NIST SP 800-177 Rev. 1 was written with federal email security in mind, but SMBs can also use the guidance to secure their email systems.
Email breaches can be just as destructive to organizations as customer data breaches; just ask Sony Pictures and the Democratic National Committee. A breach of a federal government agency’s email system may not just be embarrassing or scandalous to the agency; it could put national security at risk. To help agencies protect sensitive and classified information from being stolen in an email hack, the National Institute of Standards and Technology (NIST) has released a finalized revision of SP 800-177 (Revision 1).
Titled Trustworthy Email, the publication outlines recommended practices for federal email security and supports FISMA compliance by mapping those practices to NIST's security controls. SP 800-177 complements SP 800-45 Version 2, Guidelines on Electronic Mail Security, published in 2007, with more current recommendations and guidance, including guidelines on digital signatures and encryption (via S/MIME), minimizing unwanted email (spam), and other aspects of email system deployment and configuration. It also includes an appendix with an overlay of the NIST SP 800-53 Rev. 4 controls and a detailed description of how email systems can meet the applicable controls.
While SP 800-177 was designed specifically for federal agencies, NIST notes that small and medium-sized businesses in the private sector can benefit from applying the same email security practices to protect confidential business information.
Federal Email Security: Beyond SMTP
The internet's core email protocol, the Simple Mail Transfer Protocol (SMTP), was first specified in 1982, when security was not a design consideration. SP 800-177 recommends continuing to use SMTP together with the existing Domain Name System (DNS), but notes that, as originally designed, neither protocol authenticates the sender or protects a message from being read or altered on its way to the recipient, which exposes email to spoofing, man-in-the-middle content modification, and eavesdropping. Federal agencies must therefore add safeguards such as spoofing protection, integrity protection, encryption, and authentication before their email systems are fit for government, financial, and medical communications.
The publication describes best practices for authenticating a sending domain and protecting email in transit using the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC), and Transport Layer Security (TLS) between mail servers. It also recommends Secure/Multipurpose Internet Mail Extensions (S/MIME) for email that requires end-to-end authentication and confidentiality, because TLS protects only each server-to-server hop and not the message as it sits in mailboxes along the way.
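To make the DNS side of this concrete, here is an added example, not code from NIST or from this page: a small offline Python checker that reads constructed SPF, DKIM and DMARC TXT records for a fictional agency.example domain and flags the weak settings that are most often shipped (a ?all or +all default in SPF, a t=y testing flag on the DKIM key, a p=none DMARC policy with no reporting address) beside a hardened set of the same records. The domain name, the sel1 selector and the zone contents are assumptions made for the example; the key material is a placeholder string, and no DNS lookups are made, so the script runs offline.

```python
"""Offline checker for the SPF, DKIM and DMARC TXT records a sending domain
publishes. The zone data is constructed for this example; nothing is looked
up over the network."""
import re

# Constructed records for a fictional domain. The "weak" set shows settings
# that are commonly shipped but give little protection; the "hardened" set is
# the same domain with enforcing values. The p= key data is a placeholder.
WEAK_ZONE = {
    "agency.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example ?all",
    "sel1._domainkey.agency.example": "v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEXAMPLEKEY",
    "_dmarc.agency.example": "v=DMARC1; p=none",
}
HARDENED_ZONE = {
    "agency.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "sel1._domainkey.agency.example": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEXAMPLEKEY",
    "_dmarc.agency.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency.example; adkim=s; aspf=s",
}

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERM = re.compile(r"[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=/].*)?", re.I)


def parse_tags(record):
    """Parse a 'tag=value; tag=value' list (the syntax DKIM and DMARC share)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return findings for an SPF record; an empty list means no weakness found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: no v=spf1 record; receivers cannot tell which hosts may send"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    else:
        # A mechanism with no explicit qualifier defaults to "+" (pass).
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' authorises every host on the internet to send as this domain")
        elif qualifier == "?":
            findings.append("SPF: '?all' gives no verdict for unlisted hosts; use '-all'")
        elif qualifier == "~":
            findings.append("SPF: '~all' is softfail; move to '-all' once DMARC reports are clean")
    if sum(1 for t in terms[1:] if LOOKUP_TERM.fullmatch(t)) > 10:
        findings.append("SPF: more than 10 DNS-querying terms; evaluation returns permerror")
    return findings


def check_dkim(record):
    """Return findings for a DKIM public-key record at selector._domainkey.domain."""
    if not record:
        return ["DKIM: no key record at the selector; signatures cannot be verified"]
    tags = parse_tags(record)
    findings = []
    if "v" in tags and tags["v"] != "DKIM1":
        findings.append("DKIM: v= tag is present but not DKIM1")
    if not tags.get("p"):
        findings.append("DKIM: empty p= tag means the key is revoked; all signatures fail")
    if "y" in tags.get("t", "").split(":"):
        findings.append("DKIM: t=y testing flag set; verifiers treat mail no differently from unsigned mail")
    return findings


def check_dmarc(record):
    """Return findings for a DMARC policy record at _dmarc.domain."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: no v=DMARC1 record; SPF and DKIM results are never enforced"]
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= policy (the tag is required)")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject when reports show no legitimate failures")
    if int(tags.get("pct", "100")) < 100:
        findings.append("DMARC: pct below 100; policy applies to only a sample of failing mail")
    if not tags.get("rua"):
        findings.append("DMARC: no rua= address; aggregate reports are not collected")
    return findings


def assess(domain, zone, selector="sel1"):
    """Evaluate the three records for one domain from a zone snapshot (dict of TXT records)."""
    findings = check_spf(zone.get(domain, ""))
    findings += check_dkim(zone.get(f"{selector}._domainkey.{domain}", ""))
    findings += check_dmarc(zone.get(f"_dmarc.{domain}", ""))
    return findings


if __name__ == "__main__":
    for name, zone in (("weak", WEAK_ZONE), ("hardened", HARDENED_ZONE)):
        result = assess("agency.example", zone)
        print(f"{name}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Run as a script it reports four findings for the weak zone and none for the hardened one. The same checks work on live records if you replace the dictionaries with the output of a TXT lookup; a domain that sends no mail at all should still publish "v=spf1 -all" and a DMARC record with p=reject, which the checker also accepts without findings.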
SP 800-177 also outlines best practices for defending against the common threats to the integrity, availability, and confidentiality of email systems: spoofing and forging of sender addresses, phishing and spear phishing, eavesdropping and traffic analysis, modification of message content in transit, email bombing, and spam.
NIST points out in SP 800-177 that securing an email system is far more complex than securing a website, and there is no magic bullet for email security. Different federal agencies have different needs, data environments, and risk levels. But with state-sponsored attackers increasingly targeting federal agencies and government contractors, keeping sensitive and classified government email confidential is a matter of national security.
The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.