Emails Containing PII (in the body or in an attachment):
- Should only be sent to recipients with an official need-to-know.
- The SUBJECT line must include the marking "CUI".
- If an attachment contains PII, the attachment file name and the top and bottom of each page must include the marking "CUI", and the first page of the attachment should contain a CUI indicator block.
- If the body of the email contains PII, the top and bottom of the email must include the marking "CUI", and it should include a CUI indicator block.
- Must be digitally signed and encrypted. (Note: Digitally signing an email is NOT the same as appending a “signature block” to the bottom of the outgoing message contents.)
USNA supports encrypting and digitally signing email using Microsoft Outlook and your government-issued Common Access Card (CAC).
Your use of an email client other than Outlook does not obviate the requirement that you encrypt and digitally sign email containing PII.
A CAC contains one or more public/private cryptographic key pairs that are uniquely associated with the identity of the person to whom the card was issued. These keys are used to provide non-repudiation, integrity, and confidentiality.

Non-repudiation and Integrity: The private key held on your CAC, paired with its PKI certificate, is used when you digitally sign an outgoing email. The public key associated with that private key is delivered along with the email. The recipient uses that public key to verify your identity (non-repudiation) and to confirm that the email has not been altered in transit (integrity).

Confidentiality: When you encrypt an outgoing email, you use the recipient's public key from a PKI certificate previously sent to you. The only key that will decrypt it is the recipient's associated private key. This is how message confidentiality is maintained: no one but the recipient holds the private key that can decrypt it.
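The sign-then-encrypt flow described above, as an added illustration that is not USNA, Outlook or DoD PKI code: it uses only the Go standard library, generates the sender's signing pair and the recipient's encryption pair in place instead of reading them from a CAC, and chooses RSA-PSS and RSA-OAEP as the concrete algorithms. Everything else (the Envelope type, function names, the sample message) is this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is what travels with the email: the signature made with the
// sender's private key and the body encrypted to the recipient's public key.
// The sender's public certificate rides along so the recipient can verify.
type Envelope struct{ Sig, Ciphertext []byte }

// SignAndEncrypt signs the body with the sender's private signing key
// (non-repudiation, integrity) and encrypts it to the recipient's public
// encryption key (confidentiality). RSA-OAEP with SHA-256 on a 2048-bit key
// holds at most 190 bytes, so the body here is a short note; real S/MIME
// encrypts the body with a symmetric session key and RSA-wraps only that key.
func SignAndEncrypt(senderSign *rsa.PrivateKey, recipientEnc *rsa.PublicKey, body []byte) (*Envelope, error) {
	h := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, senderSign, crypto.SHA256, h[:], nil)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientEnc, body, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Sig: sig, Ciphertext: ct}, nil
}

// DecryptAndVerify is the recipient's side: decrypt with the recipient's
// private encryption key, then verify the signature with the sender's public
// signing key. A different certificate (for example a newer CAC's key), an
// altered ciphertext or a bad signature returns an error rather than a body.
func DecryptAndVerify(recipientEnc *rsa.PrivateKey, senderSign *rsa.PublicKey, env *Envelope) ([]byte, error) {
	body, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientEnc, env.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(body)
	if err := rsa.VerifyPSS(senderSign, crypto.SHA256, h[:], env.Sig, nil); err != nil {
		return nil, err
	}
	return body, nil
}
```

The failing cases are the ones the rest of this page cares about: mail encrypted to an old certificate does not open with a new card's key, and any change to the message in transit fails verification.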
Acceptable Methods to Email PII:
1. Digitally sign and encrypt. This method requires: the use of the Outlook interface, both parties (recipient and sender) to have valid CAC email certificates that are linked to their current official email addresses, and the sender to have the other party's certificate saved in their contacts before encrypting. Information about using this method and setting up your account can be found in the Information Technology Service Center's How To Guide. (Note: you can search for, download, and save DoD personnel's digital certificates using the DoD Enterprise White Pages at https://www.whitepages.mil/. You must have a valid CAC to access the DoD White Pages.)
2. Department of Defense Safe Access File Exchange (DoD SAFE). DoD SAFE is an authorized way to send UNCLASSIFIED files, including Privacy Act data, PII, CUI, PHI, and large files up to 8 GB. Guest users (non-CAC holders) can use DoD SAFE to send files to authorized users (CAC holders) as long as an authorized user first requests the file through DoD SAFE. To use DoD SAFE, visit https://safe.apps.mil.
Recovering a Previously Used CAC Certificate in Order to Read Encrypted Emails (DoD PKI Recovery):
Only the CAC certificate in use when an encrypted email was sent can decrypt and read that email. If you get a new CAC, the new certificate will not decrypt previously encrypted emails. To read emails sent using your previous certificates, you must reload those certificates onto your CAC every time you get a new card, or those emails will fail to decrypt when you try to read them. To recover your previous certificates, follow the directions and links provided in the DoD PKI Automatic Key Recovery slide deck. Use the DREN VPN when accessing the recovery site, or you will get an error message and be unable to reach the site.