Physical Security Controls at the **********8**********

Published by the Office of the Treasury Inspector General for Tax Administration on 2019-07-09.

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
                             Office of Inspections and Evaluations




                          Physical Security Controls at the
                        ******************8*****************



                                             July 9, 2019

                              Reference Number: 2019-IE-R006




 This report has cleared the Treasury Inspector General for Tax Administration disclosure review process
 and information determined to be restricted from public release has been redacted from this document.

 Redaction Legend:
 8 = Danger to Physical Security



 Phone Number | 202-622-6500
 E-mail Address | TIGTACommunications@tigta.treas.gov
 Website       | http://www.treasury.gov/tigta
                                                  DEPARTMENT OF THE TREASURY
                                                         WASHINGTON, D.C. 20220



TREASURY INSPECTOR GENERAL
  FOR TAX ADMINISTRATION




                                                    July 9, 2019


MEMORANDUM FOR COMMISSIONER OF INTERNAL REVENUE SERVICE



FROM:                          Gregory D. Kutz
                               Deputy Inspector General for Inspections and Evaluations

SUBJECT:                       Final Inspection Report – Physical Security Controls at the *8*
                               *****8**** (# IE-19-007)

In March 2019, the Treasury Inspector General for Tax Administration (TIGTA) conducted an
unannounced physical security inspection of the Internal Revenue Service (IRS) *****8*****
*******8******* in ****8****. The objective of this inspection was to determine whether
selected physical security countermeasures (hereafter referred to as countermeasures) were in
place to detect and deter unauthorized entry and to secure restricted areas. The security criteria
for the inspection consisted of the baseline countermeasures established by the Interagency
Security Committee (ISC) 1 for facility security level (FSL) *****8*****. 2 The Risk
Management Process for Federal Facilities: An Interagency Security Committee Standard
(Nov. 2016, 2nd Edition) [hereafter referred to as the ISC Standard] defines the criteria and
processes that those responsible for the security of a facility should use to determine its FSL and
provides an integrated, single source of countermeasures for all Federal facilities. Attachment I
documents the countermeasures included in our inspection and conclusions related to each
countermeasure.

Overall, the countermeasures at the *8* met the ISC baseline countermeasures to detect or deter
unauthorized entry and to secure restricted areas. *******************8*****************
**************************************8************************************



1 The ISC, established by Executive Order 12977, has authority to establish policies for security in and protection of
nonmilitary Federal facilities in the United States whether owned, leased, or managed by the Government.
Executive Order 12977, Interagency Security Committee (1995), 60 Fed. Reg. 54411.
2 The FSL is a categorization based on the analysis of several security-related facility factors and serves as the basis
for the implementation of physical security countermeasures. The FSL determination ranges from a Level I (lowest
risk) to Level V (highest risk).
***8***. The *8* is an FSL *8* facility that houses approximately *8* IRS employees.
Figure 1 shows an overhead view of the *8*.
                             Figure 1: Overhead View of the **8**




              Source: Google Maps (google.com).

******************************************************8****************************************
**********8********
*************************************8**************************************
*************************************8**************************************
*************************************8**************************************
*************************************8**************************************
*************************************8**************************************
*************************************8**************************************
*************************. 3 **********8**************************************




3
    ***************************8**************************.
 ********************8*****************. Figure 2 shows the *********8**********
*****8******.
                       Figure 2: *****************8********************




         Source: TIGTA photograph, taken March 12, 2019, of the *************8**********
         ***********************************8*************************************.

According to the facility’s August 2015 security risk assessment, physical security
specialists ************************************8*******************************
**************8**********. Facilities Management and Security Services’ personnel **8**
*************************************8**************************************
***************8**************.

Recommendation
Recommendation 1: **************************8**************************
****************************************8*******************************.
       Management’s Response: ********************8****************
       **************************************8*****************************
       ****************8****************.
Attachment II provides the background information for this inspection. Attachment IV
documents IRS management’s complete response.



If you have any questions about this report, you may contact me or James A. Douglas, Director,
Office of Inspections and Evaluations.


Attachments




                                                                           Attachment I

                             Inspection Checklist

                         ************************8**********************
# | Inspection Question (Baseline Security Measures) | Does the security measure meet the baseline criterion? (Yes/No/Not Applicable) | If no, was a deviation or alternate countermeasure justified and risk acceptance documented? | Comment
1   ********8********      ******8******.
    *******8********
    *******8*********
    *********8******?
2   **********8********    *8*.
    **********8********
    **********8********?
3   ********8********      *8*.                                   ************8************
    *******8********                                              ************8************
    *******8*********                                             ************8************
    ******8******?                                                ************8**********.
4   *******8******         *8*.                                   ************8************
    *******8********                                              ************8************
    *******8*********                                             ************8************
    *********8******?                                             ************8************
                                                                  ************8************
                                                                  **********8*********.
5   **********8********    *8*.
    **********8********
    ********8*******?
6   **********8********    *8*.
    *****8****?
7   **********8********    *8*.
    **********8********
    ***8***?



                          ************************8**********************
# | Inspection Question (Baseline Security Measures) | Does the security measure meet the baseline criterion? (Yes/No/Not Applicable) | If no, was a deviation or alternate countermeasure justified and risk acceptance documented? | Comment
8    **********8********    *8*.
     **********8********
     ********8******?
9    **********8********    *8*.                                   ************8************
     *****8****?                                                   ************8************
                                                                   ************8************
     **********8********                                           ************8************
     **********8********                                           ************8************
     **********8*******                                            ************8************
     *********8********.                                           ************8************
                                                                   ************8************
                                                                   ************8***********.
10   ********8********      *****8****                             ************8************
     *******8********       **********.                            ************8************
     *******8*********                                             ************8************
     *********8******?                                             ************8************
                                                                   *******8******.
11   ********8********      *8*.
     *******8********
     *******8*********
     ******8***?
12   ********8********      ******8******.
     *******8********
     *******8*********
     ******8***?
13   ********8********      *8*.
     *******8********
     *******8*********
     *********8******?




                          ************************8**********************
# | Inspection Question (Baseline Security Measures) | Does the security measure meet the baseline criterion? (Yes/No/Not Applicable) | If no, was a deviation or alternate countermeasure justified and risk acceptance documented? | Comment
14   **********8********     ******8******.
     **********8********
     ********8******?


                                      ***********8***********
# | Inspection Question (Baseline Security Measures) | Does the security measure meet the baseline criterion? (Yes/No/Not Applicable) | If no, was a deviation or alternate countermeasure justified and risk acceptance documented? | Comment
15   ********8********       *8*.
     *******8********
     *******8*********
     *********8******?


                                         *********8*********
# | Inspection Question (Baseline Security Measures) | Does the security measure meet the baseline criterion? (Yes/No/Not Applicable) | If no, was a deviation or alternate countermeasure justified and risk acceptance documented? | Comment
16   ********8********       *8*.
     *******8********
     *******8*********
     *********8******?
17   **********8********     *8*.
     **********8********
     ******8****?



                                         ********8*********
# | Inspection Question (Baseline Security Measures) | Does the security measure meet the baseline criterion? (Yes/No/Not Applicable) | If no, was a deviation or alternate countermeasure justified and risk acceptance documented? | Comment
18   **********8********     *8*.                                       ************8************
     ********8******?                                                   ************8************
                                                                        ************8************
                                                                        *****8****.
19   **********8********     *8*.
     **********8********
     *****8***?
20   ********8********       *8*.
     *******8********
     *******8*********
     *****8****?
21   **********8********     *8*.
     **********8********
     ********8******?




                                        ************8*************
# | Inspection Question (Baseline Security Measures) | Does the security measure meet the baseline criterion? (Yes/No/Not Applicable) | If no, was a deviation or alternate countermeasure justified and risk acceptance documented? | Comment
22       **********8********     *8*.                                       ************8************
         **********8********                                                ************8************
         **********8********                                                ************8************
         **********8********                                                ************8************
         **********8********                                                ************8************
         ***8***?                                                           ************8************
                                                                            ************8************
                                                                            ************8************
                                                                            ************8************
                                                                            ************8************
                                                                            ************8************
                                                                            ************8************
                                                                            ************8************
                                                                            ************8************
                                                                            **********8*********. 1 ***
                                                                            ************8************
                                                                            ************8************
                                                                            ************8************
                                                                            ************8************
                                                                            *************8***********
                                                                            ***8***.
23       ********8*********      *8*.
         ******8*****
         ***8***?
24       **********8********     *8*.                                       ************8************
         **********8********                                                ************8************
         **********8********                                                *************8***********
         *********8*******? 2                                               ***8***.




     1
       *************************************************8***************************************
     ****************8***************.
     2
       ************************8************************.
                                                *******8*******
# | Inspection Question (Baseline Security Measures) | Does the security measure meet the baseline criterion? (Yes/No/Not Applicable) | If no, was a deviation or alternate countermeasure justified and risk acceptance documented? | Comment
25        **********8********     *8*.                                       ************8************
          **********8********                                                ************8************.
          *****8****?
26        **********8*********    *8*.
          **********8*******
          ********8******
          **********8*********
          **********8*******
          **********8*********
          **********8*******
          *****8****?
27        **********8*********    ******8******.                             ************8**********
          **********8*******                                                 ************8************
          ********8******                                                    ***8***.
          *****8****?
28        **********8********     *****8****
          *******8****? 3         **********.
29        **********8*********    *****8****                                 ************8************
          **********8*******      *****8****.                                ************8************
          ********8******                                                    ************8************
          *****8****?                                                        ************8*************
                                                                             ***********8************
                                                                             ***8***.
30        **********8*********    *8*.
          **********8*******
          *******8********? 4




     3
         ***************************8******************************.
     4
         **********************************************8*****************************************.
                                               *******8*******
# | Inspection Question (Baseline Security Measures) | Does the security measure meet the baseline criterion? (Yes/No/Not Applicable) | If no, was a deviation or alternate countermeasure justified and risk acceptance documented? | Comment
31       **********8********     *8*.
         **********8********
         **********8********
         **********8********
         ***8***?


                                     ****************8*************
# | Inspection Question (Baseline Security Measures) | Does the security measure meet the baseline criterion? (Yes/No/Not Applicable) | If no, was a deviation or alternate countermeasure justified and risk acceptance documented? | Comment
32       **********8********     *8*.
         **********8********
         **********8********
         ***8***? 5
33       **********8********     *8*.
         **********8********
         **********8*********
         **********8*********
         **********8********
         **********8*********
         **********8*********
         *********8******? 6




     5
       ********************************************8****************************************
     ************************************************8*****************************************
     ********************************8*************************************.
     6
       ***********************************************8*******************************************
     **************************8******************************.
                                       ****************8*************
# | Inspection Question (Baseline Security Measures) | Does the security measure meet the baseline criterion? (Yes/No/Not Applicable) | If no, was a deviation or alternate countermeasure justified and risk acceptance documented? | Comment
 34   **********8********          *8*.
      **********8********
      **********8********
      **********8********
      **********8********
      ***8***?
 35   **********8********          *8*.                                           ************8************
      **********8********                                                         ************8************
      **********8********                                                         ************8************
      **********8*********                                                        *********8********.
      *********8********
      **********8********
      **********8********
      **********8********
      ***8***?


Source: The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard (Nov.
2016) and observations made during the TIGTA inspection.




                                                                                              Attachment II

                                             Background

Executive Order 12977 established the ISC after the Oklahoma City bombing of the Alfred
Murrah Federal Building in 1995. 1 The ISC has authority to establish policies for security in and
protection of Federal facilities in the United States whether owned, leased, or managed by the
Government. The ISC Standard 2 defines the criteria and processes that those responsible for the
security of a facility should use to determine its FSL and provides an integrated, single source of
physical security countermeasures (hereafter referred to as countermeasures) for all Federal
facilities. The ISC Standard also provides guidance for customization of the countermeasures for
Federal facilities.

Each IRS facility has been designated an FSL I through V in accordance with the ISC Standard.
The ISC Standard has defined security criteria that should be used to implement countermeasures
to effectively protect nonmilitary Federal Government facilities, information, employees,
visitors, and assets. In addition to the security criteria, the ISC has defined a broad range of
undesirable events that security professionals should consider when conducting a facility risk
assessment in order to customize the necessary level of protection and associated
countermeasures to be implemented in and around a facility. 3 For all cases in which the
necessary level of protection cannot be achieved or implemented, documentation must clearly
reflect the reasons why and the rationale for accepting the associated risk as a result of
implementing a lower level of protection and countermeasures.

In March 2019, we conducted an unannounced physical security inspection of the *8* to
determine whether selected countermeasures were in place to detect and deter unauthorized entry
and to secure restricted areas. The IRS is the ****8*** at the *8*, which is a General Services
Administration facility housing an IRS post of duty. The countermeasures selected were
consistent with ISC countermeasures for a baseline level of protection for the determined FSL of
the IRS facility inspected. 4

Prior to arriving at the ****8*****, we reviewed the August 2015 security risk assessment for
the facility to gain a general understanding of the *8*, its occupants, any site-specific risks and
vulnerabilities, and implemented or recommended countermeasures. We did not evaluate the
findings, decisions, and recommendations made in the facility’s security risk assessments. This
inspection is included in the Office of Inspections and Evaluations Fiscal Year 2019 Plan. We
conducted this inspection in accordance with the Council of the Inspectors General for Integrity
and Efficiency’s Quality Standards for Inspection and Evaluation.

1 Executive Order 12977, Interagency Security Committee (1995), 60 Fed. Reg. 54411.
2 ISC, Nov. 2016.
3 The ISC Standard defines an undesirable event as an incident that has an adverse impact on the facility occupants
or visitors, operation of the facility, or mission of the agency.
4 The baseline level of protection and associated countermeasures can be customized (lowered or increased)
depending on the results of the facility’s security risk assessment.




                                                                 Attachment III

                          Report Distribution List

Deputy Commissioner for Operations Support
Assistant Deputy Commissioner for Operations Support
Chief, Facilities Management and Security Services
Deputy Chief, Facilities Management and Security Services
Director, Office of Audit Coordination




                                     Attachment IV

Management’s Response




   To report fraud, waste, or abuse, call our toll-free hotline at:
                         1-800-366-4484


                              By Web:
                      www.treasury.gov/tigta/


                              Or Write:
          Treasury Inspector General for Tax Administration
                           P.O. Box 589
                        Ben Franklin Station
                    Washington, D.C. 20044-0589

Information you provide is confidential and you may remain anonymous.