Email Security and NIST SP 800-171 Compliance


Like most everyone else, we use email services daily in our small business activities. From general announcements to document and file sharing, email is ubiquitous. Adversaries have long known this as well, as is evidenced by the amount of spam and malicious email we see in our inboxes. In fact, worldwide, more than half of the email we receive can be attributed to unwanted spam, advertising or phishing. Phishing, of course, is one of the most concerning, as senders attempt to extract important information or credentials from victims.

In the midst of all this noise, we're trying to do business. For those of us who support U.S. Government activities and contracts, we have additional responsibilities to operate securely and protect sensitive information. Ensuring that we can trust the email we receive, both the sender and its contents, is an important consideration. In fact, part of our obligations includes controlling access to sensitive information, which extends to whom we correspond with via email, in both directions. How can we apply controls to email to help meet these responsibilities?

NIST Update

The National Institute of Standards and Technology (NIST) recently released an update to Special Publication 800-177, Trustworthy Email. A welcome update, this guideline provides great information on how to make email more secure and reliable. One of the key takeaways from this publication is that we can become more secure by changing the way we use email. It doesn't necessarily demand new hardware or software, but rather that we think about how to verify sender, recipient and content. Then, we create and execute operational policies by which our use of this valuable communications tool is modified to be more trustworthy.

At Assured Bridge, we use email security certificates to sign and, when appropriate, encrypt email contents. Signing lets us know, with great certainty, who an email is from, and lets our recipients know it came from us. If the contents of the email include information sensitive to operations or contracts, we encrypt it to ensure that only the intended recipient will be able to decrypt it. Further, this also protects those contents while they reside on external servers or in an inbox.
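The sign-then-encrypt flow described above, shown with OpenSSL's `cms` command as an added example (this is not Assured Bridge's tooling or policy template). The sender and recipient names, the self-signed certificates and the message body are all constructed for the demo; in practice each party holds a certificate issued by a CA that the other side trusts, and that CA's certificate is what you pass to `-CAfile` when verifying. The demo also shows the two failure modes a verifier must catch: a message altered in transit, and a signature from a certificate the recipient does not trust.

```shell
#!/bin/sh
# Added example, not the blog's own code: S/MIME signing, verification,
# encryption and decryption with `openssl cms`. Everything below (names,
# certificates, message text) is constructed for demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed self-signed certificate for a hypothetical mailbox.
# A real deployment uses CA-issued email certificates instead.
make_identity() {            # $1 = local part, e.g. alice
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1@example.test/emailAddress=$1@example.test" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Constructed message; the hyphenated token makes tampering easy to spot.
write_message() {            # $1 = output path
  printf 'Subject: contract update\n\nPlease review attachment CUI-SUMMARY.\n' > "$1"
}

# Sign: ties the message to the sender's certificate and fixes its contents.
sign_message() {             # $1 = signer, $2 = input, $3 = signed output
  openssl cms -sign -in "$2" -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -out "$3"
}

# Verify: succeeds only if the signature is valid AND the signer chains to a
# certificate we trust (here, the cert named in $1). Any other outcome fails.
verify_message() {           # $1 = trusted cert, $2 = signed input, $3 = content output
  openssl cms -verify -in "$2" -CAfile "$WORK/$1.crt" -out "$3" >/dev/null 2>&1
}

# Encrypt to the recipient's certificate: only the holder of the matching
# private key can read it, whether it sits on a relay or in an inbox.
# -binary keeps the bytes exactly as given so decryption round-trips.
encrypt_message() {          # $1 = recipient, $2 = input, $3 = encrypted output
  openssl cms -encrypt -binary -aes256 -in "$2" -out "$3" "$WORK/$1.crt"
}

decrypt_message() {          # $1 = recipient, $2 = encrypted input, $3 = output
  openssl cms -decrypt -in "$2" -inkey "$WORK/$1.key" -recip "$WORK/$1.crt" \
    -out "$3"
}

# Simulate alteration in transit: change one word of the signed body.
tamper() {                   # $1 = signed input, $2 = tampered output
  sed 's/CUI-SUMMARY/CUI-REVISED/' "$1" > "$2"
}

demo() {
  make_identity alice
  make_identity bob
  write_message "$WORK/msg.txt"

  sign_message alice "$WORK/msg.txt" "$WORK/msg.signed"
  if verify_message alice "$WORK/msg.signed" "$WORK/msg.verified"; then
    echo "signature from alice verified"
  fi

  tamper "$WORK/msg.signed" "$WORK/msg.tampered"
  if verify_message alice "$WORK/msg.tampered" "$WORK/junk"; then
    echo "UNEXPECTED: tampered message verified"
  else
    echo "tampered message rejected"
  fi

  if verify_message bob "$WORK/msg.signed" "$WORK/junk2"; then
    echo "UNEXPECTED: untrusted signer accepted"
  else
    echo "signer not trusted by bob's anchor: rejected"
  fi

  # Sign first, then encrypt the signed message to the recipient.
  encrypt_message bob "$WORK/msg.signed" "$WORK/msg.enc"
  decrypt_message bob "$WORK/msg.enc" "$WORK/msg.dec"
  if cmp -s "$WORK/msg.signed" "$WORK/msg.dec"; then
    echo "bob decrypted the signed message intact"
  fi
}

demo
```

The order matters: signing first and then encrypting the signed message means the recipient, after decrypting, can still verify who wrote it, while anyone holding the message without the recipient's private key sees only ciphertext. Verification is done against a trust anchor, not against whatever certificate happens to be attached to the message, which is why the same signed message is rejected when checked against Bob's certificate.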

For our customers, our system security policy templates include email security to meet the compliance requirements of NIST SP 800-171 and DFARS Clause 7012.

NIST SP 800-177 Trustworthy Email

NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Read our previous blog: Email Digital Signatures – Do you know who it’s from?


Daniel Bjorklund


With over 30 years of experience, Daniel Bjorklund is a dedicated information security practitioner, mentor and innovator. He serves as a principal vCISO at Assured Bridge, helping to mature and guide compliance-as-a-service and managed security service provider operations. He is also active in the startup and entrepreneurial communities in the Augusta, GA area, helping set firm cybersecurity foundations for new companies and efforts.

Dan is a current CISSP and holds a Master of Science degree in Information Assurance and Security and a Bachelor of Science degree in Information Technology. When not hunched in front of a computer, Dan can often be found above 3000 feet avoiding highway traffic, flying his airplane as a licensed pilot. He and his wife enjoy outdoor activities, biking, fishing and sightseeing in the Southeastern United States.
