IRS Publication 5433-B
In an era of persistent remote and hybrid work, protecting sensitive taxpayer data remains a top priority for CPAs, enrolled agents, tax preparers, and accounting firms. IRS Publication 5433-B (July 2020), titled Working Virtually: Protecting Tax Data at Home and at Work – Part 3 – Use a Virtual Private Network to Secure Remote Locations, delivers concise, actionable guidance from the IRS Security Summit partners on why and how to deploy a Virtual Private Network (VPN).
Although released during the height of COVID-19 telework shifts, its core recommendations align directly with the latest IRS Publication 4557 (Rev. 6-2024), Safeguarding Taxpayer Data, the FTC Safeguards Rule, and current CISA/NIST best practices. This SEO-optimized guide breaks down the publication, explains VPN mechanics, outlines IRS-compliant implementation steps, and shares 2025 updates to help your firm stay secure and compliant.
What Is IRS Publication 5433-B?
Publication 5433-B is the third installment in the IRS and Security Summit’s five-part Working Virtually series. It targets tax professionals handling protected taxpayer information (PTI) who work from home, coffee shops, or client sites.
Key excerpt from the official one-page PDF (download here: https://www.irs.gov/pub/irs-pdf/p5433b.pdf):
“As more tax professionals consider teleworking during COVID-19, it’s important to secure remote locations by using a virtual private network (VPN) to protect against cyber intruders. A VPN provides a secure, encrypted tunnel to transmit data between a remote user via the Internet and the company network. VPNs are critical in helping tax professionals protect and secure internet connections.”
The publication emphasizes that skipping a VPN exposes your entire office network to remote takeover attacks—where cybercriminals access one employee’s home connection and pivot to firm-wide systems.
This guidance forms part of the broader “Security Six” (detailed in Publication 5433, Part 1), where VPN use is listed as safeguard #6 alongside antivirus, firewalls, multi-factor authentication (MFA), backups, and drive encryption.
Why VPNs Are Non-Negotiable for Tax Professionals in 2025
Tax data is a high-value target. Breaches can lead to:
- IRS penalties and loss of e-file privileges
- FTC Safeguards Rule violations (fines up to $100,000+ per violation)
- Reputational damage and client lawsuits
Without a VPN, data transmitted over public Wi-Fi, home networks, or hotel connections travels unencrypted and is vulnerable to interception (man-in-the-middle attacks).
With a VPN:
- All traffic is encrypted end-to-end
- Your IP address is masked
- You create a private tunnel to your firm’s (or cloud provider’s) network
- Compliance with IRS Pub 4557’s “minimum standard” for remote access is achieved when paired with MFA
IRS Publication 4557 (Rev. 6-2024) explicitly states: “Use of multi-factor authentication … and a secure Virtual Private Network (VPN) should be minimum standards for remote access to the firm’s office network.”
CISA’s 2024 Federal Mobile Workplace Security guidance reinforces this: always use authorized VPNs for sensitive data access, especially on non-corporate networks.
How a VPN Actually Works (Simple Explanation)
A VPN creates an encrypted “tunnel” between your device and a secure server. Data leaving your laptop is scrambled before it reaches your ISP or public network, then decrypted only at the authorized destination.
Secure vs. Insecure Remote Connection:
- Insecure: Direct connection → Data visible to ISP, hackers on public Wi-Fi, or network snoops
- Secure (VPN): Encrypted tunnel → Only authorized endpoints can read the data
Step-by-Step: Implementing an IRS-Compliant VPN Setup
- Assess Your Needs
  - Solo practitioner or small firm → Business-grade commercial VPN (e.g., providers vetted via “best VPNs for business” searches)
  - Larger firm → Enterprise VPN or Zero Trust Network Access (ZTNA) solution
- Choose the Right VPN (2025 Criteria)
  - AES-256 encryption (IRS/NIST minimum standard)
  - IKEv2/IPsec or WireGuard protocol (preferred over outdated SSL VPNs per NSA/CISA joint guidance)
  - Kill switch / always-on feature
  - No-logs policy (independently audited)
  - MFA integration for VPN login
  - Split-tunneling option (route only work traffic through VPN)
  - Avoid free VPNs—they often log data or inject ads
- Deploy Securely
  - Require VPN + MFA for all remote access to tax software, email, cloud storage, and file shares
  - Issue firm-managed devices when possible (Pub 4557 recommendation)
  - Configure auto-connect on home/office Wi-Fi and public networks
  - Document the policy in your written information security plan (FTC requirement)
- Test and Monitor
  - Verify encryption with tools like Wireshark or browser leak tests
  - Log VPN connections and review for anomalies
  - Update client software and firmware regularly
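The "log VPN connections and review for anomalies" step can be partly automated. The following is an added example, not taken from the IRS publications: the comma-separated log format, the field names, the thresholds and the working-hours policy are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical gateway export format:
# ISO timestamp, user, source IP, event (LOGIN_OK / LOGIN_FAIL), MFA used (yes/no)
SAMPLE_LOG = """\
2025-03-03T08:58:10,alice,198.51.100.7,LOGIN_OK,yes
2025-03-03T09:02:41,bob,203.0.113.25,LOGIN_FAIL,no
2025-03-03T09:02:55,bob,203.0.113.25,LOGIN_FAIL,no
2025-03-03T09:03:09,bob,203.0.113.25,LOGIN_FAIL,no
2025-03-03T09:03:30,bob,203.0.113.25,LOGIN_OK,no
2025-03-04T02:14:00,alice,192.0.2.200,LOGIN_OK,yes
"""

FAIL_THRESHOLD = 3                  # failures per user+IP inside the window
FAIL_WINDOW = timedelta(minutes=5)
WORK_HOURS = range(7, 20)           # assumed firm policy: 07:00-19:59 local


def review(log_text):
    """Return a list of (timestamp, user, finding) tuples for manual review."""
    findings = []
    recent_fails = defaultdict(list)   # (user, ip) -> recent failure times
    known_ips = defaultdict(set)       # user -> source IPs seen on success
    for line in log_text.strip().splitlines():
        ts_raw, user, ip, event, mfa = line.split(",")
        ts = datetime.fromisoformat(ts_raw)
        if event == "LOGIN_FAIL":
            window = [t for t in recent_fails[(user, ip)] if ts - t <= FAIL_WINDOW]
            window.append(ts)
            recent_fails[(user, ip)] = window
            if len(window) == FAIL_THRESHOLD:   # report once, when the threshold is hit
                findings.append((ts_raw, user, "repeated failed logins"))
            continue
        if mfa != "yes":
            findings.append((ts_raw, user, "login without MFA"))
        if ts.hour not in WORK_HOURS:
            findings.append((ts_raw, user, "login outside working hours"))
        if known_ips[user] and ip not in known_ips[user]:
            findings.append((ts_raw, user, "new source IP"))
        known_ips[user].add(ip)
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Each finding is a prompt for a person to check with the user, not proof of compromise; a new source IP is normal for someone who travels.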
Additional Best Practices from Trusted Sources (2025)
- CISA Telework Guidance: Use only authorized VPNs; combine with strong passwords (16+ characters), MFA, and device encryption.
- NIST SP 800-46 Rev. 2: Assume alternate worksites are hostile; segment networks and limit privileges.
- Pub 4557 Integration: Pair VPN with drive encryption, regular backups, and employee training on phishing.
- Never use public Wi-Fi without VPN for client data access.
- For cloud-based tax software (e.g., hosted solutions), confirm the provider uses equivalent secure remote access.
Common VPN Mistakes Tax Firms Still Make
- Relying on consumer-grade or free VPNs
- Allowing split-tunneling that bypasses protection for tax apps
- Skipping MFA on the VPN gateway
- Failing to update VPN software (unpatched VPN vulnerabilities are a common attack vector)
- No written remote access policy
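To catch the split-tunneling mistake above before deployment, compare the prefixes the client routes through the tunnel (for example a WireGuard client's AllowedIPs) with the addresses of the systems that hold taxpayer data. This is an added example, not from the IRS publications; the function name, system labels and addresses are constructed for illustration.

```python
import ipaddress

# Constructed inventory: systems that store or process taxpayer data
TAX_SYSTEMS = {
    "tax-software": "10.20.5.10",
    "file-share": "10.20.8.4",
    "client-portal": "203.0.113.40",   # hosted outside the office network
    "backup-v6": "2001:db8::15",
}

SPLIT_ROUTES = ["10.20.0.0/16"]        # split tunnel: office LAN only
FULL_ROUTES = ["0.0.0.0/0", "::/0"]    # full tunnel: all IPv4 and IPv6


def unprotected_destinations(tunnel_routes, destinations):
    """Return {label: address} for destinations that would bypass the VPN.

    tunnel_routes: CIDR prefixes the client sends through the tunnel
    destinations:  {label: IP address} of systems holding taxpayer data
    """
    nets = [ipaddress.ip_network(r, strict=False) for r in tunnel_routes]
    bypass = {}
    for label, addr in destinations.items():
        ip = ipaddress.ip_address(addr)
        # Membership is False when IP versions differ, so an IPv6 service
        # is reported unless an IPv6 prefix is routed as well.
        if not any(ip in net for net in nets):
            bypass[label] = addr
    return bypass


if __name__ == "__main__":
    for name, routes in (("split", SPLIT_ROUTES), ("full", FULL_ROUTES)):
        print(name, unprotected_destinations(routes, TAX_SYSTEMS))
```

Routing only `0.0.0.0/0` still leaves the IPv6 backup target outside the tunnel, which is the same class of leak a browser leak test looks for.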
Frequently Asked Questions (FAQs)
- Is a VPN required by the IRS?
  It is a recommended minimum standard in Pub 4557 and the Security Six. Non-compliance with overall safeguards can trigger audits, penalties, or loss of e-file status.
- Can I use my tax software’s built-in remote access instead?
  Only if it uses equivalent encryption and MFA. Most reputable hosted tax platforms meet or exceed IRS standards—verify with your vendor.
- How much does a business VPN cost?
  Enterprise solutions start at $5–15 per user/month. Many offer volume discounts for tax firms.
- Does Pub 5433-B still apply in 2026?
  Yes—the principles are timeless and reinforced in the current version of Pub 4557 (2024).
Download the Official IRS Publication
- Publication 5433-B (English)
- Publication 4557 – Safeguarding Taxpayer Data (latest)
- Full Security Summit resources: irs.gov/securitysummit
Conclusion: Secure Your Remote Work Today
IRS Publication 5433-B may be short, but its message is powerful: in the virtual workplace, a properly configured VPN is your first line of defense against cyber intruders targeting tax data.
By following the IRS Security Summit guidance, integrating it with Pub 4557’s Security Six, and applying 2025 CISA/NIST enhancements, your firm can protect clients, maintain compliance, and work confidently from anywhere.
Action Steps Now:
- Download and review Pub 5433-B and 4557
- Audit your current remote access setup
- Deploy or upgrade to an IRS-compliant VPN with MFA
- Train your team and document everything
Need help selecting or implementing a compliant VPN solution tailored for tax practices? Consult a cybersecurity professional familiar with IRS safeguards—your clients’ data (and your practice) depend on it.
Sources: IRS.gov (Publications 5433-B, 5433, 4557), CISA Federal Mobile Workplace Security (2024), NIST SP 800-46, FTC Safeguards Rule. Last verified February 2026.