IRS Publication 1075 Compliance: Protecting Federal Tax Information (FTI)
IRS Publication 1075 governs how federal, state, and local government agencies, their contractors, and subcontractors must protect Federal Tax Information (FTI). Built on NIST SP 800-53 Moderate with IRS-specific overlays, Publication 1075 mandates FIPS-validated encryption, MFA, comprehensive audit logging, and 45-day breach notification. Petronella Technology Group, Inc. delivers AI-powered gap assessments, SSR preparation, technical remediation, and IRS Safeguard Review preparation for agencies and contractors handling FTI.
NIST 800-53 + IRS Overlays
Expert implementation of NIST SP 800-53 Moderate controls with IRS-specific enhancements for encryption, audit logging, background checks, and breach notification.
SSR Preparation
AI-accelerated Safeguard Security Report development that maps existing controls to IRS 1075 requirements, reducing preparation time by approximately 60%.
FedRAMP Cloud Compliance
Guidance on migrating FTI workloads to FedRAMP-authorized environments with proper agency-side controls for access management, key management, and monitoring.
Forensic Incident Response
Licensed Digital Forensic Examiner on staff to investigate FTI breaches, preserve evidence, and prepare documentation for the 45-day IRS notification.
Last Reviewed: March 2026
IRS Publication 1075, formally titled "Tax Information Security Guidelines for Federal, State, and Local Agencies," is the authoritative document that governs how federal, state, and local government agencies, their contractors, and subcontractors must protect Federal Tax Information (FTI). FTI includes any tax return data or return information received directly from the IRS or obtained through an authorized secondary source. Publication 1075 establishes mandatory safeguard requirements rooted in the Internal Revenue Code (IRC) Section 6103, which restricts the disclosure of tax returns and return information to authorized recipients under strict conditions. Any agency that receives FTI from the IRS, whether a state department of revenue, a child support enforcement agency, a workforce development office, or a health and human services department, must comply with the safeguard requirements in Publication 1075. Failure to comply can result in criminal penalties under IRC Sections 7213, 7213A, and 7431, suspension of data sharing, and significant reputational damage. As of the 2024 revision cycle, Publication 1075 aligns its technical controls with NIST SP 800-53 Revision 5 at the Moderate baseline, supplemented by IRS-specific overlays that add stricter requirements in areas such as encryption, audit logging, and breach notification.
Who Must Comply with IRS Publication 1075?
IRS Publication 1075 applies to a broad range of organizations that receive, process, store, or transmit FTI. Understanding whether your agency or business falls under this mandate is the critical first step toward compliance. Petronella Technology Group (PTG) works with agencies and contractors across the southeastern United States to assess and close IRS 1075 compliance gaps.
- State tax agencies and departments of revenue that receive FTI to administer state tax programs
- State and local human services agencies (HHS, TANF, Medicaid) that use FTI for eligibility determinations
- Child support enforcement agencies that access FTI through the Federal Parent Locator Service
- Workforce and unemployment agencies that verify income data
- Federal agencies authorized under IRC 6103 to receive returns or return information
- Contractors and subcontractors hired by any of the above agencies to develop, maintain, or operate systems that process FTI
- Cloud service providers hosting FTI on behalf of agencies (must use FedRAMP-authorized environments)
If your organization touches FTI in any capacity, Publication 1075 compliance is not optional. The IRS Office of Safeguards conducts regular on-site reviews to verify compliance, and agencies that fail these reviews risk losing access to the data they depend on to deliver services to citizens.
The Statutory Foundation: IRC Section 6103
Publication 1075 exists because of IRC Section 6103, which provides the statutory authority for protecting tax return information. Section 6103 defines who may receive FTI, under what conditions, and what safeguards must be in place. It also establishes criminal and civil penalties for unauthorized disclosure or inspection of tax information.
- IRC Section 7213: Unauthorized disclosure of FTI is a felony punishable by up to five years in prison and a fine of up to $5,000
- IRC Section 7213A: Unauthorized inspection (browsing) of returns or return information is a misdemeanor punishable by up to one year in prison and a fine of up to $1,000
- IRC Section 7431: Provides for civil damages when FTI is unlawfully disclosed or inspected, including $1,000 per act of unauthorized inspection or disclosure, or actual damages, plus costs and attorney fees
These penalties apply to individual employees, not just organizations. This means every person who handles FTI must understand the rules, and agencies must have robust training and access control programs in place. PTG's cybersecurity services include security awareness training programs tailored to the specific requirements of agencies handling sensitive government data.
How IRS 1075 Maps to NIST SP 800-53
IRS Publication 1075 does not create its security controls from scratch. Instead, it builds directly on the NIST SP 800-53 Revision 5 Moderate baseline, which includes approximately 325 controls across 20 control families. The IRS then applies agency-specific overlays that strengthen certain controls beyond the standard Moderate baseline. This approach mirrors how other federal programs like FedRAMP and CJIS use NIST 800-53 as their foundation with program-specific enhancements.
Understanding this relationship is critical because it means organizations already working toward NIST 800-53 Moderate compliance have a significant head start on IRS 1075. Conversely, agencies that treat IRS 1075 as an isolated requirement miss the opportunity to build a unified security program that satisfies multiple frameworks simultaneously.
Key NIST 800-53 Control Families in IRS 1075
Craig Petronella, CMMC Registered Practitioner and holder of an MIT Artificial Intelligence Certificate, leads PTG's compliance practice. With 23 years in cybersecurity, Craig understands how NIST 800-53 controls translate into practical implementations for agencies of every size. PTG's patented technology stack automates the mapping process between IRS 1075 requirements and NIST 800-53 controls, reducing assessment timelines from months to weeks.
Core IRS 1075 Technical Requirements
Publication 1075 specifies detailed technical safeguards that go beyond general security best practices. Agencies and their contractors must implement each of these requirements and document their implementation in the Safeguard Security Report (SSR).
Encryption Standards
All FTI must be encrypted using FIPS 140-2 (or FIPS 140-3) validated cryptographic modules. This applies to FTI at rest (stored on servers, databases, backup media) and FTI in transit (transmitted over networks). Agencies cannot use proprietary or non-validated encryption algorithms. Common compliant implementations include AES-256 for data at rest and TLS 1.2 or higher for data in transit.
Multi-Factor Authentication
IRS 1075 requires MFA for all users accessing systems that contain FTI. This requirement applies to both privileged and non-privileged accounts. Acceptable second factors include hardware tokens, smart cards (PIV/CAC), and authenticator applications. SMS-based second factors are discouraged due to known vulnerabilities in the SS7 protocol.
Audit Logging and Monitoring
Agencies must log all access to FTI, including successful and failed authentication attempts, data queries, data exports, and administrative actions. Logs must be retained for a minimum period defined in the agency's records retention schedule and must be reviewed regularly for anomalous activity. PTG's AI-powered monitoring solutions use on-premise large language models to analyze audit logs in real time, identifying suspicious access patterns that manual review would miss.
Access Controls
Access to FTI must follow the principle of least privilege and need-to-know. Agencies must maintain current lists of authorized users, conduct background investigations before granting FTI access, and promptly revoke access when personnel depart or change roles. Role-based access control (RBAC) is the standard implementation approach.
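The audit-logging and access-control requirements above (log every FTI access, review logs for anomalies, keep a current authorized-user list, enforce MFA) can be exercised with a small review script. This is an added example, not PTG's tooling or anything from Publication 1075 itself; the pipe-delimited log format, the authorized-user roster, the sample log lines and the thresholds are all constructed assumptions.

```python
"""Review constructed FTI audit-log lines for IRS 1075-style findings.

Added example (not PTG's or the IRS's code). Flags: access by a user who is
not on the authorized list (need-to-know), bursts of failed logins, successful
logins without a second factor, and bulk exports. Format and thresholds are
assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp|user|action|result|key=value"
SAMPLE_LOG = """\
2026-03-02T08:15:02|jdoe|LOGIN|SUCCESS|mfa=piv
2026-03-02T08:16:40|jdoe|QUERY|SUCCESS|rows=12
2026-03-02T02:11:05|mlee|LOGIN|FAILURE|mfa=none
2026-03-02T02:11:09|mlee|LOGIN|FAILURE|mfa=none
2026-03-02T02:11:13|mlee|LOGIN|FAILURE|mfa=none
2026-03-02T02:11:17|mlee|LOGIN|FAILURE|mfa=none
2026-03-02T02:11:21|mlee|LOGIN|FAILURE|mfa=none
2026-03-02T02:12:30|mlee|LOGIN|SUCCESS|mfa=totp
2026-03-02T02:13:00|mlee|EXPORT|SUCCESS|rows=48000
2026-03-02T09:30:00|contractor7|QUERY|SUCCESS|rows=3
2026-03-02T10:00:00|admin1|ADMIN|SUCCESS|action=grant_role
2026-03-02T11:00:00|jdoe|LOGIN|SUCCESS|mfa=none
"""

# Assumed current roster of personnel authorized for FTI access.
AUTHORIZED_USERS = {"jdoe", "mlee", "admin1"}

FAILED_LOGIN_THRESHOLD = 5              # failures inside the window to flag
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
EXPORT_ROW_THRESHOLD = 10_000           # rows per export considered "bulk"


def parse_log(text):
    """Turn raw log lines into event dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, result, detail = line.split("|", 4)
        extra = dict(kv.split("=", 1) for kv in detail.split(",") if "=" in kv)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "result": result, **extra})
    return events


def review(events, authorized=AUTHORIZED_USERS):
    """Return (finding, user, timestamp) tuples in chronological order."""
    findings = []
    recent_failures = defaultdict(list)   # user -> timestamps of failures
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["user"] not in authorized:
            findings.append(("UNAUTHORIZED_USER", e["user"], e["ts"]))
        if e["action"] == "LOGIN" and e["result"] == "FAILURE":
            window = recent_failures[e["user"]]
            window.append(e["ts"])
            window[:] = [t for t in window if e["ts"] - t <= FAILED_LOGIN_WINDOW]
            if len(window) == FAILED_LOGIN_THRESHOLD:   # flag once per burst
                findings.append(("FAILED_LOGIN_BURST", e["user"], e["ts"]))
        if e["action"] == "LOGIN" and e["result"] == "SUCCESS" \
                and e.get("mfa", "none") == "none":
            findings.append(("LOGIN_WITHOUT_MFA", e["user"], e["ts"]))
        if e["action"] == "EXPORT" and int(e.get("rows", 0)) >= EXPORT_ROW_THRESHOLD:
            findings.append(("BULK_EXPORT", e["user"], e["ts"]))
    return findings


if __name__ == "__main__":
    for kind, user, ts in review(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  {kind:<20} {user}")
```

Each finding maps back to a requirement on this page: unauthorized users to the access-list control, failed-login bursts and bulk exports to the log-review requirement, and MFA-less logins to the MFA mandate.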
Media Protection and Sanitization
Physical and electronic media containing FTI must be tracked, stored securely, and sanitized or destroyed when no longer needed. Publication 1075 requires sanitization methods consistent with NIST SP 800-88 Revision 1, "Guidelines for Media Sanitization." This includes clearing, purging, or destroying media depending on the sensitivity level and intended disposition. Craig Petronella, a Licensed Digital Forensic Examiner (#604180), brings forensic-grade expertise to media handling and data destruction, ensuring that sanitization procedures will withstand IRS scrutiny.
45-Day Breach Notification Requirement
When a breach involving FTI occurs or is suspected, the agency must notify the IRS Office of Safeguards within 45 days. The notification must include a description of the incident, the type and volume of FTI potentially compromised, the corrective actions taken, and the plan to prevent recurrence. This 45-day window is stricter than many state breach notification laws, which may allow 60 or 90 days. PTG's incident response team has managed breach investigations for organizations handling sensitive government data and can guide agencies through the notification process while preserving forensic evidence.
The Safeguard Security Report (SSR)
The Safeguard Security Report is the primary compliance document that agencies must maintain for IRS 1075. The SSR describes the agency's security posture, documents the implementation of required controls, and identifies any compensating controls or planned remediation activities. The IRS Office of Safeguards uses the SSR as the starting point for on-site safeguard reviews.
An effective SSR includes:
- A complete system inventory identifying all systems, applications, and databases that receive, process, store, or transmit FTI
- Network diagrams showing the flow of FTI through the agency's infrastructure
- Documentation of implemented security controls mapped to NIST SP 800-53 Moderate baseline requirements
- Identification of IRS-specific overlay requirements and how they are met
- Personnel security procedures, including background check requirements and access authorization processes
- Incident response procedures specific to FTI breaches
- Media sanitization and disposal procedures
- Annual training documentation
PTG uses its private AI fleet, including on-premise large language models running on dedicated GPU infrastructure, to accelerate SSR preparation. Our AI-powered compliance tools automatically map existing security controls to IRS 1075 requirements, identify gaps, and generate draft documentation that human reviewers refine. No other firm in the Triangle offers this capability. This approach reduces SSR preparation time by approximately 60% compared to traditional manual methods.
IRS Office of Safeguards Reviews
The IRS Office of Safeguards conducts periodic on-site reviews of agencies that receive FTI. These reviews are not optional; agencies must cooperate fully or risk suspension of their data-sharing agreements. During a review, IRS examiners will:
- Review the agency's current SSR for completeness and accuracy
- Interview key personnel responsible for FTI security
- Inspect physical facilities where FTI is processed or stored
- Examine technical controls through live demonstrations and configuration reviews
- Review audit logs and access control records
- Verify that background checks have been completed for all personnel with FTI access
- Test incident response procedures and notification capabilities
- Issue findings and corrective action plans for any deficiencies
Agencies typically receive advance notice of scheduled reviews, but the timeline is often tight. Organizations that maintain a continuous compliance posture rather than scrambling before a review are far more likely to pass without significant findings. PTG's continuous monitoring solutions, built on our patented technology stack, maintain real-time compliance dashboards that keep agencies audit-ready year-round.
Annual Safeguard Activity Report
In addition to the SSR and on-site reviews, agencies must submit an Annual Safeguard Activity Report to the IRS. This report summarizes the agency's safeguard activities during the reporting period, including any security incidents, changes to the IT environment, training completed, and corrective actions taken in response to prior findings. The Annual Safeguard Activity Report demonstrates the agency's ongoing commitment to protecting FTI and provides the IRS with a longitudinal view of the agency's security posture.
Cloud Computing and FTI: The FedRAMP Requirement
Publication 1075 includes specific guidance on using cloud computing services to process or store FTI. Any cloud service provider (CSP) hosting FTI must use a FedRAMP-authorized environment at the Moderate baseline or higher. This requirement ensures that cloud environments meet the same rigorous security standards as on-premise systems.
Agencies migrating FTI workloads to the cloud must:
- Verify that the CSP holds a current FedRAMP Moderate (or higher) authorization
- Ensure that the specific cloud services being used are within the FedRAMP authorization boundary
- Implement agency-side controls for access management, key management, and monitoring
- Maintain the ability to audit CSP activities related to FTI
- Include cloud environments in the SSR and ensure IRS has visibility into the cloud architecture
PTG's on-premise AI infrastructure demonstrates our commitment to data sovereignty. Our GPU clusters and private cloud systems process sensitive compliance data without sending it to third-party cloud providers. For agencies that must use cloud services for FTI, we help evaluate FedRAMP-authorized options and implement the required agency-side controls.
IRS 1075 and Related Federal Frameworks
IRS Publication 1075 does not exist in isolation. It intersects with several other federal security frameworks, and agencies often face requirements from multiple mandates simultaneously. Understanding these relationships helps organizations build efficient, unified compliance programs rather than siloed efforts.
IRS 1075 and FISMA
Federal agencies that receive FTI are also subject to the Federal Information Security Modernization Act (FISMA), which requires agencies to implement the NIST Risk Management Framework (RMF) and apply NIST SP 800-53 controls. Since IRS 1075 builds on 800-53 Moderate, federal agencies can address both FISMA and IRS 1075 through a single control implementation with supplementary IRS overlays.
IRS 1075 and NIST SP 800-171
While IRS 1075 addresses FTI protection, NIST SP 800-171 addresses the protection of Controlled Unclassified Information (CUI) in non-federal systems. Both frameworks derive from NIST SP 800-53, but they target different data types and different organizational contexts. Agencies and contractors handling both FTI and CUI can leverage overlapping controls, but must address the unique requirements of each framework independently.
IRS 1075 and CJIS
State and local agencies that handle both FTI and Criminal Justice Information (CJI) face dual compliance obligations under IRS 1075 and the CJIS Security Policy. Both frameworks require background checks, MFA, encryption, and audit logging, but each has unique thresholds and procedures. PTG helps agencies identify overlapping controls and build streamlined compliance programs that satisfy both mandates.
IRS 1075 and SOC 2
Contractors providing IT services to agencies that handle FTI may also pursue SOC 2 certification to demonstrate their security posture to multiple customers. SOC 2 Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy) overlap substantially with the NIST 800-53 controls underlying IRS 1075. A SOC 2 Type II report can provide evidence of control effectiveness that supports an agency's SSR documentation, though SOC 2 alone does not satisfy IRS 1075 requirements.
Comparison: IRS 1075 vs. FedRAMP Moderate vs. CJIS vs. NIST 800-171
This comparison demonstrates why organizations subject to multiple frameworks benefit from a unified approach anchored in NIST SP 800-53. PTG builds compliance programs that satisfy IRS 1075, FedRAMP, CJIS, and NIST 800-171 through a single integrated control framework, eliminating duplicated effort and reducing total compliance costs. Call 919-348-4912 to discuss how a unified approach can work for your agency.
State Agency Challenges with IRS 1075 Compliance
State and local agencies face unique challenges in meeting IRS 1075 requirements. Budget constraints, legacy infrastructure, workforce turnover, and competing compliance mandates create obstacles that federal agencies with larger budgets may not face.
Common Challenges
- Legacy Systems: Many state agencies operate on aging infrastructure that predates modern encryption and MFA standards. Retrofitting FIPS 140-2 encryption onto legacy mainframe systems or outdated web applications requires specialized expertise.
- Budget Limitations: State agencies rarely have the budget to hire dedicated compliance teams. Security and compliance responsibilities often fall on IT staff who also manage day-to-day operations.
- Contractor Oversight: Agencies must ensure that contractors and subcontractors who access FTI meet the same safeguard requirements. Many agencies lack the resources to conduct meaningful contractor security assessments.
- Cloud Migration Complexity: Moving FTI workloads to FedRAMP-authorized cloud environments requires careful planning, particularly around data flows, key management, and shared responsibility models.
- Documentation Burden: The SSR, Annual Safeguard Activity Report, and supporting documentation require significant effort to prepare and maintain.
- Staff Turnover: When experienced security personnel leave, institutional knowledge about IRS 1075 requirements and the agency's compliance posture often leaves with them.
PTG makes enterprise-grade compliance accessible to small and mid-size agencies. Our AI-powered compliance tools automate what competitors do manually, reducing the labor burden on agencies with limited staff. We combine AI development capabilities (custom AI agents, private LLMs, GPU hosting) with deep cybersecurity and compliance expertise, a combination that no other firm in the Triangle offers.
How PTG Helps with IRS 1075 Compliance
Petronella Technology Group brings a distinctive combination of capabilities to IRS 1075 compliance engagements.
Gap Assessment and Roadmap
PTG begins every engagement with a thorough gap assessment that compares your current security posture against IRS 1075 requirements and the underlying NIST SP 800-53 Moderate controls. Our assessment identifies specific deficiencies, prioritizes remediation activities by risk level, and produces a clear roadmap to compliance. View our compliance service tiers to find the right engagement model for your organization.
SSR Preparation and Review
Our team prepares or reviews your Safeguard Security Report to ensure completeness, accuracy, and alignment with current IRS guidance. We use our private AI fleet to accelerate the documentation process, cross-referencing your existing policies and procedures against IRS 1075 requirements to identify gaps and inconsistencies.
Technical Remediation
When gaps exist in technical controls, PTG's managed IT services team implements the required solutions: deploying FIPS-validated encryption, configuring MFA, establishing comprehensive audit logging, implementing access controls, and hardening system configurations. Our patented security tools automate ongoing compliance monitoring.
IRS Safeguard Review Preparation
PTG conducts mock safeguard reviews that replicate the IRS review process, including document review, personnel interviews, facility inspections, and technical control verification. Our mock reviews identify and resolve issues before the IRS arrives, dramatically improving review outcomes.
Incident Response and Forensics
When a breach involving FTI occurs, the 45-day notification clock starts ticking. Craig Petronella, Licensed Digital Forensic Examiner (#604180) and Cisco CCNA/CWNE, leads PTG's incident response team. We investigate breaches, preserve forensic evidence to chain-of-custody standards, assess the scope of compromised FTI, and prepare the documentation required for IRS notification. Most compliance firms cannot offer forensic investigation capabilities; PTG can.
Continuous Compliance Monitoring
Compliance is not a one-time project. PTG's continuous monitoring solutions maintain your compliance posture between IRS reviews. Our AI-driven tools track configuration changes, monitor access patterns, flag policy violations, and generate real-time compliance dashboards that keep agency leadership informed.
IRS 1075 Compliance Checklist
PTG maintains an open-source IRS 1075 Compliance Checklist on GitHub that agencies and contractors can use as a starting point for self-assessment. The checklist covers all major requirement areas, including access controls, encryption, audit logging, media protection, incident response, and personnel security.
The checklist is organized by NIST SP 800-53 control family and includes IRS-specific overlay requirements so that agencies can track both the baseline controls and the IRS enhancements in a single document. Craig Petronella, Amazon #1 Best-Selling Author of 14 cybersecurity books, developed this resource to give agencies practical tools they can put to work immediately.
Related Compliance Resources
NIST SP 800-53
The master control catalog with 1,000+ controls across 20 families that underpins most federal compliance frameworks.
FedRAMP Authorization
Federal cloud authorization framework built on NIST SP 800-53, required for cloud services used by federal agencies.
CJIS Security Policy
CJIS Security Policy for law enforcement and vendors accessing criminal justice information.
FISMA Compliance
The federal law mandating NIST standards for federal agency information security programs.
NIST SP 800-171
110 security requirements for protecting Controlled Unclassified Information, derived from NIST SP 800-53.
Media Sanitization
Media sanitization guidelines for secure data destruction using Clear, Purge, and Destroy methods.
GLBA / FTC Safeguards
GLBA and FTC Safeguards Rule requirements for financial institutions protecting consumer data.
Framework Comparison Guide
Side-by-side comparison of 20+ compliance frameworks with industry decision matrix.
Frequently Asked Questions
What is Federal Tax Information (FTI)?
Who enforces IRS Publication 1075?
How often does the IRS conduct Safeguard Reviews?
What are the penalties for non-compliance with IRS 1075?
Does IRS 1075 require FedRAMP for cloud services?
How does IRS 1075 differ from NIST SP 800-53?
What is the Safeguard Security Report (SSR)?
What is the breach notification timeline under IRS 1075?
Can contractors access FTI?
How does IRS 1075 relate to GLBA and financial data protection?
Start Your IRS 1075 Compliance Journey
Whether you are preparing for an upcoming IRS Safeguard Review, building a new system to process FTI, migrating FTI workloads to the cloud, or responding to findings from a prior review, Petronella Technology Group, Inc. has the expertise, technology, and proven methodology to get you to compliance efficiently.
Petronella Technology Group, Inc. • 919-348-4912 • 5540 Centerview Dr., Suite 200, Raleigh, NC 27606 • BBB A+ Since 2003 • Founded 2002