or outside auditors if needed.
Frequently asked questions
Microsoft regularly monitors its security, privacy, and operational controls and NIST 800-53 rev. 4 controls required by the FedRAMP baseline for Moderate Impact information systems. It provides quarterly access to this information through continuous monitoring reports. Azure Government and Office 365 U.S. Government customers can access this sensitive compliance information through the Service Trust Portal.
In addition, Microsoft has committed to including IRS 1075 controls in its master control set for Azure Government and Office 365 U.S. Government, and to auditing against them annually.
Microsoft in-scope cloud services
Covered services include:
Azure Active Directory, Application Gateway, Cloud Services, Key Vault, Multi-Factor Authentication, Load Balancer, SQL Database, Storage, Traffic Manager, Virtual Machines, Virtual Network, and VPN Gateway
App Service: Web Apps, Application Gateway, Automation, Azure Active Directory*, Azure Government Portal, Azure Resource Manager, Backup, Batch, Cloud Services, Compute Resource Manager, Event Hubs, ExpressRoute, HDInsight, Key Vault, Load Balancer, Log Analytics, Media Services, Network Resource Provider, Notification Hubs, Redis Cache, Scheduler, Service Bus, Site Recovery, SQL Data Warehouse, SQL Database, Storage, Storage Resource Provider, StorSimple, Traffic Manager, Virtual Machines, Virtual Network, and VPN Gateway
*Note: The use of Azure Active Directory within Azure Government requires the use of components that are deployed outside of Azure Government on the Azure public cloud.