Skip to content

Free 15-minute cybersecurity consultation — no obligation

Book Free Call
Tax32 min readDeep Dive

Physical Security Requirements for FTI: IRS Pub 1075

Which physical security practice is required for FTI? IRS Pub 1075 mandates restricted areas, access controls, and secure media destruction. Get compliant.

Physical Security Requirements for FTI: IRS Pub 1075 — which physical security practice is required for fti?

Which Physical Security Practice Is Required for FTI?

The physical security practice required for Federal Tax Information (FTI) is restricted area control: all FTI must be accessed, processed, and stored exclusively within a formally designated restricted area that is physically separated from public or unauthorized access. Every other physical control under IRS Publication 1075 extends from that foundation.

Federal Tax Information is defined under Internal Revenue Code §6103 as tax returns and return information the IRS shares with authorized agencies. If your agency receives FTI, you are legally required to protect it using the controls in IRS Publication 1075: Tax Information Security Guidelines for Federal, State, and Local Agencies.

This guide covers every physical security practice required for FTI, what IRS auditors examine during Safeguard Reviews, how controls map to NIST SP 800-53, and how to build a defensible compliance program. For tax preparers handling private client data rather than government-received FTI, see our IRS Publication 4557 compliance guide.

What Is FTI and Who Must Comply?

FTI includes any return, return information, or taxpayer identity information the IRS provides to federal or state agencies under IRC §6103 authority. This data flows to state child support enforcement offices (Title IV-D), Medicaid and Children's Health Insurance Program (CHIP) agencies, unemployment insurance programs, federal benefit agencies using tax records for income verification, and others with statutory authorization to receive it.

Every agency, contractor, and sub-contractor that receives, stores, processes, or transmits FTI carries the same physical security obligations under Publication 1075, regardless of size or FTI volume. Small offices with low FTI volume receive no exemptions.

  • State and local tax agencies
  • Child support enforcement agencies (Title IV-D)
  • Medicaid and CHIP program offices
  • Unemployment insurance agencies
  • Federal benefit payment agencies using tax data for income verification
  • Contractors and third-party service providers with access to FTI systems or records

Publication 1075 maps its required controls to the NIST SP 800-53 Rev. 5 control catalog, specifically the Physical and Environmental Protection (PE) control family. Agencies already implementing NIST SP 800-53 for other compliance obligations can align FTI physical security controls with their existing framework rather than building a separate program from scratch.

FTI Compliance: By the Numbers

5 Years
Max Criminal Penalty

Imprisonment for unauthorized FTI disclosure under IRC §7213

$1,000+
Civil Damages Per Act

Minimum civil damages per unauthorized disclosure under IRC §7431

Every 2 Years
Safeguard Review Cycle

IRS audits FTI-receiving agencies on a biennial schedule

Restricted Areas: The Foundational Physical Security Practice

A restricted area under Publication 1075 is a space with physical barriers, such as walls, partitions, or equivalent structures, that prevent unauthorized entry. Every entry point must be controlled by one of these mechanisms:

  • Electronic key card or badge systems with individually assigned credentials. These are preferred because access can be revoked instantly and logs are generated automatically.
  • Combination or cipher locks with codes distributed only to authorized, vetted personnel.
  • Biometric readers such as fingerprint or retinal scanners.
  • Security personnel physically controlling access at staffed checkpoints.

Open-plan offices, shared workspaces, and areas accessible to visitors or general staff do not qualify as restricted areas without additional physical barriers. A workstation processing FTI cannot sit at an open desk even if the broader office building is access-controlled. Publication 1075 is explicit: the restricted area designation applies to the specific space where FTI is handled, not the building perimeter.

Access authorization lists must document every individual permitted to enter the restricted area. These lists require a formal review at least quarterly, and any person whose access is not re-confirmed during that review should be removed. When an employee separates or changes roles, access must be revoked within 24 hours, covering both physical credentials (badge deactivation, code changes) and any associated logical access to FTI systems.

Visitor management is a separate requirement. Every visitor entering the restricted area must be logged with their full name, organization, purpose of visit, the name of their authorized escort, and entry and exit times. Visitors may not enter unescorted under any circumstances, and visitor logs must be retained for the full audit period covered by an IRS Safeguard Review.

How to Establish FTI Physical Security Controls

1

Designate and Document the Restricted Area

Formally designate the specific space where FTI will be accessed, processed, and stored. Document its location, physical boundaries, and the justification for its designation in your agency's security plan.

2

Install and Configure Access Controls

Deploy badge readers, cipher locks, or biometric systems at every entry point. Assign individual credentials rather than shared ones so access logs are attributable to specific personnel.

3

Build and Maintain the Access Authorization List

Create a signed authorization list of every person permitted in the restricted area. Schedule quarterly reviews and assign a responsible party to process revocations within 24 hours of any personnel change.

4

Deploy Monitoring and Logging

Install cameras covering all entry and exit points. Configure systems to retain footage for a minimum of 90 days. Establish a weekly access log review process and document each review.

5

Implement Media Storage and Destruction Controls

Procure GSA-approved or locked containers for all physical FTI. Document your destruction process, including shredding to DIN 66399 P-4 for paper and degaussing plus physical destruction for magnetic media.

6

Train Staff and Test the Program

Train all personnel with restricted area access on clean desk requirements, workstation lock policies, visitor escort procedures, and destruction protocols. Conduct a tabletop exercise simulating an IRS Safeguard Review before your first audit cycle.

FTI Document Handling, Storage, and Destruction

Physical security requirements for FTI extend beyond who can enter a room. They govern how FTI is handled from the moment it is received through the moment it is destroyed. Publication 1075's Media Protection (MP) controls cover this lifecycle in detail.

Storage: Locked Containers Required

When FTI in physical form, such as printed reports, forms, portable drives, or backup tapes, is not actively in use, it must be secured in a locked container that only authorized personnel can open. Acceptable options include GSA-approved security containers and safes, locked steel filing cabinets located inside restricted areas, and dedicated locked server rooms for electronic media. Leaving FTI printouts in an unlocked drawer or an unsecured filing cabinet, even in a locked office, does not meet Publication 1075's storage requirements.

Clean Desk Policy and Workstation Controls

One of the most frequently cited deficiencies in IRS Safeguard Reviews is failure to enforce a clean desk policy. FTI on any desk or workstation must be attended by a vetted, authorized user. The moment that user steps away, FTI must be secured. On-screen FTI is addressed by requiring workstations to auto-lock after no more than 15 minutes of inactivity, with 5-minute timeouts recommended for high-sensitivity environments. Printers that produce FTI output must be located inside restricted areas or staffed by an authorized employee throughout the entire print job.

These controls connect directly to technical safeguards. For staff accessing FTI through agency softwareIRS cybersecurity requirements include multi-factor authentication on every portal and application, creating a technical barrier that complements physical access controls at the system level.

Media Destruction: Standards and Documentation

When FTI reaches end of life, whether on paper or digital media, its destruction must meet specific standards and be fully documented. For paper FTI, cross-cut or micro-cut shredding at a minimum of DIN 66399 level P-4 is required, producing particles no larger than 160 mm². Strip-cut shredders do not meet this standard. Burning and pulping under controlled conditions are also acceptable methods.

For electronic media, Publication 1075 requires degaussing followed by physical destruction for magnetic media (hard drives and tapes), and physical destruction alone for solid-state drives. Standard file deletion and full-disk formatting do not satisfy this requirement. The distinction between erasing and destroying data parallels the difference explained in our breakdown of hashing vs. encryption.

Every destruction event must be logged with the date, media type, quantity, destruction method, and the name of the person who performed or witnessed the event. Agencies using third-party destruction vendors must obtain certificates of destruction and retain them for audit purposes. When selecting a vendor, verify they can provide certified destruction documentation that IRS reviewers will accept during a Safeguard Review.

FTI Physical Security Compliance Checklist

  • Designate a formal restricted area physically separated from public and general staff access
  • Control every entry point with badge reader, biometric system, cipher lock, or staffed checkpoint
  • Maintain a signed access authorization list and review it at least quarterly
  • Revoke physical access within 24 hours of an employee separation or role change
  • Install cameras covering all entry and exit points and retain footage for at least 90 days
  • Review access logs weekly and document each review
  • Escort and log all visitors with name, organization, purpose, escort name, and entry/exit times
  • Store all physical FTI in GSA-approved or locked containers inside restricted areas
  • Enforce a clean desk policy and configure 15-minute maximum workstation auto-lock
  • Shred paper FTI to DIN 66399 P-4 standard and degauss plus physically destroy electronic media
  • Log every destruction event and retain vendor certificates of destruction for audit periods

IRS Safeguard Review: Know Before the Auditors Arrive

IRS Safeguard Reviews occur on a biennial cycle, and more frequently if prior reviews identified deficiencies. A material weakness found during the physical security walkthrough, such as FTI stored in an unlocked area or a missing destruction log, can result in a formal corrective action plan, suspension of FTI access pending remediation, or escalation to the IRS Office of Safeguards. Agencies should treat pre-review self-assessments as a standard part of their annual security calendar.

What IRS Safeguard Reviews Examine for Physical Security

Agencies receiving FTI undergo Safeguard Reviews on a biennial cycle. During the physical security component, IRS reviewers conduct on-site walkthroughs of all FTI-handling areas. They are specifically looking for the following evidence:

  • Physical separation of restricted areas from public or general staff access zones
  • Current, signed access authorization lists reviewed within the past 90 days
  • Visitor logs covering the full review period with all required fields completed
  • Security camera coverage of all entry and exit points
  • Evidence of weekly log reviews, typically demonstrated through a documented review record
  • Locked storage containers for all physical FTI media
  • Destruction logs with required detail covering the past 12 to 24 months

Review findings are categorized by severity. A material weakness can trigger a formal corrective action plan, suspension of FTI access pending remediation, or escalation to the IRS Office of Safeguards. Agencies that identify gaps before a review can typically remediate them without formal findings, making pre-review self-assessments a sound investment. For organizations that also maintain an incident response plan for tax data, the same documentation habits that support IRS reviews also support breach response readiness.

How IRS Pub 1075 Maps to NIST SP 800-53 Physical Controls

Publication 1075 does not create a separate control language. It adopts the NIST SP 800-53 Rev. 5 Physical and Environmental Protection (PE) family and adds FTI-specific parameters. This mapping lets agencies reuse existing NIST documentation and assessments rather than duplicating effort:

  • PE-2 Physical Access Authorizations: the signed authorization list and quarterly review requirement
  • PE-3 Physical Access Control: badge, biometric, or cipher control at every entry point
  • PE-6 Monitoring Physical Access: cameras, weekly log review, and 90-day footage retention
  • PE-8 Visitor Access Records: escorted visitors and complete visitor logs
  • MP-4 / MP-6 Media Storage and Sanitization: locked containers and the DIN 66399 P-4 plus degaussing destruction standards

Because the control numbers are shared, an agency already assessed against NIST SP 800-53 can demonstrate much of its FTI compliance by referencing existing PE and MP control evidence, then layering on the FTI-specific parameters such as the 24-hour access revocation window and 90-day footage retention. This alignment reduces duplicate documentation and simplifies evidence collection ahead of Safeguard Reviews.

Physical and Technical Controls Work Together

Physical security and cybersecurity are inseparable for FTI compliance. An unattended workstation displaying FTI is a physical security failure even if the network is fully encrypted. Publication 1075 requires agencies to address both domains in a single integrated security plan.

Physical controls such as locked server rooms and restricted area badge access directly reinforce technical controls such as encryption and network segmentation. Agencies should also maintain an incident response plan so that any physical or technical lapse is contained quickly and reported within the timelines Publication 1075 requires. For a broader look at how these obligations intersect with data security frameworks, our guide to IRS Written Information Security Plans covers the documentation side of this requirement.

Agencies handling FTI alongside private client records may find the WISP guidance for small tax firms useful for maintaining a coherent security posture across both regulatory requirements. The free 2026 WISP template is a practical starting point for documenting controls across both frameworks.

Bottom Line

Every agency, contractor, and sub-contractor receiving FTI must implement restricted area controls as the foundational physical security requirement under IRS Publication 1075. All other physical controls, including access authorization, monitoring, visitor management, and media destruction, extend from that designation. Agencies that align these requirements with the NIST SP 800-53 PE control family can reduce duplicative documentation and walk into IRS Safeguard Reviews with a defensible, evidence-backed program.

Is Your Agency Ready for an IRS Safeguard Review?

Bellator Cyber Guard's FTI compliance specialists assess your physical and technical controls against IRS Publication 1075 before the auditors arrive. Get a prioritized remediation plan and walk into your next Safeguard Review with confidence.

Frequently Asked Questions About FTI Physical Security

The foundational physical security practice required for Federal Tax Information is restricted area control. Under IRS Publication 1075, all FTI must be accessed, processed, and stored exclusively within a formally designated restricted area that is physically separated from public or unauthorized access. This designation must be enforced with mechanical or electronic access controls at every entry point, and the area must include monitoring, access logs, and visitor management procedures.

A qualifying restricted area must have physical barriers, such as walls or partitions, that prevent unauthorized entry. Every entry point must be controlled by an electronic badge or key card system, combination or cipher lock, biometric reader, or staffed security checkpoint. Open-plan offices, cubicle areas, and rooms accessible to visitors or general staff do not qualify without additional physical barriers. The designation applies to the specific space where FTI is handled, not the building or floor perimeter.

Paper FTI must be destroyed by cross-cut or micro-cut shredding meeting DIN 66399 level P-4, which produces particles no larger than 160 mm². Strip-cut shredders do not meet this standard and should not be used for FTI disposal. Burning and pulping under controlled conditions are also acceptable methods. Every destruction event must be logged with the date, media type, quantity, method, and the name of the person who performed or witnessed it.

IRS Publication 1075 requires FTI physical access to be revoked within 24 hours of an employee separation or role change. This covers both physical credentials, such as badge deactivation and cipher lock code changes, and any associated logical access to FTI systems. The access authorization list must be updated immediately, and the revocation should be documented for audit purposes.

Yes. Every contractor and sub-contractor that receives, stores, processes, or transmits FTI carries the same physical security obligations under Publication 1075 as the primary agency. There are no size or volume exemptions. Contractors must designate restricted areas, implement access controls, maintain authorization lists, enforce clean desk and destruction policies, and be prepared for IRS Safeguard Review scrutiny of their facilities.

Publication 1075 adopts the NIST SP 800-53 Rev. 5 Physical and Environmental Protection (PE) and Media Protection (MP) control families directly, then adds FTI-specific parameters. Key mappings include: PE-2 (Physical Access Authorizations) for the signed authorization list and quarterly review; PE-3 (Physical Access Control) for badge or biometric entry controls; PE-6 (Monitoring Physical Access) for cameras and weekly log review; PE-8 (Visitor Access Records) for visitor logs; and MP-4/MP-6 for locked storage and certified media destruction. Agencies already assessed against NIST SP 800-53 can reuse existing evidence and layer on FTI-specific parameters.

The IRS conducts Safeguard Reviews on a biennial cycle, meaning agencies are reviewed approximately every two years. Reviews occur more frequently if a prior review identified deficiencies or if a significant security incident occurs. During the physical security component, IRS reviewers conduct on-site walkthroughs and examine access logs, visitor records, destruction logs, and physical storage conditions.

Unauthorized disclosure of FTI carries significant legal consequences. Under IRC §7213, criminal penalties include fines up to $1,000 and imprisonment up to five years per violation. Under IRC §7431, civil damages for unauthorized disclosure are $1,000 per act or actual damages, whichever is greater, plus punitive damages and court costs in cases of willful or grossly negligent disclosure. Beyond individual penalties, agencies that fail IRS Safeguard Reviews may have FTI access suspended pending remediation and receive formal corrective action plans administered by the IRS Office of Safeguards.

No. FTI cannot be processed in open-plan offices, shared workspaces, or any area accessible to visitors or unauthorized personnel. Publication 1075 requires that FTI be handled only within a formally designated restricted area with physical barriers and controlled entry. If an existing workspace does not meet these requirements, physical modifications, such as adding walls, secured partitions, or a dedicated lockable room, are required before FTI processing can occur.

Physical FTI, including printed reports, portable drives, and backup tapes, must be stored in locked containers when not actively in use. Acceptable options include GSA-approved security containers and safes, locked steel filing cabinets located inside restricted areas, and dedicated locked server rooms for electronic media. Standard office desks, unlocked drawers, and unsecured filing cabinets, even those inside a locked office, do not satisfy Publication 1075's storage requirements.

Share

Share on X
Share on LinkedIn
Share on Facebook
Send via Email
Copy URL
(800) 492-6076
Share

Schedule

Need help with IRS compliance?

Our tax cybersecurity specialists can review your security posture and help you get compliant.

Protect your tax practice from cyber threats

Schedule a free consultation to assess your firm's security posture.