Email breaches can be just as destructive to organizations as customer data breaches; just ask Sony Pictures and the Democratic National Committee. A breach of a federal government agency’s email system may not just be embarrassing or scandalous to the agency; it could put national security at risk. To help agencies protect sensitive and classified information from being stolen in an email hack, the National Institute of Standards and Technology (NIST) has released a finalized revision of SP 800–177 (Revision 1).

Titled Trustworthy Email, the framework outlines best practices for federal email security and updates the minimum standards for FISMA compliance. SP 800–177 complements SP 800–45, which was published in 2007, by providing more up-to-date email security recommendations and guidance, including guidelines regarding digital signatures and encryption (via S/MIME), minimizing unwanted email (spam), and other aspects of email system deployment and configuration. It also includes an appendix with an overlay of the NIST SP 800–53 Rev. 4 controls and a detailed description of how email systems can comply with the applicable controls.

While SP 800–177 was designed specifically for federal agencies, NIST notes that small and medium-sized business in the private sector can benefit from using the same email security best practices to protect confidential business information.

Federal Email Security: Beyond SMTP

The internet’s underlying core email protocol, Simple Mail Transport Protocol (SMTP), was first developed in 1982, when email security was not a consideration. SP 800–177 recommends the continued use of SMTP, along with the existing Domain Name System (DNS), but notes that the protocols are increasingly vulnerable to a wide range of cyber threats, including man-in-the-middle content modification and cyber spying. Federal agencies must implement proactive safeguards such as spoofing protection, integrity protection, encryption, and authentication to ensure that their email systems are sufficiently secure for use in government, financial, and medical communications.

The publication describes best practices for authenticating a sending domain and ensuring email transmission and content security using the Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), the Domain based Message Authentication Reporting and Conformance (DMARC) protocol, and the Transport Layer Protocol (TLS). It also recommends using Secure Multipurpose Internet Mail Extensions (S/MIME) for email communications that require end-to-end authentication and confidentiality.

SP 800–177 also outlines best practices for protecting against common email security threats impacting the integrity, availability, and confidentiality of email systems, including email spoofing and forging, phishing and spear phishing, eavesdropping and traffic analysis attacks, content modification of emails in transit, email bombing attacks, and spam.

NIST points out in SP 800–177 that securing an email system is far more complex than securing a website, and there is no magic bullet for email security. Different federal agencies will have different needs, data environments, and risk levels. However, with nation-state hackers funded by foreign governments increasingly targeting federal agencies and government contractors, it is crucial to national security to ensure that sensitive and classified government email communications remain confidential.

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.