When considering the implementation of encryption technology, agencies should verify that the cryptographic module of the product being implemented is FIPS 140-2 validated and appears on the vendor list. When a system implements encryption to protect the confidentiality and/or integrity of data at rest or in transit, the software or hardware that performs the encryption algorithm must meet FIPS 140-2 standards for encryption keys, message authentication and hashing. For a list of approved security functions and commonly used FIPS-approved algorithms, see the FIPS 140-1 and FIPS 140-2 Cryptographic Module Validation Lists, which list the vendors whose cryptographic modules have been validated as conforming to FIPS 140-2 and are accepted by the Federal government for the protection of sensitive information.

Encryption can be used to safeguard against unauthorized disclosure, inspection, modification or substitution of federal tax information (FTI). IRS Publication 1075 uses the encryption requirements of NIST SP 800-53 and FIPS 140-2 to constitute the encryption requirements that agencies in receipt of FTI must comply with. The aim here is to define in simple terms the encryption requirements of Publication 1075 (NIST controls, FIPS 140-2) and to provide recommendations to agencies on how they can comply with those requirements in various scenarios, i.e., remote access, email, data transfers, mobile devices and media, databases and applications. Under the law (Internal Revenue Code Section 6103(p)), the IRS must protect all the personal and financial information furnished to the agency against unauthorized use, inspection, or disclosure.
The information system uses mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
When cryptography is required and employed within the information system, the organization establishes and manages cryptographic keys using automated mechanisms with supporting procedures or manual procedures.
IRS Publication 1075 has adopted a subset of the moderate-impact security controls as its security control baseline for compliance purposes.
Among those, the table below lists the encryption-related security controls that need to be implemented in order to comply with Publication 1075.
Validation certificates issued by the NIST Cryptographic Module Validation Program (including FIPS 140-1, FIPS 140-2, and future amendments) remain in effect, and the modules remain available for continued use and purchase, until a validation certificate is specifically revoked.

For user certificates, each agency either establishes an agency certification authority cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, or uses certificates from an approved shared service provider, as required by OMB Memorandum 05-24.

FIPS 140-2 is the mandatory standard for cryptographic-based security systems in computer and telecommunication systems (including voice systems) for the protection of sensitive data, as established by the Department of Commerce in 2001.