DON Digital Signature and Encryption Policy for Emails Containing PII
By DON CIO Privacy Team - Published July 18, 2011
The purpose of this tip is to reinforce existing DON policy regarding digitally signing and encrypting emails that contain personally identifiable information (PII).
PII is defined in DoD 5400.11-R, Department of Defense Privacy Program, as:
Personal Information. Information about an individual that identifies, links, relates, or is unique to, or describes him or her, e.g., a social security number; age; military rank; civilian grade; marital status; race; salary; home phone numbers; other demographic, biometric, personnel, medical, and financial information, etc. Such information is also known as personally identifiable information (i.e., information that can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother's maiden name, biometric records, including any other personal information which is linked or linkable to a specified individual).
In October of 2008, DON CIO released a GENADMIN message, DON Policy Updates for Personal Electronic Devices Security and Application of Email Signature and Encryption, that reiterated guidance previously provided in 2004 requiring DON users to digitally sign email messages requiring either message integrity and/or non-repudiation, and encrypt messages containing sensitive information (including privacy information).
A digital signature is a "stamp" on an email that is unique to the user and provides an accurate means of identifying the originator of a message (message authenticity). A digital signature assures the recipient that the original content of the message or document is unchanged (data integrity). A digital signature also binds the message to the sender's identity in a way the sender cannot later deny (non-repudiation). View NMCI Homeport for more about digital signatures.
Encryption is used as a means of protecting email containing sensitive information, while at rest or in transit, across the global information grid. View NMCI Homeport for information regarding data at rest (DAR).
NMCI Homeport also has instructions on how to digitally sign and encrypt emails.
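The three signature properties above (authenticity, integrity, non-repudiation) and the confidentiality that encryption adds are easiest to see by exercising them. The following Go program is an added illustration, not code from DON CIO or NMCI: it stands in for S/MIME with an Ed25519 signature over the email body and AES-GCM encryption of that body under a constructed shared key (in NMCI the signing key lives on the user's CAC and the encryption key is derived from the recipient's certificate). The type and function names (`protectedEmail`, `protectEmail`, `openEmail`) and the sample PII values are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// protectedEmail is a constructed stand-in for a signed and encrypted S/MIME
// message: the sealed body plus the sender's signature over the plaintext.
type protectedEmail struct {
	Sealed    []byte // nonce || ciphertext || GCM tag
	Signature []byte // Ed25519 signature over the plaintext body
}

// signBody makes the "stamp" only the holder of the private key can produce
// (authenticity; the sender cannot later deny it: non-repudiation).
func signBody(priv ed25519.PrivateKey, body []byte) []byte {
	return ed25519.Sign(priv, body)
}

// verifyBody checks the stamp with the sender's public key; any change to the
// body after signing makes this return false (integrity).
func verifyBody(pub ed25519.PublicKey, body, sig []byte) bool {
	return ed25519.Verify(pub, body, sig)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptBody seals the body so it is unreadable at rest or in transit
// without the key; a fresh random nonce is prepended to the ciphertext.
func encryptBody(key, body []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, body, nil), nil
}

// decryptBody opens a sealed body; the GCM tag check rejects any ciphertext
// that was modified in transit.
func decryptBody(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed body too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// protectEmail signs the plaintext and encrypts it (sign-then-encrypt).
func protectEmail(priv ed25519.PrivateKey, key, body []byte) (protectedEmail, error) {
	sealed, err := encryptBody(key, body)
	if err != nil {
		return protectedEmail{}, err
	}
	return protectedEmail{Sealed: sealed, Signature: signBody(priv, body)}, nil
}

// openEmail decrypts, then verifies the signature over the recovered body. It
// fails closed: tampered ciphertext or a signature from another sender both
// return an error instead of the PII.
func openEmail(pub ed25519.PublicKey, key []byte, msg protectedEmail) ([]byte, error) {
	body, err := decryptBody(key, msg.Sealed)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	if !verifyBody(pub, body, msg.Signature) {
		return nil, errors.New("signature does not verify: unknown sender or altered body")
	}
	return body, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed sender key pair
	key := make([]byte, 32)                          // constructed AES-256 key
	rand.Read(key)
	// Constructed sample body with fake PII values.
	body := []byte("FOR OFFICIAL USE ONLY (FOUO) - PRIVACY SENSITIVE\nSSN: 000-00-0000 Rank: E-5")

	msg, _ := protectEmail(priv, key, body)
	got, err := openEmail(pub, key, msg)
	fmt.Printf("round trip ok: %v, err=%v\n", bytes.Equal(got, body), err)

	// Flip one bit of the ciphertext: GCM rejects it before the PII is exposed.
	tampered := msg
	tampered.Sealed = append([]byte(nil), msg.Sealed...)
	tampered.Sealed[len(tampered.Sealed)-1] ^= 0x01
	_, err = openEmail(pub, key, tampered)
	fmt.Println("tampered ciphertext:", err)

	// Verify against someone else's public key: the stamp does not match.
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, err = openEmail(otherPub, key, msg)
	fmt.Println("wrong sender key:", err)
}
```

The order matters for a recipient: decrypt first, then verify, and release the body only when both succeed. Note that the symmetric key here is a simplification; with S/MIME the sender encrypts a per-message key to each addressee's certificate, which is also why the email must go only to recipients with a need to know.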
In addition to digitally signing and encrypting emails containing PII, the body of the email, including any email attachments containing PII, must be marked properly (i.e., "FOR OFFICIAL USE ONLY (FOUO) – PRIVACY SENSITIVE. Any misuse or unauthorized disclosure may result in both civil and criminal penalties") per SECNAVINST 5211.5 series. The email must only be sent to those recipients that have an official need to know.
If the above procedures are not followed, a loss or compromise (i.e., breach) of PII may occur. Consult the breach reporting resources available on the DON CIO website to determine how to proceed, or call the DON Privacy Office at (703) 695-1297 or (703) 697-0045. You may also submit a privacy question via the website.