- 10.8.2 IT Security Roles and Responsibilities
- 10.8.2.1 Program Scope and Objectives
- 10.8.2.1.1 Background
- 10.8.2.1.2 Authority
- 10.8.2.1.3 Roles and Responsibilities
- 10.8.2.1.4 Program Management and Review
- 10.8.2.1.5 Program Controls
- 10.8.2.1.6 Terms and Acronyms
- 10.8.2.1.7 Related Resources
- 10.8.2.2 Risk Acceptance and Risk-Based Decisions (RBD)
- 10.8.2.3 IT Security Roles and Responsibilities
- 10.8.2.3.1 Key Governance and Related Roles & Responsibilities
- 10.8.2.3.1.1 Agency Head
- 10.8.2.3.1.2 Chief Information Officer (CIO)
- 10.8.2.3.1.3 Chief Data Officer (CDO)
- 10.8.2.3.1.4 Senior Agency Information Security Officer (SAISO)/Chief Information Security Officer (CISO)
- 10.8.2.3.1.4.1 Security Control Assessor
- 10.8.2.3.1.4.2 Risk Executive (Function)
- 10.8.2.3.1.4.3 Common Control Provider
- 10.8.2.3.1.5 Senior Management/Executives
- 10.8.2.3.1.6 System Owner
- 10.8.2.3.1.6.1 Business System Planner (BSP)
- 10.8.2.3.1.6.1.1 Security Program Management Officer (SPMO)
- 10.8.2.3.1.7 Mission or Business Owner
- 10.8.2.3.1.8 Information Owner
- 10.8.2.3.1.9 Authorizing Official (AO)
- 10.8.2.3.1.9.1 Authorizing Official Designated Representative (AODR)
- 10.8.2.3.1.10 Chief Acquisition Officer (CAO)
- 10.8.2.3.1.11 System Security Officer (SSO)
- 10.8.2.3.1.12 Manager
- 10.8.2.3.1.13 Contracting Officer
- 10.8.2.3.1.13.1 Contracting Officer’s Representative (COR)
- 10.8.2.3.1.14 Enterprise Architect
- 10.8.2.3.1.15 Systems Security Engineer
- 10.8.2.3.1.16 Security and Privacy Architect
- 10.8.2.3.1.17 Chief Financial Officer (CFO)
- 10.8.2.3.1.18 Privacy Officer
- 10.8.2.3.1.18.1 IRS Privacy Offices
- 10.8.2.3.1.18.2 System Privacy Officer
- 10.8.2.3.1.19 Physical Security Officer
- 10.8.2.3.1.20 Personnel Security Officer
- 10.8.2.3.1.21 Employee
- 10.8.2.3.1.22 Contractor
- 10.8.2.3.1.23 Database Administrator (DBA)
- 10.8.2.3.1.24 Key-Recovery Agent
- 10.8.2.3.1.25 Network Administrator
- 10.8.2.3.1.26 Program Developer/Programmer
- 10.8.2.3.1.27 Web Developer
- 10.8.2.3.1.28 Resource Access Control Facility (RACF) Specialist
- 10.8.2.3.1.29 Security Specialist (SecSpec)
- 10.8.2.3.1.30 System Administrator (SA)
- 10.8.2.3.1.31 Systems Operations Staff
- 10.8.2.3.1.32 Telecommunications Specialist
- 10.8.2.3.1.33 User Administrator (UA)
- 10.8.2.3.1.34 Integrated Data Retrieval System (IDRS) Security Analyst
- 10.8.2.3.1.35 Integrated Data Retrieval System (IDRS) Security Account Administrator
- 10.8.2.3.1.36 Computer Audit Specialist (CAS)
- 10.8.2.3.1.37 Functional Workstation Specialist
- 10.8.2.3.1.38 Management/Program Analyst
- 10.8.2.3.1.39 System Designer
- 10.8.2.3.1.40 Technical Support Staff (Desktop)
- 10.8.2.3.1.41 Security Staff (Physical Security)
- 10.8.2.3.1.42 Cyber Critical Infrastructure Protection (CIP) Coordinator
- 10.8.2.3.2 Organization/Functional Roles and Responsibilities
- 10.8.2.3.2.1 IRS Information Technology Cybersecurity Organization
- 10.8.2.3.2.2 IRS Information Technology (IT) User and Network Services (UNS) Organization
- 10.8.2.3.2.3 Computer Security Incident Response Center (CSIRC)
- 10.8.2.3.2.4 Situational Awareness Management Center (SAMC)
- 10.8.2.3.2.5 IRS Patch and Vulnerability Group (PVG)
- Exhibit 10.8.2-1 Roles That Require Specialized Training
- Exhibit 10.8.2-2 Terms and Acronyms
- Exhibit 10.8.2-3 Related Resources
Part 10. Security, Privacy, Assurance and Artificial Intelligence
Chapter 8. Information Technology (IT) Security
Section 2. IT Security Roles and Responsibilities
10.8.2 IT Security Roles and Responsibilities
Manual Transmittal
April 29, 2025
Purpose
(1) This transmits revised IRM 10.8.2, Information Technology (IT) Security, IT Security Roles and Responsibilities.
Material Changes
(1) IRM 10.8.2.1.1 Background: Original (1) removed as it duplicated language already in the Authority subsection.
(2) IRM 10.8.2.1.3 Roles and Responsibilities: Original (2) incorporated into (1).
(3) IRM 10.8.2.1.4 Program Management and Review: (2) New informative language added.
(4) IRM 10.8.2.1.7 Related Resources: (1) Informative language added to existing paragraph.
(5) IRM 10.8.2.2 Risk Acceptance and Risk-Based Decisions (RBD):
-
Subsection title updated.
-
(2) Note - RBD document reference updated.
(6) IRM 10.8.2.3 IT Security Roles and Responsibilities: New (4) Conflict of interest language added from NIST SP 800-37 and 800-100.
(7) IRM 10.8.2.3.1.1 Agency Head:
-
(1) Updated to align with NIST SP 800-37.
-
(2) Updated to align with NIST SP 800-37. Original (5)a), (4)c), and (4)d) incorporated.
-
(3) New language from NIST SP 800-37 added.
-
(4) New language from NIST SP 800-37 added.
-
(5) Updated to align with TD P 85-01.
-
(6) Language from original (4) and (5) combined, and updated to align with FISMA.
-
(7) New language from P.L. 115-435.
(8) IRM 10.8.2.3.1.2 Chief Information Officer (CIO):
-
(1) Replaced non-specific language with TD P 85-01 language.
-
(2) Updated to align with TD P 85-01.
-
(4) Updated to align with Taxpayer First Act.
-
(5) Updated to align with NIST SP 800-37.
-
(6) Added NIST SP 800-37 language and incorporated original (7)c), d), e), f), j).
-
(7) New RMF language from NIST SP 800-37 added.
-
(8) Updated to align with Treasury's Incident Response Plan.
-
(9) Updated to align with Treasury's Incident Response Plan.
-
(10) Updated to align with TD 85-02.
-
(11) New language from EO 13833 added.
-
Original (9) removed; duplicated language already addressed by TD P 85-01.
-
(12) Updated to align with FISMA.
-
(13) Updated to align with NIST SP 800-137.
(9) IRM 10.8.2.3.1.3 Chief Data Officer (CDO): New subsection and CDO responsibilities from Foundations for Evidence-Based Policymaking Act added.
(10) IRM 10.8.2.3.1.4 Senior Agency Information Security Officer (SAISO)/Chief Information Security Officer (CISO):
-
(3) Original (3)b) language.
-
(4) Updated to align with TD P 85-01.
-
(6) Removed duplicate CSIRC language.
-
(7) New Treasury Incident Response Plan language added.
-
(8) Updated to align with FISMA.
-
(9) New RMF language from NIST SP 800-37.
-
Original (7) removed. Duplicated language already addressed by TD P 85-01.
-
Original (8) removed. Duplicated language already addressed by TD P 85-01.
-
Original (9) removed as part of IG Memo IT-10-0824-0013 revisions.
-
Original (10) removed. Repetitive reference to IRM 10.8.27.
-
Original (11) removed. Duplicated TD P 85-01 and NIST SP 800-53.
(11) IRM 10.8.2.3.1.4.1 Security Control Assessor:
-
(1) Updated to align with TD P 85-01 and original (2) incorporated.
-
(2) New TD P 85-01 language added.
-
(3) Updated to align with TD P 85-01.
-
(4) Updated to align with NIST SP 800-37.
-
(5) New RMF language from NIST SP 800-37 added.
-
(6) New NIST SP 800-137 language added.
-
Original (3) removed; duplicated language already addressed by TD P 85-01.
-
Original (5) removed.
(12) IRM 10.8.2.3.1.4.2 Risk Executive (Function):
-
(1) Updated to align with TD P 85-01.
-
(2) New TD P 85-01 language added.
-
(3) New TD P 85-01 language added.
(13) IRM 10.8.2.3.1.4.3 Common Control Provider:
-
(1) Updated to align with NIST SP 800-37.
-
(2) Updated to align with NIST SP 800-37.
-
(3) New NIST SP 800-37 language added.
(14) IRM 10.8.2.3.1.5 Senior Management/Executives:
-
(1) Updated to align with OMB A-130 and original (4) incorporated.
-
Original (3) removed guidance established via the AO responsibilities.
(15) IRM 10.8.2.3.1.6 System Owner:
-
Subsection title updated; removed Mission or Business Owner from title and aligned with NIST SP 800-37 and 800-53.
-
(1) Updated to align with NIST SP 800-37.
-
(1)a) Moved to new Mission or Business Owner subsection.
-
(2) New NIST SP 800-39 language added.
-
(3) New NIST SP 800-18 language added.
-
(4) Original (3)a) relocated to be a separate paragraph.
-
(6) Updated to align with NIST SP 800-37 and removed redundant language.
-
(7) New RMF language from NIST SP 800-37 added.
-
(8) New NIST SP 800-34 language added.
-
(10) New NIST SP 800-18 language added.
-
Original (5) removed duplicated language.
-
Original (6) removed duplicated language in IRM 10.8.60 and 10.8.62.
-
Original (7) removed duplicated language in IRM 10.8.60 and procedural guidance found in a contingency plan.
-
Original (8) removed duplicated language.
-
Original (9) removed duplicated language in IRM 10.8.21.
-
Original (10) removed duplicated language in IRM 10.8.6.
-
Original (11) removed duplicated language in IRM 10.8.15.
-
Original (12) removed duplicated language in IRM 10.8.15.
-
Original (13) removed duplicated language in IRM 10.8.22.
-
Original (14) removed duplicated language in IRM 10.8.50.
-
Original (15) removed IRM 10.8.54 reference.
(16) IRM 10.8.2.3.1.7 Mission or Business Owner:
-
New subsection created.
-
(1) New NIST SP 800-37 language added.
-
(2) New NIST SP 800-37 language added.
-
(3) Original 10.8.2.3.1.3.5 (1)a) incorporated; conflict of interest language added.
(17) IRM 10.8.2.3.1.8 Information Owner:
-
(1) Updated to align with NIST SP 800-37.
-
(2) Original (2)a) relocated to be a separate paragraph.
-
(4) New NIST SP 800-37 language added.
-
(6) New RMF NIST SP 800-37 language added.
(18) IRM 10.8.2.3.1.9 Authorizing Official (AO):
-
(2) Original (2)a) relocated to be a separate paragraph.
-
(6) Updated to align with NIST SP 800-137.
(19) IRM 10.8.2.3.1.9.1 Authorizing Official Designated Representative (AODR):
-
(1) Updated to align with NIST SP 800-37.
-
(5) New RMF NIST SP 800-37 language added.
-
Original (2) Removed AO responsibility.
(20) IRM 10.8.2.3.1.10 Chief Acquisition Officer (CAO):
-
New subsection added.
-
New NIST SP 800-37 language added.
(21) IRM 10.8.2.3.1.11 System Security Officer:
-
Subsection title changed to align with NIST SP 800-37 and 800-53.
-
(1) Language from TD P 85-01 added.
-
(2) Original (5)b) relocated to be a separate paragraph.
-
(3) Original (1)a) relocated to be a separate paragraph.
-
(4) Updated to align with TD P 85-01.
-
(7) Original (8)a) relocated to be a separate paragraph.
-
(8) Updated to align with Treasury ISCM framework.
-
(9) New NIST SP 800-12 language added.
-
(10) New NIST SP 800-37 language added.
-
(11) New NIST SP 800-37 RMF language added.
-
(12) New NIST SP 800-37 RMF support language added.
-
Original (2) Removed redundant language.
-
Original (3) Removed redundant language addressed by TD P 85-01 and NIST SP 800-37.
-
Original (4) Removed redundant language addressed by NIST SP 800-37.
-
Original (5) Removed redundant language addressed by NIST SP 800-37.
(22) IRM 10.8.2.3.1.12 Managers:
-
Subsection title updated to align with TD P 85-01.
-
Original (3) Removed obsoleted language; NIST SP 800-16 has been obsoleted.
-
Original (4) Removed redundant language addressed by TD P 85-01.
(23) IRM 10.8.2.3.1.13 Contracting Officer: (4) New NIST SP 800-12 language added.
(24) IRM 10.8.2.3.1.13.1 Contracting Officer's Representative (COR):
-
Subsection title corrected.
-
(1) Updated to align with FAR.
-
Original (3) Removed obsoleted language; NIST SP 800-16 has been obsoleted.
-
Original (4) Removed duplicate language addressed by contracting officer guidance.
(25) IRM 10.8.2.3.1.14 Enterprise Architect:
-
(1) New NIST SP 800-37 language added.
-
(3) New RMF NIST SP 800-37 language added.
-
Original (1) and (2) removed; language was not specific to the enterprise architect role.
(26) IRM 10.8.2.3.1.15 Systems Security Engineer:
-
Subsection title updated to align with NIST SP 800-37.
-
(1) Updated to align with NIST SP 800-37.
(27) IRM 10.8.2.3.1.16 Security and Privacy Architect:
-
New subsection added to align with NIST SP 800-37.
-
(1), (2), (3), (4), & (5) New NIST SP 800-37 language added.
(28) IRM 10.8.2.3.1.17 Chief Financial Officer (CFO):
-
(1) Updated to align with NIST SP 800-100.
-
Original (2) Removed CFO Act of 1990 language relevant to the Treasury CFO.
(29) IRM 10.8.2.3.1.18 Privacy Officer:
-
(1) Updated to align with OMB A-130.
-
(3) New NIST SP 800-37 RMF language added.
-
(4) New OMB A-130 language added.
-
(5) Updated to align with Treasury Incident Response Plan.
-
(3) New NIST SP 800-53 language added.
-
Original (4) Removed reference to an exhibit that has been removed.
(30) IRM 10.8.2.3.1.18.1 IRS Privacy Offices: Original (1)e) Removed reference to an exhibit that has been removed.
(31) IRM 10.8.2.3.1.18.2 System Privacy Officer:
-
New subsection added.
-
(1) New NIST SP 800-37 language added.
-
(2) New RMF NIST SP 800-37 language added.
(32) IRM 10.8.2.3.1.19 Physical Security Officer:
-
(1) Original (1) & (2) combined and updated to align with NIST SP 800-100.
-
Original (3) Removed redundant language addressed by NIST SP 800-100.
-
Original (6) Removed reference.
(33) IRM 10.8.2.3.1.20 Personnel Security Officer:
-
(1) Updated to align with NIST SP 800-100.
-
(3) Updated to align with NIST SP 800-100.
(34) IRM 10.8.2.3.1.21 Employee:
-
(3) Updated to align with TD P 85-01.
-
(4) New NIST SP 800-37 language added.
-
(5) Removed duplicate language; language updated for clarification.
-
Original (5) Removed duplicate guidance; (5)b) incorporated into original (4).
-
Original (7) Removed language addressed in IRM 10.8.27.
-
Original (8) Removed reference.
(35) IRM 10.8.2.3.1.22 Contractor:
-
(2) Added new TD P 85-01 language.
-
(3) Updated to align with TD P 85-01.
-
(4) Added new TD P 85-01 language.
-
(5) Removed duplicate language; language updated for clarification.
-
(7) Added reference to IRM 10.8.27.
-
Original (4) removed duplicate language; original (4)b) incorporated into original (3).
(36) IRM 10.8.2.3.1.24 Key-Recovery Agent:
-
Subsection title updated to align with NIST SP 800-130.
-
(1) New NIST SP 800-130 language added.
-
(2) New NIST SP 800-130 language added.
-
(3) Updated to align with NIST SP 800-130 language.
-
Original (1), (2), (3), & (4) Removed generalized (non-responsibility) language.
(37) IRM 10.8.2.3.1.34 Integrated Data Retrieval System (IDRS) Security Analyst: Responsibilities relocated to IRM 10.8.34.
(38) IRM 10.8.2.3.1.35 Integrated Data Retrieval System (IDRS) Security Account Administrator: Responsibilities relocated to IRM 10.8.34.
(39) IRM 10.8.2.3.1.36 Computer Audit Specialist (CAS): Subsection title updated.
(40) IRM 10.8.2.3.2.1 IRS Information Technology Cybersecurity Organization: (5) Language relocated from 10.8.1.4.4.2.1 (5) incorporated into the subsection.
(41) IRM 10.8.2.3.2.2 IRS Information Technology (IT) User and Network Services (UNS) Organization:
-
Subsection title updated.
-
(7) Language relocated from 10.8.1.4.4.2.1 (4) incorporated into the subsection.
(42) IRM 10.8.2.3.2.3 Computer Security Incident Response Center (CSIRC): (3)f) Removed reference to exhibit that has been removed.
(43) IRM 10.8.2.3.2.5 IRS Patch and Vulnerability Group (PVG):
-
(1) Original (1)a) relocated to be a separate paragraph. New language from NIST SP 800-40 pertaining to the PVG's function added.
-
(2) Updated to align with NIST SP 800-40r2 language. Note added to provide insight into the NIST SP 800-40 revisions and how they build on each other.
(44) Exhibit 10.8.2-1 Roles that Require Specialized Training: IG Memo IT-10-0424-0008 revisions incorporated. Incorporates NICE Framework language.
(45) Original Exhibit 10.8.2-2 Incident, Breach, and Event Definitions: Definitions incorporated into Exhibit 10.8.2-2 Terms and Acronyms.
(46) Exhibit 10.8.2-2 Terms and Acronyms:
-
The following acronyms were added: AODR, CAO, CDO, CISA, CNSI, EFO, IRB, NICE, SA, SSE, and SSO.
-
The following acronyms were removed: BIA, BR, CCRB, CFR, COTS, EC&MA, EOPS OSPMO, EOPS SOSD, FEA, GSP, ISSE, IUUD, KISAM, MOA, MOU, NOSS, NSI, OGE, OPM, SSP, and USR.
-
ATO acronym corrected.
-
Availability definition revised.
-
Breach definition incorporated from original Exhibit 10.8.2-2.
-
Campus IDRS Security Officer definition removed.
-
Certification Authority acronym and definition removed.
-
Chief Information Officer (CIO) definition removed; duplicated language in the CIO subsection.
-
Contingency Plan definition revised.
-
Controlled Unclassified Information (CUI) acronym and definition added.
-
Cyber Event definition incorporated from original Exhibit 10.8.2-2.
-
Denial of Authorization definition removed.
-
Department definition removed.
-
Disaster Recovery Plan (DRP) acronym and definition removed.
-
DMZ definition added to acronym.
-
Ensure definition added.
-
FISMA acronym corrected and definition revised.
-
Form 14201 definition removed.
-
Identification definition revised.
-
Impact definition revised.
-
Impact Level definition added.
-
Incident definition incorporated from original Exhibit 10.8.2-2.
-
Incident Handling definition revised.
-
Information Owner definition removed.
-
Information System Owner definition removed.
-
Information System Security Officer (ISSO) definition removed; Reference to new SSO acronym added.
-
ISCM acronym added to Information Security Continuous Monitoring definition title.
-
Information Technology (IT) definition revised.
-
Integrity definition revised.
-
Key Pair definition removed.
-
Least Privilege definition revised.
-
Live Data definition removed.
-
Major Incident definition incorporated from original Exhibit 10.8.2-2.
-
MD5 definition added.
-
Memorandum of Agreement (MOA) acronym and definition added.
-
Memorandum of Understanding (MOU) acronym and definition added.
-
Non-repudiation definition revised.
-
Notable Cyber Event definition incorporated from original Exhibit 10.8.2-2.
-
Plan of Action and Milestones (POA&M) definition revised.
-
Private Key definition revised.
-
Public Information definition removed.
-
Public Key definition revised.
-
Public Key Infrastructure (PKI) acronym and definition removed.
-
Remediation definition revised.
-
Risk definition revised.
-
Risk Assessment definition revised.
-
Safeguards definition revised.
-
Sensitive Information definition removed; Reference to CUI acronym added.
-
Significant Cyber Event definition incorporated from original Exhibit 10.8.2-2.
-
Suspected Breach definition incorporated from original Exhibit 10.8.2-2.
-
Suspected Incident definition incorporated from original Exhibit 10.8.2-2.
-
System definition revised.
-
SSP acronym added to System Security Plan definition.
-
Technical Controls definition removed.
-
UNS acronym corrected.
-
Vulnerability definition revised.
-
Vulnerability Assessment definition revised.
(47) Exhibit 10.8.2-3 Related Resources:
-
TD P 85-01, Treasury Information Technology Security Programs revised.
-
TD 85-02, Treasury Software Piracy Policy added.
-
TD 87-04, Personal Use of Government Information Technology Resources revised.
-
Treasury, Information Security Continuous Monitoring (ISCM) Framework revised.
-
Treasury, Departmental Incident Response Plan (IRP) revised.
-
TD P 15-03, Intelligence Information Systems Security Policy Manual removed.
-
TCIO Memo 17-01 removed.
-
IRM 10.4.x series removed.
-
IRM 10.8.1 title revised.
-
IRM 10.8.12 added.
-
IRM 10.8.13 added.
-
IRM 10.8.15 title corrected. IRM 10.8.52 added.
-
IRM 10.8.60 title corrected.
-
IRM 10.8.63 added.
-
IRM 10.9.1 title revised.
-
FIPS 199 added.
-
NIST SP 800-12 added.
-
NIST SP 800-16 removed.
-
NIST SP 800-18 revised.
-
NIST SP 800-34 added.
-
NIST SP 800-37 revised.
-
NIST SP 800-39 added.
-
NIST SP 800-40 Revision 2 added.
-
NIST SP 800-40 Revision 3 revised.
-
NIST SP 800-53 revised.
-
NIST SP 800-53A removed.
-
NIST SP 800-57 removed.
-
NIST SP 800-60 Revision 1 Volume I added.
-
NIST SP 800-60 Revision 1 Volume II added.
-
NIST SP 800-61 removed.
-
NIST SP 800-64 removed.
-
NIST SP 800-100 revised.
-
NIST SP 800-137 added.
-
NIST SP 800-160 Volume 1 Revision 1 added.
-
NIST SP 800-160 Volume 2 Revision 1 added.
-
NIST SP 800-181 added.
-
CNSSI 4009 added.
-
Title 48 FAR added.
-
Executive Order 13833 added.
-
Executive Order 13103 added.
-
FISMA URL removed.
-
OMB M-16-14 added.
-
OMB M-20-04 added.
-
OMB M-21-13 added.
-
OMB A-130 revised.
-
Privacy Act of 1974 revised.
-
Taxpayer Browsing Protection Act of 1997 revised.
-
Chief Financial Officers Act of 1990 added.
-
Federal Information Security Modernization Act (FISMA) of 2014 added.
-
Consolidated Appropriations Act, 2016 revised.
-
Foundations for Evidence-Based Policymaking Act of 2018 added.
-
Taxpayer First Act added.
-
U.S. Code Title 5 revised.
-
U.S. Code Title 31 added.
-
U.S. Code Title 44 added.
-
Presidential Policy Directive (PPD) 41 removed.
-
URLs for public laws, executive orders, OMB memoranda, and U.S. Codes added.
(48) Editorial changes were made throughout the IRM, to include: reviewing and updating for plain language, grammar, spelling, punctuation, titles, website addresses, legal and IRM references.
Effect on Other Documents
This IRM supersedes IRM 10.8.2 dated November 7, 2023. This IRM incorporates the following interim guidance (IG) memorandums: IT-10-1023-0007, Authorizing Official Designated Representative (AODR), dated January 01, 2024; IT-10-0424-0008, NICE Framework Training, dated August 01, 2024; and IT-10-0824-0013, Senior Agency Information Security Officer (SAISO)/Chief Information Security Officer (CISO) Responsibilities, dated October 01, 2024. This IRM supplements IRM 10.8.1, Information Technology (IT) Security, Security Policy.
Audience
All personnel responsible for ensuring security is provided for IRS information and systems. This IRM applies to all employees, contractors and vendors of the IRS.
Effective Date
(04-29-2025)
Rajiv Uppal
Chief Information Officer
-
Overview: This IRM establishes the information technology (IT) security roles and responsibilities relevant to sensitive information and systems for IRS organizations and employees.
-
Program Purpose: Develop and publish policies to protect the IRS against potential security threats, risks, and vulnerabilities to ensure compliance with federal mandates and legislation.
-
Audience: The provisions in this manual apply to:
-
All offices and business, operating, and functional units within the IRS.
-
Individuals and organizations having contractual arrangements with the IRS, including employees, contractors, vendors, and outsourcing providers, who use or operate systems that store, process or transmit IRS information or connect to an IRS network or system.
-
-
Policy Owner: Chief Information Officer
-
Program Owner: Cybersecurity, Cybersecurity Threat Response and Remediation, an organization within Cybersecurity.
-
Program Goals: To protect the confidentiality, integrity, and availability of IRS information and systems.
-
IRM 10.8.2 has been aligned to the roles and responsibilities described in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-100, Information Security Handbook: A Guide for Managers, and SP 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.
-
IRM 10.8.2 is part of the IRM 10.8, Information Technology (IT) Security series for IRS IT Cybersecurity.
-
All IRS systems and applications are required to comply with Executive Orders (EOs), Office of Management and Budget (OMB), Federal Information Security Modernization Act of 2014 (FISMA), NIST, Department of Homeland Security (DHS), Treasury, and IRS guidelines as they apply.
-
Treasury Directive Publication (TD P) 85-01, Department of the Treasury Information Technology Security Program and federal regulations require senior management/executive officials establish an IT security program, which includes the identification of roles and responsibilities that support IT security.
-
The IRS implements IT security roles and responsibilities to ensure the confidentiality, integrity, and availability of its systems, applications, and information. This IRM covers roles and responsibilities that support the IT security program.
-
Although IRM 10.8.2 is intended to be the primary source for general IT security roles and responsibilities, all documents in the 10.8 series, additional applicable policy suites of IRMs and applicable business unit procedural guidance (e.g., standard operating procedures (SOP)) must be carefully reviewed for an individual to comprehensively understand their role and specific responsibilities in their environmental context. IRMs in the 10.8 series provide explicit requirements where security roles and responsibilities are delineated.
-
Because each document has its own update lifecycle, there may be instances where updated roles and responsibilities are published in supplementary policies that have not yet been added to this IRM. In those instances, the newer published roles and responsibilities must be followed along with those stated in this IRM.
-
-
The IRS security policy program establishes a framework of controls to ensure the inclusion of security into the IRS IT environment. This framework is provided through the issuance of security policies via the IRM 10.8 series and the development of security requirements checklists. Stakeholders are notified when revisions to the security policies and security requirements checklists are made.
-
It is the policy of the IRS to:
-
Establish and manage an information security program within its organizations. This IRM provides uniform policies and guidance to be used by each organization.
-
Protect all IT resources belonging to, or used by, the IRS at a level commensurate with the risk and magnitude of harm that could result from loss, misuse, or unauthorized access to that IT resource.
-
Protect its information resources and allow the use, access, disposition, and disclosure of information in accordance with applicable laws, policies, federal regulations, OMB guidance, Treasury Directives (TDs), NIST Publications, National Archives and Records Administration (NARA) guidance, other regulatory guidance, and best practice methodologies.
-
Use best practice methodologies (e.g., Capability Maturity Model Integration (CMMI), Information Technology Infrastructure Library (ITIL), and Lean Six Sigma (LSS)) to document and improve IRS IT process and service efficiency and effectiveness.
-
-
Each IRM in the 10.8 series is assigned an author who reviews the IRM to ensure accuracy. The IRM authors continuously monitor federal guidance (e.g., OMB, Cybersecurity and Infrastructure Security Agency (CISA), NIST, DISA) for potential revisions to security policies and security requirements checklists. Revisions to security policies and checklists are reviewed by the security policy team, in collaboration with applicable stakeholders, for potential impact to the IRS operational environment.
-
Security policy provides a report identifying security policies and security requirements checklists that have recently been revised or are in the revision process.
-
For information systems that store, process, or transmit classified information, refer to IRM 10.9.1, Classified National Security Information (CNSI), for guidance on protecting classified information.
-
In the event there is a discrepancy between this IRM and IRM 10.8.1, Information Technology (IT) Security, Security Policy, IRM 10.8.1 has precedence, unless the security controls/requirements in this IRM are more restrictive.
-
Refer to Exhibit 10.8.2-2, Terms and Acronyms for a list of terms, acronyms, and definitions.
-
In addition to federal guidance cited throughout this IRM, this IRM incorporates IRS-defined policy, regulatory and mandated guidance, and policy from other sources. Refer to Exhibit 10.8.2-3, Related Resources for a list of related resources and references.
-
Any exception to this IRM requires that the authorizing official (AO) make a risk acceptance decision.
-
Users must submit risk-based decision (RBD) requests in accordance with Cybersecurity’s Security Risk Management (SRM) risk acceptance process documented in the Request for Risk Acceptance and Risk Based Decision (RBD) standard operating procedures (SOP).
-
Refer to IRM 10.8.1 for additional guidance on risk acceptance and RBDs.
-
This IRM establishes the IT security roles and responsibilities for the IRS.
-
In accordance with IRM 10.8.1, the IRS must implement security roles and responsibilities in accordance with federal laws and IT security guidelines that are appropriate for specific operations and functions.
-
-
The following roles and responsibilities are based on FISMA, NIST, and Department of the Treasury guidance and policies.
-
Throughout this IRM, roles may be identified as being responsible for creating, updating, and maintaining documentation. This may be accomplished through agreements and coordination with other organizational entities. When this is done, it does not relieve the individual with the role of the responsibility, but rather requires effective communication between the two parties.
-
The IRS must ensure there are no conflicts of interest when assigning the same individual to multiple risk management roles. [NIST: SP 800-37 | NIST: SP 800-100]
Example:
Authorizing officials cannot occupy the role of system owner or common control provider for systems or common controls they are authorizing. In addition, combining multiple roles for security and privacy requires care because the two disciplines may require different expertise, and in some circumstances, the priorities may be competing.
-
There are several governance stakeholders common to most organizations that span the organization. These stakeholders include senior management/executive official, a chief information officer (CIO), information security personnel, and a chief financial officer (CFO), among others. The specific requirements of each role may differ with the degree of information security governance centralization or in response to the specific missions and needs of an organization. [NIST: SP 800-100]
-
The following subsections provide functional roles and responsibilities for personnel who have security-related governance responsibility for the protection of information systems they operate, manage and support. These roles are defined in accordance with FISMA, NIST, OMB, Treasury and IRS Policy and Guidelines.
-
The agency head is a senior official in the agency responsible and accountable for providing information security protections commensurate with the risk to organizational operations and assets, individuals, other organizations, and the Nation—that is, risk resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of the agency; and the information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. [NIST: SP 800-37]
-
The agency head ensures that: [NIST: SP 800-37]
-
Information security and privacy management processes are integrated with strategic and operational planning processes;
-
Senior management/executive officials provide information security, for the information and information systems supporting the operations and assets under their control;
-
Senior agency officials for privacy are designated who are responsible and accountable for ensuring compliance with applicable privacy requirements, managing privacy risk, and the organization’s privacy program;
-
The agency has adequately trained personnel to assist in complying with security and privacy requirements in legislation, EOs, policies, directives, instructions, standards, and guidelines; and
-
Privacy interests are protected and that personally identifiable information (PII) is managed responsibly within the agency.
-
-
The agency head establishes: [NIST: SP 800-37]
-
The agency commitment and the actions required to effectively manage security and privacy risk and protect the missions and business functions being carried out by the organization.
-
Security and privacy accountability and provides active support and oversight of monitoring and improvement for the security and privacy programs.
-
-
The agency head is responsible for the following risk management framework (RMF) tasks: [NIST: SP 800-37]
Note:
The agency head is identified as having “Primary Responsibility” for these RMF tasks. These tasks may be shared responsibilities with other RMF roles. For roles identified as having a “Supporting Role” for these tasks, see NIST SP 800-37.
-
Identify and assign individuals to specific roles associated with security and privacy risk management; and
-
Establish a risk management strategy for the organization that includes a determination of risk tolerance.
-
-
The agency head is responsible for: [Federal: P.L. 113-283 Sec. 3554]
- Providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of:
  i. Information collected or maintained by or on behalf of the agency.
  ii. Information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.
- Complying with the requirements of FISMA Section 3544 and related policies, procedures, standards, and guidelines, including:
  i. Information security standards promulgated under the U.S. Code Section 11331 of Title 40.
  ii. Information security standards and guidelines for national security systems issued in accordance with law and as directed by the President.
- Designating the CIO, who reports directly to the agency head;
- Implementing policies and procedures to cost-effectively reduce risks to an acceptable level;
- Periodically testing and evaluating information security controls and techniques to ensure that they are effectively implemented;
- Delegating to the CIO, established under Section 3506 of the FISMA Act (or comparable official in an agency not covered by such section), the authority to ensure compliance with the requirements imposed on the agency;
- Ensuring that the CIO, in coordination with other senior management/executive officials, reports annually to the agency head on the effectiveness of the agency information security program to include progress of remedial actions; and
- Ensuring that all personnel are held accountable for complying with the IRS-wide information security program.

The agency head designates a nonpolitical appointee employee in the agency as the chief data officer of the agency. [Federal: P.L. 115-435, Section 3520]
The CIO must have Top Secret Sensitive Compartmented Information (TS-SCI) access. [OMB: M-20-04]

The CIO has the following responsibilities: [Federal: Taxpayer First Act, Section 2101]
- Be responsible for the development, implementation, and maintenance of IT for the IRS;
- Ensure the IT of the IRS is secure and integrated;
- Maintain operational control of all IT for the IRS;
- Be the principal advocate for the IT needs of the IRS;
- Consult with the chief procurement officer (CPO) to ensure the acquisition of IT for the IRS is consistent with IRS security policies and the strategic plan for the IRS IT needs; and
- Develop and implement a multiyear strategic plan for the IT needs of the IRS, which:
  (i) Includes performance measurements of such technology and of the implementation of such plan;
  (ii) Includes a plan for an integrated enterprise architecture of the IT of the IRS;
  (iii) Includes and takes into account the resources needed to accomplish such plan;
  (iv) Takes into account planned major acquisitions of IT by the IRS; and
  (v) Aligns with the needs and strategic plan of the IRS.

The CIO has the following responsibilities: [NIST: SP 800-37]
- Designate a SAISO/CISO, who carries out the CIO’s responsibilities for system and program security planning and assessments;
- Develop and maintain an agency-wide information security program, including information security policies, procedures, and control techniques to address system security planning and all applicable requirements;
- Determine, in conjunction with the AO, the appropriate allocation of resources dedicated to the protection of the organization’s missions and business functions and the information systems supporting those missions/business functions, based on organizational priorities;
- For information systems that process PII, coordinate, together with the AO, any determination about the allocation of resources dedicated to the protection of those systems with the chief privacy officer;
- Ensure that personnel with significant responsibilities for system and program security plans and assessments are trained;
- Assist senior management/executive officials concerning their security responsibilities; and
- Report annually to the agency head on the effectiveness of the agency information security program, including progress of remedial actions.

The CIO, with the support of the senior accountable official for risk management, the risk executive (function), and the senior agency information security officer/chief information security officer, works closely with authorizing officials and their designated representatives to help ensure that: [NIST: SP 800-37]
- An IRS-wide security program is effectively implemented, resulting in security for all IRS systems and environments of operation;
- Security and privacy (including supply chain) risk management considerations are integrated into programming/planning/budgeting cycles, enterprise architectures, the system development life cycle (SDLC), and acquisitions;
- IRS systems and common controls are covered by approved system security plans (SSPs) and possess current authorizations;
- Security activities required across the IRS are accomplished in an efficient, cost-effective, and timely manner; and
- There is centralized reporting of security activities.

The CIO is responsible for the following RMF tasks: [NIST: SP 800-37]
Note: The CIO is identified as having “Primary Responsibility” for these RMF tasks. These tasks may be shared responsibilities with other RMF roles. For tasks in which the AO is identified as having a “Supporting Role”, see NIST SP 800-37.
- Identify and assign individuals to specific roles associated with security and privacy risk management.

The CIO has the following responsibilities: [Treasury: IRP]
- Empower IRS CSIRC to investigate and respond to incidents;
- Ensure that the Treasury Shared Services Security Operations Center (TSOC) gets immediate notification of events/incidents from the incident response teams and/or the IRS CISO;
- Ensure execution of the IRS internal response, including engagement of IRS privacy personnel with respect to breaches and appropriate escalation to senior IRS and Treasury officials; and
- Notify the Treasury CIO of events and incidents that may be considered for a major incident declaration or that have an impact on mission essential functions.

The CIO has the following software piracy responsibilities: [Treasury: TD 85-02]
- Develop and implement an enterprise-level plan that ensures that the agency is in compliance with EO 13103;
- Coordinate with Department of the Treasury bureaus and offices an initial assessment of the agency’s existing policies and practices with respect to the use and management of computer software, conducted through qualified personnel or an outside contractor;
- Maintain an electronic enterprise list of Treasury Department authorized and supported software. The list indicates, by bureau and office, the terms of licenses, the authorized number of users, and the physical location of the software;
- Perform spot audits. Periodic audit checks are done to ensure bureaus and offices are in compliance with software license agreements; and
- Establish centralized software acquisition whenever possible.

The CIO is a member of any investment or related board of the IRS with purview over IT, or any board responsible for setting IRS-wide IT standards. [EO: 13833]

The CIO, as tasked by FISMA, administers training and oversees personnel with significant information security responsibilities. To accomplish this, the CIO works with the SAISO/CISO to: [Federal: P.L. 113-283]
- Establish the overall strategy for the information security awareness and training program;
- Ensure that the agency head, senior managers, system and information owners, and others understand the concepts and strategy of the information security awareness and training program, and are informed of the progress of the program’s implementation;
- Ensure that the agency’s information security awareness and training program is funded;
- Ensure that an effective information security awareness effort is developed and employed such that all personnel are routinely or continuously exposed to awareness messages through posters, email messages, logon banners, and other techniques; and
- Ensure that effective tracking and reporting mechanisms are in place.

The CIO has the following information security continuous monitoring (ISCM) responsibilities: [NIST: SP 800-137]
- Lead the organization’s ISCM program;
- Ensure that an effective ISCM program is established and implemented for the organization by establishing expectations and requirements for the organization’s ISCM program;
- Work closely with authorizing officials to provide funding, personnel, and other resources to support ISCM; and
- Maintain high-level communications and working group relationships among organizational entities.

The chief data officer (CDO) of an agency is designated on the basis of demonstrated training and experience in data management, governance (including creation, application, and maintenance of data standards), collection, analysis, protection, use, and dissemination, including with respect to any statistical and related techniques to protect and de-identify confidential data. [Federal: P.L. 115-435, Section 3520]

The CDO has the following responsibilities: [Federal: P.L. 115-435, Section 3520]
- Be responsible for lifecycle data management;
- Coordinate with any official in the agency responsible for using, protecting, disseminating, and generating data to ensure that the data needs of the agency are met;
- Manage data assets of the agency, including the standardization of data format, sharing of data assets, and publication of data assets in accordance with applicable law;
- In carrying out the requirements under paragraphs (2)c and (2)e, consult with any statistical official of the agency (as designated under section 314 of title 5);
- Carry out the requirements of the agency under subsections (b) through (d), (f), and (i) of section 3506, section 3507, and section 3511 of title 44;
- Ensure that, to the extent practicable, agency data conforms with data management best practices;
- Engage agency employees, the public, and contractors in using public data assets and encourage collaborative approaches on improving data use;
- Support the performance improvement officer of the agency in identifying and using data to carry out the functions described in section 1124(a)(2) of title 31;
- Support the evaluation officer of the agency in obtaining data to carry out the functions described in section 313(d) of title 5;
- Review the impact of the infrastructure of the agency on data asset accessibility and coordinate with the CIO of the agency to improve such infrastructure to reduce barriers that inhibit data asset accessibility;
- Ensure that, to the extent practicable, the agency maximizes the use of data in the agency, including for the production of evidence (as defined in section 3561 of title 44), cybersecurity, and the improvement of agency operations;
- Identify points of contact for roles and responsibilities related to open data use and implementation (as required by the Director);
- Serve as the agency liaison to other agencies and the OMB on the best way to use existing agency data for statistical purposes (as defined in section 3561 of the Foundations for Evidence-Based Policymaking Act of 2018); and
- Comply with any regulation and guidance issued under subchapter III, including the acquisition and maintenance of any required certification and training.

Delegation of Responsibilities: [Federal: P.L. 115-435, Section 3520]
- In general – To the extent necessary to comply with statistical laws, the CDO may delegate any responsibility to the head of a statistical agency or unit (as defined in section 3561 of title 44) within the agency.
- Consultation – To the extent permissible under law, the individual to whom a responsibility has been delegated must consult with the CDO of the agency in carrying out such responsibility.
- Deference – The CDO must defer to the individual to whom a responsibility has been delegated regarding the necessary delegation of such responsibility with respect to any data acquired, maintained, or disseminated by the agency under applicable statistical law.

The CDO submits to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Government Reform of the House of Representatives an annual report on the compliance of the agency with the requirements of subchapter I of title 44, including information on each requirement that the agency could not carry out and, if applicable, what the agency needs to carry out such requirement. [Federal: P.L. 115-435, Section 3520]
The SAISO/CISO is an organizational official responsible for carrying out the CIO security responsibilities under FISMA and serves as the primary liaison for the CIO to the organization’s AOs, system owners, common control providers, and system security officers (SSOs). [NIST: SP 800-37]
The SAISO/CISO collaborates with the chief privacy officer to ensure coordination between privacy and security activities. [OMB: A-130 Appendix I (3)(b)(11)]
The SAISO/CISO must have TS-SCI access. [OMB: M-20-04]

The SAISO/CISO ensures the IRS adheres to Treasury policy, follows best practices, and is adequately prepared to prevent, detect, identify, respond to, and recover from cybersecurity incidents. [Treasury: IRP]

The SAISO/CISO, through delegation by the CIO, has the following responsibilities: [Federal: P.L. 113-283 Section 3554 | NIST: SP 800-100]
-
Carry out the CIO’s FISMA responsibilities delegated to them;
-
Possess the qualifications, training and experience required to administer information security program functions;
-
Maintain information security duties as their primary responsibility;
-
Head an office with the mission of assisting in achieving FISMA compliance;
-
Develop, document, and implement an agency-wide information security program to provide security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source;
-
Periodically assess the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency;
-
Develop and maintain risk-based, cost-effective information security policies, procedures, and control techniques that address all applicable requirements throughout the life cycle of each agency information system;
-
Facilitate development of subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems;
-
Periodically test and evaluate the effectiveness of information security policies, procedures, and practices;
-
Establish and maintain a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency;
-
Develop and implement procedures for detecting, investigating, reporting, responding, and resolving security incidents;
-
Train and oversee IRS personnel, contractors, and others with significant responsibilities for information security with respect to such responsibilities;
-
Ensure preparation and maintenance of plans and procedures to provide continuity of operations for information systems that support the operations and assets of the agency;
-
Ensure that contingency plans for IT systems are developed, maintained, and tested;
-
Support the agency CIO in annual reporting to the agency head on the effectiveness of the agency information security program, including progress of remedial actions; and
-
Assist senior management/executive officials concerning their responsibilities.
-
-
The SAISO/CISO is responsible for the following RMF tasks: [NIST: SP 800-37]
Note:
The SAISO/CISO is identified as having “Primary Responsibility” for these RMF tasks. These tasks may be shared responsibilities with other RMF roles. For tasks in which the SAISO/CISO is identified as having a “Supporting Role”, see NIST SP 800-37.
-
Assess organization-wide security and privacy risk and update the risk assessment results on an ongoing basis;
-
Identify, document, and publish organization-wide common controls that are available for inheritance by organizational systems;
-
Update security and privacy plans, plans of action and milestones, and security and privacy assessment reports based on the results of the continuous monitoring process; and
-
Report the security and privacy posture of the system to the authorizing official and other organizational officials on an ongoing basis in accordance with the organizational continuous monitoring strategy.
-
-
The SAISO/CISO has the following ISCM responsibilities: [NIST: SP 800-137 | Treasury: ISCM]
-
Establish, implement, and maintain the organization’s ISCM program;
-
Develop organizational program guidance (i.e., policies/procedures) for continuous monitoring of the security program and information systems;
-
Develop configuration management guidance for the organization;
-
Consolidate and analyze POA&Ms to determine organizational security weaknesses and deficiencies;
-
Acquire or develop and maintain automated tools to support ISCM and ongoing authorizations;
-
Provide training on the organization’s ISCM program and process;
-
Provide support to information owners/information system owners and common control providers on how to implement ISCM for their information systems; and
-
Develop and maintain any supplemental policy or guidance to the Treasury ISCM framework.
-
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
Note:
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
-
The control assessor has the following responsibilities: [NIST: SP 800-37]
-
Conduct a comprehensive assessment of controls and control enhancements implemented within or inherited by a system to determine the effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization);
-
Assess the implemented controls using the assessment procedures specified in the security and privacy assessment plans;
-
Prepare security and privacy assessment reports containing the results and findings from the assessment;
-
Provide an assessment of the severity of the deficiencies discovered in the system, environment of operation, and common controls; and
-
Provide recommended corrective actions to address identified vulnerabilities.
-
-
The control assessor is responsible for the following RMF tasks: [NIST: SP 800-37]
Note:
The security control assessor is identified as having “Primary Responsibility” for these RMF tasks. These tasks may be shared responsibilities with other RMF roles. For tasks in which the security control assessor is identified as having a “Supporting Role”, see NIST SP 800-37.
-
Develop, review, and approve plans to assess implemented controls;
-
Assess the controls in accordance with the assessment procedures described in assessment plans;
-
Prepare the assessment reports documenting the findings and recommendations from the control assessments;
-
Conduct initial remediation actions on the controls and reassess remediated controls; and
-
Update security and privacy assessment reports.
-
-
The security control assessor has the following ISCM responsibilities: [NIST: SP 800-137]
-
Provide input into the types of security-related information gathered;
-
Assess information system or program management security controls;
-
Develop a security assessment plan for each security control;
-
Submit the security assessment plan for approval prior to conducting assessments;
-
Conduct assessments of security controls as defined in the security assessment plan;
-
Update the security assessment report as changes occur during ISCM; and
-
Update/revise the security assessment plan as needed.
-
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
-
The common control provider is an IRS official or group responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security controls inherited by information systems). [NIST: SP 800-37]
-
The common control provider has the following responsibilities: [NIST: SP 800-37]
-
Ensure that the common controls to be utilized are documented in the system’s security documentation (e.g., the system security plan (SSP));
-
Ensure that required assessments of common controls are carried out by qualified assessors with an appropriate level of independence;
-
Document assessment findings in a security assessment report;
-
Produce a POA&M for all controls having weaknesses or deficiencies; and
-
Make security plans, security assessment reports, and POA&Ms for common controls (or a summary of such information) available to information system owners inheriting those controls after the information is reviewed and approved by the senior management/executive official or executive with oversight responsibility for those controls.
-
-
The common control provider is responsible for the following RMF tasks: [NIST: SP 800-37]
Note:
The common control provider is identified as having “Primary Responsibility” for these RMF tasks. These tasks may be shared responsibilities with other RMF roles. For tasks in which the common control provider is identified as having a “Supporting Role”, see NIST SP 800-37.
-
Select the controls for the system and the environment of operation;
-
Tailor the controls selected for the system and the environment of operation;
-
Document the controls for the system and environment of operation in security and privacy plans;
-
Develop and implement a system-level strategy for monitoring control effectiveness that is consistent with and supplements the organizational continuous monitoring strategy;
-
Implement the controls in the security and privacy plans;
-
Document changes to planned control implementations based on the “as-implemented” state of controls;
-
Conduct initial remediation actions on the controls and reassess remediated controls;
-
Prepare the POA&Ms based on the findings and recommendations of the assessment reports;
-
Assemble the authorization package and submit the package to the authorizing official for an authorization decision;
-
Analyze and determine the risk from the operation or use of the system or the provision of common controls;
-
Monitor the information system and its environment of operation for changes that impact the security and privacy posture of the system;
-
Respond to risk based on the results of ongoing monitoring activities, risk assessments, and outstanding items in plans of action and milestones;
-
Update plans, assessment reports, and plans of action and milestones based on the results of the continuous monitoring process; and
-
Report the security and privacy posture of the system to the authorizing official and other organizational officials on an ongoing basis in accordance with the organizational continuous monitoring strategy.
-
-
The common control provider has the following ISCM responsibilities: [NIST: SP 800-137]
-
Establish processes and procedures in support of ongoing monitoring of common controls;
-
Develop and document an ISCM strategy for assigned common controls;
-
Participate in the organization’s configuration management process;
-
Establish and maintain an inventory of components associated with the common controls;
-
Conduct security impact analyses on changes that affect the common controls;
-
Ensure security controls are assessed according to the ISCM strategy;
-
Prepare and submit security status reports in accordance with organizational policy/procedures;
-
Conduct remediation activities as necessary to maintain common control authorization;
-
Update/revise the common security control monitoring process as required;
-
Update critical security documents as changes occur; and
-
Distribute critical security documents to individual information owners/system owners, and other senior leaders in accordance with organizational policy/procedures.
-
-
Executive agencies within the federal government shall: [OMB: A-130]
-
Plan for security in all phases of the system life cycle;
-
Ensure appropriate officials are assigned security responsibility;
-
Review security controls annually (i.e., the FISMA annual security program review);
-
Formally authorize (accredit) processing prior to operations (as an AO) and periodically thereafter; and
-
Balance mission and business priorities against any applicable security risks.
-
-
FISMA, OMB, and Department of the Treasury guidance specify that senior management/executive officials are subordinate to the Commissioner and are responsible for:
-
Exercising oversight to ensure that a program manager is assigned for each system;
-
Exercising oversight over cybersecurity awareness training funding; and
-
Annually validating and updating the master inventory of information systems.
-
-
The system owner is the agency official responsible for the overall procurement, development, integration, modification, operation, maintenance, and disposal of a system. The system owner may rely on the assistance and advice of the SSO, system operators, and other IT staff in the implementation of security responsibilities. [NIST: SP 800-37 | Treasury: TD P 85-01]
-
The system owner serves both as an owner and as the central point of contact between the authorization process and the owners of components of the system including, for example: (i) applications, networking, servers, or workstations; (ii) owners/stewards of information processed, stored, or transmitted by the system; and (iii) owners of the missions and business functions supported by the system. [NIST: SP 800-39]
-
The system owner must be identified in the security plan for each system. [NIST: SP 800-18]
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
Note:
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ -
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
-
The system owner has the following responsibilities: [NIST: SP 800-37]
-
Address the operational interests of the user community (i.e., users who require access to the information system to satisfy mission, business, or operational requirements);
-
Ensure compliance with the information security requirements;
-
Develop and maintain, in coordination with the SSO and privacy officer, the security and privacy plans, and ensure that the system is deployed and operated in accordance with the selected and implemented controls;
-
Decide, in coordination with the information owner/steward, who has access to the system (and with what types of privileges or access rights);
-
Ensure that system users and support personnel receive the requisite security and privacy training;
-
Inform organizational officials of the need to conduct the authorization, ensure that resources are available for the effort, and provide the required system access, information, and documentation to control assessors;
-
Receive the security and privacy assessment results from the control assessors;
-
Ensure appropriate steps to reduce or eliminate vulnerabilities or security and privacy risks are taken; and
-
Assemble the authorization package and submit the package to the authorizing official or the authorizing official designated representative for adjudication.
-
-
The system owner is responsible for the following RMF tasks: [NIST: SP 800-37]
Note:
The system owner is identified as having “Primary Responsibility” for these RMF tasks. These tasks may be shared responsibilities with other RMF roles. For tasks in which the system owner is identified as having a “Supporting Role”, see NIST SP 800-37.
-
Identify stakeholders who have an interest in the design, development, implementation, assessment, operation, maintenance, or disposal of the system;
-
Identify assets that require protection;
-
Identify the types of information to be processed, stored, and transmitted by the system;
-
Identify and understand all stages of the information life cycle for each information type processed, stored, or transmitted by the system;
-
Conduct a system-level risk assessment and update the risk assessment results on an ongoing basis;
-
Define the security and privacy requirements for the system and the environment of operation;
-
Register the system with organizational program or management offices;
-
Document the characteristics of the system;
-
Categorize the system and document the security categorization results;
-
Select the controls for the system and the environment of operation;
-
Tailor the controls selected for the system and the environment of operation;
-
Document the controls for the system and environment of operation in security and privacy plans;
-
Develop and implement a system-level strategy for monitoring control effectiveness that is consistent with and supplements the organizational continuous monitoring strategy;
-
Implement the controls in the security and privacy plans;
-
Document changes to planned control implementations based on the “as-implemented” state of controls;
-
Conduct initial remediation actions on the controls and reassess remediated controls;
-
Prepare the POA&M based on the findings and recommendations of the assessment reports;
-
Assemble the authorization package and submit the package to the authorizing official for an authorization decision;
-
Monitor the information system and its environment of operation for changes that impact the security and privacy posture of the system;
-
Respond to risk based on the results of ongoing monitoring activities, risk assessments, and outstanding items in plans of action and milestones;
-
Update plans, assessment reports, and plans of action and milestones based on the results of the continuous monitoring process;
-
Report the security and privacy posture of the system to the authorizing official and other organizational officials on an ongoing basis in accordance with the organizational continuous monitoring strategy; and
-
Implement a system disposal strategy and execute required actions when a system is removed from operation.
-
-
The system owner has the following contingency plan responsibilities: [NIST: SP 800-34]
-
Ensure they are identified in a system’s contingency plans as the system owner;
-
Conduct tabletop exercises;
-
Facilitate functional exercises; and
-
Carry out responsibilities as defined within a system’s contingency plans.
-
-
The system owner has the following ISCM responsibilities: [NIST: SP 800-137]
-
Establish processes and procedures in support of system-level implementation of the organization’s ISCM program. This includes developing and documenting an ISCM strategy for the information system;
-
Participate in the organization’s configuration management process;
-
Establish and maintain an inventory of components associated with the information system;
-
Conduct security impact analyses on changes to the information system;
-
Conduct, or ensure the conduct of, assessments of security controls according to the ISCM strategy;
-
Prepare and submit security status reports in accordance with organizational policy and procedures;
-
Conduct remediation activities as necessary to maintain system authorization;
-
Revise the system-level security control monitoring process as required;
-
Review ISCM reports from common control providers to verify that the common controls continue to provide adequate protection for the information system; and
-
Update critical security documents based on the results of ISCM.
-
-
The system owner must: [NIST: SP 800-18]
-
Be identified in the SSP for each system;
-
Be assigned in writing; and
-
Have their contact information contained in the SSP.
-
-
The business system planner (BSP) performs duties outlined for senior management/executives.
-
The security program management officers (SPMOs) have been established within the business units and IRS IT Cybersecurity organization to support their AO and other staff with the successful completion of that office's security related responsibilities, including the successful completion of all FISMA requirements.
-
The SPMO supports BSP functions, system owners, and FISMA activities, and provides other security-related support as required.
-
The SPMO provides SSOs for the systems owned by their respective business unit.
-
When there is no SSO assigned for a system, the SPMO shall assume the role of the SSO.
-
-
The SPMO, in support of FISMA, has the following responsibilities:
-
Ensure development and implementation of the IRS security program strategy to meet FISMA requirements;
-
Ensure currency of the FISMA Master Inventory;
-
Coordinate and ensure completion of annual security reviews;
-
Make security determinations (such as prioritization) for weakness reporting;
-
Ensure timely completion of POA&M weaknesses and obtain AO or AO point of contact (POC) concurrence;
-
Collaborate with other SPMOs to ensure consistency of FISMA activities across business units;
-
Serve as the security point of contact for business unit staff supporting FISMA and as the cybersecurity interface into the business unit;
-
Identify training needs and deliver IT security awareness training to current and newly assigned personnel in the business unit; and
-
Present all training and orientation materials to AOs and various POCs, at minimum, annually.
-
-
The SPMO, for weaknesses and POA&Ms, has the following responsibilities:
-
Identify and track, with SSO support, the corrective actions to mitigate the weaknesses in the POA&M through status updates, changes to milestones, and additional comments;
-
Identify the scheduled completion date, cost, and resources needed to mitigate each weakness;
-
Validate the effectiveness of the corrective actions during continuous monitoring or security control assessment (SCA);
-
Combine and review all high level security weaknesses from the self-assessment, risk assessment, Treasury Inspector General for Tax Administration (TIGTA) audits, GAO audits, and internal reviews into POA&M weaknesses;
-
As determined by their business unit, consolidate self-assessment scores for their business unit applications then brief POCs and AOs on results; and
-
Support the development of answers to the self-assessment questions that cross multiple business units.
-
-
The mission or business owner has the following responsibilities: [NIST: SP 800-37]
-
Be the senior official or executive within an organization with specific mission or line of business responsibilities and that has a security or privacy interest in the organizational systems supporting those missions or lines of business;
-
Be a key stakeholder that has a significant role in establishing organizational mission and business processes and the protection needs and security and privacy requirements that ensure the successful conduct of the organization’s missions and business operations;
-
Provide essential inputs to the risk management strategy;
-
Play an active part in a system’s life cycle development; and
-
Serve, where so designated, in the role of authorizing official.
-
-
The mission or business owner is responsible for the following RMF tasks: [NIST: SP 800-37]
Note:
The mission or business owner is identified as having “Primary Responsibility” for these RMF tasks. These tasks may be shared responsibilities with other RMF roles. For tasks in which the mission or business owner is identified as having a “Supporting Role”, see NIST SP 800-37.
-
Establish, document, and publish organizationally-tailored control baselines and/or cybersecurity framework profiles;
-
Identify the missions, business functions, and mission/business processes that the system is intended to support;
-
Identify stakeholders who have an interest in the design, development, implementation, assessment, operation, maintenance, or disposal of the system;
-
Define the security and privacy requirements for the system and the environment of operation; and
-
Determine the placement of the system within the enterprise architecture.
-
-
If the mission or business owner has been approved to perform the functions of acquisition, management, and operation and maintenance of an information system, then they perform the system owner responsibilities defined within this IRM.
-
The information owner is an IRS official with statutory, management, or operational authority for specified information and responsibility for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal. [NIST: SP 800-37]
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
≡ ≡ ≡ -
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
-
The information owner provides input to system owners regarding the security and privacy requirements and controls for the systems where the information is processed, stored, or transmitted. [NIST: SP 800-37]
-
The information owner, in collaboration with the AO, must approve, in writing, each of the following before it occurs: [NIST: SP 800-37]
-
The physical removal of sensitive but unclassified (SBU) information from IRS facilities; and
-
The download and remote storage of SBU information outside of IRS facilities.
-
-
The information owner is responsible for the following RMF tasks: [NIST: SP 800-37]
Note:
The information owner is identified as having “Primary Responsibility” for these RMF tasks. These tasks may be shared responsibilities with other RMF roles. For tasks in which the information owner is identified as having a “Supporting Role”, see NIST SP 800-37.
-
Identify the types of information to be processed, stored, and transmitted by the system;
-
Identify and understand all stages of the information life cycle for each information type processed, stored, or transmitted by the system;
-
Define the security and privacy requirements for the system and the environment of operation; and
-
Categorize the system and document the security categorization results.
-
-
Refer to the Mission or Business Owner subsection within this IRM for mission or business owner responsibilities.
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ -
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
-
The AO has the following responsibilities: [NIST: SP 800-37]
-
Be the only organizational official who can accept the security and privacy risk to organizational operations, organizational assets, and individuals;
-
Typically have budgetary oversight for the system or be responsible for the mission and/or business operations supported by the system;
-
Be in a management position with a level of authority commensurate with understanding and accepting such security and privacy risks;
-
Approve plans (e.g., system security, privacy, assessment), memorandums of agreement or understanding, and plans of action and milestones;
-
Determine whether significant changes in the information systems or environments of operation require reauthorization;
-
Coordinate their activities with common control providers, system owners, chief information officers, senior agency information security officers, senior agency officials for privacy, system security and privacy officers, control assessors, senior accountable officials for risk management/risk executive (function), and other interested parties during the authorization process;
-
May delegate the coordination and conduct of the day-to-day activities associated with managing risk to information systems and the organization, including many of the activities related to execution of the RMF, to the authorizing official designated representative (AODR).
Note:
Day-to-day activities do not include signing security authorization decision letters. The designated representative is to confer with the AO on decisions where the acceptance of risk to the organization is involved. The AO will then be required to officially accept the risk by signing the associated security authorization decision letter (i.e., the acceptability of risk to the agency).
-
Be responsible and accountable for ensuring that authorization activities and functions that are delegated to authorizing official designated representatives are carried out as specified;
-
-
The AO is responsible for the following RMF tasks: [NIST: SP 800-37]
Note:
The AO is identified as having “Primary Responsibility” for these RMF tasks. These tasks may be shared responsibilities with other RMF roles. For tasks in which the AO is identified as having a “Supporting Role”, see NIST SP 800-37.
-
Determine the authorization boundary of the system;
-
Review and approve the security categorization results and decision;
-
Review and approve the security and privacy plans for the system and the environment of operation;
-
Select the appropriate assessor or assessment team for the type of control assessment to be conducted;
-
Develop, review, and approve plans to assess implemented controls;
-
Analyze and determine the risk from the operation or use of the system or the provision of common controls;
-
Identify and implement a preferred course of action in response to the risk determined;
-
Determine if the risk from the operation or use of the information system or the provision or use of common controls is acceptable;
-
Report the authorization decision and any deficiencies in controls that represent significant security or privacy risk;
-
Respond to risk based on the results of ongoing monitoring activities, risk assessments, and outstanding items in POA&Ms; and
-
Review the security and privacy posture of the system on an ongoing basis to determine whether the risk remains acceptable.
-
-
The AO has the following ISCM responsibilities: [NIST: SP 800-137]
-
Assume responsibility for ensuring the organization’s ISCM program is applied with respect to a given information system under their purview;
-
Ensure the security posture of the information system is maintained;
-
Review security status reports and critical security documents and determine whether the risk to the organization from operation of the information system remains acceptable; and
-
In consultation with the SSO, determine whether significant information system changes require system reauthorization.
-
-
The AO must: [NIST: SP 800-18]
-
Be identified in the SSP for each system;
-
Be assigned in writing; and
-
Have their contact information contained in the system security plan.
-
-
The AODR is an organizational official designated by the AO who is empowered to act on behalf of the AO to coordinate and conduct the required day-to-day activities associated with managing risk to information systems and the organization. This includes carrying out many of the activities related to the execution of the RMF. [NIST: SP 800-37]
-
The AODR can be empowered by the AO (i.e., delegated) to make certain decisions with regard to the planning and resourcing of the security authorization process, such as: [NIST: SP 800-39]
-
Approve the security plan and security assessment plan; and
-
Approve and monitor the implementation of POA&Ms, and approve the assessment/determination of risk.
-
-
The AODR has the following responsibilities: [NIST: SP 800-39]
-
Prepare the final authorization package;
-
Obtain the AO’s signature on the authorizing decision document (i.e., authorization letter); and
-
Transmit the authorization package to appropriate organizational officials.
-
-
The only activity that cannot be delegated to the AODR by the AO is the authorization decision and the signing of the associated authorization decision document (i.e., the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation), including authorization letters and risk-based decision (RBD) memos. [NIST: SP 800-37]
-
The AODR is responsible for the following RMF tasks: [NIST: SP 800-37]
Note:
The AODR is identified as having “Primary Responsibility” for these RMF tasks. These tasks may be shared responsibilities with other RMF roles. For tasks in which the AODR is identified as having a “Supporting Role”, see NIST SP 800-37.
-
Review and approve the security categorization results and decision;
-
Review and approve the security and privacy plans for the system and the environment of operation;
-
Select the appropriate assessor or assessment team for the type of control assessment to be conducted;
-
Develop, review, and approve plans to assess implemented controls;
-
Analyze and determine the risk from the operation or use of the system or the provision of common controls;
-
Identify and implement a preferred course of action in response to the risk determined; and
-
Report the authorization decision and any deficiencies in controls that represent significant security or privacy risk.
-
-
The chief acquisition officer (CAO) is an organizational official designated by the head of agency. [NIST: SP 800-37]
-
The CAO advises and assists the head of agency and other agency officials to ensure that the mission of the agency is achieved through the management of the agency’s acquisition activities. [NIST: SP 800-37]
-
The CAO has the following responsibilities: [NIST: SP 800-37]
-
Monitor the performance of acquisition activities and programs;
-
Establish clear lines of authority, accountability, and responsibility for acquisition decision making within the agency;
-
Manage the direction and implementation of acquisition policy for the agency;
-
Establish policies, procedures, and practices that promote full and open competition from responsible sources to fulfill best value requirements considering the nature of the property or service procured; and
-
Coordinate with mission or business owners, AOs, senior accountable official for risk management, system owners, common control providers, SAISO/CISO, SAOP, and risk executive (function) to ensure that security and privacy requirements are defined in organizational procurements and acquisitions.
-
-
The CAO is identified as having a support role for several RMF tasks. Refer to NIST SP 800-37 Rev2 for these RMF tasks. [NIST: SP 800-37]
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ -
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
-
The SSO is a voting member on the CCB for the systems and applications for which they are assigned. [NIST: SP 800-53]
-
The SSO supports the SPMO in FISMA activities. [IRS: IRS-defined]
-
The SSO supports the ISCM program by assisting the system owner in completing ISCM responsibilities and by participating in the configuration management process. [NIST: SP 800-137]
-
The SSO, in support of the Treasury ISCM framework, has the following responsibilities: [Treasury: ISCM]
-
Establish and maintain processes and procedures in support of system-level implementation of the Treasury ISCM Framework;
-
Oversee and coordinate day-to-day operational ISCM activities associated with ensuring system security as described in NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, and Section 5 - ISCM Operational Security of the Treasury ISCM Framework;
-
Review security control implementations and assessment priority ratings from common control providers to verify that the common controls continue to provide adequate protection for the information system; and
-
Update critical security documents based on the results of ISCM.
-
-
The SSO is the agency official assigned responsibility by the SAISO/CISO, AO, or system owner for ensuring that the appropriate operational security posture is maintained for an information system or program. [NIST: SP 800-18]
-
The SSO has the following responsibilities: [NIST: SP 800-37]
-
Be an individual responsible for ensuring that the security posture is maintained for an organizational system, and work in close collaboration with the system owner;
-
Have the knowledge and expertise to manage the security aspects of an organizational system and, in many organizations, be assigned responsibility for the day-to-day system security operations;
-
Assist in the development of the system-level security policies and procedures and ensure compliance with those policies and procedures;
-
In close coordination with the system owner, play an active role in the monitoring of a system and its environment of operation to include developing and updating security plans, managing and controlling changes to the system, and assessing the security impact of those changes; and
-
Be responsible for aspects of the system that protect information and information systems from unauthorized system activity or behavior to provide confidentiality, integrity, and availability.
-
-
The SSO is responsible for the following RMF tasks: [NIST: SP 800-37]
Note:
The SSO is identified as having “Primary Responsibility” for these RMF tasks. These tasks may be shared responsibilities with other RMF roles.
-
Conduct a system-level risk assessment and update the risk assessment results on an ongoing basis;
-
Allocate security and privacy requirements to the system and to the environment of operation; and
-
Allocate security and privacy controls to the system and to the environment of operation.
-
-
The SSO functions in a “Support Role” for the following RMF tasks: [NIST: SP 800-37]
-
Identify the types of information to be processed, stored, and transmitted by the system;
-
Define the security and privacy requirements for the system and the environment of operation;
-
Register the system with organizational program or management offices;
-
Document the characteristics of the system;
-
Categorize the system and document the security categorization results;
-
Select the controls for the system and the environment of operation;
-
Tailor the controls selected for the system and the environment of operation;
-
Document the controls for the system and environment of operation in security and privacy plans;
-
Develop and implement a system-level strategy for monitoring control effectiveness that is consistent with and supplements the organizational continuous monitoring strategy;
-
Implement the controls in the security and privacy plans;
-
Document changes to planned control implementations based on the “as-implemented” state of controls;
-
Develop, review, and approve plans to assess implemented controls;
-
Assess the controls in accordance with the assessment procedures described in assessment plans;
-
Prepare the assessment reports documenting the findings and recommendations from the control assessments;
-
Conduct initial remediation actions on the controls and reassess remediated controls;
-
Prepare the plan of action and milestones based on the findings and recommendations of the assessment reports;
-
Assemble the authorization package and submit the package to the authorizing official for an authorization decision;
-
Identify and implement a preferred course of action in response to the risk determined;
-
Report the authorization decision and any deficiencies in controls that represent significant security or privacy risk;
-
Monitor the information system and its environment of operation for changes that impact the security and privacy posture of the system;
-
Assess the controls implemented within and inherited by the system in accordance with the continuous monitoring strategy;
-
Respond to risk based on the results of ongoing monitoring activities, risk assessments, and outstanding items in plans of action and milestones;
-
Update plans, assessment reports, and plans of action and milestones based on the results of the continuous monitoring process;
-
Report the security and privacy posture of the system to the authorizing official and other organizational officials on an ongoing basis in accordance with the organizational continuous monitoring strategy; and
-
Implement a system disposal strategy and execute required actions when a system is removed from operation.
-
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡≡ ≡ ≡
-
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
-
In addition to the guidance provided in IRM 1.4.1, Resource Guide for Managers, Management Roles and Responsibilities, managers have the following responsibilities: [IRS: IRS-defined]
-
Enforce the clean desk policy;
-
Ensure employees complete their annual UNAX Awareness certification;
-
Notify the responsible organization of system user status changes (e.g., terminations, transfers) via the access control system (e.g., the Business Entitlement Access Request System (BEARS)) and follow up with that organization; and
-
Receive cybersecurity awareness training.
-
-
Managers have the following responsibilities: [IRS: IRS-defined]
-
Ensure employees are informed of appropriate uses of government IT resources as a part of their introductory training, orientation, or the initial implementation of this IRM. These requirements are part of the employees’ mandatory annual cybersecurity awareness training; and
-
Ensure IT resources are being used appropriately and take corrective action, as needed.
-
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
-
The contracting officer is responsible for managing contracts/acquisitions and overseeing their implementation, in accordance with IRM 1.1.32, Organization and Office of the Chief Procurement Officer.
-
The contract offices and procurement offices have the following responsibilities: [IRS: IRS-defined]
-
Work in partnership with the SAISO/CISO to ensure that agency contracting policies adequately address the security and privacy requirements;
-
Coordinate with the SAISO/CISO to ensure that all agency contracts and procurements are compliant with the agency’s security and privacy policies;
-
Ensure that all personnel with responsibilities in the agency’s procurement process are properly trained in security and privacy policies; and
-
Collaborate with the SAISO/CISO to monitor contract performance for compliance with the agency’s security and privacy policies.
-
-
The procurement (or acquisitions) office has the following responsibilities: [NIST: SP 800-12]
-
Ensure that organizational procurements have been reviewed by appropriate approving officials; and
-
Be knowledgeable of security and privacy standards and bring potential security and privacy issues to the attention of those requesting such technology.
-
-
The contracting officer’s representative (COR): [Federal: FAR Subpart 1.6]
-
Must be a federal employee;
-
Must be a qualified employee appointed by the contracting officer; and
-
Must act as the contracting officer’s technical representative in managing the technical aspects of a particular contract.
-
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
-
The enterprise architect is an individual or group responsible for working with the leadership and subject matter experts in an organization to build a holistic view of the organization's missions and business functions, mission/business processes, information, and IT assets. [NIST: SP 800-137]
-
With respect to information security and privacy, the enterprise architect has the following responsibilities: [NIST: SP 800-137]
-
Coordinate with security and privacy architects to determine the optimal placement of systems/system elements within the enterprise architecture and to address security and privacy issues between systems and the enterprise architecture;
-
Assist with determining appropriate control implementations and initial configuration baselines as they relate to the enterprise architecture;
-
Assist in reducing complexity within the IT infrastructure to facilitate security;
-
Collaborate with system owners and authorizing officials to facilitate authorization boundary determinations and allocation of controls to system elements;
-
Serve as part of the Risk Executive (function); and
-
Assist with integration of the organizational risk management strategy and system-level security and privacy requirements into program, planning, and budgeting activities, the SDLC, acquisition processes, security and privacy (including supply chain) risk management, and systems engineering processes.
-
-
The enterprise architect is responsible for the following RMF tasks: [NIST: SP 800-37]
Note:
The enterprise architect is identified as having “Primary Responsibility” for these RMF tasks. These tasks may be shared responsibilities with other RMF roles. For tasks in which the enterprise architect is identified as having a “Supporting Role”, see NIST SP 800-37.
-
Determine the placement of the system within the enterprise architecture.
-
-
The systems security engineer is an individual, group, or organization responsible for conducting systems security engineering activities as part of the SDLC. Systems security engineering is a process that captures and refines security requirements for systems and ensures that the requirements are effectively integrated into systems and system elements through security architecting, design, development, and configuration. [NIST: SP 800-37]
-
The systems security engineer has the following responsibilities: [NIST: SP 800-37]
-
Serve as part of the development team, design and develop organizational systems or upgrade existing systems, and ensure that continuous monitoring requirements are addressed at the system level;
-
Employ best practices when implementing security controls within an information system including software engineering methodologies, security engineering principles, secure design, secure architecture, and secure coding techniques;
-
Coordinate their activities with SAISOs/CISOs, security architects, system owners, common control providers, and SSOs; and
-
Be responsible for activities associated with protecting information and information systems from unauthorized system activity or behavior to provide confidentiality, integrity, and availability.
-
-
The systems security engineer has the following ISCM responsibilities: [Treasury: ISCM]
-
Capture and refine security requirements and ensure that the requirements are effectively integrated into IT component products and systems through purposeful security architecting, design, development, and configuration;
-
Collaborate with system development teams to design and develop organizational systems or upgrade legacy systems;
-
Employ best practices when implementing security controls within a system, including software engineering methodologies, system/security engineering principles, secure design, secure architecture, and secure coding techniques; and
-
Coordinate their security-related activities with security architects, CISOs, system owners, common control providers, and SSOs.
-
-
The security and privacy architect is an individual, group, or organization responsible for ensuring that stakeholder protection needs and the corresponding system requirements necessary to protect organizational missions and business functions and individuals’ privacy are adequately addressed in the enterprise architecture including reference models, segment architectures, and solution architectures (systems supporting mission and business processes). [NIST: SP 800-37]
-
The security and privacy architect serves as the primary liaison between the enterprise architect and the systems security engineer and coordinates with system owners, common control providers, and SSOs on the allocation of controls. [NIST: SP 800-37]
-
Security and privacy architects, in coordination with SSOs, advise AOs, CIOs, senior accountable officials for risk management or risk executive (function), SAISOs/CISOs, and SAOPs on a range of security and privacy issues. Examples include establishing authorization boundaries; establishing security or privacy alerts; assessing the severity of deficiencies in the system or controls; developing plans of action and milestones; creating risk mitigation approaches; and potential adverse effects of identified vulnerabilities or privacy risks. [NIST: SP 800-37]
-
When the security architect and privacy architect are separate roles: [NIST: SP 800-37]
-
The security architect is generally responsible for aspects of the enterprise architecture that protect information and information systems from unauthorized system activity or behavior to provide confidentiality, integrity, and availability.
-
The privacy architect is responsible for aspects of the enterprise architecture that ensure compliance with privacy requirements and manage the privacy risks to individuals associated with the processing of PII.
-
Security architect and privacy architect responsibilities overlap regarding aspects of the enterprise architecture that protect the security of PII.
-
-
The security and privacy architect is responsible for the following RMF tasks: [NIST: SP 800-37]
Note:
The security and privacy architect is identified as having “Primary Responsibility” for these RMF tasks. These tasks may be shared responsibilities with other RMF roles. For tasks in which the security and privacy architect is identified as having a “Supporting Role”, see NIST SP 800-37.
-
Determine the placement of the system within the enterprise architecture;
-
Allocate security and privacy requirements to the system and to the environment of operation; and
-
Allocate security and privacy controls to the system and to the environment of operation.
-
The CFO is the senior financial advisor to the investment review board (IRB) and the agency head. Information security investments fall within the purview of the CFO and are included in the CFO’s reports. [NIST: SP 800-100]

The role of the privacy officer and/or senior agency official for privacy (SAOP) is designated by the head of agency and has agency-wide responsibility and accountability for developing, implementing, and maintaining an agency-wide privacy program to manage privacy risks, develop and evaluate privacy policy, and ensure compliance with all applicable statutes, regulations, and policies regarding the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of PII by programs and information systems. [OMB: A-130 Appendix I (5)(f)]

The privacy officer has the following responsibilities: [NIST: SP 800-37]
- Coordinate with the senior agency information security officer to ensure coordination of privacy and information security activities;
- Review and approve the categorization of information systems that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of personally identifiable information;
- Designate which privacy controls will be treated as program management, common, system-specific, and hybrid privacy controls;
- Identify assessment methodologies and metrics to determine whether privacy controls are implemented correctly, operating as intended, and sufficient to ensure compliance with applicable privacy requirements and manage privacy risks;
- Review and approve privacy plans for information systems prior to authorization, reauthorization, or ongoing authorization;
- Review authorization packages for information systems that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of personally identifiable information to ensure compliance with privacy requirements and manage privacy risks;
- Conduct and document the results of privacy control assessments to verify the continued effectiveness of all privacy controls selected and implemented at the agency; and
- Establish and maintain a privacy continuous monitoring program to maintain ongoing awareness of privacy risks and assess privacy controls at a frequency sufficient to ensure compliance with privacy requirements and manage privacy risks.
The privacy officer is responsible for the following RMF tasks: [NIST: SP 800-37]
Note:
The privacy officer is identified as having “Primary Responsibility” for these RMF tasks. These tasks may be shared responsibilities with other RMF roles. For tasks in which the privacy officer is identified as having a “Supporting Role”, see NIST SP 800-37.
- Identify and assign individuals to specific roles associated with security and privacy risk management;
- Assess organization-wide security and privacy risk and update the risk assessment results on an ongoing basis;
- Identify, document, and publish organization-wide common controls that are available for inheritance by organizational systems;
- Identify and understand all stages of the information life cycle for each information type processed, stored, or transmitted by the system;
- Review and approve the security categorization results and decision;
- Assemble the authorization package and submit the package to the authorizing official for an authorization decision;
- Monitor the information system and its environment of operation for changes that impact the security and privacy posture of the system; and
- Report the security and privacy posture of the system to the authorizing official and other organizational officials on an ongoing basis in accordance with the organizational continuous monitoring strategy.
The SAOP (i.e., privacy officer) has the following responsibilities: [OMB: A-130 Appendix I (4)(e)]
- Develop and maintain a privacy program plan that provides an overview of an agency’s privacy program, including a description of the structure of the privacy program, the resources dedicated to the privacy program, the role of the SAOP and other privacy officials and staff, the strategic goals and objectives of the privacy program, and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks;
- Develop and maintain a PCM strategy and PCM program to maintain ongoing awareness of privacy risks and assess privacy controls at a frequency sufficient to ensure compliance with applicable privacy requirements and manage privacy risks;
- Conduct and document the results of privacy control assessments to verify the continued effectiveness of all privacy controls selected and implemented at the agency across all agency risk management tiers to ensure continued compliance with applicable privacy requirements and manage privacy risks;
- Identify assessment methodologies and metrics to determine whether privacy controls are implemented correctly, operating as intended, and sufficient to ensure compliance with applicable privacy requirements and manage privacy risks;
- Designate which privacy controls will be treated as program management, common, information system-specific, and hybrid privacy controls at the agency;
- Review IT capital investment plans and budgetary requests to ensure that privacy requirements (and associated privacy controls), as well as any associated costs, are explicitly identified and included, with respect to any IT resources that will be used to create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII;
- Review and approve, in accordance with FIPS 199 and NIST SP 800-60, the categorization of information systems that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII;
- Review and approve the privacy plans for agency information systems prior to authorization, reauthorization, or ongoing authorization;
- Review authorization packages for information systems that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII to ensure compliance with applicable privacy requirements and manage privacy risks, prior to authorizing officials making risk determination and acceptance decisions; and
- Coordinate with the CIO, the senior agency information security officer, and other agency officials in implementation of these requirements.
The privacy officer (or designated representative) is a voting member on the CCB. [NIST: SP 800-53]

Refer to IRM 10.5.1 for additional guidance on privacy roles and responsibilities.

The IRS Privacy Offices have the following responsibilities for managing and executing the IRP: [Treasury: IRP]
The system privacy officer is an individual responsible for ensuring that the privacy posture is maintained for an organizational system and works in close collaboration with the system owner. [NIST: SP 800-37]

The system privacy officer has the following responsibilities: [NIST: SP 800-37]
- Serves as a principal advisor on all matters, technical and otherwise, involving the privacy controls for the system.
- Has the knowledge and expertise to manage the privacy aspects of an organizational system and, in many organizations, is assigned responsibility for the day-to-day system privacy operations.
- Assists in the development of the system-level privacy policies and procedures and ensures compliance with those policies and procedures.
- Coordinates with the system owner and plays an active role in the monitoring of a system and its environment of operation, to include developing and updating privacy plans, managing and controlling changes to the system, and assessing the privacy impact of those changes.
- Is responsible for aspects of the system that ensure compliance with privacy requirements and manage the privacy risks to individuals associated with the processing of PII.
The system privacy officer is responsible for the following RMF tasks: [NIST: SP 800-37]
Note:
The system privacy officer is identified as having “Primary Responsibility” for these RMF tasks. These tasks may be shared responsibilities with other RMF roles. For tasks in which the system privacy officer is identified as having a “Supporting Role”, see NIST SP 800-37.
- Conduct a system-level risk assessment and update the risk assessment results on an ongoing basis;
- Define the security and privacy requirements for the system and the environment of operation;
- Allocate security and privacy requirements to the system and to the environment of operation; and
- Allocate security and privacy controls to the system and to the environment of operation.
The physical security officer is responsible for the overall enforcement, implementation, and management of physical security controls across an organization, to include integration with applicable information security controls. As information security programs are developed, senior agency officials work to ensure this coordination of complementary controls. [NIST: SP 800-100]

In consideration of information security, the physical security officer serves as the senior official responsible for: [NIST: SP 800-100]
- Developing, promulgating, implementing, and monitoring the organization’s physical security programs, to include appropriate controls for alternate work sites;
- Ensuring organizational implementation and monitoring of access controls (e.g., authorization, access, visitor control);
- Coordinating organizational environmental controls (e.g., ongoing and emergency power support and backups, fire protection, temperature and humidity controls, water damage); and
- Overseeing and managing controls for delivery and removal of assets.

Refer to IRM 10.2, Physical Security Program series, for additional guidance on physical security officer roles & responsibilities.
The personnel security officer is responsible for the overall implementation and management of personnel security controls across an organization, to include integration with specific information security controls. [NIST: SP 800-100]

The Director of Personnel Security and Investigations is responsible for the overall implementation and management of personnel security controls across the IRS, including integration with specific information security controls.

In consideration of information security, the personnel security officer serves as the senior official and has the following responsibilities: [NIST: SP 800-100]
- Develop, promulgate, implement, and monitor the organization’s personnel security programs;
- Develop and implement position categorization (including third-party controls), access agreements, and personnel screening, termination, and transfers; and
- Ensure consistent and appropriate sanctions for personnel violating management, operational, or technical information security controls.
The provisions within this IRM apply to individuals and organizations having contractual arrangements with the IRS, including employees (IRS personnel, consultants, detailees, temporary employees, and interns) who use or operate IT systems.

An IRS employee (i.e., system user) is an individual or (system) process acting on behalf of an individual that is authorized to access information and information systems to perform assigned duties. System user responsibilities include, but are not limited to, adhering to organizational policies that govern acceptable use of organizational systems; using the organization-provided information technology resources for defined purposes only; and reporting anomalous or suspicious system behavior. [NIST: SP 800-37]

IRS employees are prohibited from using personal email accounts for official business. [Federal: P.L. 114-113, Section 402]
IRS employees must: [IRS: IRS-defined]
- Comply with all executive, legislative, Department of Treasury, and IRS security policies and procedures;
- Immediately report any incidents of loss or mishandling of IRS IT resources to the IRS CSIRC, their immediate supervisor, and TIGTA;
- Contact CSIRC in the event of a suspected incident;
- Follow directions given by CSIRC during an incident or as suspicious activities are evaluated;
- Attend/complete initial security and privacy briefings and acknowledge completion in writing;
- Not access sensitive IT systems until they receive the appropriate clearance for the system;
- Complete and acknowledge the completion (i.e., Form 11370) of UNAX training;
- Be responsible for protecting any SBU data, including PII or tax information, that they have in their possession, whether it is paper-based or in electronic form;
- Immediately report any incidents of mishandling, tampering, or the loss of a laptop computer to the IRS IT Cybersecurity organization;
- Minimize the threat of viruses from portable mass storage devices (including, but not limited to, flash disks, pen drives, key drives, and thumb drives) by ensuring that these devices have no additional software or firmware beyond storage management and encryption, and never knowingly circumvent anti-virus safeguards; and
- Escort visitors of IRS facilities.
Employees with a mobile computing device(s) must follow all requirements as outlined in IRM 10.8.26 and IRM 10.8.1.

Refer to IRM 10.8.27 for user responsibilities pertaining to the use of government furnished IT equipment.
The provisions within this IRM apply to individuals and organizations having contractual arrangements with the IRS, including contractors, vendors, and outsourcing providers, that use or operate IT systems.

An IRS employee (i.e., system user), which includes contractors, is an individual or (system) process acting on behalf of an individual that is authorized to access information and information systems to perform assigned duties. System user responsibilities include, but are not limited to, adhering to organizational policies that govern acceptable use of organizational systems; using the organization-provided information technology resources for defined purposes only; and reporting anomalous or suspicious system behavior. [NIST: SP 800-37]

IRS contractors are prohibited from using personal email accounts for official business. [Federal: P.L. 114-113, Section 402]
Contractors must: [IRS: IRS-defined]
- Comply with all executive, legislative, Department of Treasury, and IRS security policies and procedures;
- Contact CSIRC in the event of a suspected incident;
- Immediately report any incidents of loss or mishandling of IRS information technology resources to the appropriate supervisor and CSIRC;
- Follow directions given by the CSIRC during an incident or as suspicious activities are evaluated;
- Attend/complete initial security and privacy briefings and acknowledge completion in writing;
- Not access sensitive or classified IT systems until they have received the appropriate clearance for the system;
- Complete and acknowledge completion (e.g., Form 11370) of UNAX training;
- Be responsible for protecting any SBU data, including PII or tax information, that they have in their possession, whether it is paper-based or in electronic form;
- Immediately report any incidents of mishandling, tampering, or the loss of a laptop computer to the IRS Information Technology Cybersecurity organization; and
- Minimize the threat of viruses from portable mass storage devices (including, but not limited to, flash disks, pen drives, key drives, and thumb drives) by ensuring that these devices have no additional software or firmware beyond storage management and encryption, and never knowingly circumvent anti-virus safeguards.
Contractors with government furnished IT equipment (e.g., laptop) must follow all requirements outlined in IRM 10.8.26 and IRM 10.8.1.

Refer to IRM 10.8.27 for user responsibilities pertaining to the use of government furnished IT equipment.

Database administrators (DBAs) perform all activities related to maintaining a correctly performing and secure database environment. Responsibilities include design (in conjunction with application developers), implementation, and maintenance of the database system as described in IRM 10.8.21, Information Technology (IT) Security, Database Security Policy, and associated IRMs.

The primary security role of any DBA is to administer and maintain database repositories for proper use by authorized individuals.

Individuals assigned security responsibilities for database management system (DBMS) environments, including the security specialist (SecSpec) and DBA, must obtain the database security technical training necessary to implement the requirements of this IRM. The training must cover the security features specific to the DBMS products the individuals are required to support.

DBA role accounts have the least level of elevated privileges required to perform DBA-related duties and do not include root or root-level access. DBAs who require the ability to perform certain system administrator functions, such as account creation or the editing of system configuration files, use a separate system administrator role account that provides these capabilities but does not grant full system administrator privileges.

DBAs' system administrator accounts with limited privileges must be monitored and audited in accordance with IRM 10.8.1. The implementing organization is required to coordinate this activity with the ACIO Cybersecurity.
At a minimum, DBAs have the following responsibilities:
- Establish security for database objects within the database and for the DBMS according to IRS security policies;
- Support disaster/recovery planning, documentation, and implementation efforts for the database(s);
- Establish database points of consistency;
- Coordinate with the SA to integrate database backups into the system-related backup and recovery, including creating the backups if necessary;
- Periodically test backup copies of the databases;
- Recover the database to a current or previous state, if necessary;
- Recover individual objects (e.g., data rows) to a current or previous state;
- Identify database requirements for system resources;
- Provide network requirements for the database to the organizations responsible for designing and implementing network services;
- Manage the database configuration (e.g., architecture, internal settings) according to the SA&A operating system security configuration;
- Support Security Assessment and Authorization efforts;
- Monitor/manage database performance and capacity;
- Monitor user activities where appropriate; and
- Enable and configure audit logging on all IRS systems in accordance with IRM 10.8.1 and all other applicable configuration IRMs.
A key-recovery agent is established as part of the cryptographic key management system (CKMS) security policy. [NIST: SP 800-130]

A key-recovery agent is allowed to recover keys from backup or archive storage after identity verification and authorization of the requesting entity is performed in accordance with the CKMS security policy. [NIST: SP 800-130]

The key-recovery agent provides support during key recovery procedures. [NIST: SP 800-130]
Network administrators (NAs) are responsible for the day-to-day administration of the network devices under their purview.

At a minimum, NAs have the following responsibilities:
- Configure network device parameters within the documented security standards, using the applicable IRMs, policies, and system life cycle documentation;
- Ensure the proper installation, testing, protection, and use of network device software, including installing network software fixes and upgrades;
- Maintain the configuration of wireless networks or network devices under their control in accordance with the requirements of IRM 10.8.55, Information Technology (IT) Security, Network Security Policy;
- Enable and configure audit logging on all IRS systems in accordance with IRM 10.8.1 and all other applicable configuration IRMs;
- Maintain current documentation that properly defines the hardware and software configuration of the network devices and connections for which they are responsible;
- Ensure inventories are accurately maintained;
- Recommend and implement processes, changes, and improvements to programs, procedures, and network devices;
- Monitor network performance, perform network diagnostics, and analyze network traffic patterns; and
- Support disaster recovery planning, documentation, and implementation efforts for the network.

NAs support CSIRC efforts and security incident handling.

NAs apply patches and hot fixes as directed, following configuration management policies and procedures.
Program developers/programmers are responsible for the development, testing, and maintenance of application programs.

At a minimum, program developers/programmers have the following responsibilities:
- Develop application programs in accordance with established organizational policies and procedures;
- Develop application programs in accordance with IRM 10.8.1 and IRM 10.8.6;
- Adhere to IRS configuration management (CM) practices and OneSDLC requirements; and
- Create installation scripts, processes, and instructions for production organizations to utilize. The developer incorporates feedback mechanisms into the installation processes as needed.
Web developers have the following responsibilities:
- Development of websites and applications, including creating/manipulating/implementing graphic images and formulating documentation for websites and web applications in accordance with IRM 10.8.1; and
- Formulating specification requirements, producing level of effort estimates, providing informational support to security certifications, and performing web server and web application server project planning, scheduling, and testing.
SecSpecs are responsible for reviewing all activities of the SAs, NAs, DBAs, anyone responsible for the operation or administration of IT equipment, anyone involved with user administration, such as the EAA staff, and all other users to ensure they are compliant with security requirements.
-
SecSpecs oversee any and all user (e.g., system, database, application, etc.) administration regardless of how or who performs it.
-
Additionally, SecSpecs have the following responsibilities:
-
Ensure the site contingency plans remain up-to-date in response to new security requirements or changes in the IRS IT architecture;
-
Conduct and support all security reviews of IRS systems and networks;
-
Provide or recommend security measures and countermeasures based on the security reviews and security policies;
-
Upon management request, review individual users' access, verifying that it is the least privilege necessary to perform their jobs;
-
Inspect and monitor user files, as directed by management;
-
Conduct security audits, verifications and acceptance checks, while maintaining documentation on the results;
-
Promote security awareness and compliance;
-
Report security incidents including those discovered while reviewing audit logs/trails; and
-
Assist with developing a deviation request, such as interpreting policy to determine if a deviation is required, assisting with the risk assessment and possible mitigations.
-
-
SecSpecs review all types of audit logs/trails and observe system activity at least weekly in order to:
-
Ensure integrity, confidentiality and availability of information and resources;
-
Detect inappropriate user and system actions that could be construed as security incidents;
-
Investigate possible security incidents; and
-
Monitor user or system activities where appropriate.
-
-
SecSpecs do not perform system/security administration on any system/platform/application, etc.
-
SecSpecs have read-only access to system resources and shall not modify audit settings.
-
SecSpecs have the following responsibilities:
-
Be familiar with the requirements and procedures specified in IRM 10.8.1;
-
Notify their management of any implementation discrepancies between the requirements of IRM 10.8.1 and the actual audit logging status of systems that the SecSpecs support; and
-
Follow any applicable organizational-level incident reporting procedures (such as contacting management, system administrators, or the Computer Security Incident Response Center) in the event that evidence of suspicious activity is discovered in the course of reviewing security audit log information.
-
-
SecSpecs are concerned with the security and integrity of the database and are responsible for:
-
Obtaining database security technical training necessary to implement the requirements of this IRM. The training covers the security features specific to the DBMS products the individuals are required to support;
-
Ensuring that the requirements of IRM 10.8.1 and IRM 10.8.21 are met;
-
Ensuring that DBAs, SAs, and others having daily operational responsibilities for IRS databases comply with the security requirements of IRM 10.8.21. In general, the SecSpec is not expected to personally implement the requirements, but rather ensure that others do so; and
-
Reporting IRM non-compliance issues initially to DBAs and SAs for resolution, and escalate non-compliance reporting to IRS management officials (such as the SSO and system owner) as necessary to bring systems into compliance with IRM 10.8.21.
-
-
SecSpecs are concerned with the security and integrity of Linux/Unix servers, workstations and devices, and are responsible for:
-
Reviewing all activity of administrators and those responsible for administration of IT equipment;
-
Ensuring that SAs and others having daily operational responsibilities for IRS Linux/Unix servers and workstations comply with the security requirements of this IRM. The SecSpec is not expected to personally implement the requirements but ensures that others do so;
-
Reporting Linux/Unix IRM non-compliance issues initially to the Information System Owner and SAs for resolution, and escalating non-compliance reporting to IRS management officials as necessary to bring systems into compliance with IRM 10.8.15, Information Technology (IT) Security, General Platform Operating System Security Policy; and
-
Not holding operating SA privileges.
-
-
IT SecSpecs are concerned with the security and integrity of Windows servers, workstations and devices, and are responsible for:
-
Reviewing all activity of administrators and those responsible for administration of IT equipment;
-
Ensuring that SAs and others having daily operational responsibilities for IRS Windows servers and workstations comply with the security requirements of this IRM. The SecSpec is not expected to personally implement the requirements but ensures that others do so;
-
Reporting Windows IRM non-compliance issues initially to the Information System Owner and SAs for resolution, and escalating non-compliance reporting to IRS management officials as necessary to bring systems into compliance with IRM 10.8.15; and
-
Not holding operating System Administrator privileges.
-
-
IT SecSpecs are concerned with the security and integrity of Web application servers and are responsible for:
-
Ensuring that the requirements of IRM 10.8.22 are met;
-
Ensuring that SAs and others having daily operational responsibilities for IRS Web servers and Web application servers comply with the security requirements of IRM 10.8.22; and
-
Reporting IRM non-compliance issues initially to the Information System Owner and SAs for resolution, and escalating non-compliance reporting to IRS management officials as necessary to bring systems into compliance with IRM 10.8.22.
-
-
SecSpecs support security assessments and authorization efforts; security control testing (monthly and annual), contingency testing, documentation development, POA&M weakness correction, and ongoing security vulnerability remediation efforts.
-
SAs are technicians who administer, maintain, and operate information systems. They are responsible for implementing technical security controls on computer systems and for being familiar with security technology that relates to their system.
-
At a minimum, SAs have the following responsibilities:
-
Add, remove, maintain system users and configure their access controls to provide the users necessary access with least privilege, as defined for each user in the access control system (e.g., BEARS);
-
Provide lists of system users for systems under their control to the appropriate users' managers and SecSpecs for review, update and certification;
-
Configure system parameters within the documented security standards, using the applicable IRMs and system life cycle documentation;
-
Maintain current documentation that properly defines the technical hardware and software configuration of the systems and network connections for which they are responsible;
-
Ensure the proper installation, testing, protection, and use of system and application software;
-
Install and manage application server software including development tools and libraries, software compilers, code builds, and middleware interfaces between servers and application servers and back-end storage media in accordance with IRM 10.8.6;
-
Install and manage servers and workstation software in accordance with the applicable IRM for the OS in use;
-
Start up and shut down the system;
-
Perform regular backups and recovery tests and other associated contingency planning responsibilities for systems for which they are responsible;
-
Enable, configure, and archive audit logs/trails and system logs for review by the SecSpecs for all IRS systems in accordance with IRM 10.8.1, and all other applicable configuration IRMs;
-
Monitor system/user access for performance and security concerns;
-
Establish conditions on the system so that other operational entities can perform application management activities; and
-
Run various utilities and tools in support of the SecSpecs.
-
-
SAs are responsible for supporting the SecSpec's needs for read access to system resources as defined in the access control request (e.g., BEARS).
-
SAs support techniques that allow non-SAs to perform user administration in a controlled and limited manner while still managing access to system resources and other directories and files.
-
The use of non-SAs for user administration must be documented in the Computer Operations Handbook or equivalent for the system/application and in the security assessments and authorization documentation for the relevant general support system (GSS) and application.
-
The use of non-SAs for user administration must be established via a memorandum of agreement (MOA) and accepted by the involved AO.
-
Depending on the environment, the SA may perform user support for password issues. This can include (but is not limited to) resetting or issuing a new password when the user forgets the current one or locks the account.
-
SAs support CSIRC efforts and security incident handling.
-
SAs install security patches in a timely and expeditious manner based on CSIRC’s criticality designation.
-
SAs apply patches and hot fixes as directed, following configuration management policies and procedures and contact IRS IT cybersecurity organization for further information concerning security patch management.
-
SAs support information system contingency plan (ISCP) and disaster recovery (DR) plan development and accuracy.
-
The role of the systems operations staff is assigned to the IRS, Enterprise Operations organization.
-
Systems operations staff have the following responsibilities:
-
Safeguard equipment, data, and magnetic media during day-to-day performance of their duties; and
-
Be able to perform SA duties delegated to them by the SA, with the least privilege permissions needed to perform those functions.
-
-
The role of telecommunications specialists is assigned to the IRS, User and Network Services (UNS) organization.
-
The IT UNS organization is responsible for providing communications services, including voice, data, video, and fax service.
-
The telecommunications specialists are responsible for the management of the communication systems in compliance with IT security policy and federal regulations.
-
The telecommunications specialists support ISCP and DR plan development, accuracy, documentation, and implementation efforts for their system(s).
-
The user administrator (UA) role pertains only to organizations (e.g., Enterprise Service Desk - Enterprise Account Administration (ESD-EAA)) who provide the service.
-
UAs have no more capability than appropriate to establish a user on a system or to establish a user within an application.
-
UAs use the IRS approved access control (e.g., BEARS) process.
-
An SA or NA establishing user access does not assume the UA role.
-
The computer audit specialist (CAS) security role, which is specific to IRS business units (e.g., Large Business and International (LB&I)), is responsible for working with taxpayer records and converting them into a format usable by team members. These formats may be unique to the taxpayer and may require the use of many different tools and programs.
-
CASs load, run, and configure software and services on machines to meet examination objectives. This may require them to add and remove device drivers and install/uninstall various programs as needed to work with the taxpayer records.
-
CASs have the ability to add, configure and remove software. This allows them to run multiple types of audits whose software packages may be incompatible with one another and therefore cannot be installed and loaded onto a particular system simultaneously.
-
The functional workstations specialist responsibilities include, but are not limited to the following:
-
Have a full analytical and operational knowledge of specific software applications to resolve systemic & procedural problems and user errors thereby enabling the user to perform all tasks related to their jobs;
-
Have a working knowledge of operating systems, protocols, and equipment used in business customer organizations;
-
Have a working knowledge of methods and practices for troubleshooting, recovering, modifying, and improving application files;
-
Utilize extensive problem-solving skills and limited elevated permissions in order to diagnose and troubleshoot application problems in the performance of customer support;
-
Have a working knowledge of all BOD processes including field, support functions and the Campuses;
-
Act as a liaison between the Area/Territory Offices, Campus, and National Office;
-
Provide both oral and written communication to all users’ levels (including Area Managers, Territory Managers, Group Managers);
-
Coordinate activities relating to the security posture of the application with responsible business units and IRS IT (UNS, EOPS, AD) staff;
-
Forward problem descriptions to the appropriate personnel as these individuals are often the first to encounter application problems;
-
Coordinate reporting within the business unit to ensure workstations are in compliance for consistency purposes;
-
Perform in an instructor capacity by conducting training and security awareness programs;
-
Educate & communicate to end users security awareness and practices in the context of performing these and other tasks;
-
Analyze and evaluate the effectiveness of system operations and make recommendations to correct deficiencies. Develop plans, goals, and objectives for long-range implementation and administration of program activity;
-
Ensure adequate physical security controls are implemented at the workstation level;
-
Provide technical direction to users who ensure the confidentiality, integrity, and availability of the tax systems;
-
Consult with users to ensure they have applied patches and hot fixes as directed following configuration management policies and procedures in compliance with the IRM for purposes of application support;
-
Escalate IT security matters to the respective party(s) as defined in local guidance; and
-
Have general knowledge of disaster recovery/contingency planning terminology and concepts.
-
-
The management/program analyst, in support of meeting FISMA requirements, has the following responsibilities:
-
Perform analytical studies affecting agency program operations;
-
Analyze and evaluate the effectiveness of program operations and make recommendations to correct deficiencies; and
-
Develop plans, goals, & objectives for long-range implementation and administration of program activity.
-
-
System designers (a.k.a. system developers) are responsible for developing, implementing, and monitoring policies and controls to ensure data accuracy, security and legal/regulatory compliance throughout the system lifecycle.
-
System designers assist in the:
-
Review and approval of products to ensure they incorporate and meet IRS security requirements; and
-
Planning, documentation and integration of security into a system’s lifecycle from its initiation to its disposal phases.
-
-
System designers are responsible for identifying IT assets and determining their value for establishing implementation security safeguard priorities.
-
System designers ensure security control assessments are conducted during the different stages of a system’s life cycle in accordance with IRM 10.8.1 (e.g., SA-11 Developer Security Testing and Evaluation) and NIST SP 800-160 Volume 1 Revision 1, Engineering Trustworthy Secure Systems, and NIST SP 800-160 Volume 2 Revision 1, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach.
-
System designers consult and collaborate with the IRS Enterprise Architect and concerned system security engineer (SSE) and SSO whenever designing new system(s) and/or sub-systems functionality.
-
The technical support staff is responsible for educating end-users in security procedures and practices in the context of performing their tasks.
-
The physical security staff is responsible for developing and enforcing appropriate physical security controls, often in consultation with information security management, program and functional managers, and others. [NIST: SP 800-12]
-
The physical security staff has the following responsibilities:
-
Review, develop, promulgate, implement, and monitor the organization’s physical security programs, for the protection of employees, equipment and property at all IRS facilities; and
-
Review organizational implementation and monitoring of access controls (i.e., authorization, access, visitor control, transmission medium, display medium, logging) to ensure they are in accordance with NIST, Treasury and IRS physical security standards and guidance.
-
-
The CIP coordinator is designated by the CIO. In this role, the IRS cyber CIP coordinator has the following responsibilities:
-
Act as the primary point of contact for addressing IRS CIP issues with Treasury;
-
Participate in CIP assessments of critical infrastructure for the IRS;
-
Maintain a prioritized list of critical infrastructure for the IRS;
-
Participate in all CIP work group meetings;
-
Provide coordination and collaboration among stakeholders on all IRS Cyber CIP activities; and
-
Determine the IRS cyber security program status relative to the plan’s objectives.
-
-
This section provides functional roles and responsibilities for personnel who have security related responsibility for the protection of information systems they operate, manage and support. These roles are defined in accordance with FISMA, NIST, OMB, TD P 85-01 and IRS policy and guidelines.
-
In collaboration with the business and functional unit owner, the IRS IT cybersecurity organization has the following responsibilities:
-
Develop, publish, and disseminate security policy;
-
Develop security controls for systems and applications;
-
Conduct annual testing of the systems and applications;
-
Test and validate the effectiveness of corrective actions;
-
Ensure ISCP and DR requirements are addressed for all applications and systems owned by IRS IT cybersecurity organization;
-
Implement corrective actions and validate fixes to mitigate vulnerabilities assigned to IRS IT cybersecurity;
-
Create and implement configuration management plans that control changes to systems and applications during development; and
-
Track security flaws, require authorization of changes, and provide documentation of the configuration management plan and its implementation.
-
-
For DR and ISCP, the IRS IT cybersecurity organization has the following responsibilities:
-
Jointly develop the detailed content of each DR plan to include recovery of the system, the application, and the associated data, including all platforms applicable to the system/application;
-
Ensure requirements, priorities, recovery times, and costs of each DR plan are appropriate and achievable;
-
Support the exercise of the ISCP;
-
Ensure maintenance and update to the content of the DR plans by BU;
-
Support procurement activities to enhance DR capabilities to meet stated business objectives;
-
Ensure DR equipment located at recovery locations for the business units are maintained;
-
Ensure establishment of DR location(s) based on FISMA, NIST, and IRS DR policy and requirements;
-
Ensure offsite storage of data needed for recovery and ongoing backup of data;
-
Establish a schedule and notify IRS IT cybersecurity and the impacted BU of the schedule for coordinating ISCP/DR exercises and tests throughout the year;
-
Annually test each major system and establish DR testing priorities; and
-
Work with business units and IRS IT cybersecurity organization to resolve (if possible) issues identified during DR testing or document reasons/risk/impact.
-
-
IRS IT cybersecurity organization has the following responsibilities:
-
Develop security controls for systems and applications;
-
Maintain and disseminate IRM 10.8.1;
-
Establish sufficient controls to ensure equipment is used appropriately; and
-
Ensure evidence is preserved for potential prosecution in lieu of immediate eradication; detailed instructions from CSIRC (or possibly TIGTA) shall be given to SAs, NAs, and other key personnel on how to preserve the evidence.
-
-
IRS IT Cybersecurity organization notifies the CSIRC of suspicious activities and complies with CSIRC directions.
-
IRS IT Cybersecurity organization complies with their internal configuration management requirements.
-
IRS IT Cybersecurity organization performs containment activities.
-
-
For interconnections and interconnection service agreements, the IRS IT cybersecurity organization has the following responsibilities:
-
Provide security engineering review of interconnections with external partners and the supporting agreements; and
-
Ensure that all appropriate ISAs (or other approved agreements) are in place before interconnections are allowed to be established and activated.
-
-
The IRS IT UNS organization administers the firewall devices comprising the perimeter firewall environment.
-
The IRS IT UNS organization designs, implements, and maintains the IRS network perimeter demilitarized zone (DMZ).
-
The IRS IT UNS organization ensures that the IRS minimum firewall requirements and policies are met.
-
The IRS IT UNS organization provides administration, operation and maintenance for the firewall devices comprising the perimeter firewall environment. This includes, but is not limited to:
-
Implementing CSIRC-approved firewall change requests (FCRs);
-
Troubleshooting access problems;
-
Applying security patches and software updates;
-
Refreshing hardware; and
-
Securing maintenance contracts.
-
-
The system owner for IRS IT UNS organization has the following responsibilities:
-
Notify and route information to the appropriate organizational POCs;
-
Notify CSIRC of any ticket needing CSIRC’s attention;
-
Notify CSIRC of any user problem that originated with the enterprise service desk; and
-
Report suspicious activity or incidents.
-
-
The IRS IT UNS organization monitors the ″up/down″ status of the network and firewall devices in the IRS network perimeter DMZ.
-
For interconnections and interconnection service agreements, IRS IT UNS organization has the following responsibilities:
-
Engineer, implement, and configure interconnection hardware to connect the communications line between IT systems;
-
Maintain system interconnections, monitor the central list of active system interconnections, and disconnect an interconnection when a termination determination is made; and
-
Conduct searches at a minimum yearly for external interconnections and update the centralized inventory accordingly.
-
-
CSIRC has the following responsibilities: [Federal: P.L. 113-283 Section 3556]
-
Provide timely technical assistance to operators of agency information systems regarding security incidents, including guidance on detecting and handling information security incidents;
-
Compile and analyze information about incidents that threaten information security;
-
Inform operators of agency information systems about current and potential information security threats, and vulnerabilities; and
-
Consult with NIST, agencies or offices operating or exercising control of national security systems (including the National Security Agency), and such other agencies or offices, in accordance with law and as directed by the President, regarding information security incidents and related matters.
-
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡≡ ≡ ≡ ≡ ≡≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡
-
-
In preparation for IR, and to comply with Treasury TCIO M 22-12, CSIRC has the following responsibilities: [Treasury: IRP]
-
Serve as primary coordination point for IR within the IRS;
i. It is crucial at the initial analysis stage for CSIRC to identify whether the incident involves PII, including paper or oral disclosures (e.g., unauthorized disclosures to individuals who lack a need to know).
Note:
OMB Circular No. A-130 defines PII as "information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual." This broadly worded definition encompasses a great deal of information. Therefore, Treasury is required to perform an assessment to determine the risk that an individual can be identified based on the information itself or when the information is combined with other information that is linked or linkable to the individual. The IRS therefore must ensure front-line personnel have a full understanding of the breadth of the OMB definition of PII. Refer to IRM 10.5.1.
-
Oversee IR activities at the IRS level;
-
Serve as the liaison to the TSOC for all communications and follow up activities in response to an incident;
-
Ensure compliance with the Treasury IRP; and
-
Report to TSOC in accordance with the reporting requirements of IRP section 4.2.3, Reporting and Escalation.
-
-
CSIRC is responsible for operating and maintaining a wireless intrusion detection system.
-
CSIRC has the following responsibilities: [NIST: SP 800-53]
-
Establish and manage the IRS computer security incident handling capability;
-
Establish and maintain the policies for the IRS security incident handling capability;
-
Have four basic functions defining the Incident Management Lifecycle: Prevention, Detection, Response, and Reporting;
-
Track and document information system security incidents on an ongoing basis;
-
Actively and continuously monitor IT resources, including but not limited to firewalls, wireless, network-based and host-based intrusion detection systems (IDSs) and event records, watching for suspicious cyber activities (termed "suspicious activities" within IRM 10.8.1);
-
Conduct offline/passive monitoring of logs from IDSs, firewalls, Web servers, and critical hosts, watching for possible security incidents;
-
Inform TIGTA of suspected criminal activities, following established procedures in the memorandum of understanding (MOU) with TIGTA;
-
Perform routine vulnerability assessments (announced and unannounced);
-
Serve as front line/1st tier support for security alerts;
-
Perform initial analyses to determine validity, applicability, impact, and risks from potential security incidents;
-
Record all detected intrusion attempts and report such events;
-
Ensure that forensic evidence is properly collected and retained when investigating computer and network security incidents;
-
Promptly report incident information to appropriate authorities;
-
Maintain an Incident Handling Contact List of personnel that are involved in security incident handling activities. The list must include contact information (phone numbers, etc.) so they can be reached in the event of a security incident;
-
Employ automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information;
-
Maintain all incident reports in an incident database (For electronic reporting, the original messages will be retained. For telephonic reporting, the analyst who answered the phone will prepare a summary and enter it into the database. For each incident, the database record will include the date and time the report was received, the person who submitted the report, the handling analyst, and the original message or a summary.);
-
Develop a plan to acquire the data used for analysis;
-
Create a plan (i.e., data acquisition plan) that prioritizes the sources, establishing the order in which the data should be acquired;
-
Respond to Government Forum of Incident Response and Security Teams (GFIRST) surveys that are of an incidental or routine administrative nature;
-
Not respond to GFIRST surveys inquiring as to the status of Treasury systems, whether certain remediation actions have taken place, future security budget plans, and the like;
-
Participate in an MOA/MOU with the situational awareness management center (SAMC); and
-
Establish an MOA/MOU with TIGTA to: establish formal custody transfer procedures for forensic evidence; and establish reporting procedures for incidents.
-
-
CSIRC has the following responsibilities:
-
Establish and manage the IRS minimum firewall administration requirements;
-
Oversee and approve all rule sets for the IRS network perimeter firewall environments; and
-
Review and concur with IRS IT UNS organization DMZ efforts.
-
-
SAMC has the following responsibilities:
-
Process physical security incidents; and
-
Establish an MOA/MOU with CSIRC to establish notification procedures for when either organization discovers an incident that affects the other; ensure information is recorded in the incident database of both organizations; and ensure shared staff meet the requirements of each organization.
-
-
An IRS PVG is created to facilitate the identification and distribution of patches within the IRS. The PVG is tasked to implement the patch and vulnerability management program throughout the IRS. The PVG is the central point for vulnerability remediation efforts, such as OS and application patching and configuration changes. [NIST: SP 800-40r2]
-
The PVG has the following duties: [NIST: SP 800-40r2]
-
System Inventories: Use existing inventories of the organization’s IT resources to determine which hardware equipment, operating systems, and software applications are used within the organization. The PVG also maintains a manual inventory of IT resources not captured in the existing inventories.
-
Monitor for Vulnerabilities, Remediations, and Threats: Monitor security sources for vulnerability announcements, patch and non-patch remediations, and emerging threats that correspond to the software within the PVG’s system inventory.
-
Prioritize Vulnerability Remediation: Prioritize the order in which the organization addresses vulnerability remediation;
-
Create an Organization-Specific Remediation Database: Create a database of remediations that need to be applied organization-wide;
-
Conduct Generic Testing of Remediations: Test patches and non-patch remediations on IT devices that use standardized configurations. This will avoid the need for local administrators to perform redundant testing. The PVG also works closely with local administrators to test patches and configuration changes on important systems.
-
Deploy Vulnerability Remediations: Oversee vulnerability remediation;
-
Distribute Vulnerability and Remediation Information to Local Administrators: Inform local administrators about vulnerabilities and remediations that correspond to software packages included within the PVG scope and that are in the organizational software inventory.
-
Perform Automated Deployment of Patches: Deploy patches automatically to IT devices using enterprise patch management tools. Alternatively, the PVG works closely with the group actually running the patch management tools.
Note:
Automated patching tools allow an administrator to update hundreds or even thousands of systems from a single console. Deployment is fairly simple when there are homogeneous computing platforms, with standardized desktop systems and similarly configured servers. Multi-platform environments, nonstandard desktop systems, legacy computers, and computers with unusual configurations may also be integrated.
-
Configure Automatic Update of Applications Whenever Possible and Appropriate: Many newer applications provide a feature that checks the vendor’s web site for updates. This feature can be very useful in minimizing the level of effort required to identify, distribute, and install patches. However, some organizations may not wish to implement this feature because it might interfere with their configuration management process. A recommended option would be a locally distributed automated update process, where the patches are made available from the organization’s network. Applications can then be updated from the local network instead of from the Internet.
-
Verify Vulnerability Remediation Through Network and Host Vulnerability Scanning: Confirm by rescanning that vulnerabilities have been successfully remediated. A remediation is closed on scan evidence, not on the fact that a patch was deployed.
-
Vulnerability Remediation Training: Train administrators on how to apply vulnerability remediations.
Note:
NIST SP 800-40 has had four versions. The original SP 800-40, Procedures for Handling Security Patches (2002), provided basic information on patching procedures and sources of patch and vulnerability information. SP 800-40 Version 2.0, Creating a Patch and Vulnerability Management Program (2005), built on the original by adding content on processes, metrics, and common issues; the PVG duties listed above are taken from that version. Although SP 800-40 and SP 800-40 Version 2.0 are primarily of interest from a historical perspective, they address many of the same topics that organizations are still struggling with today. The third version, SP 800-40 Revision 3, Guide to Enterprise Patch Management Technologies (2013), was written under the assumption that readers already understood the basics of patch management and that what they most needed help with was implementing, configuring, securing, and using enterprise patch management technologies. The current version, SP 800-40 Revision 4, Guide to Enterprise Patch Management Planning (2022), is based on the assumption that, in the overall scope of enterprise patch management, organizations would benefit more from rethinking their patch management planning than their patch management technology.
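The PVG duties above describe one workflow: build the inventory, match monitored advisories against it, prioritize, keep a remediation database, deploy, and verify by rescanning. The following is an added example, not part of IRM 10.8.2 or of NIST SP 800-40, that models that workflow in Python so the hand-offs between the steps are explicit. All hosts, products, version numbers, advisory identifiers (ADV-nnn) and scan findings are constructed sample data, and the priority ordering (actively exploited first, then severity, then number of exposed hosts) is an illustrative assumption rather than an IRS or NIST rule.

```python
# Added example (not from IRM 10.8.2 or NIST SP 800-40): a minimal model of the PVG
# workflow -- inventory, advisory matching, prioritization, a remediation database,
# and scan-based verification.  Hosts, products, versions, advisory identifiers
# (ADV-nnn) and scan findings are constructed sample data; the priority ordering is
# an illustrative assumption, not an IRS or NIST rule.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Advisory:
    id: str
    product: str
    fixed_version: tuple   # installed versions below this are affected
    severity: int          # 1 (low) .. 4 (critical), as rated by the monitored source
    exploited: bool        # active exploitation reported by a monitored source


@dataclass
class Remediation:
    advisory: Advisory
    affected_hosts: list        # from the inventory when the record was created
    deployed: bool = False      # set when the patch or non-patch fix has been pushed
    verified: set = field(default_factory=set)  # hosts a rescan confirmed as fixed


# Constructed inventory (system inventories duty): host -> {product: installed version}.
INVENTORY = {
    "web01": {"ExampleOS": (4, 2), "WidgetApp": (1, 8)},
    "web02": {"ExampleOS": (4, 1), "WidgetApp": (1, 9)},
    "db01":  {"ExampleOS": (4, 2), "GadgetDB": (7, 0)},
    "ws17":  {"ExampleOS": (3, 9)},
}

# Constructed advisories (monitoring duty).  ADV-004 concerns software not in the inventory.
ADVISORIES = [
    Advisory("ADV-001", "ExampleOS", (4, 2), severity=3, exploited=False),
    Advisory("ADV-002", "WidgetApp", (1, 9), severity=4, exploited=True),
    Advisory("ADV-003", "GadgetDB",  (7, 1), severity=2, exploited=False),
    Advisory("ADV-004", "OtherTool", (2, 0), severity=4, exploited=True),
]


def affected_hosts(adv, inventory):
    """Hosts running an affected version of the advisory's product (tuple compare: (4, 1) < (4, 2))."""
    return sorted(host for host, software in inventory.items()
                  if adv.product in software and software[adv.product] < adv.fixed_version)


def build_remediation_db(advisories, inventory):
    """Organization-specific remediation database: one record per advisory that matches
    software actually in the inventory.  Advisories for software not deployed are dropped."""
    db = {}
    for adv in advisories:
        hosts = affected_hosts(adv, inventory)
        if hosts:
            db[adv.id] = Remediation(adv, hosts)
    return db


def prioritize(db):
    """Remediation order: actively exploited first, then severity, then number of exposed hosts."""
    return sorted(db.values(),
                  key=lambda r: (r.advisory.exploited, r.advisory.severity, len(r.affected_hosts)),
                  reverse=True)


def record_deployment(db, adv_id):
    db[adv_id].deployed = True


def verify_with_scan(db, scan_findings):
    """Close records on scan evidence, not on deployment alone.

    scan_findings: set of (host, advisory_id) pairs a post-deployment scan still detects.
    Returns advisory_id -> hosts whose remediation is NOT yet verified (still open)."""
    still_open = {}
    for rem in db.values():
        flagged = {host for host, adv_id in scan_findings if adv_id == rem.advisory.id}
        rem.verified = {h for h in rem.affected_hosts if rem.deployed and h not in flagged}
        still_open[rem.advisory.id] = sorted(set(rem.affected_hosts) - rem.verified)
    return still_open


def run_example():
    db = build_remediation_db(ADVISORIES, INVENTORY)
    order = [r.advisory.id for r in prioritize(db)]
    # Deploy the two highest-priority remediations; ADV-003 stays queued.
    for adv_id in order[:2]:
        record_deployment(db, adv_id)
    # Constructed rescan result: ws17 still shows ADV-001 (patch did not apply / reboot pending).
    still_open = verify_with_scan(db, {("ws17", "ADV-001")})
    return order, still_open


if __name__ == "__main__":
    order, still_open = run_example()
    print("remediation order:", order)
    for adv_id, hosts in still_open.items():
        print(f"{adv_id}: {'verified on all hosts' if not hosts else 'still open on ' + ', '.join(hosts)}")
```

The point of the last step is that deployment and verification are separate states: ADV-001 was deployed to both affected hosts, but the record stays open for ws17 until a rescan no longer flags it, and ADV-003 stays open on db01 because nothing was deployed. A real PVG would feed `INVENTORY` from the enterprise asset and software inventories and `scan_findings` from the network and host vulnerability scanners rather than from constructed literals.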
-
To help ensure that the appropriate number of training hours is addressed, the list includes the minimum number of security-relevant specialized training hours required per role. Individuals who serve in multiple roles are required to complete the highest of the required hours for each of the roles in which the individual serves. For example, if an individual serves in three roles with hourly requirements of 4, 4, and 8 hours respectively, the individual will have to complete, at a minimum, 8 hours of specialized training.
Note:
The roles and specialized training hours listed come from TD P 85-01 Appendix H and NIST SP 800-181 Rev. 1, Workforce Framework for Cybersecurity (NICE Framework).
Roles | Minimum Required Specialized Training Hours |
Chief Information Officer (CIO) (National Initiative for Cybersecurity Education (NICE) Framework role = Executive Cyber Leadership) | 4 |
Deputy Chief Information Officer (DCIO) (NICE Framework role = Executive Cyber Leadership) | 4 |
Senior Agency Information Security Officer (SAISO)/Chief Information Security Officer (CISO) (NICE Framework role = Executive Cyber Leadership) | 8 |
Authorizing Official (AO) (NICE Framework role = Authorizing Official/Designating Representative) | 4 |
System Owner (NICE Framework role = Knowledge Manager) | 4 |
Information Owner (NICE Framework role = Knowledge Manager) | 4 |
System Security Officer (SSO) (NICE Framework role = Information Systems Security Manager) | 8 |
Security Control Assessor | 4 |
System Security Manager (SSM) - Oversees the cybersecurity program of an information system(s). The SSM often works closely with the SSO. | 8 |
Cybersecurity Policy and Guidance Personnel - Individuals responsible for developing and/or maintaining cybersecurity policy. (NICE Framework role = Cyber Policy and Strategy Planner) | 8 |
Incident Analyst/Handler/Responder/Investigator - Individuals responsible for providing security operations center services to part or all of an organization. An individual with this role may or may not be a member of an incident response team (bureau CSIRC). (NICE Framework role = Cyber Defense Incident Responder) | 8 |
Contracting Officer’s Representative for IT Contracts - Individuals serving as the COR for IT contracts. (NICE Framework role = Investment/Portfolio Manager) | 4 |
Network Administrator - Individuals with the responsibility of oversight and management of a network, including implementation of security requirements. (NICE Framework role = Network Operations Specialist) | 8 |
System Administrator - Individuals with the responsibility of oversight and management of a system, including implementation of security requirements. | 8 |
Database Administrator - Individuals with the responsibility of oversight and management of a database, including implementation of security requirements. | 8 |
System Programmer/Developer (NICE Framework role = Information Systems Security Developer) | 4 |
Quality Assurance Personnel - Individuals responsible for ensuring the quality of an information system(s) and/or its data. | 4 |
Change Management Personnel - Individuals with change management (patching, configuration changes, functionality changes, etc.) responsibilities. | 4 |
Help Desk/IT Services Personnel - Individuals who are part of the Help Desk or IT Services staff. (NICE Framework role = Technical Support Specialist) | 4 |
A
Access Control – The process of granting or denying specific requests: 1) For obtaining and using information and related information processing services. 2) To enter specific physical facilities (e.g., Federal buildings, military establishments, and border crossing entrances).
Accountability – The security objective that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
ACIO – Associate CIO
ACIOCS – Associate CIO for Cybersecurity
AO – Authorizing Official
AODR – Authorizing Official Designated Representative
Asset – A major application, GSS, high impact program, physical plant, mission critical system, or a logically related group of systems.
ATO – Authorization to Operate
Audit – An independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and procedures, and to recommend necessary changes in controls, policies, or procedures.
Authentication – Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
Availability – Ensuring timely and reliable access to and use of information.
Awareness – Activities that seek to focus attention on information security or on a set of security issues. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. Awareness relies on reaching broad audiences with attractive packaging techniques.
B
BEARS – Business Entitlement Access Request System
BPA – Blanket Purchase Agreement
Breach – The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information or (2) a person accesses or potentially accesses personally identifiable information for an unauthorized purpose (i.e., a purpose unrelated to their official duties/functions). INFORMATIONAL: A breach is a type of incident.
BSP – Business System Planner
C
CAO – Chief Acquisition Officer
CAS – Computer Audit Specialist
CCB – Configuration Control Board
CDO – Chief Data Officer
Certificate – A digital representation of information which at least: 1) Identifies the certification authority issuing it. 2) Names or identifies its subscriber. 3) Contains the subscriber’s public key. 4) Identifies its operational period. 5) Is digitally signed by the certification authority issuing it.
CFO – Chief Financial Officer
CIO – Chief Information Officer
CIP – Critical Infrastructure Protection
CISA – Cybersecurity and Infrastructure Security Agency
CISO – Chief Information Security Officer
CM – Configuration Management
CNSI – Classified National Security Information
CNSS – Committee on National Security Systems
Confidentiality – Preserving authorized restrictions on access and disclosure (including means for protecting personal privacy and proprietary information) from unauthorized individuals, entities, or processes.
Contingency Plan – A plan that is maintained for disaster response, backup operations, and post- disaster recovery to ensure the availability of critical resources and to facilitate the continuity of operations in an emergency situation.
Controlled Unclassified Information (CUI) – Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify. Note: The CUI categories and subcategories are listed in the .
COR – Contracting Officers Representative
Countermeasures – Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. Synonymous with security controls and safeguards.
CPO – Chief Procurement Officer
CSIRC – Computer Security Incident Response Center
Cyber Event – Any observable occurrence in a network or system that may indicate a cyber incident has occurred.
D
DASPTR – Deputy Assistant Secretary for Privacy, Transparency, and Records
DBA – Database Administrator
DBMS – Database Management System
DHS – Department of Homeland Security
Demilitarized Zone (DMZ) – A host or network segment inserted as a "neutral zone" between an organization's private network and the Internet.
DR – Disaster Recovery
E
EFO – Enterprise Field Operations
EO – Executive Order
Encryption – The conversion of data into a form, called a ciphertext, which cannot be easily understood by unauthorized people, for the purposes of security or privacy.
Ensure – To make certain that something is done. In some instances, the individual/role whose responsibility is to ensure something is accomplished does not mean they perform the task but rather they are responsible for making sure the task is performed.
F
FCR – Firewall Change Request
Federal Information Security Modernization Act of 2014 (FISMA) – Directs federal agencies to develop, document, and implement agency-wide programs to provide security for the information and systems that support the agency's operations and assets. This includes the security assessment and authorization (SA&A) of IT systems that support digital authentication.
FIPS – Federal Information Processing Standard
G
GFIRST – Government Forum of Incident Response Teams
GSA – General Service Administration
GSS – General Support System
H, I
Identification – The process of discovering the true identity (i.e., origin, initial history) of a person or item from the entire collection of similar persons or items.
IDRS – Integrated Data Retrieval System
IDS – Intrusion Detection System
Impact – The effect on organizational operations, organizational assets, individuals, other organizations, or the Nation (including the national security interests of the United States) of a loss of confidentiality, integrity, or availability of information or an information system.
Impact Level – The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.
Incident – An occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of an information system, or the information it processes; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.
Incident Handling – The remediation or mitigation of violations of security policies and recommended practices.
Information Security – The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.
Information System Security Officer (ISSO) – See System Security Officer (SSO).
Information Security Continuous Monitoring (ISCM) – Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
Note:
The terms “continuous” and “ongoing” in this context mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information.
Information Security Continuous Monitoring (ISCM) Program – A program established to collect information in accordance with pre-established metrics, utilizing information readily available in part through implemented security controls.
Information Technology (IT) – Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which (i) requires the use of such equipment or (ii) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.
Information System Contingency Plan (ISCP) – Established procedures created and maintained by the IRS IT organization and system owners for the assessment and recovery of a system following a system disruption. The ISCP provides key information needed for system recovery, including roles and responsibilities, inventory information, assessment procedures, detailed recovery procedures, and testing of a system. The ISCP differs from a DR plan primarily in that the ISCP procedures are developed for recovery of the system regardless of site or location. An ISCP can be activated at the system's current location or at an alternate site. In contrast, a DR plan is primarily a site-specific plan developed with procedures to move operations of one or more information systems from a damaged or uninhabitable location to a temporary alternate location. Once the DR plan has successfully transferred an information system, the receiving site uses the system's ISCP to restore, recover, and test the system and put it into operation.
Integrity – Guarding against improper modification or destruction of information; includes ensuring information non-repudiation and authenticity.
Interconnection Security Agreement (ISA) – An agreement established between the organizations that own and operate connected information systems to document the technical requirements of the interconnection. The ISA also supports a Memorandum of Understanding or Agreement (MOU/A) between the organizations.
IOC – Indicators of Compromise
IPS – Identity Protection Service
IR – Incident Response
IRB – Investment Review Board
IRP – Incident Response Plan
J, K
Key Management – The activities involving the handling of cryptographic keys and other related key information during the entire life cycle of the keys, including their generation, storage, establishment, entry and output, and zeroization.
L
LB&I – Large Business and International
Least Privilege – A security principle that a system should restrict the access privileges of users (or processes acting on behalf of users) to the minimum necessary to accomplish assigned tasks.
M
Major Application – An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Note: All federal applications require some level of protection. Certain applications, because of the information they hold, however, require special management oversight and shall be treated as major. Adequate security for other applications shall be provided by security of the systems in which they operate.
Major Incident – A major incident is EITHER: [Treasury: IRP]
I. Any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or the economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people. Agencies should determine the level of impact of the incident by using the existing incident management process established in NIST SP 800-61, Computer Security Incident Handling Guide.
OR
II. A breach that involves PII that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people. An unauthorized modification of, unauthorized deletion of, unauthorized exfiltration of, or unauthorized access to the PII of 100,000 or more people also constitutes a “major incident.”
OR
III. Any incident resulting from Advanced Persistent Threat (APT) actors, with attribution from a trusted commercial or external government intelligence source.
MD5 – A widely used cryptographic hash function producing a 16-byte (128-bit) hash value, typically expressed in text format as a 32-digit hexadecimal number. MD5 is commonly used to verify data integrity against accidental corruption. It is no longer collision resistant, so it must not be relied on to detect deliberate tampering or used for digital signatures.
Memorandum of Agreement (MOA) – Used to document agreements and execute or deliver support with or without reimbursement between any two or more parties.
Memorandum of Understanding (MOU) – Used to document a mutual understanding between two or more parties that does not contain an expectation of payment, and under which the parties do not rely on each other to execute or deliver on any responsibilities.
N
NA – Network Administrators
NICE – National Initiative for Cybersecurity Education
NIST – National Institute of Standards and Technology
NOM – Network Operations Management
Non-repudiation – Protection against an individual who falsely denies having performed a certain action and provides the capability to determine whether an individual took a certain action, such as creating information, sending a message, approving information, or receiving a message.
Notable Cyber Event – Any deviation from the norm or observable occurrence in a network or system that could have led to a cyber incident but was otherwise mitigated and the source or threat vector poses an ongoing risk to the Department.
O
OMB – Office of Management and Budget
P
PGLD – Privacy, Governmental Liaison and Disclosure
PIIRMG – Personally Identifiable Information Risk Management Group
Personally Identifiable Information (PII) – Any information about an individual maintained by an agency, including:
-
Information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual, such as name, Social Security number, date and place of birth, mother's maiden name, or biometric records.
a. To distinguish an individual is to identify an individual, for example by SSN or passport number. A list of credit scores without any other information concerning the individual does not distinguish the individual.
b. To trace an individual is to process sufficient information to make a determination about a specific aspect of an individual's activities or status, for example an audit log.
-
Information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
a. Linked information is information about or related to an individual that is logically associated with other information about the individual.
b. Linkable information is information about or related to an individual for which there is a possibility of logical association with other information about the individual.
-
The definition of PII is not anchored to any single category of information or technology. Rather, it demands a case-by-case assessment of the specific risk that an individual can be identified.
Plan of Action and Milestones (POA&M) – A tool that identifies tasks that need to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.
POC – Point of Contact
Privacy Officer – The senior agency official for privacy is the senior official or executive with agency-wide responsibility and accountability for ensuring compliance with applicable privacy requirements and managing privacy risk.
Private Key – A mathematical key (kept secret by the holder) used to create digital signatures and, depending upon the algorithm, to decrypt messages or files encrypted (for confidentiality) with the corresponding public key.
Program – A program is the process of translating broadly stated mission needs into a set of operational requirements from which specific performance specifications are derived. A program consists of a functional area that supports a Treasury or IRS mission and has associated IT systems and budgetary resources. A program is an organized set of activities directed towards a common purpose, objective, goal, or understanding proposed by IRS to carry out responsibilities assigned to the organization. Examples of programs include: Compliance, Accounts Management, Submission Processing, production of U.S. currency, asset forfeiture, and bank supervision.
Public Key – A mathematical key that has public availability and that applications use to encrypt data or to verify signatures created with its corresponding private key.
PVG – Patch and Vulnerability Group
Q, R
RACF – Resource Access Control Facility
RBD – Risk-Based Decision
Remediation – Actions taken to correct known deficiencies and weaknesses once a vulnerability has been identified. The act of mitigating a vulnerability or a threat.
Review – Based on the Government Auditing Standards (2003), the IRS cannot perform self-audits; however, it can perform many of the audit activities in the context of reviews. IRS reviews are primarily internal control reviews, based on the definitions contained within this section, and are comprised of assessments. This is a significant concept, as it should reduce the amount of redundant work needed to conduct a review.
Risk – A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically is a function of: (i) the adverse impact, or magnitude of harm, that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
Risk Assessment – The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
RMF – Risk Management Framework
S
SA – System Administrator
Safeguards – The protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures.
SAISO – Senior Agency Information Security Officer
SAMC – Situational Awareness Management Center
SCA – Security Control Assessment
Scanning – Sending packets or requests to another system to gain information to be used in a subsequent attack.
SecSpec – Security Specialist
Security Assessment and Authorization (SA&A) – A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the requirements for the system.
Security Controls – The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability (CIA) of the system and its information.
Security Requirements – Requirements levied on an information system that are derived from laws, EOs, directives, policies, instructions, regulations, or organizational (mission) needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.
Self-Assessment – A method for agency officials to determine the current status of their information security programs and, where necessary, establish a target for improvement. For a self-assessment to be effective, a risk assessment shall be conducted in conjunction with, or prior to the self-assessment. A self-assessment does not eliminate the need for a risk assessment.
Sensitive But Unclassified (SBU) Information – Originated with the Computer Security Act of 1987. It is defined as “any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under Section 552a of Title 5, United States Code (USC) (the Privacy Act) but which has not been specifically authorized under criteria established by an EO or an act of Congress to be kept secret in the interest of national defense or foreign policy.”
Sensitive Information – See controlled unclassified information (CUI).
Significant Cyber Incident – A cyber incident that is (or group of related cyber incidents that together are) likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people. Note: all major incidents are also deemed significant cyber incidents. However, only when a breach of PII that constitutes a “major incident” is the result of a cyber incident will it meet the definition of a “significant cyber incident” and trigger the coordination mechanisms outlined in NSPD-7.
SOP – Standard Operating Procedure
SP – Special Publication
SPMO – Security Program Management Officer
SRM – Security Risk Management
SSE – System Security Engineer
SSM – System Security Manager
SSO – System Security Officer
Suspected Incident – An occurrence or alert that is under investigation as a potential incident but has yet to be confirmed.
Suspected Breach – An occurrence or alert that is under investigation as a potential breach but has yet to be confirmed.
System – Any organized assembly of resources and procedures united and regulated by interaction or interdependence to accomplish a set of specific functions. Note: Systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems.
System Development Life Cycle (SDLC) – The scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal that instigates another system initiation.
System Security Plan (SSP) – Formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements.
T
TCSIRC – Treasury Computer Security Incident Response Center
TD P – Treasury Directive Publication
Threat – Any circumstance or event with the potential to adversely impact agency operations (including mission, functions, image, or reputation), agency assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
TIGTA – Treasury Inspector General for Tax Administration
Training – Training is more formal than "awareness," having the goal of building knowledge and skills to facilitate security in one’s job performance. The training level strives to produce relevant and needed security skills and competency by practitioners whose functional specialties are other than IT security (e.g., management, systems design, development, acquisition, auditing). Current training guidance encourages Role-Based Training.
TS-SCI – Top Secret Sensitive Compartmented Information
TSOC – Treasury Shared Services Security Operations Center
U, V
UA – User Administrator
UNS – User and Network Services
Vulnerability – A known weakness in a system, system security procedures, internal controls, or implementation by which an actor or event may intentionally exploit or accidentally trigger the weakness to access, modify, or disrupt normal operations of a system, resulting in a security incident or a violation of the system's security policy.
Vulnerability Assessment – Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
Department of the Treasury Publications
- TD P 85-01: TD P 85-01 Version 3.1.3, “Treasury Information Technology Security Programs,” issued February 28, 2022.
- TD 85-02: TD 85-02, “Treasury Software Piracy Policy,” issued March 23, 2016.
- TD 87-04: TD 87-04, “Personal Use of Government Information Technology Resources,” issued January 27, 2012.
- ISCM: Department of the Treasury, Version 1.0, “Treasury Information Security Continuous Monitoring (ISCM) Framework,” issued February 2, 2015.
- IRP: Department of the Treasury, Version 6.0, “Departmental Incident Response Plan (IRP),” issued October 28, 2024.
IRS Publications
- IRM 1.1.32, Organization and Staffing, Office of the Chief Procurement Officer
- IRM 1.4.1, Resource Guide for Managers, Management Roles and Responsibilities
- IRM 10.2.14, Physical Security Program, Methods of Providing Protection
- IRM 10.5.1, Privacy and Information Protection, Privacy Policy
- IRM 10.8.1, Information Technology (IT) Security, Security Policy
- IRM 10.8.5, Information Technology (IT) Security, Domain Name System (DNS) Security Policy
- IRM 10.8.6, Information Technology (IT) Security, Application Security and Development
- IRM 10.8.11, Information Technology (IT) Security, Application Security Policy
- IRM 10.8.12, Information Technology (IT) Security, Container Platform Security Policy
- IRM 10.8.13, Information Technology (IT) Security, Business Impact Analysis (BIA) Security Policy
- IRM 10.8.15, Information Technology (IT) Security, General Platform Operating System
- IRM 10.8.21, Information Technology (IT) Security, Database Security Policy
- IRM 10.8.22, Information Technology (IT) Security, Web Server Security Policy
- IRM 10.8.23, Information Technology (IT) Security, Application Server Security Policy
- IRM 10.8.24, Information Technology (IT) Security, Cloud Computing Security Policy
- IRM 10.8.26, Information Technology (IT) Security, Wireless and Mobile Device Security Policy
- IRM 10.8.27, Information Technology (IT) Security, Personal Use of Government Furnished Information Technology and Resources
- IRM 10.8.33, Information Technology (IT) Security, Mainframe System Security Policy
- IRM 10.8.34, Information Technology (IT) Security, IDRS Security Controls
- IRM 10.8.50, Information Technology (IT) Security, Service-wide Security Patch Management
- IRM 10.8.52, Information Technology (IT) Security, IRS Public Key Infrastructure (PKI) X.509 Certificate Policy
- IRM 10.8.54, Information Technology (IT) Security, Minimum Firewall Administration Requirements
- IRM 10.8.55, Information Technology (IT) Security, Network Security Policy
- IRM 10.8.60, Information Technology (IT) Security, IT Service Continuity Management (ITSCM) Policy and Guidance
- IRM 10.8.62, Information Technology (IT) Security, Information System Contingency Plan (ISCP) and Disaster Recovery (DR) Test, Training, and Exercise (TT&E) Process
- IRM 10.8.63, Information Technology (IT) Security, Central Log Server Security Policy
- IRM 10.9.1, Classified National Security Information (CNSI)
National Institute of Standards and Technology (NIST) Publications
- FIPS 199: Federal Information Processing Standard Publication 199, “Standards for Security Categorization of Federal Information and Information Systems,” issued February 2004.
- SP 800-12: NIST Special Publication 800-12 Revision 1, “An Introduction to Information Security,” issued June 22, 2017.
- SP 800-18: NIST Special Publication 800-18 Revision 1, “Guide for Developing Security Plans for Federal Information Systems,” issued February 24, 2006.
- SP 800-34: NIST Special Publication 800-34 Revision 1, “Contingency Planning Guide for Federal Information Systems,” issued November 11, 2010.
- SP 800-37: NIST Special Publication 800-37 Revision 2, “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy,” issued December 20, 2018.
- SP 800-39: NIST Special Publication 800-39, “Managing Information Security Risk: Organization, Mission, and Information System View,” issued March 1, 2011.
- SP 800-40r2: NIST Special Publication 800-40 Revision 2, “Creating a Patch and Vulnerability Management Program,” issued November 16, 2005.
- SP 800-40r3: NIST Special Publication 800-40 Revision 3, “Guide to Enterprise Patch Management Technologies,” issued July 22, 2013.
- SP 800-40r4: NIST Special Publication 800-40 Revision 4, “Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology,” issued April 6, 2022.
- SP 800-53: NIST Special Publication 800-53 Revision 5.1.1, “Security and Privacy Controls for Information Systems and Organizations,” issued November 7, 2023.
- SP 800-60r1vI: NIST Special Publication 800-60 Revision 1 Volume I, “Guide for Mapping Types of Information and Information Systems to Security Categories,” issued August 1, 2008.
- SP 800-60r1vII: NIST Special Publication 800-60 Revision 1 Volume II, “Appendices for Mapping Types of Information and Information Systems to Security Categories,” issued August 1, 2008.
- SP 800-100: NIST Special Publication 800-100, “Information Security Handbook: A Guide for Managers,” issued March 7, 2007.
- SP 800-137: NIST Special Publication 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations,” issued September 30, 2011.
- SP 800-160v1r1: NIST Special Publication 800-160 Volume 1 Revision 1, “Engineering Trustworthy Secure Systems,” issued November 16, 2022.
- SP 800-160v2r1: NIST Special Publication 800-160 Volume 2 Revision 1, “Developing Cyber-Resilient Systems: A Systems Security Engineering Approach,” issued December 9, 2021.
- SP 800-181: NIST Special Publication 800-181 Revision 1, “Workforce Framework for Cybersecurity (NICE Framework),” issued November 16, 2020.
Other References
- CNSSI 4009, “Committee on National Security Systems (CNSSI) Glossary,” issued March 2, 2022.
- Federal: FAR: Title 48, “Federal Acquisition Regulation (FAR) System, Chapter 1,” issued September 30, 2024.
- EO 13833: Executive Order 13833, “Enhancing the Effectiveness of Agency Chief Information Officers,” issued May 15, 2018.
- EO 13103: Executive Order 13103, “Computer Software Piracy,” issued September 30, 1998.
- OMB Memorandum for Chief Acquisition Officers, “Revisions to the Federal Acquisition Certification for Contracting Officer’s Representatives (FAC-COR),” issued September 6, 2011.
- OMB M-16-14: OMB Memorandum 16-14, “Category Management Policy 16-2: Providing Comprehensive Identity Protection Services, Identity Monitoring, and Data Breach Response,” issued July 1, 2016.
- OMB M-20-04: OMB Memorandum 20-04, “Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements,” issued November 19, 2019.
- OMB M-21-31: OMB Memorandum 21-31, “Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents,” issued August 27, 2021.
- OMB A-130: OMB Circular No. A-130, “Managing Information as a Strategic Resource,” issued July 27, 2016.
- Federal: Privacy Act: Public Law 93-579 (S. 3418), “Privacy Act of 1974,” issued December 31, 1974.
- Federal: Taxpayer Browsing Protection Act: Public Law 105-35, “Taxpayer Browsing Protection Act of 1997,” issued August 5, 1997.
- Federal: Chief Financial Officers Act: Public Law 101-576, “Chief Financial Officers Act of 1990,” issued November 15, 1990.
- Federal: FISMA: Public Law 113-283 (S. 2521), “Federal Information Security Modernization Act (FISMA) of 2014,” issued December 18, 2014.
- Federal: Consolidated Appropriations Act, Section: Public Law 114-113 (H.R. 2029), “Consolidated Appropriations Act, 2016,” issued December 18, 2015.
- Federal: Foundations for Evidence-Based Policymaking Act: Public Law 115-435 (H.R. 4174), “Foundations for Evidence-Based Policymaking Act of 2018,” issued January 14, 2019.
- Federal: Taxpayer First Act: Public Law 116-25 (H.R. 3151), “Taxpayer First Act,” issued July 1, 2019.
- U.S. Code Title 5, “Government Organization and Employees.”
- U.S. Code Title 31, “Money and Finance.”
- U.S. Code Title 44, “Public Printing and Documents,” Chapter 35, “Coordination of Federal Information Policy.”