In today’s data-driven world, protecting sensitive taxpayer information is non-negotiable. IRS Publication 1075, officially titled Tax Information Security Guidelines for Federal, State and Local Agencies, delivers the definitive framework for safeguarding Federal Tax Information (FTI).
Agencies that receive FTI directly from the IRS or secondary sources must follow these strict standards to comply with Internal Revenue Code (IRC) § 6103(p)(4). Failure to do so risks criminal penalties, civil damages, and loss of access to critical tax data.
This guide explains Pub. 1075: its purpose, key requirements, major 2021 updates, compliance steps, and how to download the latest PDF.
What Is IRS Publication 1075?
IRS Publication 1075 (Rev. November 2021) outlines managerial, operational, and technical security controls that recipient agencies, agents, and contractors must implement to protect the confidentiality of FTI.
- FTI includes tax returns and return information as defined in IRC § 6103(b) — names, addresses, Social Security numbers, income details, tax liabilities, and more.
- The publication ensures agencies meet the safeguard requirements of IRC § 6103(p)(4), which mandates protections for any entity receiving FTI.
- It applies regardless of the medium (paper, electronic, or cloud) and covers federal, state, local agencies, and authorized contractors.
Core Goal: Maintain public confidence in the U.S. tax system by preventing unauthorized inspection, use, or disclosure of taxpayer data. Unauthorized disclosure can trigger criminal penalties under IRC § 7213, misdemeanor charges under § 7213A, and civil damages up to $1,000 per violation (plus actual damages and punitive awards) under § 7431.
Who Must Comply with Publication 1075?
Any federal, state, or local agency, agent, or contractor that:
- Receives FTI under IRC § 6103 disclosures (e.g., for child support enforcement, human services, deficit reduction, or tax administration).
- Stores, processes, transmits, or disposes of FTI.
- Uses contractors or cloud services that touch FTI.
Examples include state revenue departments, child support agencies, Medicaid offices, and third-party vendors under authorized contracts.
Key Definitions in Pub. 1075
- Federal Tax Information (FTI): Returns and return information protected by IRC § 6103.
- Need-to-Know: Access limited strictly to authorized personnel for official duties.
- Unauthorized Disclosure / Access: Any impermissible inspection or release.
- Incident / Data Breach: Terms now clearly defined for reporting.
Major Sections of IRS Publication 1075 (Rev. November 2021)
The 2021 revision completely restructured the document for clarity:
Section 1.0 – Federal Tax Information, Reviews & Other Requirements
Covers authorized use, secure data transfer, safeguards reviews (on-site, remote, or hybrid), termination of FTI access, and mandatory incident reporting.
Section 2.0 – Physical Security Requirements (IRC § 6103(p)(4)(A)–(F))
- Secure storage with minimum protection standards (locked rooms, two-barrier rule).
- Restricted area access logs, authorized access lists (reviewed monthly), visitor controls.
- FTI in transit, office moves, alternate work sites (telework), and media off-site storage.
- Background investigations (now every 5 years in many cases), personnel sanctions, and commingling restrictions.
- Disposal via approved methods (shredding, degaussing, or NIST-compliant sanitization).
Section 3.0 – Cybersecurity Requirements
- Assessment processes, technology-specific rules for cloud computing, email, fax, mobile devices, multifunction printers, networks, and virtual desktops.
- Public-facing systems and network boundary protections.
Section 4.0 – NIST SP 800-53 Revision 5 Security & Privacy Controls
Pub. 1075 adopts a tailored moderate-impact baseline from NIST SP 800-53 Rev. 5. It includes 18 control families (Access Control, Awareness & Training, Audit & Accountability, Incident Response, Media Protection, Physical & Environmental Protection, Risk Assessment, etc.). Privacy controls from former Appendix J are now fully integrated.
Encryption Requirements (Key Highlight)
All cryptographic modules must use the latest FIPS 140-validated encryption. Transmission must follow NIST SP 800-52 (TLS) and SP 800-77 (IPsec VPNs). Remote access requires VPN + multi-factor authentication. Data at rest on portable devices or shared systems must be encrypted.
Reporting & Review Obligations
- Safeguard Security Report (SSR): Annual submission (or more frequently for changes) detailing safeguarding program status.
- Incident Reporting: Immediate notification to the IRS Office of Safeguards for any potential unauthorized access or disclosure (within 24 hours for willful incidents in many cases).
- Internal Inspections & Training: Annual disclosure awareness training for all staff with FTI access; periodic self-inspections.
- Plan of Action & Milestones (POA&M): Track and remediate deficiencies.
Major Updates in the November 2021 Revision
This is the current version (effective ~May 2022; still in force as of 2026). Key changes include:
- Full realignment with NIST SP 800-53 Rev. 5 and integrated privacy controls.
- New structure with IRC § 6103 subsection mapping.
- Strengthened language (“should” → “must” in many places).
- Updated definitions, cloud computing guidance, telework rules, and incident response (including tabletop testing).
- Added Security & Privacy Control Table for quick reference.
- Expanded contractor and external provider security requirements.
No newer revision has been released.
How to Access & Implement IRS Publication 1075
Download the Official PDF (Free):
https://www.irs.gov/pub/irs-pdf/p1075.pdf
Additional resources:
- IRS Safeguards Program page: https://www.irs.gov/privacy-disclosure/safeguards-program (last reviewed April 2025).
- Encryption guidance: https://www.irs.gov/privacy-disclosure/encryption-requirements-of-publication-1075
- Safeguards mailbox: [email protected] for questions or SSR submissions.
Compliance Tips for Agencies:
- Appoint a dedicated Safeguards Coordinator.
- Conduct a gap analysis against the NIST control baseline.
- Implement FIPS 140-validated encryption everywhere FTI is stored or transmitted.
- Schedule annual SSR updates and internal inspections.
- Train all personnel annually and document it.
- Use IRS-provided templates for logs, visitor access, and corrective action plans.
Why Compliance Matters
Proper adherence to Pub. 1075 not only avoids severe penalties but also builds trust with taxpayers and the IRS. Non-compliance can result in suspension or termination of FTI access, audits, and public notification requirements in breach cases.
Final Thoughts
IRS Publication 1075 remains the gold standard for tax information security across government agencies. Whether you’re a state revenue department, child support office, or contractor handling FTI, mastering these guidelines is essential for legal compliance and data protection in 2026 and beyond.
Download the latest version today and begin (or refresh) your safeguards program. For questions, contact the IRS Office of Safeguards directly.
Stay compliant. Protect taxpayer trust. Reference IRS Publication 1075 (Rev. November 2021) as your authoritative source.