Much of the information we send in emails across the NDU network requires protection. Digital signatures and encryption are email tools we use to maintain the confidentiality, authentication, and integrity of this information. Knowing how to use these tools, when they are needed, and how to resolve issues that may arise helps NDU faculty, staff and students to better protect their own information and NDU’s network.
NDU technically supports encrypting and digitally signing outgoing email using Microsoft Outlook 2010 and a DoD-issued Common Access Card (CAC) on NDU's network email servers ("email@example.com").
NDU does not provide technical support for encrypting and digitally signing email -- with or without a CAC -- using cloud-based and/or commercial email clients (O365, Gmail, Hotmail, Yahoo) on students' personal computing devices; however, the use of commercial email clients does not obviate the requirement that you encrypt and digitally sign email containing PII or sensitive information.
Alternatives to Email
Alternatives to emailing sensitive data include delivering it via the AMRDEC Safe Access File Exchange (SAFE), in person, by courier, or by secure Fax. The secure Fax number for NDU Security is (202) 685-3765. Information submitted via any of these methods must include a DD Form 2923, "Privacy Act Data Cover Sheet."
Emailing Sensitive Information
DoD policy requires digital signatures and/or encryption for emails containing the following:
Examples of Email that Must be Digitally Signed
- Messages containing formal direction to government employees or contractors
- Messages stipulating an official NDU position
- Messages that commit to, authorize or deny the use of funds; and
- Messages that contain an embedded hyperlink or attachment, as these are often used to conceal malware or viruses.
Examples of Email that Must be Digitally Signed AND Encrypted
- Controlled Unclassified Information (CUI)
- For Official Use Only (FOUO)
- Personally Identifiable Information (PII) – Examples include social security numbers (SSNs), alien registration numbers, biometric identifiers, and financial account numbers.
- Health Insurance Portability and Accountability Act (HIPAA) information
- Proprietary Data
- Contracting Data
In addition, encrypted emails containing privacy sensitive information must be appropriately labeled as follows:
- Include the subject line: "FOUO: PRIVACY SENSITIVE."
- Include the attachment file name (if any): "FOUO: PRIVACY SENSITIVE."
- Include in the body of both the email and the attachment (if any): "FOUO: PRIVACY SENSITIVE. Any misuse or unauthorized disclosure may result in both criminal and civil penalties."
Email, CACs and Public/Private Keys
A CAC contains one or more sets of public/private cryptographic key pairs that are uniquely associated with the identity of the person to whom the card was issued. These two keys are used to assure non-repudiation, integrity and confidentiality:
- Non-repudiation and Integrity: The private key associated with a PKI certificate on your CAC is used when you digitally sign an outgoing email. The corresponding public key is delivered to the recipient in the email you send. The recipient then uses your public key to verify your identity (non-repudiation) and that the email has not been altered in transit (integrity).
- Confidentiality: Encrypting an outgoing email requires the use of the intended recipient's public key, taken from a PKI certificate previously sent to you by the intended recipient. The only key that will decrypt your email is the private key that corresponds to the recipient's public key. This is how message confidentiality is maintained: no one but the recipient has the private key that can decrypt it. This means that -- in order to send an encrypted email to someone -- you must first have received a digitally signed email from that person.
Digital signatures confirm that the message comes from the sender who signed the message, and that it has not been altered at any point during transmission. Digital signatures also ensure that the sender cannot deny sending the message, since it required access to the private key on their CAC. You may choose to digitally sign all of your email messages by default, using an Outlook setting, or you may choose to turn your digital signature on and off depending upon the content of the email you are sending.
Email encryption protects information confidentiality by ensuring that no one but the intended recipient can read it. When you encrypt an email message, you rely on your ability to access the recipient's public key, usually from within a directory or access list, or from a previously received email from which you added the recipient to your contact list. When the recipient receives and decrypts your email, they use their private key, which resides on their common access card (CAC). Likewise, your own public key resides on your CAC. Public keys can be transmitted between users via emails that are digitally signed using CAC certificates.
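The sign, extract-certificate, encrypt sequence described above, as an added example using openssl's S/MIME commands (this is not NDU material; the self-signed test certificates and the names alice and bob are constructed stand-ins for CAC certificates, and -CAfile stands in for the DoD root certificates an Outlook client trusts). Alice signs, Bob verifies and saves her certificate out of the signed message, encrypts to it, and only Alice's private key can decrypt the result.

```shell
#!/bin/sh
# Added example (not NDU material): the page's sign / extract-certificate /
# encrypt flow using openssl's S/MIME commands. Self-signed test certificates
# and the names alice/bob are constructed stand-ins for CAC certificates.
set -e
WORK=$(mktemp -d); cd "$WORK"

mkcert() {  # $1 = name, $2 = e-mail address; the key pair a CAC would hold
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -keyout "$1.key" \
    -out "$1.crt" -subj "/CN=$1/emailAddress=$2" >/dev/null 2>&1
}
mkcert alice alice@example.test
mkcert bob bob@example.test
printf 'Subject: FOUO: PRIVACY SENSITIVE\n\nConstructed test message.\n' > msg.txt

# 1) Alice signs with her private key; the signed message carries her certificate.
sign_as_alice() {
  openssl smime -sign -in msg.txt -signer alice.crt -inkey alice.key -out signed.eml
}

# 2) Bob verifies the signature (integrity, non-repudiation) and saves Alice's
#    certificate out of the message: the "Add to Outlook Contacts" step.
#    -CAfile alice.crt stands in for the DoD root CAs an Outlook client trusts.
bob_verifies() {
  openssl smime -verify -in signed.eml -CAfile alice.crt \
    -signer alice_from_mail.crt -out verified.txt >/dev/null 2>&1
}

# 3) Bob encrypts a reply to the public key he just received from Alice.
bob_encrypts() {
  openssl smime -encrypt -aes256 -in msg.txt -out enc.eml alice_from_mail.crt
}

# 4) Decrypt as the named identity; only Alice's private key can succeed.
decrypt_as() {
  openssl smime -decrypt -in enc.eml -recip "$1.crt" -inkey "$1.key" \
    -out "dec_$1.txt" 2>/dev/null
}

# Returns 0 when every step behaves as the page describes.
run_flow() {
  sign_as_alice && bob_verifies && bob_encrypts || return 1
  tr -d '\r' < verified.txt | cmp -s msg.txt - || return 1    # content intact
  decrypt_as alice || return 1
  tr -d '\r' < dec_alice.txt | cmp -s msg.txt - || return 1   # Alice can read it
  if decrypt_as bob; then return 1; fi                        # Bob's key cannot
  ! grep -q 'Constructed test message' enc.eml                # body not in clear
}
run_flow && echo "S/MIME flow behaved as expected"
```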
The ability to encrypt email does NOT enable users to send classified information over unclassified systems. Doing so constitutes a classified messaging incident (CMI) that must be reported to DoD’s Privacy Manager, and which may result in disciplinary action against the violator.
Smart Card (CAC) Readers and DoD Certificates
To access CAC-restricted websites such as the Defense Travel Service, military service personnel files, etc., from your personal device, you will need to install a Smart Card (CAC) Reader and DOD Certificates on your computer.
Pro MacOS X 10.12.6 or Newer
Beginning with MacOS 10.12 (Sierra), Apple introduced a new API, "CryptoTokenKit," to support Smart Cards (CACs). At this time, however, many third-party applications such as Outlook, Firefox and others do not yet support this API. NDU recommends that users disable CryptoTokenKit and instead use the older, more compatible "TokenD" software for greater Smart Card (CAC) support in MacOS.
NDU also recommends the use of a specific Smart Card (CAC) software solution developed for DoD. While other third-party software exists to enable TokenD support for MacOS, NDU can only provide support for DoD-compliant software at this time.
PC Windows 10 or Newer
If you need to exchange an encrypted email with someone using a private, non-NDU or non-DoD email address, that person will need to ensure that their email program is configured to send and receive signed and encrypted email messages. DISA offers instructions for the most widely used email programs at https://iase.disa.mil/pki-pke/Pages/email.aspx, and for specific mobile devices at https://iase.disa.mil/pki-pke/Pages/mobile.aspx.
A common issue preventing the use of encrypted email is that the sender may not have the recipient's public key (without it, the message cannot be encrypted so that the recipient can open it). The NDU global address list (GAL) may not contain the recipient's public key, or the recipient may exist outside of NDU.
If you aren’t sure whether you have the recipient’s public key:
- Open a digitally signed message from the recipient;
- Right-click the sender's name in the “From” field; and,
- Select “Add to Outlook Contacts.”
CAC-enabled email senders can also retrieve an NDU or DoD recipient's email address and public key from DISA’s DoD Global Directory Service. The service opens an email window and automatically provides the recipient’s public encryption key for the sender’s use.
Reporting the Spillage of Sensitive Information
The transmission of unencrypted information requiring encryption must be reported immediately. See "PII Breach Reporting" on the NDU Privacy Program page.