Oracle Government Cloud and IRS Publication 1075

With the rapid adoption of cloud services by US government entities, procurement and security practices are evolving to address new risks. As a result, customers are faced with implementing new security processes, standards, and controls. This article discusses the US Internal Revenue Service Publication 1075 (IRS 1075) and how the standard and related controls may apply to your use case and deployment.

This article is one in a series that explains the applicability of various security standards relevant to government agencies and commercial entities doing business with the US government. This information can help customers looking to migrate or build a new solution in Oracle US Government Cloud and use infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) to reduce costs and improve availability.

Why?

IRS 1075 exists to ensure that the proper practices and safeguards exist to protect the confidentiality and unauthorized use of personal and financial information furnished to the IRS. The document covers data exchange within and potentially between agencies, while preventing the inappropriate disclosure of Federal Tax Information (FTI). This article helps customers understand how controls defined in IRS 1075 apply to cloud computing providers and how customers can use the proven controls audited by a third-party assessment organization (3PAO) and accredited by FedRAMP.

How?

IRS 1075 applies to all organizations that transmit, process, or maintain US FTI. It addresses any public request for sensitive information and prevents disclosure of data that would put FTI at risk. The IRS Office of Safeguards maintains IRS 1075, which provides guidance for policies, practices, controls, and safeguards for the protection of FTI to recipient agencies, agents, or contractors. Only the government agency or commercial customer processing or storing FTI can achieve IRS 1075 compliance. However, within the shared responsibility model, customers rely on controls that Oracle Cloud Infrastructure (OCI) has accredited through FedRAMP certification.

Oracle Government Cloud, whose regions are located exclusively within the continental US, offers several key security practices that assist customers in meeting IRS 1075 requirements. For example, Oracle staff have no access to customer data, or FTI in this case, and Oracle staff who support, manage, and monitor Oracle Government Cloud regions reside within the US. OCI security also controls provide customer data isolation, tenant data is always encrypted at rest, and Oracle Government Cloud customers can count on the same service level agreements (SLAs) that apply to Oracle commercial regions.

Who?

IRS 1075 is not a certification that an IaaS or PaaS cloud service provider (CSP) can achieve because the CSP isn’t responsible for all the controls required under IRS 1075. However, CSPs like Oracle support IRS 1075 compliance by offering cloud services with demonstration of implemented controls. For example, Oracle Government Cloud has achieved FedRAMP high JAB P-ATO accreditation, as have all the Oracle Cloud Infrastructure and PaaS services generally available in those regions, which supports that the NIST SP 800-53 controls have been tested and are operating effectively. Agencies maintaining FTI in a cloud environment must use a CSP that has achieved FedRAMP certification. The end-user solution provider can use these proven controls, reducing the effort to ensure that their overall solution is compliant.

Whether you’re considering cloud computing to reduce costs or improve performance, Oracle Cloud Infrastructure provides a secure platform to host service and workloads that meet IRS 1075 safeguard requirements. Oracle has a dedicated team and established resources ready to support your migration and help you achieve your accreditation goals.

Want to know more?

For more information, see the following resources:

• Oracle Cloud for Government

• Oracle Government Cloud for Contractors

• OCI Advisory: IRS 1075 Advisory

• IRS Mandatory Requirements for FTI in a Cloud Environment