Email Security and NIST SP 800-171 Compliance

Like most everyone else, we use email daily in our small business activities. From general announcements to document and file sharing, email is ubiquitous. Adversaries have long known this as well, as evidenced by the amount of spam and malicious email we see in our inboxes. Worldwide, more than half of the email we receive is unwanted spam, advertising or phishing. Phishing is the most concerning of these, because the sender is attempting to extract sensitive information or credentials from the victim.

In the midst of all this noise, we are trying to do business. Those of us who support U.S. Government activities and contracts have additional responsibilities to operate securely and protect sensitive information. Being able to trust the email we receive, both the sender and its contents, is an important consideration. Part of our obligations include controlling access to sensitive information, which extends to whom we correspond with via email, in both directions. How can we apply controls to email to help meet these responsibilities?

NIST Update

The National Institute of Standards and Technology (NIST) recently released an update to Special Publication 800-177, Trustworthy Email. A welcome update, this guideline provides solid guidance on how to make email more secure and reliable. One of the key takeaways is that we can become more secure by changing the way we use email. It does not necessarily demand new hardware or software; rather, it asks us to think about how we verify the sender, the recipient and the content. We then create and execute operational policies that change how we use this valuable communications tool so that it becomes more trustworthy.

At Assured Bridge, we use email security certificates to sign and, when appropriate, encrypt email contents. A valid signature tells us, with great certainty, who the email is from and that it was not altered in transit; signing our own mail gives our recipients the same assurance about us. If the contents of an email include information sensitive to operations or contracts, we encrypt it to the recipient's certificate so that only the holder of the matching private key can decrypt it. This also protects those contents while they sit on external mail servers or in an inbox. Note that the assurance a signature gives depends on the recipient's mail client trusting the certificate authority that issued the sender's certificate; a signature that chains to an untrusted issuer should be treated as unverified.
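The signing, verification, encryption and decryption workflow described above, as an added example that is not part of the original post or Assured Bridge's own tooling. It uses the openssl command-line S/MIME commands; the identities alice and bob, their addresses, the working directory and the message text are constructed for the demonstration, and the self-signed certificates stand in for CA-issued ones. The negative cases (a tampered body, a signer the receiver does not trust, decryption with the wrong key) show what the certificate checks actually reject.

```shell
#!/bin/sh
# Added example (not from the original post): S/MIME round trip with the openssl CLI.
# Identities, addresses and message text below are constructed for the demo;
# production mail would use certificates issued by a CA the recipient's client trusts.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

# Working directory for keys, certificates and messages (assumed, constructed for the demo).
WORK="${SMIME_DEMO_DIR:-$(mktemp -d)}"

# Create a key pair and a self-signed certificate bound to an e-mail address.
make_identity() {   # make_identity <name> <address>
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1" -addext "subjectAltName=email:$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Clear-sign a plaintext file with the sender's key; output is multipart/signed MIME
# (body in the clear, detached signature in the second part).
sign_message() {    # sign_message <sender> <plain> <out>
    openssl smime -sign -text -in "$2" -out "$3" \
        -signer "$WORK/$1.crt" -inkey "$WORK/$1.key"
}

# Verify a signed message against a trust anchor (here the sender's own self-signed cert).
# Exits 0 only if the signature matches the content AND the signer chains to the anchor.
verify_message() {  # verify_message <anchor> <signed> <out>
    openssl smime -verify -in "$2" -CAfile "$WORK/$1.crt" -out "$3" 2>/dev/null
}

# Encrypt to the recipient's certificate so only the matching private key can read it.
# -binary keeps the input bytes exact so the decrypted output compares equal to the input.
encrypt_message() { # encrypt_message <recipient> <plain> <out>
    openssl smime -encrypt -binary -aes256 -in "$2" -out "$3" "$WORK/$1.crt"
}

decrypt_message() { # decrypt_message <recipient> <encrypted> <out>
    openssl smime -decrypt -in "$2" -out "$3" \
        -recip "$WORK/$1.crt" -inkey "$WORK/$1.key" 2>/dev/null
}

# Run the whole round trip; returns 0 only if every positive and negative case behaves.
demo() {
    make_identity alice alice@example.com
    make_identity bob   bob@example.com
    printf 'Please wire payment for PO-1234 to the account on file.\n' > "$WORK/plain.txt"

    # Genuine signed mail verifies and the body is recovered.
    sign_message alice "$WORK/plain.txt" "$WORK/signed.eml"
    verify_message alice "$WORK/signed.eml" "$WORK/verified.txt" || return 1

    # Tamper with the clear-text body after signing: the signature no longer matches.
    sed 's/PO-1234/PO-9999/' "$WORK/signed.eml" > "$WORK/tampered.eml"
    if verify_message alice "$WORK/tampered.eml" "$WORK/t.txt"; then return 1; fi

    # A signature from an identity the receiver does not trust fails against alice's anchor.
    sign_message bob "$WORK/plain.txt" "$WORK/signed-bob.eml"
    if verify_message alice "$WORK/signed-bob.eml" "$WORK/u.txt"; then return 1; fi

    # Encrypted mail hides the body; only bob's key recovers it, alice's does not.
    encrypt_message bob "$WORK/plain.txt" "$WORK/enc.eml"
    grep -q 'PO-1234' "$WORK/enc.eml" && return 1
    decrypt_message bob "$WORK/enc.eml" "$WORK/dec.txt" || return 1
    cmp -s "$WORK/plain.txt" "$WORK/dec.txt" || return 1
    if decrypt_message alice "$WORK/enc.eml" "$WORK/w.txt"; then return 1; fi

    echo "all S/MIME checks behaved as expected (artifacts in $WORK)"
}

demo
```

The verify step deliberately passes a trust anchor with -CAfile rather than -noverify: a valid signature from an unknown certificate proves only that someone holds some key, which is the situation a phisher can arrange for themselves. In a real mail client the anchor is the CA store, and the name-to-address binding in the certificate's subjectAltName is what ties the signer to the From address.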

For our customers, our system security policy templates include email security controls written to meet the requirements of NIST SP 800-171 and DFARS Clause 252.204-7012.

NIST SP 800-177 Trustworthy Email

NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Read our previous blog: Email Digital Signatures – Do you know who it’s from?

Certified Information System Security Professional Daniel Bjorklund is the information assurance and cybersecurity subject matter expert for Assured Bridge LLC, a company specializing in cybersecurity compliance solutions. With over 20 years’ experience in U.S. military intelligence and security operations, plus significant involvement in government, commercial and private sector cybersecurity initiatives, Dan has comprehensive knowledge of today’s rapidly-evolving cyber-dependent world. A recently-licensed pilot and amateur radio operator, Dan lives with his wife in South Carolina.
Dan can be found on LinkedIn (https://www.linkedin.com/in/dbjorklundcissp/) and Twitter (https://twitter.com/IASE_at_large)