Report Information

Agency Name: [Insert legal agency name]
Agency Number: [Insert agency code]
Date Submitted: [Insert date of SPR submission]
IRS Reviewer: [Leave blank]
IRS Reference Number and Date Received: [Leave blank]
IRS Comments: [Leave blank]

Agency Instructions

The following guidance is provided to aid agencies with completing this report.

Report Guidance
Provide a response for all sections of this report unless instructed otherwise in individual section(s) by the IRS Office of Safeguards. Recommended and required attachments to accompany this report are indicated in each section, if applicable. Please include attachments as separate files.

Submission Guidance
Agencies shall submit their SPR on the template developed by the IRS Office of Safeguards. The most current template may be downloaded from IRS.GOV, keyword "Safeguards", or requested by emailing SafeguardReports@irs.gov. The SPR should be accompanied by a letter on the agency's letterhead, signed and dated by the head of the agency or delegate. Files must be sent encrypted via IRS-approved encryption techniques using the standard Safeguards password. The password may be requested by contacting SafeguardReports@IRS.gov. Upon receipt of your report submission, you should receive a confirmation of receipt. If an automated confirmation is not sent back to you, there was an error in your submission. If this occurs, please send an e-mail back to the IRS Office of Safeguards mailbox without attachments and request assistance. Please note that the IRS Office of Safeguards does not accept hard copy submissions.
Table columns: # | Publication 1075 Requirement (Reference: pages 38-40, Section 7.2, Safeguard Procedures Report) | Agency SPR Content | Additional Information Needed to be Submitted by Agency (additional information requested in red must be submitted within 30 days; information in blue must be submitted with the next SAR)

1. Responsible Officer(s)

1.1 Provide the name, title, address, email address and telephone number of the agency official, including but not limited to: agency director or commissioner authorized to request FTI from the IRS, the SSA, or other authorized agency.

1.2 Provide the name, title, address, email address and telephone number of the agency official responsible for implementing the safeguard procedures, including but not limited to the agency information technology security office or equivalent and the primary IRS contact.

2. Location of the Data

2.1 Provide an organizational chart or narrative description of the receiving agency, which includes all functions within the agency where FTI will be received, processed, stored and/or maintained. If the information is to be used or processed by more than one function, then the pertinent information must be included for each function.
Note: The description must account for off-site storage, consolidated data centers, disaster recovery organizations, and contractor functions.
Attachments: Organization chart (recommended)

3. Flow of the Data

3.1 Provide a flow chart or narrative describing:
- the flow of FTI through the agency from its receipt through its return to the IRS or its destruction
- how it is used or processed
- how it is protected along the way
Note: Off-site storage and/or disaster recovery staff, consolidated data center staff or contractor functions must be described.

3.2 Describe whether FTI is commingled with agency data or separated. If FTI is commingled with agency data, please describe how the data is labeled and tracked.
If FTI is separated from all other agency data, please describe the steps that have been taken to keep it in isolation.

3.3 Provide a list of the FTI extracts the agency receives and whether the data is received through electronic or non-electronic methods.

3.4 Describe the paper or electronic products created from FTI (e.g. letters, agency reports, data transcribed, spreadsheets, electronic database query results).

3.5 Describe where contractors are involved in the flow of FTI including, but not limited to, data processing, disposal, analysis, modeling, maintenance, etc.

3.6 Describe the following for each contractor:
- Name of each contractor
- Contractor work location (address)
- Support the contractor provides for the agency
- Identify the FTI the contractor has access to (data files, data elements, systems, applications)
- State whether or not the contractor's employees have completed required disclosure awareness training and signed confidentiality agreements. If not, explain.
- State whether or not the legal contract between the agency and the contractor includes the Publication 1075, Exhibit 7 language. If not, explain.
- State whether or not any FTI is provided to contractors or contractor information systems off-shore. If yes, explain.
- If IT support is provided by a state-run data center, state whether or not there is an SLA in place between the agency and the data center operations. If not, explain.
Note: If an agency intends to disclose FTI to contractors, they must notify the IRS prior to executing any agreement to disclose to such a person (or contractor), but in no event less than 45 days prior to the disclosure of FTI. See Publication 1075, Section 11.3 for additional guidance.

4. System of Records

4.1 Describe the permanent record(s) (logs) used to document requests for, receipt of, distribution of (if applicable), and disposition (return to IRS or destruction) of the FTI (including tapes or cartridges or other removable media), e.g. FTI receipt logs, transmission logs, or destruction logs in electronic or paper format. Please include a sample of the agency logs.
Note: Agencies are expected to be able to provide an "audit trail" for information requested and received, including any copies or distribution beyond the original document or media.
Attachments: Sample agency logs (recommended)

5. Secure Storage of the Data

5.1 Describe how the agency meets minimum protection standards (including compliance with two barriers between FTI and someone unauthorized to access FTI). Include a description of how the agency controls physical access to FTI, controls access to computer facilities, offsite storage, and interior work environments.
Note: Secure storage encompasses such considerations as locked files or containers, secured facilities, key or combination controls, offsite storage, and restricted areas. For federal agencies, it is requested that they submit a Vulnerability Assessment based on General Services Administration standards for their building(s) as it addresses physical security.

5.2 Describe the policies and procedures in place for protecting the facilities or rooms containing or accessing FTI.
- Describe how the agency maintains key records (e.g. key issuance, how many keys are available)
- Describe how the agency regularly conducts periodic reconciliation on all key records

5.3 Describe the policies and procedures in place for meeting minimum protection standards for alternative work sites (e.g. employees' homes or other non-traditional work sites).

6. Restricting Access to the Data

6.1 Describe the procedures taken to ensure that access to FTI is restricted to those that have a need to know. This includes a description of:
- How the information will be protected from unauthorized access when in use by the authorized recipient
- Systemic or procedural barriers

6.2 Describe any existing agreements created under the authority of IRC 6103(p)(2)(B), if applicable.
Identify the agency to which your agency is providing the data and the type of data received.

7. Other Safeguards

7.1 Describe the agency's process for conducting internal inspections of headquarters, field offices, data center, offsite storage, and contractor sites.
Attachments: Internal Inspections Plan (recommended)

7.2 Describe the process for detecting and monitoring deficiencies identified during audits and internal inspections and how they are tracked in a Plan of Actions and Milestones (POA&M).

8. Disposal

8.1 Describe the method(s) of FTI disposal (when not returned to the IRS) and provide a sample of the destruction log. For example, burning and shredding are acceptable methods of FTI disposal. Identify the specifications for each destruction method used (e.g. shred size). If FTI is returned to the IRS, provide a description of the procedures.
Note: The IRS will request a written report documenting the method of destruction and that the records were destroyed.
Attachments: Destruction Log Template (recommended)

9. Information Technology (IT) Security

Note: Agencies that store, process or transmit FTI electronically are asked to fill out Section 9 in its entirety to conform to Publication 1075 requirements. Agencies that do not store, process or transmit FTI electronically are asked to fill out the requirements in Section 9 that pertain to the physical security and disclosure enforcement of the requirements set forth in Publication 1075. These requirements are flagged with the "Agencies with Non-electronic FTI must provide a response for this control" notation. These sections include 9.2.2 (RA-3), 9.4.3 (SA-3), 9.6.1 (PS-1), 9.6.2 (PS-2), 9.6.3 (PS-3), 9.6.6 (PS-6), 9.6.8 (PS-8), 9.7.4 (CP-6), 9.11.1 (IR-1), 9.11.2 (IR-2), 9.11.4 (IR-5), 9.11.5 (IR-6), 9.11.6 (IR-7), 9.12.1 (AT-1), 9.12.2 (AT-2), 9.12.3 (AT-3), 9.12.4 (AT-4), 9.13.1 (MP-1), 9.13.2 (MP-2), 9.13.3 (MP-3), 9.13.4 (MP-4), 9.13.5 (MP-5), 9.13.6 (MP-6), 9.22.1 (ADE1), and 9.23.1 (ADF1).
(Please remove this instructional row upon completion of this report.)

9.1.1 Provide the name and address where the agency's IT equipment resides (e.g. data center, computer room).

9.1.2 Describe the following pertaining to data center or computer room operations:
- Identify if the facility is operated by a consolidated state-wide data center, a private contractor, or entirely by the agency
- Describe other state agencies and/or departments that have access to this facility
- Describe whether FTI access is granted to other agencies or tribes

9.1.3 Provide the name, title, address, telephone number, and e-mail address of the IT Security Administrator or other IT contact responsible for administering the equipment.

9.1.4 Provide a brief description of the electronic flow of FTI within all IT equipment and network devices that process, receive, store, transmit and/or maintain the data.

9.1.5 Provide an inventory of all IT equipment and network devices that process, receive, store, transmit and/or maintain the data (e.g. routers, switches, firewalls, servers, mainframes, and workstations). For each device, identify the following:
- Platform (e.g. Mainframe, Windows, Unix/Linux, Router, Switch, Firewall)
- If mainframe, number of production LPARs with FTI, security software (e.g. RACF, ACF2)
- If not mainframe, number of production servers or workstations that store or access FTI
- Operating System (e.g. zOS v1.7, Windows 2008, Solaris 10, IOS)
- Application Software (Commercial Off The Shelf or custom) used to access FTI
- Software used to retrieve FTI (e.g. SDT (Tumbleweed), CyberFusion, Connect:Direct)

9.2 Management Security Controls: Risk Assessment Control Family

9.2.1 RA-1: Risk Assessment Policy and Procedures
Describe how the agency develops, documents, disseminates, and updates, as necessary, risk assessment policy and procedures to facilitate implementing risk assessment controls. Such risk assessment controls include risk assessments and risk assessment updates.
9.2.2 RA-3: Risk Assessment
Describe how the agency conducts assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency regarding the use of FTI. Describe how the agency updates the risk assessment periodically or whenever there are significant changes to the information system, the facilities where the system resides, or other conditions that may impact the security or accreditation status of the system.
Note: Agencies with Non-electronic FTI must provide a response for this control addressing the scope, frequency, and methodology used for internal inspections related to FTI safeguarding.

9.2.3 RA-5: Vulnerability Scanning
Describe how the agency scans systems containing FTI, at a minimum, quarterly to identify vulnerabilities in the information system. Describe how the agency's vulnerability scanning tool(s) are updated with the most current definitions prior to conducting a vulnerability scan.

9.3 Management Security Controls: Security Planning Control Family

9.3.1 PL-1: Security Planning Policy and Procedures
Describe how the agency develops, documents, disseminates, and updates, as necessary, security planning policy and procedures to facilitate implementing security planning controls. Such security planning controls include system security plans, system security plan updates and rules of behavior.

9.3.2 PL-2: System Security Plan
Describe how the agency develops, documents, and establishes a system security plan (see Publication 1075 Section 7.2, Safeguard Procedures Report) by describing the security requirements, current controls and planned controls for protecting agency information systems and federal tax information (FTI).
Describe how the agency's system security plan is updated to account for significant changes (see Publication 1075 Section 7.4, Annual Safeguard Activity Report) in the security requirements, current controls and planned controls for protecting agency information systems and FTI.

9.3.3 PL-4: Rules of Behavior
Describe how the agency develops, documents, and establishes, for users of the information system, a set of rules identifying their responsibilities and expected behavior for information system use.

9.3.4 PL-5: Privacy Impact Assessment
For Federal agencies, describe how the agency conducts a privacy impact assessment on the information system in accordance with OMB policy.
Note: This control is only required for Federal agencies.

9.3.5 PL-6: Security-Related Activity Planning
Describe how the agency plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational operations (i.e., mission, functions, image, and reputation), organizational assets, and individuals.

9.4 Management Security Controls: System and Services Acquisition Control Family

9.4.1 SA-1: System and Services Acquisition Policy and Procedures
Describe how the agency develops, documents, disseminates, and updates, as necessary, system and services acquisition policy and procedures to facilitate implementing system and services acquisition controls. Such system and services acquisition controls include information system documentation and outsourced information system services. Describe how the agency ensures that there is sufficient information system documentation, such as a Security Features Guide. Also, describe how the agency ensures that third-party providers of information systems, who are used to process, store and transmit FTI, employ security controls consistent with Safeguard computer security requirements.
9.4.2 SA-2: Allocation of Resources
Describe how the agency documents, and allocates as part of its capital planning and investment control process, the resources required to adequately protect the information system.

9.4.3 SA-3: Life Cycle Support
Describe how the agency manages the information system using a system development life cycle methodology that includes information security considerations, whenever information systems contain FTI.
Note: Agencies with Non-electronic FTI must provide a response for this control.

9.4.4 SA-4: Acquisitions
Describe how the agency includes security requirements and/or security specifications, either explicitly or by reference, in information system acquisition contracts based on an assessment of risk, whenever information systems contain FTI. Ensure the description acknowledges that the contract for the acquisition must contain IRS Publication 1075 Exhibit 7 language as appropriate.

9.4.5 SA-5: Information System Documentation
Describe how the agency obtains, protects as required, and makes available to authorized personnel adequate documentation for the information systems, whenever information systems contain FTI.

9.4.6 SA-6: Software Usage Restrictions
Describe how the agency complies with software usage restrictions, whenever information systems contain FTI.

9.4.7 SA-7: User-Installed Software
Describe how the agency enforces explicit rules governing the installation of software by users, whenever information systems contain FTI.

9.4.8 SA-8: Security Engineering Principles
Describe how the agency designs and implements the information system using security engineering principles, whenever information systems contain FTI.

9.4.9 SA-10: Developer Configuration Management
Describe how the agency performs configuration management during information system design, development, implementation, and operation; and manages and controls changes to the information system.
Describe how the agency implements only agency-approved changes, documents approved changes to the information system(s), and tracks security flaws and flaw resolution.

9.4.10 SA-11: Developer Security Testing
Describe how agency information system developers create a security test and evaluation (ST&E) plan, implement the plan, and document the results.

9.5 Management Security Controls: Security Assessment and Authorization Control Family

9.5.1 CA-1: Security Assessment and Authorization Policies and Procedures
Describe how the agency develops and updates a policy that addresses the processes used to test, validate, and authorize the security controls used to protect FTI. While state and local agencies are not required to conduct a NIST-compliant certification & accreditation (C&A), the agency shall accredit in writing that the security controls have been adequately implemented to protect FTI. Describe how the agency institutes a written accreditation process, constituting the agency's acceptance of the security controls and associated risks.
Note: For federal agencies that receive FTI, a NIST-compliant C&A is required in accordance with FISMA. For state or local agencies that receive FTI, a third-party accreditation is not required. Instead these agencies may internally attest.

9.5.2 CA-2: Security Assessments
Describe how the agency conducts, periodically but at least annually, an assessment of the security controls in the information system to ensure the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. This assessment shall complement the certification process to ensure that periodically the controls are validated as being operational. The assessment must be documented in writing.
9.5.3 CA-3: Information System Connections
Describe how the agency authorizes and documents all connections from the information system to other information systems outside of the accreditation boundary through the use of system connection agreements, and monitors/controls the system connections on an ongoing basis. Describe how the agency conducts a formal assessment of the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

9.5.4 CA-5: Plan of Action and Milestones
Describe how the agency develops and updates a Plan of Action & Milestones (POA&M) that identifies any deficiencies related to FTI processing. Describe how the POA&M identifies planned, implemented, and evaluated remedial actions to correct deficiencies noted during internal inspections. Also, ensure to address the Corrective Actions Plan (CAP) that identifies activities planned or completed to correct deficiencies identified during the on-site safeguard review. Both the POA&M and the CAP shall address implementation of security controls to reduce or eliminate known vulnerabilities in the system.

9.5.5 CA-6: Security Authorization
Describe how owners of FTI accredit the security controls used to protect FTI before initiating operations. This shall be done for any infrastructure associated with FTI. The authorization shall occur every three (3) years or whenever there is a significant change to the control structure. A senior agency official shall sign and approve the security authorization. All information regarding the authorization shall be provided to the Office of Safeguards as part of the Safeguard Activity Report.
Note: While the Safeguard Procedures Report shall identify the security controls, the authorization of the system must come from an agency official validating that the system is ready for operation.
This control requirement does not apply to non-federal systems.

9.5.6 CA-7: Continuous Monitoring
Describe how the agency periodically, at least annually, monitors the security controls within the information system hosting FTI to ensure that the controls are operating as intended.

9.6 Operational Security Controls: Personnel Security Control Family

9.6.1 PS-1: Personnel Security Policy and Procedures
Describe how the agency develops, documents, disseminates, and updates as necessary, personnel security policy and procedures to facilitate implementing personnel security controls. Such personnel security controls include position categorization, personnel screening, personnel termination, personnel transfer, and access agreements.
Note: Agencies with Non-electronic FTI must provide a response for this control.

9.6.2 PS-2: Position Categorization
Describe how the agency assigns risk designations to all positions and establishes screening criteria for individuals filling those positions.
Note: Agencies with Non-electronic FTI must provide a response for this control.

9.6.3 PS-3: Personnel Screening
Describe how individuals are screened before authorizing access to information systems and information.
Note: Agencies with Non-electronic FTI must provide a response for this control.

9.6.4 PS-4: Personnel Termination
Describe how the agency terminates information system access, conducts exit interviews, and ensures return of all information system-related property when employment is terminated.

9.6.5 PS-5: Personnel Transfer
Describe how the agency reviews information system access authorizations and initiates appropriate actions when personnel are reassigned or transferred to other positions within the agency.

9.6.6 PS-6: Access Agreements
Describe how appropriate access agreements are completed before authorizing access to users requiring access to the information system and FTI.
Note: Agencies with Non-electronic FTI must provide a response for this control.
9.6.7 PS-7: Third-Party Personnel Security
Describe how personnel security requirements are established for third-party providers and monitored for provider compliance.

9.6.8 PS-8: Personnel Sanctions
Describe how the agency establishes a formal sanctions process for personnel who fail to comply with established information security policies, as this relates to FTI.
Note: Agencies with Non-electronic FTI must provide a response for this control.

9.7 Operational Security Controls: Contingency Planning Control Family

9.7.1 CP-1 & CP-2: Contingency Planning Policy and Procedures
Describe how the agency develops applicable contingencies for ensuring that FTI is available, based upon their individual risk-based approaches. If FTI is included in contingency planning, policy and procedures must be developed, documented, disseminated, and updated as necessary to facilitate implementing contingency planning security controls.
Note: All FTI information that is transmitted to the states is backed up and protected within IRS facilities. As such, the controls of IT Contingency Planning are not required at the federal, state, or local agency. The primary contingency shall be to contact the IRS to obtain updated FTI data. If this timeframe extends beyond the IRS normal 60-day recovery period, agencies may not have immediate recovery of this information.

9.7.2 CP-3: Contingency Training
For Federal agencies, describe how personnel are trained in their contingency roles and responsibilities with respect to the information system and provided refresher training at least annually.
Note: This control is only required for Federal agencies.

9.7.3 CP-4: Contingency Plan Testing and Exercises
Describe how the agency periodically tests contingency plans to ensure procedures and staff personnel are able to provide recovery capabilities within established timeframes.
Such contingency planning security controls include alternate storage sites, alternate processing sites, telecommunications services, and information system and information backups.

9.7.4 CP-6: Alternate Storage Site
Describe how the agency identifies alternate storage sites and initiates necessary agreements to permit the secure storage of information system and FTI backups.
Note: Agencies with Non-electronic FTI must provide a response for this control if FTI is backed up at an alternate secure storage location.

9.7.5 CP-7: Alternate Processing Site
Describe how the agency identifies alternate processing sites and/or telecommunications capabilities, and initiates necessary agreements to facilitate secure resumption of information systems used to process, store and transmit FTI if the primary processing site and/or primary telecommunications capabilities become unavailable.

9.8 Operational Security Controls: Configuration Management Control Family

9.8.1 CM-1: Configuration Management Policy and Procedures
Describe how the agency develops, documents, disseminates, and updates as needed, configuration management policy and procedures to facilitate implementing configuration management security controls.

9.8.2 CM-2: Baseline Configuration
Describe how the agency develops, documents, and maintains a current baseline configuration of the information system.

9.8.3 CM-3: Configuration Change Control
Describe how the agency authorizes, documents, and controls changes to the information system.

9.8.4 CM-4: Security Impact Analysis
Describe how the agency analyzes changes to the information system to determine potential security impacts prior to change implementation.

9.8.5 CM-5: Access Restrictions for Change
Describe how the agency approves individual access privileges and enforces physical and logical access restrictions associated with changes to the information system, and generates, retains, and reviews records reflecting all such changes.
9.8.6 CM-6: Configuration Settings
Describe how the agency establishes mandatory configuration settings for information technology products employed within the information system, which (i) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (ii) documents the configuration settings; and (iii) enforces the configuration settings in all components of the information system.
Note: IRS Office of Safeguards requires mandatory system configuration settings identified in Computer Security Evaluation Matrices (SCSEM). These tools are available on IRS.gov, keyword "Safeguards Program".

9.8.7 CM-7: Least Functionality
Describe how the agency implements the following least functionality requirements:
- Describe how the agency restricts access for change, configuration settings, and provides the least functionality necessary.
- Describe how the agency enforces access restrictions associated with changes to the information system.
- Describe how the agency configures the security settings of information technology products to the most restrictive mode consistent with information system operational requirements. (For additional guidance see NIST SP 800-70, Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developers.)
- Describe how the agency configures the information system to provide only essential capabilities.
- Describe how the agency identifies and prohibits the use of functions, ports, protocols, and services not required to perform essential capabilities for receiving, processing, storing, or transmitting FTI.

9.8.8 CM-8: Information System Component Inventory
Describe how the agency develops, documents, and maintains a current inventory of the components of the information system and relevant ownership information.
9.9 Operational Security Controls: Maintenance Control Family

9.9.1 MA-1: System Maintenance Policy and Procedures
Describe how the agency develops, documents, disseminates, and updates, as necessary, maintenance policy and procedures to facilitate implementing maintenance security controls. Such maintenance security controls include identifying and monitoring a list of maintenance tools and remote maintenance tools.

9.9.2 MA-2: Controlled Maintenance
Describe how the agency ensures that maintenance is scheduled, performed, and documented. Describe how the agency reviews records of routine preventative and regular maintenance (including repairs) on the components of the information system in accordance with manufacturer or vendor specifications and/or organizational requirements.

9.9.3 MA-3 & MA-4: Maintenance Tools and Non-Local Maintenance
Describe how the agency approves, controls, and routinely monitors the use of information system maintenance tools and remotely-executed maintenance and diagnostic activities.

9.9.4 MA-5: Maintenance Personnel
Describe how the agency allows only authorized personnel to perform maintenance on the information system.

9.10 Operational Security Controls: System and Information Integrity Control Family

9.10.1 SI-1: System and Information Integrity Policy and Procedures
Describe how the agency develops, documents, disseminates and updates, as necessary, system and information integrity policy and procedures to facilitate implementing system and information integrity security controls. Such system and information integrity security controls include flaw remediation, information system monitoring, information input restrictions, and information output handling and retention.

9.10.2 SI-2: Flaw Remediation
Describe how the agency identifies, reports, and corrects information system flaws.
9.10.3 SI-3: Malicious Code Protection
Describe how the agency's information systems implement protection against malicious code (e.g., viruses, worms, Trojan horses) that, to the extent possible, includes a capability for automatic updates.

9.10.4 SI-4: Information System Monitoring
Describe how the agency's intrusion detection tools and techniques are employed to monitor system events, detect attacks, and identify unauthorized use of the information system and FTI.

9.10.5 SI-5: Security Alerts, Advisories, and Directives
Describe how the agency receives and reviews information system security alerts/advisories on a regular basis, issues alerts/advisories to appropriate personnel, and takes appropriate actions in response.

9.10.6 SI-9: Information Input Restrictions
Describe how the agency restricts information system input to authorized personnel (or processes acting on behalf of such personnel) responsible for receiving, processing, storing, or transmitting FTI.

9.10.7 SI-12: Information Output Handling and Retention
Describe how the agency handles and retains output from the information system, as necessary to document that specific actions have been taken.

9.11 Operational Security Controls: Incident Response Control Family

9.11.1 IR-1: Incident Response Policy and Procedures
Describe how the agency develops, documents, disseminates, and updates as necessary incident response policy and procedures to facilitate implementing incident response security controls. These policies and procedures must cover both physical and information system security relative to the protection of FTI. Such incident response security controls include incident response training and incident reporting and monitoring.
Note: Agencies with Non-electronic FTI must provide a response for this control.
9.11.2 IR-2: Incident Response Training
Describe how the agency trains personnel with access to FTI, including contractors and consolidated data center employees if applicable, in their incident response roles on the information system and FTI. Incident response training must provide individuals with an understanding of incident handling capabilities for security events, including preparation, detection and analysis, containment, eradication, and recovery.
Note: Agencies with non-electronic FTI must provide a response for this control.

9.11.3 IR-3: Incident Response Testing and Exercises
Describe how the agency tests and/or exercises the incident response capability for the information system at least annually to determine its effectiveness, and how it documents the results.

9.11.4 IR-5: Incident Monitoring
Describe how the agency routinely tracks and documents all physical and information system security incidents potentially affecting the confidentiality of FTI.
Note: Agencies with non-electronic FTI must provide a response for this control.

9.11.5 IR-6: Incident Reporting
Describe the agency's policy to immediately report incident information, any time there is a compromise of FTI, to the appropriate Agent-in-Charge, TIGTA and the IRS, following the requirements of Publication 1075, Section 10.
Note: Agencies with non-electronic FTI must provide a response for this control.

9.11.6 IR-7: Incident Response Assistance
Describe how the agency provides an incident response support resource (e.g., a help desk) that offers advice and assistance to users of FTI and of any information system containing FTI for the handling and reporting of security incidents. Describe how the support resource is an integral part of the agency's incident response capability.
Note: Agencies with non-electronic FTI must provide a response for this control.
9.12 Operational Security Controls: Security Awareness and Training Control Family

9.12.1 AT-1: Security Awareness and Training Policy and Procedures
Describe how the agency develops, documents, disseminates, and updates as necessary, awareness and training policy and procedures to facilitate implementing awareness and training security controls. Such awareness and training security controls include security awareness and security training.
Note: Agencies with non-electronic FTI must provide a response for this control.

9.12.2 AT-2: Security Awareness
Describe how the agency ensures all information system users and managers are knowledgeable of security awareness material before authorizing access to the system.
Note: Agencies with non-electronic FTI must provide a response for this control. In this case, "information system" can be read as "FTI".

9.12.3 AT-3: Security Training
Describe how the agency identifies personnel with significant information system security roles and responsibilities, documents those roles and responsibilities, and provides sufficient security training before authorizing access to the information system and FTI.
Note: Agencies with non-electronic FTI must provide a response for this control. In this case, "information system" can be read as "FTI".

9.12.4 AT-4: Security Training Records
Describe how the agency documents and monitors individual information system security training activities, including basic security awareness training and specific information system security training.
Note: Agencies with non-electronic FTI must provide a response for this control. In this case, "information system" can be read as "FTI".

9.13 Operational Security Controls: Media Access Protection Control Family

9.13.1 MP-1: Media Protection Policy and Procedures
Describe how the agency develops, documents, disseminates, and updates as necessary, media access policy and procedures to facilitate implementing media protection policy.
Policies shall address the purpose, scope, responsibilities, and management commitment to implement the associated controls.
Note: Agencies with non-electronic FTI must provide a response for this control. In this case, "information system" can be read as "FTI".

9.13.2 MP-2: Media Access
Describe how the agency restricts access to information system media containing FTI to authorized individuals.
Note: Agencies with non-electronic FTI must provide a response for this control. In this case, "information system" can be read as "FTI".

9.13.3 MP-3: Media Marking
Describe how the agency labels removable media (CDs, magnetic tapes, external hard drives, flash/thumb drives, DVDs) and information system output containing FTI (reports, documents, data files, back-up tapes) to indicate that they contain FTI. Notice 129-A and Notice 129-B can be used for this purpose.
Note: Agencies with non-electronic FTI must provide a response for this control. In this case, "information system" can be read as "FTI".

9.13.4 MP-4: Media Storage
Describe how the agency physically controls and securely stores information system media containing FTI within controlled areas.
Note: Agencies with non-electronic FTI must provide a response for this control. In this case, "information system" can be read as "FTI".

9.13.5 MP-5: Media Transport
Describe how the agency protects and controls information system media containing FTI during transport outside of controlled areas and restricts the activities associated with transport of such media to authorized personnel. Describe the agency's use of transmittals or an equivalent tracking method to ensure FTI reaches its intended destination.
Note: Agencies with non-electronic FTI must provide a response for this control. In this case, "information system" can be read as "FTI".

9.13.6 MP-6: Media Sanitization
Describe how the agency sanitizes information system media prior to disposal or release for reuse.
Note: Agencies with non-electronic FTI must provide a response for this control. In this case, "information system" can be read as "FTI".

9.14 Technical Security Controls: Identification and Authentication Control Family

9.14.1 IA-1: Identification and Authentication Policy and Procedures
Describe how the agency develops, documents, disseminates, and updates, as necessary, identification and authentication policy and procedures to facilitate implementing identification and authentication security controls.

9.14.2 IA-2 & IA-3: Identification and Authentication (Organizational Users)
Describe how the agency's information system(s) are configured to uniquely identify users, devices, and processes through the assignment of unique user accounts, and how they validate users (or processes acting on behalf of users) using standard authentication methods such as passwords, tokens, smart cards, or biometrics.

9.14.3 IA-4: Identifier Management
Describe how the agency manages user accounts assigned to the information system. Examples of effective user-account management practices include (i) obtaining authorization from appropriate officials to issue user accounts to intended individuals; (ii) disabling user accounts in a timely manner; (iii) archiving inactive or terminated user accounts; and (iv) developing and implementing standard operating procedures for validating system users who request reinstatement of user account privileges suspended or revoked by the information system.

9.14.4 IA-6: Authenticator Feedback
Describe how the agency's information system(s) obscure feedback of authentication information during the authentication process (for example, by not echoing a password as it is typed) to protect the information from possible exploitation/use by unauthorized individuals.

9.14.5 IA-7: Cryptographic Module Authentication
Whenever the agency employs cryptographic modules, describe how the agency ensures that these modules comply with NIST guidance, including FIPS 140-2 compliance.
9.15 Technical Security Controls: Access Control Family

9.15.1 AC-1: Access Control Policy and Procedures
Describe how the agency develops, documents, disseminates, and updates, as necessary, access control policy and procedures to facilitate implementing access control security controls. Such access control security controls include account management, access enforcement, limiting access to those with a need-to-know, information-flow enforcement, separation of duties, least privilege, unsuccessful login attempts, system use notification, session locks, session termination, and remote access.

9.15.2 AC-2: Account Management
Describe how the agency manages information system user accounts, including establishing, activating, changing, reviewing, disabling, and removing user accounts.

9.15.3 AC-3 & AC-4: Access and Information Flow Enforcement
Describe how the agency's information system(s) enforce assigned authorizations for controlling system access and the flow of information within the system and between interconnected systems.

9.15.4 AC-5: Separation of Duties
Describe how the agency ensures that only authorized employees or contractors (if allowed by statute) of the agency receiving the information have access to FTI. For example, human services agencies may not have access to FTI provided to child support enforcement agencies or state revenue agencies.

9.15.5 AC-6: Least Privilege
Describe how agency information system(s) enforce the most restrictive set of access rights that users (or processes acting on behalf of users) need to perform specified tasks.

9.15.6 AC-7: Unsuccessful Login Attempts
Describe how agency information system(s) limit the number of consecutive unsuccessful access attempts allowed in a specified period and automatically perform a specific function (e.g., account lockout, delayed logon) when the maximum number of attempts is exceeded.
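One way to implement the AC-7 lockout described above, as an added example that is not part of the IRS SPR template or of Publication 1075: failed attempts per account are counted inside a sliding window, reaching the threshold locks the account for a fixed period, and a correct password presented while locked is still refused. The threshold, window and lockout length are illustrative defaults, and LoginAttemptPolicy and attempt_login are names chosen for this example.

```python
"""Added example (not part of the IRS SPR template or Publication 1075): a
sliding-window account lockout of the kind AC-7 asks the agency to describe.

Consecutive failed attempts per account are counted inside a time window;
reaching the threshold locks the account for a fixed period, and a correct
password presented while locked is still refused.  The threshold, window and
lockout length are illustrative defaults chosen for this example, not values
taken from Publication 1075.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: Optional[float] = None                   # None when not locked


class LoginAttemptPolicy:
    def __init__(self, max_attempts: int = 3,
                 window_seconds: float = 15 * 60,
                 lockout_seconds: float = 15 * 60) -> None:
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:
            # Lockout has expired: clear it together with the failure history.
            st.locked_until = None
            st.failures.clear()
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Record one failed attempt; return True if the account is now locked."""
        st = self._state(user)
        if self.is_locked(user, now):
            return True
        # Keep only failures inside the window, then add this one.
        st.failures = [t for t in st.failures if now - t < self.window]
        st.failures.append(now)
        if len(st.failures) >= self.max_attempts:
            st.locked_until = now + self.lockout
            return True
        return False

    def record_success(self, user: str, now: float) -> None:
        if not self.is_locked(user, now):
            self._state(user).failures.clear()


def attempt_login(policy: LoginAttemptPolicy, user: str,
                  password_ok: bool, now: float) -> str:
    """Outcome for the audit trail: 'locked', 'failed' or 'success'.

    password_ok stands in for the real credential check; now is a timestamp in
    seconds so that the policy can be exercised deterministically.
    """
    # Check the lock before verifying the credential, so a locked account
    # cannot be used as an oracle for password guessing.
    if policy.is_locked(user, now):
        return "locked"
    if password_ok:
        policy.record_success(user, now)
        return "success"
    return "locked" if policy.record_failure(user, now) else "failed"
```

The order of checks matters: the lock is tested before the credential so that the response to a locked account does not reveal whether a guess was right. The same structure supports the "delayed logon" alternative the control mentions by replacing the hard lock with a growing delay.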
9.15.7 AC-8: System Use Notification
Describe how the agency's information system(s) display an approved system usage notification or warning banner before granting system access, informing potential users that:
- the system contains U.S. Government information;
- users' actions are monitored and audited;
- unauthorized use of the system is prohibited;
- unauthorized use of the system is subject to criminal and civil sanctions.
The warning banner must be applied at the application, database, operating system and network device level for all system types that receive, store, process and transmit FTI. (See Publication 1075, Exhibit 13 for example warning banners.)
Describe how the policy is enforced so that a workstation and/or application is locked after a pre-defined period. This ensures that unauthorized staff or staff without a need-to-know cannot access FTI.
Attachments: Sample warning banner in use (required)

9.15.8 AC-14: Permitted Actions without Identification or Authentication
Describe how the agency identifies and documents specific user actions that can be performed on the information system without identification or authentication. An example of access without identification and authentication is a publicly accessible web site maintained by the agency for which no authentication is required.

9.15.9 AC-17: Remote Access
Describe how the agency authorizes, documents, and monitors all remote access capabilities used on systems containing FTI. Remote access is defined as any access to an agency information system by a user communicating through an external network, for example the Internet.

9.15.10 AC-18: Wireless Access
Describe how the agency develops policies for any allowed wireless access, where these systems contain FTI.
As part of the wireless access, the agency shall authorize, document, and monitor all wireless access to the information system.

9.15.11 AC-19: Access Control for Mobile Devices
Describe how the agency develops policies for any allowed portable and mobile devices, where these devices access systems containing FTI. As part of this, the agency shall authorize, document, and monitor all such device access to organizational information systems accessing FTI.

9.15.12 AC-20: Use of External Information Systems
Describe how the agency develops policies for authorized individuals to access the information systems from an external system, such as access allowed from an alternate work site. Describe how the agency's policy addresses the authorizations allowed to receive, transmit, store, and/or process FTI. As part of this, describe how the agency authorizes, documents, and monitors all access to organizational information systems, where these systems contain FTI.
Note: For specific guidance on the use of web portals and IVR systems, see Publication 1075 Sections 9.18.9 and 9.18.10.

9.16 Technical Security Controls: Audit and Accountability Control Family

9.16.1 AU-1: Audit and Accountability Policy and Procedures
Describe how the agency develops, documents, disseminates, and updates as necessary, audit and accountability policy and procedures to facilitate implementing audit and accountability security controls. Such audit and accountability security controls include auditable events; content of audit records; audit storage capacity; audit processing; audit review, analysis and reporting; time stamps; protecting audit information; and audit retention.

9.16.2 AU-2: Auditable Events
Describe how the agency's information system(s) generate audit records for all security-relevant events, including all security and system administrator accesses.
An example of an audit activity is reviewing administrator actions whenever security or system controls may be modified, to ensure that all actions are authorized. Audit logs must enable tracking of activities taking place on the information system. Publication 1075, Exhibit 9, System Audit Management Guidelines, contains requirements for creating audit-related processes at both the application and system levels. Within the application, auditing must be enabled to the extent necessary to capture access, modification, deletion and movement of FTI by each unique user. This auditing requirement also applies to data tables or databases embedded in or residing outside of the application.

9.16.3 AU-3: Content of Audit Records
Describe how the security-relevant events the agency has identified enable the detection of unauthorized access to FTI. System and/or security administrator processes will include all authentication processes used to access the system, for both operating system and application-level events. Describe how audit logs enable tracking of activities taking place on the system.

9.16.4 AU-4: Audit Storage Capacity
Describe how the agency configures the information system to allocate sufficient audit record storage capacity to record all necessary auditable items.

9.16.5 AU-5: Response to Audit Processing Failures
Describe how the agency's information system(s) alert appropriate organizational officials in the event of an audit processing failure and take additional actions.

9.16.6 AU-6: Audit Review, Analysis, and Reporting
Describe how the agency routinely reviews audit records for indications of unusual activities, suspicious activities or suspected violations, and reports findings to appropriate officials for prompt resolution.

9.16.7 AU-7: Audit Reduction and Report Generation
Describe how the agency's information system(s) provide an audit reduction and report generation capability to enable review of audit records.
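An added example, not from the IRS template, of what AU-2, AU-3 and AU-6 ask for in practice: audit records that carry who, what, which object, from where, with what outcome and when (in UTC), and a review routine run over constructed sample records that flags FTI access by an account outside the authorized population, an FTI query logged without its query text, a burst of failed logins, and records that are malformed or missing required content. The JSON field names, user and object names, sample log and the failed-login threshold are assumptions made for this example.

```python
"""Added example (not part of the IRS SPR template): a minimal audit record
format that carries the content AU-3 calls for, with UTC time stamps (AU-8),
and a review routine of the kind AU-6 expects, run over constructed sample
records.  Field names, user names, object names and the sample log are all
invented for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Who did what, to which object, from where, with what outcome, and when.
REQUIRED_FIELDS = ("ts", "user", "event", "object", "outcome", "source")
AUTH_FAILURE_THRESHOLD = 3   # illustrative value for the review rule


def make_record(user, event, obj, outcome, source, detail=None, ts=None):
    """Serialize one audit record as a JSON line.  ts defaults to now, in UTC."""
    ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
    rec = {"ts": ts, "user": user, "event": event, "object": obj,
           "outcome": outcome, "source": source}
    if detail is not None:
        rec["detail"] = detail   # for a query event: the actual query text
    return json.dumps(rec, sort_keys=True)


def review(lines, fti_objects, authorized_users):
    """Return findings as (line_number, reason) pairs."""
    findings = []
    auth_failures = defaultdict(list)   # user -> line numbers of failed logins
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append((n, "unparseable audit record"))
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            findings.append((n, "missing fields: " + ", ".join(missing)))
            continue
        if rec["object"] in fti_objects:
            if rec["user"] not in authorized_users:
                findings.append((n, "FTI access by unauthorized user " + rec["user"]))
            if rec["event"] == "QUERY" and "detail" not in rec:
                findings.append((n, "FTI query recorded without the query text"))
        if rec["event"] == "AUTH" and rec["outcome"] == "FAIL":
            auth_failures[rec["user"]].append(n)
    for user, at_lines in auth_failures.items():
        if len(at_lines) >= AUTH_FAILURE_THRESHOLD:
            findings.append((at_lines[-1], f"{len(at_lines)} failed logins for {user}"))
    return findings


# Constructed sample log: two authorized accesses, one by an unauthorized
# account, a query logged without its text, a burst of failed logins, and
# two malformed lines.
SAMPLE_LOG = [
    make_record("jdoe", "QUERY", "fti.returns", "OK", "10.0.0.5",
                detail="SELECT COUNT(*) FROM returns WHERE agi > 50000",
                ts="2024-03-01T14:02:11+00:00"),
    make_record("jdoe", "READ", "fti.returns", "OK", "10.0.0.5",
                ts="2024-03-01T14:03:40+00:00"),
    make_record("contractor1", "READ", "fti.returns", "OK", "10.0.0.9",
                ts="2024-03-01T14:05:02+00:00"),
    make_record("jdoe", "QUERY", "fti.returns", "OK", "10.0.0.5",
                ts="2024-03-01T14:06:15+00:00"),
    make_record("mallory", "AUTH", "app", "FAIL", "203.0.113.7",
                ts="2024-03-01T14:07:01+00:00"),
    make_record("mallory", "AUTH", "app", "FAIL", "203.0.113.7",
                ts="2024-03-01T14:07:04+00:00"),
    make_record("mallory", "AUTH", "app", "FAIL", "203.0.113.7",
                ts="2024-03-01T14:07:09+00:00"),
    '{"ts": "2024-03-01T14:08:00+00:00", "user": "root"}',
    "this line is not an audit record",
]


def review_sample():
    return review(SAMPLE_LOG, fti_objects={"fti.returns"}, authorized_users={"jdoe"})


if __name__ == "__main__":
    for line_no, reason in review_sample():
        print(f"line {line_no}: {reason}")
```

Two of the rules are about the log itself rather than the activity it records: an unparseable or incomplete record is a finding because a record that cannot answer the AU-3 questions is an audit failure in its own right, and a query event without the query text fails the data warehouse audit requirement later in this report.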
9.16.8 AU-8: Time Stamps
Describe how the agency's information system(s) provide date and time stamps for use in audit record generation.

9.16.9 AU-9: Protection of Audit Information
Describe how the agency's information system(s) protect audit information and audit tools from unauthorized access, modification, and deletion.

9.16.10 AU-11: Audit Record Retention
Describe how the agency ensures that audit information is archived for six years to enable the recreation of computer-related accesses to both the operating system and the application wherever FTI is stored.

9.17 Technical Security Controls: System and Communications Protection Control Family

9.17.1 SC-1: System and Communications Protection Policy and Procedures
Describe how the agency develops, documents, disseminates and updates as necessary, system and communications protection policy and procedures to facilitate implementing effective system and communications protection controls.

9.17.2 SC-2: Application Partitioning
Describe how the agency's information system(s) separate front-end interfaces from back-end processing and data storage.

9.17.3 SC-4: Information in Shared Resources
Describe how the agency's information system(s) prevent unauthorized and unintended information transfer via shared system resources.

9.17.4 SC-7: Boundary Protection
Describe how the agency's information system(s) are configured to monitor and control communications at the external boundary of the information system and at key internal boundaries within the system.

9.17.5 SC-9: Transmission Confidentiality
Describe how the agency's information system(s) protect the confidentiality of FTI during electronic transmission. The agency must encrypt all media containing FTI during transmission.

9.17.6 SC-10: Network Disconnect
Whenever there is a network connection, describe how the agency's information system(s) terminate network connections at the end of a session or after no more than fifteen minutes of inactivity.
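An added example (not from the IRS template) of the server-side idle-session termination behind SC-10's fifteen-minute limit, which is also the mechanism behind the AC-8 requirement that a workstation or application lock after a pre-defined period. SessionStore, the session identifiers and the user names are assumptions of this example; the clock is passed in explicitly so the behaviour is deterministic.

```python
"""Added example (not part of the IRS SPR template): server-side termination
of idle sessions, the mechanism behind SC-10's fifteen-minute inactivity limit
and the AC-8 requirement that a workstation or application lock after a
pre-defined period.  Session identifiers and user names are invented; the
clock is passed in explicitly so the behaviour is deterministic.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

IDLE_LIMIT_SECONDS = 15 * 60   # SC-10: no more than fifteen minutes of inactivity


@dataclass
class Session:
    user: str
    last_activity: float   # seconds; use a monotonic clock in practice


class SessionStore:
    def __init__(self, idle_limit: float = IDLE_LIMIT_SECONDS) -> None:
        self.idle_limit = idle_limit
        self._sessions: Dict[str, Session] = {}

    def open(self, sid: str, user: str, now: float) -> None:
        self._sessions[sid] = Session(user, now)

    def touch(self, sid: str, now: float) -> Optional[str]:
        """Validate a request on session sid.

        Returns the user when the session is live (and refreshes its activity
        time); returns None, after terminating the session, when it is unknown
        or has been idle longer than the limit.
        """
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_activity > self.idle_limit:
            self.terminate(sid)
            return None
        s.last_activity = now
        return s.user

    def terminate(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def reap(self, now: float) -> List[str]:
        """Terminate every idle session and return their ids.

        Run this on a timer: touch() only catches a session when it sends
        another request, and a session that goes silent must still be closed
        within the limit.
        """
        dead = [sid for sid, s in self._sessions.items()
                if now - s.last_activity > self.idle_limit]
        for sid in dead:
            self.terminate(sid)
        return dead

    def active(self) -> int:
        return len(self._sessions)
```

The check on the next request is not sufficient on its own: a client that simply stops talking would otherwise hold a valid session indefinitely, which is why the periodic reap is part of the control rather than an optimization.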
9.17.7 SC-12: Cryptographic Key Establishment and Management
Whenever Public Key Infrastructure (PKI) is used, describe how the agency establishes and manages cryptographic keys using automated mechanisms with supporting procedures, or manual procedures.

9.17.8 SC-13: Use of Cryptography
Whenever cryptography (encryption) is employed, describe how the agency's information system(s) perform all cryptographic operations using Federal Information Processing Standard (FIPS) 140-2 validated cryptographic modules operating in approved modes. Encrypted data transmissions are unreadable until decrypted by the recipient.

9.17.9 SC-15: Collaborative Computing Devices
Describe how the agency's information system(s) prohibit remote activation of collaborative computing mechanisms without explicit indication of use to the local users. Collaborative mechanisms include cameras and microphones that may be attached to the information system. Users must be notified when collaborative devices are connected to the system.

9.17.10 SC-17: Public Key Infrastructure Certificates
Whenever Public Key Infrastructure (PKI) is used, describe how the agency establishes PKI policies and practices.

9.17.11 SC-18: Mobile Code
Describe how the agency establishes usage restrictions and implementation guidance for mobile code technologies based on their potential to damage the information system if used maliciously. All mobile code must be authorized by the agency official.

9.17.12 SC-19: Voice Over Internet Protocol (VoIP)
Describe how the agency establishes, documents, and controls usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies.

9.17.13 SC-23: Session Authenticity
Describe how the agency's information system(s) provide mechanisms to protect the authenticity of communications sessions.
9.17.14 SC-32: Information System Partitioning
For Federal agencies, describe how information system components reside in separate physical domains (or environments) as deemed necessary.
Note: This control is only required for Federal agencies.

9.18 Additional Information Technology Controls - Data Warehouse Environment
Note: Data Warehouse controls are only applicable if the Data Warehouse is implemented in the computer system(s) that store, transmit, or process FTI. If a Data Warehouse environment is not applicable to your agency's use of FTI, please mark each Data Warehouse section as Not Applicable. (Please remove this instructional row upon completion of this report.)

9.18.1 DW-RA: Data Warehouse Risk Assessment
Describe how the agency implements a risk management program to ensure each aspect of the data warehouse is assessed for risk. Describe how the agency's risk documents identify and document all vulnerabilities associated with the data warehousing environment.

9.18.2 DW-PL: Data Warehouse Planning
Planning is crucial to the development of a new environment. Describe the agency's implementation of a security plan that addresses organizational policies, security testing, rules of behavior, contingency plans, architecture/network diagrams, and requirements for security reviews. While the plan provides planning guidelines, it does not replace requirements documents, which contain specific details and procedures for security operations. Policies and procedures are required to define how activities and day-to-day procedures will occur; they contain the specific policies relevant to all of the security disciplines covered in this document. As this relates to data warehousing, any data warehousing documents can be integrated into overall security procedures. A section shall be dedicated to data warehouses to define the controls specific to that environment. Describe how the agency implements policies and procedures to document all existing business processes.
The agency must ensure that roles are identified for the organization and develop responsibilities for those roles. Within the security planning and policies, the purpose or function of the warehouse shall be defined. The business process shall include a detailed definition of the configurations and functions of the hardware and software involved. In general, the planning shall define any unique issues related to data warehousing. The agency must define how legacy system data will be brought into the data warehouse and how legacy data that is FTI will be cleansed for the ETL (extract, transform, load) process. The policy shall ensure that FTI will not be subject to public disclosure. Only authorized users with a demonstrated need to know may query FTI within the data warehouse.

9.18.3 DW-SA: Data Warehouse System and Services Acquisition
Acquisition security must be addressed. As FTI is used within data warehousing environments, describe how services and acquisitions have adequate security in place, including blocking information from contractors who are not authorized to access FTI.

9.18.4 DW-CA: Certification, Accreditation, and Security Assessments
Certification, accreditation, and security and risk assessments are accepted best practices used to ensure that appropriate levels of control exist, are being managed, and comply with all federal and state laws or statutes. Describe how the agency implements a process or policy to ensure that data warehousing security meets the baseline security requirements defined in the current revision of NIST SP 800-53. The process or policy must contain the methodology used by the state or local agency to inform management, define accountability and address known security vulnerabilities. Risk assessments must follow the guidelines in NIST SP 800-30, Risk Management Guide for Information Technology Systems.
9.18.5 DW-PS: Data Warehouse Personnel Security
Describe personnel security controls for the data warehouse environment. Personnel clearances may vary from agency to agency. As a rule, personnel with access to FTI shall have a completed background investigation. In addition, when a staff member has administrator access to the entire set of FTI records, additional background checks may be determined necessary. All staff interacting with DW and DM resources are subject to background investigations in order to ensure their trustworthiness, suitability and work-role need-to-know. Access to these resources must be authorized by operational supervisors, granted by the resource owners, and audited by internal security auditors.

9.18.6 DW-PE: Data Warehouse Physical and Environmental Protection
There are no additional physical security controls for a data warehousing environment. However, describe how the physical security requirements throughout Publication 1075 are applied to the physical space hosting the data warehouse hardware.

9.18.7 DW-CP: Data Warehouse Contingency Planning
Online data resources shall be provided adequate tools for the back-up, storage, restoration, and validation of data. Agencies will ensure the data being provided is reliable. Both incremental and special-purpose data back-up procedures are required, combined with off-site storage protections and regular test restorations to validate disaster recovery and business process continuity. Standards and guidelines for these processes are bound by agency policy, and are tested and verified. Describe the content of the agency's contingency plan. Ensure that the data warehouse is addressed so that restoration/recreation of data can take place.

9.18.8 DW-CM: Data Warehouse Configuration Management
During the life cycle of the DW, online and architectural adjustments and changes will occur. Describe the process for managing these DW configuration changes.
Ensure that the agency documents these changes and assures that FTI is always secured from unauthorized access or disclosure.

9.18.9 DW-MP: Data Warehouse Media Protection
Describe the policy and procedures in place for the cleansing process at the staging area and how the ETL process cleanses FTI when it is extracted, transformed, and loaded. Additionally, describe the process for object re-use once FTI has been replaced in data sets. IRS requires all FTI to be removed by a random-overwrite software program.

9.18.10 DW-IR: Data Warehouse Incident Response
Describe the agency's policy and procedures for incident response as they pertain to the data warehousing environment.

9.18.11 DW-AT: Data Warehouse Awareness & Training
Describe the agency's disclosure awareness training program. Ensure that training addresses how FTI security requirements are communicated to end users. Training shall be user-specific to ensure all personnel receive the training appropriate to a particular job, such as the training required for administrators or auditors.

9.18.12 DW-IA: Data Warehouse Identification and Authentication
The agency shall configure web services so that users are authenticated by an authentication server before access is granted. The web portal and two-factor authentication requirements in Publication 1075 Section 9 apply in a data warehouse environment. Business roles and rules shall be embedded at either the authentication level or the application level. In either case, roles must be in place to ensure only authorized personnel have access to FTI. Describe the identification and authentication policy and procedures as they pertain to the data warehousing environment. Authentication shall be required both at the operating system level and at the application level when accessing the data warehousing environment.

9.18.13 DW-AC: Data Warehouse Access Control
Access to systems shall be granted based upon the need to perform job functions.
Agencies shall identify which application programs use FTI and how access to FTI is controlled. Access control for application programs concerns how file shares and directories apply file permissions to ensure only authorized personnel have access to the areas containing FTI. The agency shall have security controls in place that include preventive measures to keep an attack from succeeding. These security controls shall also include detective measures that alert IT staff that an attack is occurring. If an interruption of service occurs, the agency shall have additional security controls in place that include recovery measures to restore operations. Within the DW, describe how the agency protects FTI and grants access to FTI according to each aspect of a user's job responsibility. Describe how the agency enforces effective access controls so that end users have access to programs with the least privilege needed to complete the job. Describe how the agency configures access controls in the DW based on personnel clearances. Access controls in a data warehouse are generally classified as 1) General Users; 2) Limited Access Users; and 3) Unlimited Access Users. FTI shall always fall into the Limited Access Users category. All FTI shall have an owner assigned so that there is responsibility and accountability for protecting FTI. Typically, this role will be assigned to a management official such as an accrediting authority. The agency shall configure control files and datasets to enable the data owner to analyze and review both authorized and unauthorized accesses. The database servers that control FTI applications copy the query request and load it to the remote database to run the application and transform its output for the client. Therefore, access controls must be enforced at the authentication server.
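Among the requirements this section places on web-enabled application software is that all database queries be constructed with parameters rather than by splicing input into SQL text. The following added example is not part of the IRS template: it uses Python's built-in sqlite3 with an in-memory database, and the returns table, its columns, the "T0000" identifier format and the sample rows are invented. It shows a lookup built by string concatenation, the same lookup with the value bound as a parameter, and a hardened version that also applies the no-meta-characters rule as an allow-list check.

```python
"""Added example (not part of the IRS SPR template): the parameterized-query
rule for web-enabled application software in 9.18.13, shown next to the
vulnerable construction it replaces.

Uses Python's built-in sqlite3 with an in-memory database.  The table, column
names, identifier format and sample rows are invented for this example; an
FTI system would use its RDBMS's stored procedures, but the principle is the
same: input is bound as a value and never spliced into SQL text.
"""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create the constructed sample table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE returns (taxpayer_id TEXT, name TEXT, agi INTEGER)")
    conn.executemany("INSERT INTO returns VALUES (?, ?, ?)", [
        ("T0001", "A. Taxpayer", 42000),
        ("T0002", "B. Taxpayer", 61000),
        ("T0003", "C. Taxpayer", 58000),
    ])
    return conn


def lookup_vulnerable(conn, taxpayer_id: str):
    # BAD: the caller's input becomes part of the SQL text, so a quote
    # character in it rewrites the WHERE clause.
    sql = f"SELECT name, agi FROM returns WHERE taxpayer_id = '{taxpayer_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, taxpayer_id: str):
    # The query text is fixed; the driver passes the value separately, so the
    # database never interprets it as SQL.  This alone defeats the injection.
    sql = "SELECT name, agi FROM returns WHERE taxpayer_id = ?"
    return conn.execute(sql, (taxpayer_id,)).fetchall()


TAXPAYER_ID = re.compile(r"T[0-9]{4}")   # invented identifier format


def lookup_hardened(conn, taxpayer_id: str):
    # Defense in depth, matching the "no meta-characters in input" rule:
    # reject anything not shaped like an identifier before touching the
    # database, then bind the value as a parameter.
    if not TAXPAYER_ID.fullmatch(taxpayer_id):
        raise ValueError("malformed taxpayer identifier")
    return lookup_parameterized(conn, taxpayer_id)


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))        # every row leaks
    print("parameterized:", lookup_parameterized(db, payload))  # no rows
    try:
        lookup_hardened(db, payload)
    except ValueError as e:
        print("hardened:", e)
```

The allow-list check is secondary: binding the value is what removes the injection, and the identifier pattern only stops malformed input from reaching the database at all. Filtering meta-characters without parameterization is not a substitute, since the set of characters that matter depends on the database and the query context.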
Web-enabled application software shall:
- prohibit generic meta-characters from being present in input data;
- construct all database queries with parameterized stored procedures to prevent SQL injection;
- protect any variable used in scripts to prevent direct OS command attacks;
- have all comments removed from any code passed to the browser;
- not allow users to see any debugging information on the client;
- be checked before production deployment to ensure all sample, test and unused files have been removed from the production system.

9.18.14 DW-AU: Data Warehouse Audit and Accountability
Describe the agency's audit and accountability policy and procedures as they pertain to creating and reviewing audit reports for data-warehousing-related access attempts. A data warehouse must capture all changes made to data, including additions, modifications, or deletions, by each unique user. If a query is submitted, the audit log must identify the actual query being performed, the originator of the query, and the relevant time stamp. For example, if John Doe submits a query to determine the number of people making over $50,000, the audit log would record that John Doe made a query to determine the people who made over $50,000. The results of the query are not as significant as the types of query being performed.

9.18.15 DW-SC: System & Communications Protection
Whenever FTI is located in both production and test environments, these environments will be segregated. This is especially important in the development stages of the data warehouse. Describe how the agency segregates the data warehouse's production and test environments. The agency shall ensure the following:
- All Internet transmissions should be encrypted using the HTTPS protocol with Secure Sockets Layer (SSL) encryption based on a certificate containing a key no less than 128 bits in length, or FIPS 140-2 compliant, whichever is stronger.
This will allow information to be protected between the server and the workstation.
- During the Extract, Transform and Load stages of data entering a warehouse, data is at its highest risk. Encryption shall occur as soon as possible.
- All sessions shall be encrypted and provide end-to-end encryption, i.e., from workstation to point of data.
- Web server(s) that receive online transactions shall be placed in a demilitarized zone (DMZ) in order to receive external transmissions while retaining some measure of protection against unauthorized intrusion.
- Application server(s) and database server(s) shall be configured behind the firewalls for optimal security against unauthorized intrusion. Only authenticated applications and users shall be allowed access to these servers.
- Transaction data shall be swept from the web server(s) at frequent intervals consistent with good system performance, and moved to a secured server behind the firewalls, to minimize the risk that these transactions could be destroyed or altered by intrusion.
- Anti-virus software shall be installed and maintained with current updates on all servers and clients that contain tax data.
- For critical online resources, redundant systems shall be employed with automatic failover capability.

9.19 Additional Information Technology Controls - Transmitting FTI

9.19.1 ADT1: Encryption of FTI Data in Transit
Describe the policy and procedures in place that address how the agency secures FTI data while in transit. All FTI data in transit must be encrypted, both when moving across a Wide Area Network (WAN) and within the agency's Local Area Network (LAN). If encryption is not used, the agency must use other compensating mechanisms (e.g., switched VLAN technology, fiber optic medium) to ensure that FTI is not accessible to unauthorized users.

9.19.2 ADT2: Unencrypted Cable Circuits
Indicate whether or not unsecured cable circuits are used by the agency.
If in use, describe measures being taken to secure unencrypted cable circuits.
Unencrypted cable circuits of copper or fiber optics are an acceptable means of transmitting FTI. Measures must be taken to ensure that circuits are maintained on cable and not converted to unencrypted radio (microwave) transmission. Additional precautions must be taken to protect the cable (e.g., burying the cable underground or in walls or floors, and providing access controls to cable vaults, rooms and switching centers). In instances where encryption is not used, the agency must ensure that all wiring, conduits and cabling are within the control of agency personnel and that access to routers and network monitors is strictly controlled.

9.20 Additional Information Technology Controls - Remote Access
9.20.1 ADR1: Encryption Over Public Telephone Lines
Describe how the agency secures communications over public telephone lines.
Authentication should be provided through ID and password encryption for use over public telephone lines.
9.20.2 ADR2: Key Management
Describe how the agency controls and enforces key management.
Authentication is controlled by centralized Key Management Centers/Security Management Centers with a backup at another location.
9.20.3 ADR3: Remote Telephone Access
Describe the agency's remote telephone access procedures.
Standard access is provided through a toll-free number and through local telephone numbers to local data facilities. Both access methods (toll-free and local numbers) require a special (encrypted) modem and/or Virtual Private Network (VPN) for every workstation and a smart card (microprocessor) for every user. Smart cards must have both identification and authentication features and must provide data encryption as well. Two-factor authentication is required whenever FTI is being accessed from an alternate work location or via the agency's web portal.
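The web-enabled application controls (meta-character rejection, parameterized queries) and the DW-AU audit requirement above describe three parts of one handling path for a user-supplied query. The following Python is an added example, not code from Publication 1075 or from any agency system: it screens a threshold value that arrives as form text, binds it as a query parameter, and writes an audit record carrying the query, its originator and a UTC timestamp while leaving the result set out of the log, as DW-AU asks. The meta-character set, the `taxpayers` table and the sample rows are constructed for the example; sqlite3 has no stored procedures, so parameter binding on a prepared statement stands in for the parameterized stored procedure the control names. The unsafe function is included only to show the string-splicing pattern the control forbids.

```python
import sqlite3
from datetime import datetime, timezone

# Characters treated as "generic meta-characters" for this example; the exact
# set is an assumption, not a list taken from Publication 1075.
META_CHARACTERS = set(";'\"\\|&<>`")


def reject_meta_characters(value: str) -> str:
    """Refuse input carrying SQL/shell/HTML meta-characters; return it unchanged otherwise."""
    found = sorted(set(value) & META_CHARACTERS)
    if found:
        raise ValueError(f"input contains prohibited meta-characters: {found}")
    return value


# Stand-in for the warehouse audit store: one dict per audited query.
AUDIT_LOG: list = []


def record_query_audit(originator: str, sql: str, params: tuple) -> dict:
    """DW-AU: log who ran which query and when. The result set is deliberately not logged."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "originator": originator,
        "query": sql,
        "params": params,
    }
    AUDIT_LOG.append(entry)
    return entry


def count_income_over(conn: sqlite3.Connection, threshold_text: str, originator: str) -> int:
    """Count taxpayers whose income exceeds a threshold supplied as form text.

    The text is screened for meta-characters, converted to an int and bound as a
    parameter, so it can never alter the structure of the SQL statement.
    """
    threshold = int(reject_meta_characters(threshold_text.strip()))
    sql = "SELECT COUNT(*) FROM taxpayers WHERE income > ?"
    params = (threshold,)
    record_query_audit(originator, sql, params)
    return conn.execute(sql, params).fetchone()[0]


def count_income_over_unsafe(conn: sqlite3.Connection, threshold_text: str) -> int:
    """The pattern the control forbids: the raw value is spliced into the SQL text."""
    sql = f"SELECT COUNT(*) FROM taxpayers WHERE income > {threshold_text}"
    return conn.execute(sql).fetchone()[0]


def build_sample_db() -> sqlite3.Connection:
    """In-memory table with constructed, fictional rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE taxpayers (name TEXT, income INTEGER)")
    conn.executemany(
        "INSERT INTO taxpayers VALUES (?, ?)",
        [("Taxpayer A", 42000), ("Taxpayer B", 61000), ("Taxpayer C", 75500)],
    )
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print(count_income_over(db, "50000", "John Doe"))  # 2
    print(AUDIT_LOG[-1])
```

A value such as `50000 OR 1=1` contains none of the listed meta-characters, so it passes the first screen; it is the integer conversion that stops it before any statement is built, while the spliced-string version would return every row. Both layers matter: the meta-character screen is what the control requires, and the type conversion plus parameter binding is what makes the query itself safe.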
9.21 Additional Information Technology Controls - Internet
9.21.1 ADIA1: Restricted Access via Internet
Federal, state and local agencies that have Internet capabilities and connections to host servers are cautioned to perform a risk analysis on their computer system before subscribing to their use. Connecting the agency's computer system to the Internet will require that adequate security measures are employed to restrict access to sensitive data.
Describe the agency's policy and procedures for restricting access to sensitive data on systems that connect to the Internet. Describe the types of security measures employed.

9.22 Additional Information Technology Controls - Electronic Mail (E-mail)
9.22.1 ADE1: Transmitting FTI via Electronic Mail (E-mail)
Describe the agency's policy and procedures toward transmitting FTI via e-mail. If e-mail is used to transmit FTI, describe the secure measures implemented to safeguard FTI.
Generally, FTI must not be transmitted or used on the agency's internal e-mail systems. FTI must not be transmitted outside of the agency, either in the body of an e-mail or as an attachment. If transmittal of FTI within the agency's internal e-mail system is necessary, the following precautions must be taken to protect FTI sent via e-mail:
- Do not send FTI unencrypted in any e-mail message
- The file containing FTI must be attached and encrypted
- Ensure that all messages sent are to the proper address
- Employees must log off the computer when away from the area
Note: Agencies with non-electronic FTI must provide a response for this control. In this case, describe how FTI is protected from unauthorized access if it is being scanned and e-mailed.

9.23 Additional Information Technology Controls - Facsimile Mail (FAX)
9.23.1 ADF1: Transmitting FTI via Facsimile Mail (FAX)
Describe the agency's policy and procedures for transmitting FTI via FAX.
Securing FAX transmissions will include:
- Having a trusted staff member at both the sending and receiving fax machines.
- Maintaining broadcast lists and other preset numbers of frequent recipients of FTI.
- Placing fax machines in a secured area.
- Including a cover sheet on fax transmissions that explicitly provides guidance to the recipient, which includes a notification of the sensitivity of the data and the need for protection, and a notice to unintended recipients to telephone the sender (collect, if necessary) to report the disclosure and confirm destruction of the information.
Note: Agencies with non-electronic FTI must provide a response for this control.

9.24 Additional Information Technology Controls - Multi-Functional Printer-Copier Devices
9.24.1 ADM1: Transmitting FTI via Multi-Functional Printer-Copier Devices
Describe the agency's policy and procedures for transmitting FTI via multi-functional printer-copier devices.
If the agency uses a multi-functional printer-copier device, specific requirements regarding FTI must be followed:
- FTI must be encrypted in transit either to or from the device.
- FTI must not be e-mailed or faxed from the device.
- If FTI is scanned into the device, the user must authenticate on the device with a unique username and password.
- FTI may not be stored locally on the device.

9.25 Additional Information Technology Controls - Live Data Testing
9.25.1 ADL1: Live Data Testing
Describe the agency's policy and procedures for testing with live data.
If the agency uses IRS data in the testing stage, need and use statements must be revised to cover this use of IRS data, if not already addressed. State taxing agencies must check their statements (agreements) to see if testing purposes are covered. The agency must also submit a request to the IRS Office of Safeguards for authority to use live data for testing, providing a detailed explanation of the safeguards in place to protect the data and the necessity for using live data during testing.
9.26 Additional Information Technology Controls - Web Portal
9.26.1 ADW1: Web Portal
Describe the agency's policy and procedures for use of web portals when providing FTI over the Internet to customers.
To utilize a web portal that provides FTI over the Internet to a customer, the agency must meet the following requirements:
- The system architecture is configured as a three-tier architecture with physically separate systems that provide layered security of the FTI, and access to the database through the application is limited.
- Each system within the architecture that receives, processes, stores or transmits FTI to an external customer through the web portal is hardened in accordance with the requirements of Publication 1075 and is subject to frequent vulnerability testing.
- Access to FTI via the web portal requires a strong identity verification process. The authentication must use a minimum of two pieces of information, although more than two are recommended to verify the identity. One of the authentication elements must be a shared secret known only to the parties involved and issued by the agency directly to the customer. Examples of shared secrets include a unique username, PIN, password or passphrase issued by the agency to the customer through a secure mechanism. A case number does not meet the standard for a shared secret because the case number is likely shown on all documents the customer receives and so does not provide assurance that it is known only to the parties involved in the communication.

9.27 Additional Information Technology Controls - Integrated Voice Response (IVR) Systems
9.27.1 ADI1: Integrated Voice Response (IVR) Systems
Describe the agency's policy and procedures for IVR system usage.
To utilize an IVR system that provides FTI over the telephone to a customer, the agency must meet the following requirements:
- The LAN segment where the IVR system resides is firewalled to prevent direct access from the Internet to the IVR system.
- The operating system and associated software for each system within the architecture that receives, processes, stores or transmits FTI to an external customer through the IVR is hardened in accordance with the requirements of Publication 1075 and is subject to frequent vulnerability testing.
- Independent security testing must be conducted on the IVR system prior to implementation.
- Access to FTI via the IVR system requires a strong identity verification process. The authentication must use a minimum of two pieces of information, although more than two are recommended to verify the identity. One of the authentication elements must be a shared secret known only to the parties involved and issued by the agency directly to the customer. Examples of shared secrets include a unique username, PIN, password or passphrase issued by the agency to the customer through a secure mechanism. A case number does not meet the standard for a shared secret because the case number is likely shown on all documents the customer receives and so does not provide assurance that it is known only to the parties involved in the communication.

9.28 Additional Information Technology Controls - Emerging Technologies
9.28.1 ADET1: Emerging Technologies
Describe the agency's policy and procedures for maintaining FTI safeguard standards when using emerging technologies.
Requirements for safeguarding FTI when using emerging technologies to receive, process, store and transmit FTI will be developed by the Office of Safeguards in conformance with the applicable NIST standards. Requirements for these emerging technologies may be issued via a directive from the Office of Safeguards and posted to the IRS.gov web site as an addendum to Publication 1075 (see Section 1.2).
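The identity-verification requirement stated for the web portal (9.26.1 ADW1) and repeated for the IVR system (9.27.1 ADI1) is one rule: at least two elements, one of them an agency-issued shared secret, with the case number explicitly not counting. The following Python is an added example, not code from Publication 1075 or from any agency portal or IVR system, showing how a verifier can enforce that rule. Which element kinds count as shared secrets versus checkable known data, the salted PBKDF2 storage of the secrets, and the sample customer record are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Element kinds that count toward the "minimum of two pieces of information"
# rule. Which kinds an agency accepts is an assumption made for this example.
SHARED_SECRET_KINDS = {"username", "pin", "password", "passphrase"}  # issued by the agency
KNOWN_DATA_KINDS = {"ssn_last4", "date_of_birth", "zip_code"}         # checkable, but not secret
# "case_number" is deliberately in neither set: it is printed on the documents
# the customer receives, so it gives no assurance that only the two parties know it.


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the agency never stores a shared secret in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def enroll(secrets: dict, known_data: dict) -> dict:
    """Build a customer record; each secret is kept only as salt + hash."""
    record = {"secrets": {}, "known_data": dict(known_data)}
    for kind, value in secrets.items():
        if kind not in SHARED_SECRET_KINDS:
            raise ValueError(f"{kind} cannot be enrolled as a shared secret")
        salt = os.urandom(16)
        record["secrets"][kind] = {"salt": salt, "hash": _hash_secret(value, salt)}
    return record


def verify_identity(record: dict, presented: dict) -> bool:
    """Pass only if at least two elements match and at least one is a shared secret."""
    matched = set()
    for kind, value in presented.items():
        if kind in SHARED_SECRET_KINDS:
            stored = record["secrets"].get(kind)
            if stored and hmac.compare_digest(_hash_secret(value, stored["salt"]), stored["hash"]):
                matched.add(kind)
        elif kind in KNOWN_DATA_KINDS:
            if record["known_data"].get(kind) == value:
                matched.add(kind)
        # Any other kind (for example case_number) is ignored: it never counts.
    return len(matched) >= 2 and bool(matched & SHARED_SECRET_KINDS)


# Constructed sample customer record with fictional values.
SAMPLE_RECORD = enroll(
    secrets={"pin": "4821", "password": "correct-horse-battery"},
    known_data={"ssn_last4": "1234", "zip_code": "00000"},
)

if __name__ == "__main__":
    print(verify_identity(SAMPLE_RECORD, {"pin": "4821", "ssn_last4": "1234"}))          # True
    print(verify_identity(SAMPLE_RECORD, {"case_number": "C-0001", "ssn_last4": "1234"}))  # False
```

Because the case number is in neither set, presenting it alongside a known-data element still fails, which is the outcome the control calls for; two known-data elements together also fail, since neither is a shared secret. A verifier that merely counted elements would pass both cases and miss the shared-secret requirement.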
Agencies planning to implement, or in the process of implementing, an emerging technology such as cloud computing, virtualization or Voice over IP (VoIP) to receive, process, store or transmit FTI must contact the Office of Safeguards via their mailbox, SafeguardReports@IRS.gov, to request technical assistance.

10. Disclosure Awareness Program
10.1 Describe the agency's formal disclosure awareness program. Provide procedure information for initial and annual certification. Provide a sample copy of training materials presented to employees and contractors.
As part of the awareness training and certification program, employees and contractors must be advised of the provisions of IRC Sections 7431, 7213 and 7213A (see Exhibit 6, IRC Sec. 7431 Civil Damages for Unauthorized Disclosure of Returns and Return Information, and Exhibit 5, IRC Sec. 7213 Unauthorized Disclosure of Information).
Note: Each agency receiving FTI must have an awareness program that annually notifies all employees having access to FTI of the confidentiality provisions of the IRC, a definition of what returns and return information are, and the civil and criminal sanctions for unauthorized inspection or disclosure.
Attachments: Sample copy of training materials (required)

Safeguard Procedures Report (SPR) Template v4.0 (4/16/2011)
T$$If!vh#v#vj#vB#v:V l4 t055j5B5f4yt T$$If!vh#v#vj#vB#v:V l4 t055j5B5f4yt T$$If!vh#v#vh7:V l4  t055h7f4pyt T$$If!vh#v#vj#vB#v:V l4 t055j5B5f4yt T$$If!vh#v#vh7:V l4  t055h7f4pyt T$$If!vh#v#vj#vB#v:V l4 t055j5B5f4yt T$$If!vh#v#vh7:V l4  t055h7f4pyt T$$If!vh#v#vj#vB#v:V l4 t055j5B5f4yt T$$If!vh#v#vh7:V l4  t055h7f4pyt T$$If!vh#v#vj#vB#v:V l4 t055j5B5f4yt T$$If!vh#v#vh7:V l4  t055h7f4pyt T$$If!vh#v#vj#vB#v:V l4 t055j5B5f4yt T$$If!vh#v#vh7:V l4  t055h7f4pyt T$$If!vh#v#vj#vB#v:V l4 t055j5B5f4yt T$$If!vh#v#vh7:V l4  t055h7f4pyt T$$If!vh#v#vj#vB#v:V l4 t055j5B5f4yt T$$If!vh#v#vh7:V l4  t055h7f4pyt T$$If!vh#v#vj#vB#v:V l4 t055j5B5f4yt T$$If!vh#vX;:V l4  t 0,5X;f4p yt T$$If!vh#v#vj#vB#v:V l4 t055j5B5f4yt T^ 2 0@P`p2( 0@P`p 0@P`p 0@P`p 0@P`p 0@P`p 0@P`p8XV~_HmH nH sH tH L`L S{Normal$CJOJQJ^J_HaJmH sH tH D@D  Heading 1$@&OJQJ^JaJJ@J UP Heading 3$<@&5CJ\aJDA D Default Paragraph FontRi@R 0 Table Normal4 l4a (k ( 0No List B'`B AMComment ReferenceCJaJ:U`: UP Hyperlink>*B*CJphH@H  Balloon TextCJOJQJ^JaJ0 @"0 oVFooter 2)`12 UP Page NumberCJ>B@B>  Body TextOJQJ^JaJ<PR<  Body Text 2 dxZObZBodyd,(B*CJOJQJ^JaJmHnHphuL@rL AM Comment TextCJ^JaJmHsHtH@j@qr@ AMComment Subject5\ROR `center bold,cboa$5OJQJ^JaJ4@4 Header !n@n UP Table Grid7:V0CJFoF aiComment Text Char OJQJ^JP`Pe0Revision$CJOJQJ^J_HaJmH sH tH PK![Content_Types].xmlN0EH-J@%ǎǢ|ș$زULTB l,3;rØJB+$G]7O٭V$ !)O^rC$y@/yH*񄴽)޵߻UDb`}"qۋJחX^)I`nEp)liV[]1M<OP6r=zgbIguSebORD۫qu gZo~ٺlAplxpT0+[}`jzAV2Fi@qv֬5\|ʜ̭NleXdsjcs7f W+Ն7`g ȘJj|h(KD- dXiJ؇(x$( :;˹! I_TS 1?E??ZBΪmU/?~xY'y5g&΋/ɋ>GMGeD3Vq%'#q$8K)fw9:ĵ x}rxwr:\TZaG*y8IjbRc|XŻǿI u3KGnD1NIBs RuK>V.EL+M2#'fi ~V vl{u8zH *:(W☕ ~JTe\O*tHGHY}KNP*ݾ˦TѼ9/#A7qZ$*c?qUnwN%Oi4 =3N)cbJ uV4(Tn 7_?m-ٛ{UBwznʜ"Z xJZp; {/<P;,)''KQk5qpN8KGbe Sd̛\17 pa>SR! 3K4'+rzQ TTIIvt]Kc⫲K#v5+|D~O@%\w_nN[L9KqgVhn R!y+Un;*&/HrT >>\ t=.Tġ S; Z~!P9giCڧ!# B,;X=ۻ,I2UWV9$lk=Aj;{AP79|s*Y;̠[MCۿhf]o{oY=1kyVV5E8Vk+֜\80X4D)!!?*|fv u"xA@T_q64)kڬuV7 t '%;i9s9x,ڎ-45xd8?ǘd/Y|t &LILJ`& -Gt/PK! 
ѐ'theme/theme/_rels/themeManager.xml.relsM 0wooӺ&݈Э5 6?$Q ,.aic21h:qm@RN;d`o7gK(M&$R(.1r'JЊT8V"AȻHu}|$b{P8g/]QAsم(#L[PK-![Content_Types].xmlPK-!֧6 0_rels/.relsPK-!kytheme/theme/themeManager.xmlPK-!0C)theme/theme/theme1.xmlPK-! ѐ' theme/theme/_rels/themeManager.xml.relsPK] .  2=| !i'k:"F$H&')9,l.0[49=?D}HTKwPU[`_Yb+e5jRnrx{\gy}1W  kr(625W66 $)159=AGKRW^bimtza  @ $9B n="j##$F$f%4&I&''')*-n.//@1;24Z45892:; >>??BADeEF?H4IIJJKLM NoQSU}XZ[\^_D``axbecd-evehhiklUnnoJppqrQuvu.yzEz{*}~~aWAWK^ÈȊËی= `"6*)-O-AáQ|ʩů5d_^y: w97K^C6'I=OY U  [ SJL_"D"T#(j(d)P..72[2566     !"#%&'(*+,-./0234678:;<>?@BCDEFHIJLMNOPQSTUVXYZ[\]_`acdefghjklnopqrsuvwxy{|}~{))*.XXX29\~!!T # @H 0(  0(  B S  ? OLE_LINK3 OLE_LINK4...0.0..u{.~.9*urn:schemas-microsoft-com:office:smarttagsplace (}+,,,-...... . . ..2.:.L.U.\.......-. ..2.:.\....... -.... ..2.:.L.U.W.\....... -. ..2.:.L.U.W.\.......AAf ( B P,~zT"?h{И^`B*CJOJQJo(ph^`OJQJ^Jo(o ^`OJQJo( m m ^m `OJQJo(==^=`OJQJ^Jo(o   ^ `OJQJo( ^`OJQJo(^`OJQJ^Jo(o }}^}`OJQJo(80^8`0o(.^`.pL^p`L.@ ^@ `.^`.L^`L.^`.^`.PL^P`L. ^`OJQJo(^`OJQJ^Jo(o p^p`OJQJo( @ ^@ `OJQJo(^`OJQJ^Jo(o ^`OJQJo( ^`OJQJo(^`OJQJ^Jo(o P^P`OJQJo(^`B*CJOJQJo(ph^`OJQJ^Jo(o ^`OJQJo( m m ^m `OJQJo(==^=`OJQJ^Jo(o   ^ `OJQJo( ^`OJQJo(^`OJQJ^Jo(o }}^}`OJQJo(80^8`0o(()^`.pL^p`L.@ ^@ `.^`.L^`L.^`.^`.PL^P`L. h^h`OJQJo(8^8`OJQJ^Jo(o ^`OJQJo(  ^ `OJQJo( ^ `OJQJ^Jo(o x^x`OJQJo( H^H`OJQJo(^`OJQJ^Jo(o ^`OJQJo( h^h`OJQJo(8^8`OJQJ^Jo(o ^`OJQJo(  ^ `OJQJo( ^ `OJQJ^Jo(o x^x`OJQJo( H^H`OJQJo(^`OJQJ^Jo(o ^`OJQJo( BAf PzT?h{                          v,        n9                          "m~!Mn *O "lI  z-L?< RAY||:qIcb$d*V +2d,b1-1v;/BqJa{XKi0[ienn$0v8r:;mzW{$NT[qI2R2vZ o#Rg(Z9O`*~hGvz| ! 
/!7!"r"r$#1#IO#W%z%r &2k&'c','P'L(V(a(x( }(k)U1)o)*0*t*#z*}*$+'+s@+5,>?,I,z,8-WJ-K-.'.~-.e./(/5 0m}0k18 11W*161+<1j1j}12< 22/5233u3G4O5&5}686TC6H6R7p7gt788??_1?=?A&A67A{ C9C_R_A`\`5a9b;Zc&[csdWe:Qejfof gnVg[YglgK h%hr0huh i)i^iaijj*jmj'k?1kYlX+mgAmYmYm|mMn)n"JnpKtpwpAqFqKqaqr" r^HJv=BS`TwT?( u1,Qd8ye!n#58I"X`mup"9\1~J7Cl{5UPQZDdnv0= ASezpH1OPf:>}s @C"%/{ <9YDa/.9 ; F`n=eEI\W?M`hs\|>\QTY&)Of]1F+SBWV 2s4f~3WA(?CJO!*&@NvJy/2eKpMx(yoS]~ {Bl~Gc hg=/ rMAxNRb+5`8FKj S<)];t>?O]em3nOpQq @z$-B#&:?Dw("Wo(B9Z[urB{9Ho;iO1|2k4a/ (ifq~:Y Y]#,Z0HP Y\e(9 nQVWy ( U L0IBUnFw6+,"4 }2'7*^#8jV/ahg['>^Ae-gNhcwB-(2i /p% `G $r9`i`Ho"]$d,Ue+D2gNEZdr +F|W2d/3<qc.#7NU ES`7B,l 3FDfut~2 {WwB7BFQV!~*=<#(;/E9sGSf..@ .X@Unknown G*Ax Times New Roman5Symbol3. *Cx Arial5. .[`)TahomaC"UniversArialCTimesNewRomanABook Antiqua?= *Cx Courier New;WingdingsA$BCambria Math"1h``-C$-C$!0f-f-2P  ?#86! xx (       Oh+'0d   , 8DLT\ Normal.dotm1Microsoft Office Word@@(1\@(1\C-՜.+,D՜.+,, hp|  $f-  Title 8@ _PID_HLINKSA`7 mailto:SafeguardReports@IRS.gov7 mailto:SafeguardReports@IRS.gov7 mailto:SafeguardReports@irs.gov  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:<=>?@ABDEFGHIJQRoot Entry F;\SData x1TableKWordDocument7SummaryInformation(;DocumentSummaryInformation8CCompObjr  F Microsoft Word 97-2003 Document MSWordDocWord.Document.89qRoot Entry Fʦ-!YData x1TableKWordDocument7      !"#$%&'()*+,-./0123456789:<=>?@ABXW ocReviewCycleID_NewReviewCycleA`7 mailto:SafeguardReports@IRS.gov7 mailto:SafeguardReports@IRS.gov7 mailto:SafeguardReports@irs.gov2SummaryInformation(;DocumentSummaryInformation8,CompObjr  F Microsoft Word 97-2003 Document MSWordDocWord.Document.89q՜.+,D՜.+,, hp|  $f-  Title0| _PID_HLINKS_AdH