Ohio Admin. Code 5101:12-1-22.1

Current through all regulations passed and filed through December 2, 2024
Section 5101:12-1-22.1 - Safeguarding visit procedures
(A) In accordance with "Internal Revenue Service (IRS) Publication 1075" (rev. 11/2021), the office of child support (OCS) is required to conduct a federal tax information (FTI) safeguarding visit (hereafter "visit") with each agency that has access to FTI that is related to the child support program. The purpose of the visit is to ensure that adequate FTI safeguards and security measures are maintained by the agency.
(1) OCS shall establish a schedule for each child support enforcement agency (CSEA) with access to FTI, at the direction of OCS, to either participate in a visit or complete a safeguarding self inspection at least once every three years.
(2) OCS shall complete a visit at least once every eighteen months for internal headquarters and facilities housing FTI.
(B) OCS notification of the visit.
(1) When the agency is a CSEA, OCS will notify the director or administrator and tax offset coordinator of the date and time of the visit.
(2) When the agency is not a CSEA, OCS will notify the appropriate agency point of contact of the date and time of the visit.
(C) Visit procedures.
(1) Fifteen business days prior to the visit, OCS will send a JFS 07729, "FTI Safeguarding Workbook" (effective or revised effective date as identified in rule 5101:12-1-99 of the Administrative Code.)
(2) The agency shall complete and return the JFS 07729 to OCS no later than five business days prior to the visit.
(3) OCS may perform any or all of the following activities during the visit:
(a) Select a random sample of cases to review.
(b) Review and discuss the completed JFS 07729.
(c) Review and discuss the permanent FTI tracking log.
(d) Complete a physical walk-through of the building or buildings that have access to SETS and/or FTI. This could include, but is not limited to;
(i) Offsite storage;
(ii) Satellite offices;

(iii) Prosecutors offices; and
(iv) Courts.
(D) Visit follow up procedures for an agency.
(1) OCS shall send, within fifteen business days from the date of the visit, to the agency an initial JFS 07729 identifying specific vulnerabilities discovered during the visit. OCS will identify potential remedies for each vulnerability.
(2) When the initial JFS 07729 identifies vulnerabilities, the agency shall send to OCS a written response that describes the actions the agency shall take to remedy the vulnerabilities, including a timeline for completing the actions. The agency shall send the written response to OCS no later than thirty days after the receipt of the initial JFS 07729 from OCS.
(3) OCS shall respond by issuing the JFS 07729 as interim when the remedy(s) to a vulnerability(s) are pending completion by the CSEA. OCS may also request additional information from the agency.
(4) OCS shall respond to the agency's written response described in paragraph (D)(2) of this rule, indicating whether the actions proposed to remedy any vulnerabilities meet the IRS safeguarding regulations as described in the IRS publication 1075. OCS shall send the final JFS 07729 once all the vulnerabilities have been closed.
(E) In accordance with IRS publication 1075, OCS may require that the agency complete an FTI self-inspection of each location as described in paragraph (C)(3)(d) of this rule, that has access to FTI. The purpose of the self-inspection is to ensure that adequate FTI safeguards and security measures are maintained by the agency.
(1) Self-inspection procedures.
(a) OCS will notify the CSEA director, administrator, tax offset coordinator or agency point of contact as to the month in which the agency is required to complete a self-inspection.
(b) OCS will send a JFS 07729 ten days prior to the beginning of the month in which the self-inspection is scheduled.
(c) The agency shall complete the JFS 07729 and return the completed JFS 07729 to OCS by the last day of the self-inspection month.
(2) Self-inspection follow-up procedures.
(a) Within fifteen days of receipt of the completed JFS 07729, OCS shall notify the agency as to whether additional information is required. Should additional information be required, the agency shall submit the additional information within fifteen days of the request for information to OCS. If no additional information is required, OCS shall notify the agency that the JFS 07729 has been accepted.
(b) Should the CSEA fail to return the JFS 07729 or respond to a request for additional information within the required timeframe, OCS reserves the right to conduct an on-site visit in accordance with rule 5101:12-1-22.1 of the Administrative Code.
(F) An agency shall comply with the following reporting requirements, in accordance with the FTI incident response and incident reporting standards described in IRS publication 1075 for unauthorized access to or inspection of FTI, including but not limited to:
(1) Training all staff in FTI incident response procedures.
(2) Routinely tracking and documenting FTI security incidents.
(3) Promptly reporting any unauthorized inspection and disclosure or use of FTI to the appropriate authority, as described in the IRS publication 1075.

Ohio Admin. Code 5101:12-1-22.1

Effective: 11/1/2022
Five Year Review (FYR) Dates: 8/1/2022 and 11/01/2027
Promulgated Under: 119.03
Statutory Authority: 3125.08, 3125.25, 3125.51
Rule Amplifies: 3125.03, 3125.08, 3125.43, 3125.50
Prior Effective Dates: 08/01/1982, 12/16/1989, 10/01/1990, 04/01/1991, 01/01/1992, 02/11/1993, 09/01/1994, 06/02/2001, 07/01/2002, 01/01/2006, 06/15/2006, 03/01/2012, 04/01/2018