Emails Containing PII (in the body or in an attachment):
- Should only be sent to recipients with an official need-to-know.
- The SUBJECT line must state: "CUI."
- The attachment file name must state: "CUI."
- The top and bottom of the email and the top and bottom of the attachment must state: "CUI" and include a CUI indicator block.
- Must be digitally signed and encrypted. (Note: Digitally signing an email is NOT the same as appending a “signature block” at the bottom of the outgoing message contents.)
USNA supports encrypting and digitally signing email using Microsoft Outlook and your government-issued Common Access Card (CAC).
Your use of an email client other than Outlook does not obviate the requirement that you encrypt and digitally sign email containing PII.
A CAC contains one or more sets of public/private pair cryptographic key pairs that are uniquely associated with the identity of the person to whom the card was issued. These two keys are used to assure non-repudiation, integrity,and confidentiality. Non-repudiation and Integrity: Your private key stored in a PKI certificate on your CAC is used when you digitally sign an outgoing email. Your public key associated with that private key then gets delivered along with the email. The recipient then uses that public key to verify your identity (non-repudiation) and that the email has not been altered in transit (integrity). Confidentiality: When you encrypt an outgoing email you use the recipient’s public key from a PKI certificate previously sent to you. The only key that will decrypt it is the recipient’s associated private key. This is how message confidentiality is maintained: no-one but the recipient has the private key that can decrypt it.
Acceptable Methods to Email PII:
1. Digitally sign and encrypt. This method requires: the use of the Outlook interface, both parties (recipient and sender) to have valid CAC email certificates that are linked to their current official email addresses, and the sender to have the other party's certificate saved in their contacts before encrypting. Information about using this method and setting up your account can be found on the Information Technology Service Center's How To Guide. (Note: you can search for, download, and save DoD personnel’s digital certificates using the DoD Enterprise White Pages found at https://www.whitepages.mil/. You must have a valid CAC card to access the DoD White Pages.)
2. The Department of Defense Safe Access File Exchange (DoD SAFE) is an authorized way to send UNCLASSIFIED files to include Privacy Act Data, PII, CUI, PHI, and large files up to 8GB. Guest users (non-CAC holders) can use DoD SAFE to send files to authorized users (CAC holders) as long as an authorized user first solicits the file using DoD SAFE. To use DoD SAFE, visit https://safe.apps.mil.