Physical Security Requirements for FTI: IRS Pub 1075

Which Physical Security Practice Is Required for FTI?

Federal Tax Information (FTI) — defined under Internal Revenue Code §6103 as tax returns and return information the IRS shares with authorized agencies — is subject to some of the most rigorous physical security requirements in U.S. law. If your agency receives FTI, you are legally obligated to protect it using controls prescribed in IRS Publication 1075: Tax Information Security Guidelines for Federal, State, and Local Agencies.

The direct answer: the physical security practice required for FTI is the restricted area control — all FTI must be accessed, processed, and stored exclusively within a formally designated restricted area that is physically separated from public or unauthorized access. That foundational requirement then branches into a detailed set of controls governing access authorization, visitor management, monitoring, media storage, and document destruction.

This guide explains every physical security practice required for FTI under IRS Publication 1075, what auditors examine during Safeguard Reviews, and how to build a defensible compliance program. For the broader picture of protecting taxpayer data, see our guide to cybersecurity for tax professionals.

FTI Physical Security: Key Compliance Thresholds

  • 24 hours: maximum access revocation window. Physical access to FTI restricted areas must be removed within 24 hours of staff separation or role change (IRS Pub 1075 PE-2).
  • Quarterly: access list review frequency. Agencies must formally review and re-authorize FTI restricted area access lists at minimum every quarter per Pub 1075.
  • 90 days: minimum camera footage retention. Security camera footage covering FTI restricted area entry points must be retained for at least 90 days (Pub 1075 PE-6).

What Is FTI and Who Must Comply?

Federal Tax Information includes any return, return information, or taxpayer identity information the IRS provides to federal or state agencies under IRC §6103 authority. This data flows to a wide range of government programs: state child support enforcement offices (Title IV-D), Medicaid and CHIP agencies, unemployment insurance programs, federal benefit agencies using tax records for income verification, and others with statutory authorization to receive it.

Every agency, contractor, and sub-contractor that receives, stores, processes, or transmits FTI — regardless of size — carries the same physical security obligations under Publication 1075. There are no exemptions for small offices or low-volume FTI recipients.

Publication 1075 maps its required controls to the NIST SP 800-53 Rev. 5 control catalog, specifically the Physical and Environmental Protection (PE) control family. Agencies that already implement NIST 800-53 for other compliance obligations can align FTI physical security controls with their existing framework rather than building a separate program from scratch.

Who Is Typically Subject to FTI Physical Security Requirements?

  • State and local tax agencies
  • Child support enforcement agencies
  • Medicaid and CHIP program offices
  • Unemployment insurance agencies
  • Federal benefit payment agencies using tax data for income verification
  • Contractors and third-party service providers with access to FTI systems or records

Related obligations for tax preparers who handle private client information — rather than government-received FTI — are covered in our IRS Publication 4557 tax safeguard compliance resource.

The Core Physical Security Requirement for FTI

IRS Publication 1075 requires that all FTI be accessed, processed, and stored only within formally designated restricted areas. No FTI may be handled in spaces open to the public or accessible to personnel who have not been vetted and authorized. This restricted area requirement is the foundation from which all other FTI physical security controls derive.

Restricted Areas: The Foundational Physical Security Practice for FTI

A restricted area under Publication 1075 is a space with physical barriers — walls, partitions, or equivalent structures — that prevent unauthorized entry. Every entry point must be controlled by one of these mechanisms:

  • Electronic key card or badge systems with individually assigned credentials (preferred, because access can be revoked instantly and logs are generated automatically)
  • Combination or cipher locks with codes distributed only to authorized, vetted personnel
  • Biometric readers such as fingerprint or retinal scanners
  • Security personnel physically controlling access at checkpoints

Open-plan offices, shared workspaces, and areas accessible to visitors or general staff do not qualify as restricted areas without additional physical barriers. A workstation processing FTI cannot sit at an open desk even if the broader office building is access-controlled. Publication 1075 is explicit: the restricted area designation applies to the specific space where FTI is handled, not just the building perimeter.

Physical Access Authorizations — PE-2

Agencies must maintain a formal, signed list of every individual authorized to enter each FTI restricted area. That list must specify why each person needs access — tied to specific job duties — and must be reviewed at minimum every quarter. When an employee separates from the agency or moves to a role that no longer requires FTI access, their physical access must be revoked within 24 hours, including key card deactivation, combination code changes if shared credentials were used, and removal from the authorization list.

Monitoring Physical Access — PE-6

Publication 1075 requires that access to FTI restricted areas be actively monitored, not just controlled at the door. Security cameras must cover all entry and exit points. Access logs — whether from electronic badge readers or paper sign-in sheets — must be reviewed at least weekly for anomalies: after-hours entries, repeated failed access attempts, or access by personnel who should no longer be authorized. Camera footage must be retained for a minimum of 90 days.
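The weekly log review described above (PE-6) and the 24-hour revocation rule (PE-2) are both checks that can be automated against a badge-reader export and the current authorization list. The following is an added example, not code from IRS Pub 1075 or from this post's author; all badge IDs, names, timestamps and log lines are constructed sample data, and the "timestamp,badge,door,result" line format, the business-hours window and the three-denial threshold are assumptions.

```python
"""Weekly PE-6 badge-log review against a PE-2 authorization list.

Added example (not from IRS Pub 1075 or the post's author). Badge IDs, names,
log lines and timestamps are constructed; the "timestamp,badge,door,result"
line format is an assumed export layout, not a real badge-system format.
"""
from datetime import datetime, timedelta

BUSINESS_HOURS = (7, 19)                  # assumed normal entry hours, local time
FAILED_THRESHOLD = 3                      # assumed denials per badge that count as "repeated"
REVOCATION_WINDOW = timedelta(hours=24)   # Pub 1075 PE-2 revocation deadline

# Constructed PE-2 authorization list: badges currently active on the FTI door.
AUTHORIZED_BADGES = {"B1001": "A. Analyst", "B1002": "B. Clerk", "B1003": "C. Former"}
# Constructed HR separation feed: B1003 left on 4 March but is still listed above.
SEPARATIONS = {"B1003": datetime(2024, 3, 4, 9, 0)}
# Constructed badge-reader export for one week (Tue 5 Mar to Thu 7 Mar 2024).
BADGE_LOG = [
    "2024-03-05T08:12:00,B1001,DOOR-FTI-1,GRANTED",  # normal entry
    "2024-03-05T22:40:00,B1002,DOOR-FTI-1,GRANTED",  # after-hours entry
    "2024-03-06T10:05:00,B1003,DOOR-FTI-1,GRANTED",  # separated employee still gets in
    "2024-03-07T09:00:00,B1999,DOOR-FTI-1,DENIED",
    "2024-03-07T09:01:00,B1999,DOOR-FTI-1,DENIED",
    "2024-03-07T09:02:00,B1999,DOOR-FTI-1,DENIED",   # third denial: repeated failures
    "2024-03-07T09:03:00,B1999,DOOR-FTI-1,GRANTED",  # unlisted badge granted: reader and list out of sync
]
REVIEW_TIME = datetime(2024, 3, 8, 9, 0)  # when the weekly review is run


def review_badge_log(log, authorized, separations, now):
    """Return (finding, badge, timestamp) tuples for the anomalies PE-6 asks reviewers to look for."""
    findings = []
    denials = {}
    for line in log:
        ts_text, badge, _door, result = line.split(",")
        ts = datetime.fromisoformat(ts_text)
        if result == "DENIED":
            denials[badge] = denials.get(badge, 0) + 1
            if denials[badge] == FAILED_THRESHOLD:  # report once, when the threshold is hit
                findings.append(("repeated_failed_access", badge, ts_text))
            continue
        # Granted entry by someone who should no longer be authorized.
        if badge not in authorized:
            findings.append(("unauthorized_badge", badge, ts_text))
        elif badge in separations and ts > separations[badge]:
            findings.append(("access_after_separation", badge, ts_text))
        # Granted entry outside business hours or on a weekend.
        if ts.weekday() >= 5 or not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            findings.append(("after_hours_entry", badge, ts_text))
    # PE-2 check: separated staff whose badge is still authorized more than 24 hours later.
    for badge, separated_at in separations.items():
        if badge in authorized and now - separated_at > REVOCATION_WINDOW:
            findings.append(("revocation_overdue", badge, separated_at.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in review_badge_log(BADGE_LOG, AUTHORIZED_BADGES, SEPARATIONS, REVIEW_TIME):
        print(*finding)
```

Each finding is the kind of item a documented weekly review record should carry, with the badge and timestamp a reviewer would cite when assigning a corrective action.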

Visitor Management — PE-8

All visitors to FTI restricted areas must present identification, sign a visitor log, and be escorted by an authorized employee at all times. Visitors may not be left unattended, even briefly. Visitor logs must document the visitor's name, organization, purpose of visit, escort name, and entry and exit times. These records must be retained and available for review during IRS Safeguard Reviews.

Physical Security Controls Required for FTI Under IRS Pub 1075

Restricted Area Designation

All spaces where FTI is accessed, processed, or stored must be formally designated restricted areas with physical barriers and controlled entry points — open-plan spaces do not qualify.

Visitor Management and Escort

Visitors must sign in, present ID, and be escorted at all times inside restricted areas. Logs must document name, purpose, escort identity, and entry and exit times.

Physical Access Monitoring

Security cameras must cover all FTI area entry points. Access logs must be reviewed weekly for anomalies. Camera footage must be retained for at least 90 days.

Clean Desk and Output Controls

FTI must not be left unattended on desks or workstations. Screens must auto-lock within 15 minutes. Printers in restricted areas or attended printing procedures are required for FTI output.

Locked Media Storage

Physical media containing FTI — paper, USB drives, backup tapes — must be stored in locked containers, cabinets, or safes when not actively in use by an authorized user.

Certified Media Destruction

Paper FTI must be cross-cut or micro-cut shredded at DIN P-4 minimum. Magnetic media must be degaussed and then physically destroyed; solid-state media must be physically destroyed. All destruction events must be fully logged.

FTI Document Handling, Storage, and Destruction Requirements

Physical security requirements for FTI extend beyond who can enter a room — they govern how FTI is handled from the moment it is received through the moment it is destroyed. Publication 1075's Media Protection (MP) controls cover this lifecycle in detail.

Storage: Locked Containers Required

When FTI in physical form — printed reports, forms, portable drives, backup tapes — is not actively in use, it must be secured in a locked container that only authorized personnel can open. Acceptable options include GSA-approved security containers and safes, locked steel filing cabinets located inside restricted areas, and dedicated locked server rooms for electronic media. Leaving FTI printouts in an unlocked drawer or an unsecured filing cabinet — even in a locked office — violates Publication 1075's physical security requirements.

Clean Desk Policy and Workstation Controls

One of the most frequently cited deficiencies in IRS Safeguard Reviews is failure to enforce a clean desk policy. FTI on any desk or workstation must be attended by a vetted, authorized user. The moment that user steps away, FTI must be secured. On-screen FTI is addressed by requiring workstations to auto-lock after no more than 15 minutes of inactivity, with 5-minute timeouts recommended. Printers that produce FTI output must be located inside restricted areas or staffed by an authorized employee throughout the entire print job.

Media Destruction: Standards and Logging Requirements

When FTI reaches end of life — whether on paper or digital media — its destruction must meet specific standards and be fully documented. For paper FTI, cross-cut or micro-cut shredding at a minimum of DIN 66399 level P-4 is required, producing particles no larger than 160 mm². Strip-cut shredders do not meet this standard and should not be used for FTI disposal. Burning and pulping under controlled conditions are also acceptable methods.

For electronic media, Publication 1075 requires degaussing followed by physical destruction for magnetic media (hard drives, tapes), and physical destruction alone for solid-state drives. Standard file deletion and even full-disk formatting do not satisfy this requirement. Every destruction event must be logged with the date, media type, quantity, destruction method, and the name of the person who performed or witnessed the event. Agencies using third-party destruction vendors must obtain certificates of destruction and retain them for audit purposes.

For the encryption and technical controls that complement these physical protections, see our analysis of the strongest encryption for online tax filing in 2026. Agencies that also handle private taxpayer data outside the FTI channel should review the WISP requirements in IRS Publication 4557, Safeguarding Taxpayer Data, for parallel obligations.

Building an FTI Physical Security Compliance Program: Seven Steps

1. Map All FTI Touchpoints

Document every location, workstation, printer, filing cabinet, and server where FTI is received, processed, displayed, stored, or destroyed. This inventory drives every subsequent control decision and is required documentation for Safeguard Reviews.

2. Designate and Secure Restricted Areas

Formally designate each FTI location as a restricted area. Install electronic access controls at every entry point and document physical boundaries — walls, doors, control mechanisms — in your agency security plan.

3. Establish Access Authorization Lists

Create signed authorization lists for each restricted area tied to specific job duties. Build a documented process to provision access for new hires and revoke it within 24 hours of separations or role changes.

4. Deploy Visitor Management Controls

Implement visitor sign-in logs, identification requirements, and a written escort policy. Train all authorized staff on their escort responsibilities before any visitor access to restricted areas is permitted.

5. Implement Clean Desk and Output Policies

Issue a written clean desk policy, configure workstation auto-lock timeouts (15 minutes maximum, 5 minutes recommended), and designate FTI-capable printers inside restricted areas or establish attended-printing procedures.

6. Procure Compliant Storage and Destruction Capabilities

Acquire locked storage containers meeting GSA standards, contract with certified destruction vendors, and implement destruction logging procedures. Document the first destruction event before your next IRS audit cycle.

7. Conduct Quarterly Internal Walkthroughs

Use the IRS Publication 1075 safeguard review checklist to perform internal physical security walkthroughs each quarter. Document findings, assign corrective actions with owners and deadlines, and verify closure before your next biennial IRS audit.

IRS Safeguard Reviews: What Auditors Check for Physical Security

Agencies receiving FTI undergo IRS Safeguard Reviews on a biennial cycle — and more frequently if prior reviews identified deficiencies. During the physical security component, IRS reviewers conduct on-site walkthroughs of all FTI-handling areas. They are specifically looking for the following evidence:

  • Physical separation of restricted areas from public or general staff access zones
  • Current, signed access authorization lists reviewed within the past 90 days
  • Visitor logs covering the full review period with all required fields completed
  • Security camera coverage of all entry and exit points
  • Evidence of weekly log reviews, typically demonstrated through a documented review record
  • Locked storage containers for all physical FTI media
  • Destruction logs with required detail covering the past 12 to 24 months

Review findings are categorized by severity. A material weakness — such as FTI stored in an unlocked area, no access controls on a restricted area entry point, or a missing destruction log — can trigger a formal corrective action plan, suspension of FTI access pending remediation, or escalation to the IRS Office of Safeguards.

Physical and Technical Controls Work Together

Physical security and cybersecurity are inseparable for FTI compliance. An unattended workstation displaying FTI is a physical security failure even if the network is fully encrypted. Publication 1075 requires agencies to address both domains in a single integrated security plan. Physical controls such as locked server rooms and restricted area badge access directly reinforce technical controls such as encryption and network segmentation. For staff accessing FTI through agency software, enabling two-factor authentication in tax software provides a technical barrier that complements physical access controls at the system level. Agencies handling FTI alongside private client records may also find the WISP checklist for CPA firms useful for maintaining a coherent security posture across both regulatory requirements.

Is Your Agency Ready for an IRS Safeguard Review?

Bellator Cyber Guard's FTI compliance specialists assess your physical and technical controls against IRS Publication 1075 requirements — before the auditors arrive. Get a prioritized remediation plan and confidence going into your next Safeguard Review.

Frequently Asked Questions About FTI Physical Security Requirements

The physical security practice required for FTI under IRS Publication 1075 is the restricted area control: all FTI must be accessed, processed, and stored only within formally designated restricted areas that have physical barriers, controlled entry, and documented access authorization lists. Supporting controls include visitor management with escort requirements, physical access monitoring with weekly log reviews, clean desk policies, locked media storage, and certified media destruction with complete event documentation.

A restricted area for FTI must have physical barriers — walls or equivalent partitions — that separate it from public or general staff access. Entry must be controlled by an electronic key card system, cipher lock, biometric reader, or security personnel. The area must have a formal authorization list, security camera coverage of all entry points, and documented visitor management procedures. Open-plan offices and low-partition cubicle environments do not qualify without additional physical access controls at the boundary of the FTI work zone.

IRS Publication 1075 requires paper FTI to be destroyed using cross-cut or micro-cut shredding that meets at minimum DIN 66399 level P-4, producing particles no larger than 160 mm². Strip-cut shredders do not meet this standard and should not be used for FTI disposal. Burning and pulping under controlled conditions are also acceptable. Every destruction event must be logged with the date, media type and quantity, method used, and the name of the person who performed or witnessed the event.

IRS Publication 1075 requires that physical access to FTI restricted areas be revoked within 24 hours of an employee's separation from the agency or a role change that eliminates their FTI access need. This includes deactivating electronic key cards, changing combination codes if shared credentials were used, and removing the individual from the formal access authorization list. Agencies should build automated off-boarding triggers tied to HR actions to meet this timeline consistently.

Yes. Any contractor, sub-contractor, or third-party service provider that receives, accesses, processes, stores, or transmits FTI must implement the same physical security controls required of the receiving agency under IRS Publication 1075. Agencies are responsible for verifying contractor compliance through contract language, on-site inspections, and periodic reviews. Contractors may also be subject to direct IRS Safeguard Review if they handle FTI on their own systems or premises.

IRS Publication 1075 adopts NIST SP 800-53 Rev. 5 as its control baseline and maps required FTI controls to specific NIST identifiers. For physical security, the key controls are in the Physical and Environmental Protection (PE) family: PE-2 (Physical Access Authorizations), PE-3 (Physical Access Control), PE-6 (Monitoring Physical Access), and PE-8 (Visitor Access Records). Media Protection controls — MP-4 (Media Storage) and MP-6 (Media Sanitization) — cover storage and destruction requirements. Agencies already operating under NIST 800-53 for other programs can align FTI physical security requirements with their existing control implementation rather than building a separate compliance structure.

The standard IRS Safeguard Review cycle is biennial — every two years. However, agencies with prior material weakness findings or unauthorized disclosure incidents may be reviewed more frequently. Agencies should treat each two-year window as active preparation time and conduct internal walkthroughs using the Publication 1075 checklist at least quarterly to identify and remediate gaps before IRS auditors arrive.

Unauthorized disclosure of FTI carries penalties under IRC §7213 (criminal) and IRC §7431 (civil). Criminal penalties for willful unauthorized disclosure include up to five years in federal prison, fines up to $5,000 per offense, and removal from federal employment. Civil penalties allow affected taxpayers to sue for actual damages or a minimum of $1,000 per unauthorized disclosure, whichever is greater, plus punitive damages and attorney's fees. These penalties apply to both government employees and contractors who cause or enable the unauthorized disclosure.
