
Which Physical Security Practice Is Required for FTI?
The physical security practice required for Federal Tax Information (FTI) is the restricted area control: all FTI must be accessed, processed, and stored exclusively within a formally designated restricted area that is physically separated from public or unauthorized access. Every other physical control under IRS Publication 1075 — access authorization, visitor management, monitoring, secure media storage, and document destruction — extends from that foundation.
Federal Tax Information is defined under Internal Revenue Code §6103 as tax returns and return information the IRS shares with authorized agencies. If your agency receives FTI, you are legally obligated to protect it using the controls prescribed in IRS Publication 1075: Tax Information Security Guidelines for Federal, State, and Local Agencies. This guide explains every physical security practice required for FTI, what IRS auditors examine during Safeguard Reviews, and how to build a defensible compliance program. For the broader picture of protecting taxpayer data, see our guide to tax data protection.
The Bottom Line
FTI must live inside a designated restricted area. A workstation processing FTI cannot sit at an open desk, even in an access-controlled building. The restricted area designation applies to the specific space where FTI is handled — not just the building perimeter — and it anchors all other Publication 1075 physical controls.
What Is FTI and Who Must Comply?
Federal Tax Information includes any return, return information, or taxpayer identity information the IRS provides to federal or state agencies under IRC §6103 authority. This data flows to a wide range of government programs: state child support enforcement offices (Title IV-D), Medicaid and Children's Health Insurance Program (CHIP) agencies, unemployment insurance programs, federal benefit agencies using tax records for income verification, and others with statutory authorization to receive it.
Every agency, contractor, and sub-contractor that receives, stores, processes, or transmits FTI — regardless of size — carries the same physical security obligations under Publication 1075. There are no exemptions for small offices or low-volume FTI recipients.
Publication 1075 maps its required controls to the NIST SP 800-53 Rev. 5 control catalog, specifically the Physical and Environmental Protection (PE) control family. Agencies that already implement NIST SP 800-53 for other compliance obligations can align FTI physical security controls with their existing framework rather than building a separate program from scratch.
Who Is Typically Subject to FTI Physical Security Requirements?
- State and local tax agencies
- Child support enforcement agencies (Title IV-D)
- Medicaid and CHIP program offices
- Unemployment insurance agencies
- Federal benefit payment agencies using tax data for income verification
- Contractors and third-party service providers with access to FTI systems or records
Related obligations for tax preparers who handle private client information — rather than government-received FTI — are covered in our IRS Publication 4557 compliance resource.
Restricted Areas: The Foundational Physical Security Practice for FTI
A restricted area under Publication 1075 is a space with physical barriers — walls, partitions, or equivalent structures — that prevent unauthorized entry. Every entry point must be controlled by one of these mechanisms:
- Electronic key card or badge systems with individually assigned credentials. These are preferred because access can be revoked instantly and logs are generated automatically.
- Combination or cipher locks with codes distributed only to authorized, vetted personnel.
- Biometric readers such as fingerprint or retinal scanners.
- Security personnel physically controlling access at staffed checkpoints.
Open-plan offices, shared workspaces, and areas accessible to visitors or general staff do not qualify as restricted areas without additional physical barriers. A workstation processing FTI cannot sit at an open desk even if the broader office building is access-controlled. Publication 1075 is explicit: the restricted area designation applies to the specific space where FTI is handled, not just the building perimeter.
The Three Access Controls That Define an FTI Restricted Area
Physical Access Authorizations (PE-2)
Maintain a formal, signed list of every individual authorized to enter each FTI restricted area. The list must specify why each person needs access, tied to specific job duties, and be reviewed at least quarterly. When an employee separates or moves to a role that no longer requires FTI access, revoke physical access within 24 hours — including key card deactivation, combination code changes if shared credentials were used, and removal from the authorization list.
Monitoring Physical Access (PE-6)
Access must be actively monitored, not just controlled at the door. Security cameras must cover all entry and exit points. Access logs — from electronic badge readers or paper sign-in sheets — must be reviewed at least weekly for anomalies such as after-hours entries, repeated failed attempts, or access by personnel who should no longer be authorized. Camera footage must be retained for a minimum of 90 days.
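The weekly log review described above can be scripted. The following Python is an added example, not code from this page or from any agency's badge system: it runs over constructed badge-reader lines and a constructed PE-2 authorization list and flags after-hours entries, repeated failed attempts, and entries by personnel whose access should have been revoked, separating those still inside the 24-hour revocation window from those past it. The 07:00 to 19:00 business hours, the three-failures-in-ten-minutes rule, and the log format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data for this example: a PE-2 authorization list keyed by
# badge id (name, separation timestamp or None) and one week of reader events.
AUTHORIZED = {
    "B1001": ("Alice Park", None),
    "B1002": ("Bob Reyes", datetime(2025, 3, 3, 17, 0)),  # separated Mon 17:00
}
BADGE_LOG = """\
2025-03-03T08:12:00,B1001,FTI-ROOM-1,granted
2025-03-03T22:41:00,B1001,FTI-ROOM-1,granted
2025-03-04T09:00:00,B1002,FTI-ROOM-1,granted
2025-03-05T10:00:00,B1002,FTI-ROOM-1,granted
2025-03-05T10:02:00,B9999,FTI-ROOM-1,denied
2025-03-05T10:03:00,B9999,FTI-ROOM-1,denied
2025-03-05T10:05:00,B9999,FTI-ROOM-1,denied
"""
BUSINESS_HOURS = (7, 19)                # assumed normal operating window (hours)
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=10)  # assumed brute-force rule
REVOCATION_SLA = timedelta(hours=24)    # Publication 1075's 24-hour revocation window

def parse_log(text):
    """Parse 'timestamp,badge,door,result' lines into time-ordered tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, badge, door, result = line.split(",")
        events.append((datetime.fromisoformat(ts), badge, door, result))
    return sorted(events)

def review_access_log(text, authorized=AUTHORIZED):
    """Return PE-6 findings as (category, badge, timestamp) tuples."""
    findings, failures = [], defaultdict(list)
    for ts, badge, door, result in parse_log(text):
        name, separated = authorized.get(badge, (None, None))
        if result == "denied":
            # keep only failures inside the sliding window, then count them
            failures[badge] = [t for t in failures[badge] if ts - t <= FAIL_WINDOW] + [ts]
            if len(failures[badge]) >= FAIL_THRESHOLD:
                findings.append(("repeated_failures", badge, ts))
            continue
        if name is None:
            findings.append(("unlisted_badge", badge, ts))
        elif separated is not None and ts > separated:
            overdue = ts - separated > REVOCATION_SLA
            findings.append(("revocation_overdue" if overdue else "post_separation_entry", badge, ts))
        if ts.weekday() >= 5 or not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            findings.append(("after_hours", badge, ts))
    return findings
```

Each finding should be recorded in the documented weekly review so the review record itself exists as evidence for the Safeguard Review.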
Visitor Management (PE-8)
All visitors must present identification, sign a visitor log, and be escorted by an authorized employee at all times — never left unattended, even briefly. Visitor logs must document the visitor's name, organization, purpose of visit, escort name, and entry and exit times, and must be retained for review during IRS Safeguard Reviews.
FTI Document Handling, Storage, and Destruction Requirements
Physical security requirements for FTI extend beyond who can enter a room — they govern how FTI is handled from the moment it is received through the moment it is destroyed. Publication 1075's Media Protection (MP) controls cover this lifecycle in detail.
Storage: Locked Containers Required
When FTI in physical form — printed reports, forms, portable drives, backup tapes — is not actively in use, it must be secured in a locked container that only authorized personnel can open. Acceptable options include GSA-approved security containers and safes, locked steel filing cabinets located inside restricted areas, and dedicated locked server rooms for electronic media. Leaving FTI printouts in an unlocked drawer or an unsecured filing cabinet — even in a locked office — does not meet Publication 1075's storage requirements.
Clean Desk Policy and Workstation Controls
One of the most frequently cited deficiencies in IRS Safeguard Reviews is failure to enforce a clean desk policy. FTI on any desk or workstation must be attended by a vetted, authorized user. The moment that user steps away, FTI must be secured. On-screen FTI is addressed by requiring workstations to auto-lock after no more than 15 minutes of inactivity, with 5-minute timeouts recommended. Printers that produce FTI output must be located inside restricted areas or staffed by an authorized employee throughout the entire print job.
Frequently Cited Deficiency
An unattended workstation displaying FTI is a physical security failure even if the network is fully encrypted. IRS reviewers routinely flag unlocked screens, unsecured printouts, and FTI left on desks. Enforce a clean desk policy and a 5-minute screen-lock timeout before your next Safeguard Review.
Media Destruction: Standards and Logging Requirements
When FTI reaches end of life — whether on paper or digital media — its destruction must meet specific standards and be fully documented.
For paper FTI, cross-cut or micro-cut shredding at a minimum of DIN 66399 level P-4 is required, producing particles no larger than 160 mm². Strip-cut shredders do not meet this standard and should not be used for FTI disposal. Burning and pulping under controlled conditions are also acceptable methods.
For electronic media, Publication 1075 requires degaussing followed by physical destruction for magnetic media (hard drives, tapes), and physical destruction alone for solid-state drives. Standard file deletion and even full-disk formatting do not satisfy this requirement. The distinction between erasing and destroying data parallels the difference explained in our breakdown of hashing vs. encryption.
Every destruction event must be logged with the date, media type, quantity, destruction method, and the name of the person who performed or witnessed the event. Agencies using third-party destruction vendors must obtain certificates of destruction and retain them for audit purposes.
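As an added example, not code from this page or from any agency's records system, the following Python checks constructed destruction-log records against the requirements just described: the required fields, the DIN 66399 P-4 particle limit for shredded paper, degaussing plus physical destruction for magnetic media, physical destruction for solid-state drives, and a certificate when a third-party vendor performed the destruction. The field names and the media and method vocabulary are assumptions.

```python
# Constructed destruction-log records for this example; field names and the
# media/method vocabulary are assumptions, not a Publication 1075 schema.
REQUIRED_FIELDS = ("date", "media_type", "quantity", "method", "performed_by")
P4_MAX_PARTICLE_MM2 = 160          # DIN 66399 level P-4 particle limit
PAPER_METHODS = {"cross-cut", "micro-cut", "burn", "pulp"}
MAGNETIC_MEDIA = {"hard_drive", "tape"}

def validate_destruction_record(rec):
    """Return a list of deficiencies; an empty list means the record is audit-ready."""
    problems = [f"missing required field: {f}" for f in REQUIRED_FIELDS if not rec.get(f)]
    if problems:
        return problems
    media, methods = rec["media_type"], set(rec["method"])
    if media == "paper":
        for m in methods - PAPER_METHODS:   # strip-cut shredding lands here
            problems.append(f"paper method not acceptable: {m}")
        if methods & {"cross-cut", "micro-cut"} and rec.get("particle_mm2", float("inf")) > P4_MAX_PARTICLE_MM2:
            problems.append("shred output exceeds DIN 66399 P-4 (160 mm^2)")
    elif media in MAGNETIC_MEDIA:
        if not {"degauss", "physical_destruction"} <= methods:
            problems.append("magnetic media requires degaussing followed by physical destruction")
    elif media == "ssd":
        if "physical_destruction" not in methods:
            problems.append("solid-state media requires physical destruction")
    else:
        problems.append(f"unknown media type: {media}")
    if rec.get("vendor") and not rec.get("certificate_id"):
        problems.append("third-party destruction requires a certificate of destruction")
    return problems

SAMPLE_LOG = [
    {"date": "2025-03-07", "media_type": "paper", "quantity": "3 boxes", "method": ["cross-cut"],
     "particle_mm2": 120, "performed_by": "A. Park", "witness": "B. Reyes"},
    {"date": "2025-03-07", "media_type": "paper", "quantity": "1 box", "method": ["strip-cut"],
     "performed_by": "A. Park"},
    {"date": "2025-03-08", "media_type": "hard_drive", "quantity": 4, "method": ["degauss"],
     "performed_by": "C. Diaz"},
    {"date": "2025-03-08", "media_type": "ssd", "quantity": 2, "method": ["physical_destruction"],
     "performed_by": "ShredCo", "vendor": "ShredCo (constructed)"},
    {"date": "2025-03-09", "media_type": "tape", "quantity": 10,
     "method": ["degauss", "physical_destruction"], "performed_by": ""},
]

def review_destruction_log(records):
    """Map record index to its deficiencies; only failing records are kept."""
    checked = ((i, validate_destruction_record(r)) for i, r in enumerate(records))
    return {i: p for i, p in checked if p}
```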
FTI Physical Security Compliance Checklist
- Designate a formal restricted area physically separated from public and general staff access
- Control every entry point with badge, biometric, cipher lock, or staffed checkpoint
- Maintain a signed access authorization list and review it at least quarterly
- Revoke physical access within 24 hours of an employee separation or role change
- Install cameras covering all entry and exit points and retain footage at least 90 days
- Review access logs weekly and document each review
- Escort and log all visitors with name, organization, purpose, escort, and times
- Store all physical FTI in GSA-approved or locked containers inside restricted areas
- Enforce a clean desk policy and 15-minute maximum workstation auto-lock
- Shred paper FTI to DIN 66399 P-4 and degauss plus destroy electronic media
- Log every destruction event and retain vendor certificates of destruction
FTI Compliance By The Numbers (figure): IRS Publication 1075 (PE-6); Publication 1075 (PE-2); DIN 66399, particles ≤160 mm²
IRS Safeguard Reviews: What Auditors Check for Physical Security
Agencies receiving FTI undergo IRS Safeguard Reviews on a biennial cycle — and more frequently if prior reviews identified deficiencies. During the physical security component, IRS reviewers conduct on-site walkthroughs of all FTI-handling areas. They are specifically looking for the following evidence:
- Physical separation of restricted areas from public or general staff access zones
- Current, signed access authorization lists reviewed within the past 90 days
- Visitor logs covering the full review period with all required fields completed
- Security camera coverage of all entry and exit points
- Evidence of weekly log reviews, typically demonstrated through a documented review record
- Locked storage containers for all physical FTI media
- Destruction logs with required detail covering the past 12 to 24 months
Review findings are categorized by severity. A material weakness — such as FTI stored in an unlocked area, no access controls on a restricted area entry point, or a missing destruction log — can trigger a formal corrective action plan, suspension of FTI access pending remediation, or escalation to the IRS Office of Safeguards.
Physical and Technical Controls Work Together
Physical security and cybersecurity are inseparable for FTI compliance. An unattended workstation displaying FTI is a physical security failure even if the network is fully encrypted. Publication 1075 requires agencies to address both domains in a single integrated security plan.
Physical controls such as locked server rooms and restricted area badge access directly reinforce technical controls such as encryption and network segmentation. For staff accessing FTI through agency software, enabling multi-factor authentication on every portal and application provides a technical barrier that complements physical access controls at the system level. Agencies should also maintain an incident response plan so a physical or technical lapse is contained quickly and reported within the timelines Publication 1075 requires.
Agencies handling FTI alongside private client records may find the WISP guidance for small tax firms useful for maintaining a coherent security posture across both regulatory requirements, and the free 2026 WISP template a practical starting point for documenting controls.
How IRS Pub 1075 Maps to NIST SP 800-53
Publication 1075 does not invent a separate control language — it adopts the NIST SP 800-53 Rev. 5 Physical and Environmental Protection (PE) family and adds FTI-specific parameters. This mapping lets agencies reuse existing NIST documentation and assessments:
- PE-2 Physical Access Authorizations — the signed authorization list and quarterly review.
- PE-3 Physical Access Control — badge, biometric, or cipher control at every entry point.
- PE-6 Monitoring Physical Access — cameras, weekly log review, and 90-day footage retention.
- PE-8 Visitor Access Records — escorted visitors and complete visitor logs.
- MP-4 / MP-6 Media Storage and Sanitization — locked containers and the DIN 66399 P-4 plus degaussing destruction standards.
Because the control numbers are shared, an agency already assessed against NIST SP 800-53 can demonstrate much of its FTI compliance by referencing existing PE and MP control evidence — then layering on the FTI-specific parameters such as the 24-hour access revocation window and 90-day footage retention.
Is Your Agency Ready for an IRS Safeguard Review?
Bellator Cyber Guard's FTI compliance specialists assess your physical and technical controls against IRS Publication 1075 — before the auditors arrive. Get a prioritized remediation plan and walk into your next Safeguard Review with confidence.
Frequently Asked Questions About FTI Physical Security Requirements
Which physical security practice is required for FTI?
The required practice is the restricted area control. Under IRS Publication 1075, all Federal Tax Information must be accessed, processed, and stored exclusively within a formally designated restricted area that is physically separated from public or unauthorized access. Every other physical control — access authorization, monitoring, visitor management, secure storage, and destruction — builds on that foundation.
What qualifies as a restricted area under Publication 1075?
The space must have physical barriers such as walls or partitions that prevent unauthorized entry, and every entry point must be controlled by a badge system, biometric reader, cipher lock, or staffed checkpoint. Open-plan offices and shared workspaces do not qualify without added barriers. The designation applies to the specific area where FTI is handled, not just the building perimeter.
How must paper FTI be destroyed?
Paper FTI must be cross-cut or micro-cut shredded to at least DIN 66399 level P-4, producing particles no larger than 160 mm². Strip-cut shredders do not meet this standard. Controlled burning and pulping are also acceptable. Every destruction event must be logged with the date, media type, quantity, method, and the person who performed or witnessed it.
How quickly must physical access be revoked when an employee separates or changes roles?
Within 24 hours. When an employee separates or moves to a role that no longer requires FTI access, the agency must deactivate key cards, change any shared combination codes, and remove the person from the access authorization list within that window.
Do small agencies and contractors have to meet the same requirements?
Yes. Every agency, contractor, and sub-contractor that receives, stores, processes, or transmits FTI carries the same physical security obligations under Publication 1075, regardless of size. There are no exemptions for small offices, low-volume recipients, or third-party service providers.
How does Publication 1075 map to NIST SP 800-53?
Publication 1075 adopts the NIST SP 800-53 Rev. 5 Physical and Environmental Protection (PE) control family and adds FTI-specific parameters. Key mappings include PE-2 (access authorizations), PE-3 (access control), PE-6 (access monitoring), PE-8 (visitor records), and MP-4/MP-6 (media storage and sanitization). Agencies already assessed against NIST SP 800-53 can reuse much of that evidence.
How often does the IRS conduct Safeguard Reviews?
The IRS Office of Safeguards conducts on-site Safeguard Reviews on a biennial cycle, and more frequently if a prior review identified deficiencies. Reviewers perform walkthroughs of all FTI-handling areas and inspect access lists, visitor logs, camera coverage, locked storage, and destruction records.
What happens if a Safeguard Review finds a deficiency?
A material weakness identified during a Safeguard Review — such as FTI stored in an unlocked area or a missing destruction log — can trigger a formal corrective action plan, suspension of FTI access pending remediation, or escalation to the IRS Office of Safeguards. Unauthorized disclosure of FTI can also carry civil and criminal penalties under IRC §7213 and §7431. Agencies should review the current Publication 1075 for the specific enforcement provisions that apply to them.