Increase in large scale, targeted breaches in the U.S. annual average
Of Organizations experienced cyber attacks on operational technology infrastructure.
Malicious Mobile apps blocked daily
Email is ubiquitous with business operations and we’ve established routines and habits for it’s use. But, is the way we use it really trustworthy?
Regular emails can be spoofed at will, with the ‘from’ address changed to any that might be suitable to fool me. Digital signatures are the solution to this problem, and are inferred as part of the requirements for NIST SP 800-171 compliance. For individuals, a digital email signing certificate can be obtained for free, or at reasonable costs with just a credit card (also referred to as S/MIME certificates). There are, however, different levels of trust associated with these certificates and those differences are important to understand. A basic email signing certificate (free or low cost) only confirms that the email address is associated with the certificate. It does not confirm the identity of the user.
The U.S. government recognizes certificates that it issues to its workforce and contractors, and the burden of proof is substantial as is the verification of trust; one can be certain that the owner of the certificate is the sender of the email. But, what about those hoping to do business with the government and protect potential contract information?
There is a U.S. Government program called External Certificate Authority (ECA) that allows organizations to acquire validated digital email certificates for their employees and members. These certificates carry the same burden of proof and verification of trust. They can also be used to protect, via encryption, email correspondence and associated information. The ECA certificate program is another step to NIST SP 800-171 and DFARS Clause 7012 Compliance.