part1-21
-
Mission Assurance and Security Services (MA&SS) supports the vital mission of
the IRS by assuring the security and resilience of critical Agency functions and
business processes through risk-based decision-making. MA&SS is structured to
enable an integrated approach to meeting security needs. Six offices within
MA&SS shape the direction of its services and initiatives: Information
Technology Security; Physical Security and Emergency Preparedness; Personnel
Security and Investigations; the Office of Privacy and Information Protection;
Strategic Planning and Resources; and Audit Activity Management. Within these
offices are the organizations that perform the day-to-day activities that fulfill
the MA&SS mission.
-
The MA&SS organization reports to the Deputy Commissioner Operations
Support (DCOS) and is responsible for advising the DCOS and other IRS senior
executives on issues related to mission assurance and security.
-
The Information Technology (IT) Security Program ensures the confidentiality,
integrity, and availability of IRS electronic resources, services, and data.
The IT Security Director is responsible for interpreting Office of Management
and Budget (OMB), Federal Information Security Management Act (FISMA), Department
of the Treasury, and National Institute of Standards and Technology (NIST)
requirements, and incorporating them into IRS IT Security policy and programs.
The IT Security Director is charged with establishing policy and standards,
tracking compliance, identifying and mitigating threats, determining strategy
and priorities, monitoring program implementation, and providing day-to-day
security support to all IRS employees and contractors, applications, systems, and
data.
-
IT Security applies to all information systems owned or operated by, or on
behalf of, the IRS and to any information stored or processed by the IRS or on
its behalf. Specific areas of responsibility include certification and
accreditation of IRS systems and applications; implementation, oversight, and
reporting of IRS compliance with the legislative and regulatory requirements of
FISMA; developing and publishing enterprise IT Security policies based on NIST
guidance; maintaining and operating the IRS Computer Systems Incident Response
Center (CSIRC), including the Internet Misuse Monitoring Program; managing the
IRS IT Security Awareness Program; managing the IRS IT Security Training
Program; managing the security program for the Integrated Data Retrieval System
(IDRS); managing the System Audit Analysis System (SAAS); and coordinating
Enterprise Disaster Recovery. The IT Security Office consists of the following
organizations: IT Security Policies and Programs; the Certification Program
Office; the Computer Systems Incident Response Center and Information Systems
Disaster Recovery; and a Field organization further subdivided into Computing
Center IT Security Operations and Campus IT Security Operations (Eastern and
Western Regions).
-
Title III of the E-Government Act, entitled the Federal Information
Security Management Act (FISMA), requires each Federal agency to develop,
document, and implement an agency-wide information security program to provide
information security for the information and information systems that support
the operations and assets of the agency. The mission of the IT Security Policies
and Programs Division includes establishing IT security policy and standards
and tracking compliance with FISMA requirements. The Division is also charged
with managing the IT Security Awareness Program, the IT Security Training
Program, the security program for the Integrated Data Retrieval System (IDRS),
and the System Audit Analysis System (SAAS).
-
The Certification Program Office (CPO) performs the certification and
accreditation support for all IRS applications and systems being deployed,
upgraded, and maintained in the production environment. CPO reviews, analyzes,
and provides feedback on customer-submitted certification and accreditation
documentation. As part of that support, CPO coordinates the security test and
evaluations (ST&Es), which are conducted to provide an independent assessment
of the security controls of an information system, whether a major application
or a general support system (GSS).
-
The IRS Computer Systems Incident Response Center (CSIRC) and Information
Systems Disaster Recovery organization is responsible for preventing, detecting,
and responding to cyber security threats targeting IRS enterprise systems
and data. The CSIRC is equipped to identify, contain, and eradicate cyber
threats targeting IRS computing assets. The four major CSIRC operational functions
of prevention, detection, response, and reporting meet FISMA requirements
for incident response and reporting. In addition, CSIRC and the Information
Systems Disaster Recovery organization serve as the coordination point for
information systems disaster recovery planning and management.
-
The Information Technology Security Field Operations Computing Center
and Campus Security Operations (Eastern and Western Regions) integrates all
the components of IT Security to provide localized service and support in
all aspects of Information Technology Security and to ensure enterprise oversight
and compliance with corporate directives, policies, and requirements.
-
The Physical Security and Emergency Preparedness Office provides program
management and coordination to ensure that the disciplines of physical security
and emergency preparedness are operating in an integrated manner to serve
IRS facilities and critical business operations. The Physical Security and
Emergency Preparedness Office consists of fifteen Area and Territory Offices,
three Area Offices, and the Physical Security and Emergency Preparedness Program
Office.
-
The Physical Security and Emergency Preparedness Program Office supports
the creation of an operational environment within the IRS that is able to
withstand systemic discontinuities or catastrophic events. The Program Office
develops physical security and emergency management policies and procedures.
Specific areas of responsibility include physical security compliance reviews,
risk assessments, ID media, Occupant Emergency Plans, security guard services,
Incident Command Training, and support for Business Continuity Exercises.
In addition, the Program Office serves as the coordination point for Continuity
of Operations Planning (COOP) and management for IRS, and works with the Department
of the Treasury to manage the Critical Infrastructure Protection (CIP) program
for IRS.
-
The Area and Territory Offices ensure that the appropriate level of
physical security is maintained for all IRS facilities, personnel, and assets.
The Area and Territory Offices implement and execute agency-wide policy, procedures,
and standards to ensure that safeguards are in place for the protection of
IRS employees, tax returns, monies, property, facilities, and records. Specific
areas of responsibility include physical security compliance reviews, risk
assessments, ID media, and Occupant Emergency Plans. The Area and Territory
Offices serve as the “driver” in emergency situations, ensuring that the
requisite IRS organizations take action to meet customer needs and minimize
disruption to business.
-
The Personnel Security and Investigations Office ensures that the employment
or retention of employees at the IRS is consistent with the interests of national
security, the efficiency of the Federal service, and the integrity of the
tax system. The office conducts high-quality, fair, and impartial suitability
and security investigations in a timely manner to mitigate the risk of employing
untrustworthy or unsuitable individuals. The results of investigations are
then used to make determinations about allowing access to facilities, systems,
and/or data, or to grant access to classified information through issuance
of a National Security clearance. Within the Personnel Security and Investigations
Office there are three subordinate organizations: Policy, Planning, and Adjudications;
Field Operations; and National Background Investigations Center.
-
The Policy, Planning, and Adjudications organization provides overall
administration for the Personnel Security and Investigations Office by developing
and implementing policy, procedures, and guidance. It issues program guidance
and direction in accordance with Treasury standards. In addition, this
organization provides the resource support needed to carry out the investigative
workload of Personnel Security and Investigations, including planning and
budgeting and the management of information systems.
-
The Field Operations organization performs investigative activities
for personnel security investigations on applicants, IRS employees, contractor
employees, and other Treasury Bureau employees to provide a basis for determining
suitability for employment, or for access to IRS systems, data, facilities,
or National Security classified information.
-
The National Background Investigations Center (NBIC) performs personnel
security/suitability investigations on applicants, IRS employees, contractor
employees, and other Treasury Bureau employees to provide a basis for determining
suitability for employment, or for access to IRS systems, data, facilities,
or National Security classified information.
-
The Office of Privacy and Information Protection focuses on enabling
high taxpayer and employee confidence by ensuring the right people see the
right data in the right places and for the right reasons. The Office of Privacy
and Information Protection is made up of three programs: Privacy; Safeguards;
and Homeland Security Presidential Directive (HSPD) 12.
-
The mission of the Office of Privacy is to ensure that IRS policies,
procedures, and programs protect taxpayer and employee privacy. The Office
of Privacy will achieve its mission by institutionalizing privacy as a core
value across the IRS enterprise through its four program areas: Policies and
Procedures, Communications, Operations, and Assurance. The basis of its strategy
is the identification of IRS privacy vulnerabilities in collecting, sharing,
storing, and disposing of personal information, then making risk-based decisions
on privacy risk mitigation. The Office of Privacy has expanded its scope to
include the Unauthorized Access (UNAX) Program, Identity Theft Management
Program, and the Pseudonym Management Project.
-
The Office of Safeguards provides oversight to external recipient agencies
in protecting Federal tax information (FTI), and to internal customers in
protecting FTI, employee information, and other Official Use Only information
for contracting purposes. Safeguards ensures that agencies authorized to receive
FTI protect the data in accordance with policy and legal requirements. Safeguards
conducts sensitive but unclassified (SBU) contract document reviews for all new
contracts to ensure that the disclosure language adequately protects tax
information. To perform safeguard reviews, Safeguards personnel visit State child
support and welfare agencies and State and local taxing authorities, as well as
Federal agencies authorized to receive FTI.
-
The MA&SS portion of the Lockbox program was realigned to the Office of
Safeguards commencing FY 2007 to effect a consistent standard. On-site reviews
of Lockbox Banks, which are authorized to process remittances as part of the
IRS mission-critical business function, are also conducted in accordance with
the Lockbox Security Standards and in coordination with the Financial
Management Service (FMS).
-
The Homeland Security Presidential Directive 12 (HSPD-12) Program Office
is a centralized management organization chartered to lead the implementation
of a Treasury-wide enterprise solution for HSPD-12 compliance. This program
encompasses the Treasury-wide plan for the definition and implementation of
products and operational systems to issue smart-card credentials to all Treasury
employees and contractors. These smart-card credentials will conform to HSPD-12
policy, FIPS 201-1, and the associated NIST SP 800-series Special Publications.
The Treasury HSPD-12 Program Management Office (PMO) will coordinate and direct
the establishment of a Personal Identity Verification (PIV) infrastructure that
includes an Identity Management System (IDMS), a Card Management System (CMS),
an Enrollment System, and a Card Production and Personalization System, to issue
electronically readable credentialing smart-cards to Treasury employees and
contractors as a common platform for identity and authentication.
-
The Strategic Planning and Resources Office provides planning, program
management, integration, and resource management support to all MA&SS
organizations. This office spearheads the development of strategic and program
plans which serve as the basis for budget submissions. By serving as an integration
organization for issues that span multiple MA&SS organizations, the Strategic
Planning and Resources Office ensures that customers receive the best possible
service and that complex issues are addressed in a timely and complete manner. In addition,
the Strategic Planning and Resources Office serves as a central point for
management of internal information management tools and communication both
within IRS and externally on mission assurance-related topics.
-
The Audit Activity Management (AAM) organization manages the ongoing
Government Accountability Office (GAO) and Treasury Inspector General for
Tax Administration (TIGTA) audit activities that are related to security.
This involves coordinating entrance and exit conferences, providing information
to GAO and TIGTA, coordinating review of all documents, and providing management
responses to findings. AAM manages the inventory of GAO recommendations and
TIGTA corrective actions, which includes monitoring due dates and status to
achieve timely closure. When an audit in another business unit impacts MA&SS,
AAM coordinates a unified MA&SS response and collaborates across organizational
boundaries to resolve audit findings.