Current through all regulations passed and filed through September 16, 2024
(A) In accordance with "Internal Revenue
Service (IRS) Publication 1075" (rev.
11/2021), the
office of child support (OCS) is required to conduct a federal tax information
(FTI) safeguarding visit (hereafter "visit") with each agency that has access
to FTI that is related to the child support program. The purpose of the visit
is to ensure that adequate FTI safeguards and security measures are maintained
by the agency.
(1) OCS shall establish a
schedule for each child support enforcement agency (CSEA) with access to FTI,
at the direction of OCS, to either participate in a visit or complete a
safeguarding self inspection at least once every three years.
(2) OCS shall complete a visit at least once
every eighteen months for internal headquarters and facilities housing
FTI.
(B) OCS
notification of the visit.
(1) When the agency
is a CSEA, OCS will notify the director or administrator and tax offset
coordinator of the date and time of the visit.
(2) When the agency is not a CSEA, OCS will
notify the appropriate agency point of contact of the date and time of the
visit.
(C) Visit
procedures.
(1) Fifteen business days prior to
the visit, OCS will send a JFS 07729, "FTI Safeguarding Workbook" (effective or
revised effective date as identified in rule
5101:12-1-99
of the Administrative Code.)
(2)
The agency shall complete and return the JFS 07729 to OCS no later than five
business days prior to the visit.
(3) OCS may perform any or all of the
following activities during the visit:
(a)
Select a random sample of cases to review.
(b) Review and discuss the completed JFS
07729.
(c) Review and discuss the
permanent FTI tracking log.
(d)
Complete a physical walk-through of the building or buildings that have access
to SETS and/or FTI. This could include, but is not limited to;
(i) Offsite storage;
(ii) Satellite offices;
(iii) Prosecutors
offices; and
(iv) Courts.
(D) Visit
follow up procedures for an agency.
(1) OCS
shall send, within fifteen business days from the date of the visit, to the
agency an initial JFS 07729 identifying specific vulnerabilities discovered
during the visit. OCS will identify potential remedies for each
vulnerability.
(2) When the initial
JFS 07729 identifies vulnerabilities, the agency shall send to OCS a written
response that describes the actions the agency shall take to remedy the
vulnerabilities, including a timeline for completing the actions. The agency
shall send the written response to OCS no later than thirty days after the
receipt of the initial JFS 07729 from OCS.
(3) OCS shall respond by issuing the JFS
07729 as interim when the remedy(s) to a vulnerability(s) are pending
completion by the CSEA. OCS may also request additional information from the
agency.
(4) OCS shall respond to
the agency's written response described in paragraph (D)(2) of this rule,
indicating whether the actions proposed to remedy any vulnerabilities meet the
IRS safeguarding regulations as described in the IRS publication 1075. OCS
shall send the final JFS 07729 once all the vulnerabilities have been
closed.
(E) In
accordance with IRS publication 1075, OCS may require that the agency complete
an FTI self-inspection of each location as described in paragraph (C)(3)(d) of
this rule, that has access to FTI. The purpose of the self-inspection is to
ensure that adequate FTI safeguards and security measures are maintained by the
agency.
(1) Self-inspection procedures.
(a) OCS will notify the CSEA director,
administrator, tax offset coordinator or agency point of contact as to the
month in which the agency is required to complete a self-inspection.
(b) OCS will send a JFS 07729 ten days prior
to the beginning of the month in which the self-inspection is
scheduled.
(c) The agency shall
complete the JFS 07729 and return the completed JFS 07729 to OCS by the last
day of the self-inspection month.
(2) Self-inspection follow-up procedures.
(a) Within fifteen days of receipt of the
completed JFS 07729, OCS shall notify the agency as to whether additional
information is required. Should additional information be required, the agency
shall submit the additional information within fifteen days of the request for
information to OCS. If no additional information is required, OCS shall notify
the agency that the JFS 07729 has been accepted.
(b) Should the CSEA fail to return the JFS
07729 or respond to a request for additional information within the required
timeframe, OCS reserves the right to conduct an on-site visit in accordance
with rule 5101:12-1-22.1 of the Administrative Code.
(F) An agency shall comply with
the following reporting requirements, in accordance with the FTI incident
response and incident reporting standards described in IRS publication 1075 for
unauthorized access to or inspection of FTI, including but not limited to:
(1) Training all staff in FTI incident
response procedures.
(2) Routinely
tracking and documenting FTI security incidents.
(3) Promptly reporting any unauthorized
inspection and disclosure or use of FTI to the appropriate authority, as
described in the IRS publication 1075.
