Digital Signatures on Email Now a DoD Requirement


Story Number: NNS090220-12Release Date: 2/20/2009 1:35:00 PM
A  A  A   Email this story to a friend   Print this story
By Mass Communication Specialist 2nd Class(SW) Christopher Koons, Naval Network Warfare Command Public Affairs

NORFOLK (NNS) -- The Department of Defense has implemented a policy requiring employees to digitally sign all e-mails containing a link or an attachment Feb. 12.

A digital signature is also required for any e-mail that provides direction or tasking, requests or responds to requests for resources, promulgates organization position, discusses any operational matter, discusses contract or finance matters, or discusses personnel management matters. The need exists to ensure that the originator is the actual author and that the e-mail was not tampered with in transit.

The policy, which was updated for the Navy in September 2008, applies to all unclassified e-mail sent from a DoD-owned, operated or controlled system or account to include desktops, laptops, and personal electronic devices such as BlackBerrys.

"It ensures that the information from links and attachments comes from a trustworthy source," said Lt. Cmdr. Damen Hofheinz, U.S. Fleet Forces deputy for Information Assurance. "For example, if an e-mail contains a link, you need to know that it leads you to a valid web site."

A digital signature is a "stamp" on an e-mail, which is unique to the user and provides an accurate means of identifying the originator of a message. Its toolbar icon is an envelope with a red seal on top. A digital signature assures the recipient that the original content of the message or document is unchanged. It also provides the sender with proof of delivery and the recipient with proof of the sender's identity and reassurance that the e-mail's originator is its actual author.

Some e-mails require added protection in the form of the encryption key, which, like the digital signature key, has an envelope icon but has a blue lock rather than red seal on it. Navy policy requires encryption of all e-mails that contain Privacy Act Information (PII), Health Insurance Portability and Accountability Act Information, contract information, classified as 'for official use only' (FOUO) or that may serve as an OPSEC indicator.

"If you send an e-mail which contains Personally Identifiable Information (PII) such as your social security number or if the message is for official use only (FOUO), you need to encrypt as well as digitally sign it," Hofheinz said. "Encryption provides an extra level of protection."

Encrypting e-mail is made much easier when personnel publish their certificates to the global address list (GAL). This can be accomplished in Outlook by opening the "Tools" menu then selecting "Options." On the "Security" tab there is a "Publish to GAL" button. Clicking on this button will ensure that other users on the network can send encrypted e-mail back to the originator.

OCONUS Navy Enterprise Network (ONE-NET) has already implemented a network policy for all e-mails to be digitally signed and NMCI started implementation on 12FEB09. Users will have to deselect the digitally signed button in Outlook to send unsigned e-mails. "It is one part of our overall Public Key Infrastructure (PKI) implementation, which is designed to prevent bad guys from accessing information we send over the Internet," said Hofheinz.

For more information on the military's digital signature/encryption policy, visit https://www.infosec.navy.mil/PKI.

For more news from Naval Network Warfare Command, visit www.navy.mil/local/nnwc/.

STORY COMMENTS
comments powered by Disqus
Commenting Policy
 
 
RELATED CONTENT
Navy Social Media
Sign up for email updates To sign up for updates or to access your subscriber preferences, please click on the envelope icon in the page header above or click here.