IRS manual explicitly governs email backup and retention


After the revelation that Lois Lerner’s emails went missing when she spilled coffee on her laptop (I made that part up), I began wondering what type of email infrastructure the Internal Revenue Service (IRS) might be using. Surely, as with nearly every other government agency, all email is stored in a centralized server using something like a Microsoft Exchange platform or equivalent. The messages in your inbox are simply a reflection of your messages as they exist on the server. This model exists for the express purpose of preventing data loss and providing universal access.

For example, I could lose my laptop or the hard drive could catch fire, but it doesn’t matter: my emails are safely stored externally on a server somewhere in a data center. That server, undoubtedly, is protected by numerous fail-safe methods such as drive mirroring, daily (if not hourly) backups of data, and the ability to be replicated and restored should that server itself fail or suffer hardware damage. In short, there is no conceivable way that an entire chunk of emails from a specific period in question has gone entirely missing simply because a desktop or laptop computer “crashed,” as the IRS put it.

Luckily, you don’t have to go further than Google to learn a little something about how the IRS expects employees and their own internal information technology department to handle email and other sensitive data. Do a little searching and you’ll come across something called the Internal Revenue Manual, or IRM. This publication includes information divided into thirty-nine parts, which are then subdivided into hundreds of sections and subsections governing every single aspect of the tax-collecting agency.

Of particular interest to me were the sections on email guidelines, data archiving, and security compliance. According to Part 1, Chapter 10, Section 3, “Standards for Using Email,” there is in fact an email archiving procedure in place. In a subsection of Section 3 titled “Don’t Slow Down the System,” the manual instructs all IRS employees to refrain from sending large attachments, since they will be archived with the message and will eventually fill up the server, causing performance issues as well as headaches for systems administrators.

Refrain from sending large attachments to work groups or audiences. Remember every email message and any attachments, embedded graphics and photographs require a copy for each Exchange server store where each recipient’s mailbox resides. [Emphasis added]

Instead store the document on an IRS public web archive or SharePoint repository and insert a hyperlink into the message. Ensure the permissions allow access by all recipients prior to sending the message.

This confirms that the IRS is in fact using the Microsoft Exchange platform for email within the organization. We’ve affirmed that all email is in fact being stored on external servers outside an individual desktop or laptop computer of any particular user.

The next question concerns whether those email servers are being backed up and maintained pursuant to other sections of the IRM governing data backup and security. Luckily, Part 10, Chapter 8, Section 60, Subsection, explains how data backups occur with regard to the Federal Information Security Management Act of 2002 (FISMA).

System/Application Backups

All FISMA-reportable systems and applications and non-applications (as defined by FISMA) shall be backed up in a restorable format on a regular basis, encrypted, and stored offsite. [Emphasis added]

Frequency and type of backups shall be defined in the Operations/Customer SLA and documented in applicable SA&A documents.

Why does this matter, you ask? It’s very simple. FISMA governs the retention and storage of government data, specifically including email and all other electronic correspondence. Simply put, under the banner of FISMA, the emails of Lois Lerner, which were stored by the IRS on an Exchange server store, should have been backed up externally at regular intervals as governed by FISMA. A simple crash of a laptop or desktop computer should not be enough to erase sensitive communications from an individual at the highest levels of a major government agency.

Furthermore, as also required by FISMA and implemented by the IRS according to the Internal Revenue Manual, items such as email must be archived in a way that is easily retrievable in the event of data loss or as needed during a criminal investigation.

Based merely on these small sections of the massive IRS manual, there are only two possibilities with regard to Lois Lerner’s missing emails.

1. They’re gone due to a simple laptop or desktop computer hard drive crash. This must assume that IRS information technology personnel were not following their own set standards for data retention and security. In this case, more heads should be rolling, as federal law may have been violated by an agency which is not in compliance with security policies laid out in FISMA.

2. Lois Lerner, in collusion with personnel at the IRS, is lying.

In either case, there is far more to this story than a hard drive crash.



Nate is founder of the blog He is a software developer by day.

