Organizational Mailboxes Require PKI Encryption

  • Published
  • By Mr. Ralph Milone
  • Eglin Signature Management Officer
Master Sgt. "Pete Myers," the supervisor of Staff Sgt. "Joseph Mason," forwarded an e-mail message with an attachment to an organizational mailbox.

The attachment included Sergeant Mason's social security number and other personally identifiable information. Sergeant Myers, knowing the attachment contained sensitive and Privacy Act information, tried to send the message encrypted. His computer, however, displayed a notice stating that the message could not be sent encrypted and asked him either to send the message unencrypted or to cancel it entirely. Sergeant Myers knew the information was time sensitive, so he chose to send the message unencrypted to the organizational mailbox.

A few weeks later, Sergeant Mason received his monthly credit card bill in the mail. He opened the envelope, reviewed his monthly purchases and discovered what appeared to be four erroneous charges to his credit card, totaling $4,000. After cutting through a great deal of red tape to have the charges removed from his card, Sergeant Mason learned that his identity had been stolen by an attacker who had compromised the organization's mailbox with spyware delivered in an infected e-mail attachment, and who was therefore able to read the unencrypted message.

The names of Sergeants Myers and Mason are fictitious, but this scenario can happen whenever the necessary steps are not taken to encrypt e-mails containing information designated For Official Use Only (FOUO), Privacy Act (PA) information or personally identifiable information (PII) sent to organizational mailboxes.

According to Shari Carney, Eglin Local Registration Authority, "Team Eglin organizations that have established organizational mailboxes for customers to transmit their messages to one central location within an organization are usually unaware of the appropriate encryption requirements."

Several Air Force instructions address the use of encryption when e-mailing sensitive information such as FOUO or PA data. AFI 33-332, Privacy Act Program, states: "when sending personal information over electronic mail it is protected from unauthorized disclosure, loss, or alteration. Protection methods may include encryption or password protecting the information in a separate Word document."

More stringent requirements are specifically outlined in AFI 33-119, Air Force Messaging, which states: "E-mails shall be encrypted when they contain FOUO and PA information. Additional protection methods may include password protecting the information in a separate Word document." Besides requiring encryption for e-mails transmitting FOUO and PA information, the same instruction stipulates that "Operations Security (OPSEC) critical information and its indicators must also be encrypted before transmission."

To comply with those instructions, organizations that have established organizational mailboxes must obtain role-based certificates for the mailbox. These certificates provide digital signature authentication of the sender and the ability to encrypt e-mail sent to and from the mailbox; without an encryption certificate for the mailbox, a sender's mail client has no key to encrypt to, which is exactly the notice Sergeant Myers received.
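The check a practitioner would want from this scenario, as an added example that is not the article's or Eglin's tooling: an S/MIME (CMS) encryption step that fails closed, refusing to send when no recipient certificate exists instead of offering a "send unencrypted" fallback. It uses the OpenSSL command line with a self-signed stand-in for the organizational mailbox's role-based certificate; the `example.orgbox` subject, the file names and the sample message are all assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not the article's or Eglin's tooling): encrypt a message to an
# organizational mailbox's role-based certificate with S/MIME (CMS), and refuse
# to send when no certificate is available. All names and paths are assumptions.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the org box's encryption certificate and private key.
# In practice the certificate comes from the Local Registration Authority and the
# key stays with the designated org box users, not in a temp directory.
make_orgbox_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.orgbox" \
        -keyout "$WORK/orgbox.key" -out "$WORK/orgbox.crt" >/dev/null 2>&1
}

# send_to_orgbox MESSAGE_FILE RECIPIENT_CERT OUTPUT_FILE
# Fail closed: if the recipient certificate is missing, return 1 and write
# nothing. There is deliberately no "send unencrypted" path.
send_to_orgbox() {
    msg="$1"; cert="$2"; out="$3"
    if [ ! -r "$cert" ]; then
        echo "send_to_orgbox: no encryption certificate for recipient, refusing to send in the clear" >&2
        return 1
    fi
    openssl cms -encrypt -aes256 -in "$msg" -out "$out" "$cert"
}

# read_orgbox ENVELOPED_FILE KEY CERT : prints the recovered plaintext
read_orgbox() {
    openssl cms -decrypt -in "$1" -inkey "$2" -recip "$3"
}

# Walk both paths from the article: certificate present, and certificate absent.
demo() {
    make_orgbox_cert || return 1
    printf 'FOUO: SSN and other PII for Sgt Mason (constructed sample)\n' > "$WORK/msg.txt"

    # Certificate present: the enveloped message carries no readable PII...
    send_to_orgbox "$WORK/msg.txt" "$WORK/orgbox.crt" "$WORK/msg.p7m" || return 1
    if grep -q 'Sgt Mason' "$WORK/msg.p7m"; then return 1; fi
    # ...and only the org box's private key recovers it.
    read_orgbox "$WORK/msg.p7m" "$WORK/orgbox.key" "$WORK/orgbox.crt" | grep -q 'Sgt Mason' || return 1

    # No role-based certificate: the send is refused and nothing is written.
    if send_to_orgbox "$WORK/msg.txt" "$WORK/missing.crt" "$WORK/never.p7m" 2>/dev/null; then
        return 1
    fi
    [ ! -e "$WORK/never.p7m" ]
}

demo
echo "ok: encrypted when a certificate exists, refused when it does not"
```

The design point is the missing branch: the mail client in the story offered plaintext as a fallback, and a time-pressed user took it. Tooling that sends FOUO or PA data to an organizational mailbox should treat a missing recipient certificate as a hard error to be fixed by obtaining the role-based certificate, not as a prompt.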

"Role-based certificates are digital certificates issued by a Local Registration Authority to the sponsor of an organizational e-mail account," Ms. Carney said. "All users of the mailbox must be designated with the role-based certificates to send encrypted e-mail from the box. This process is strictly controlled and monitored."

Ms. Carney also said one individual assigned to the organizational mailbox must be designated as the "Org Box Manager" in writing by the commander or director. In addition, a DD Form 2842, Department of Defense Public Key Infrastructure Certificate, must be completed along with an Excel spreadsheet identifying all users. Once the requesting agency has satisfied all requirements, it can e-mail the information to eglin.lra@eglin.af.mil so the process can get started.

Even when an organizational mailbox has the proper tools to encrypt sensitive information, the sender of personal information must still add "FOUO" to the beginning of the subject line, followed by the subject, and place the following statement at the beginning of the e-mail: "This e-mail contains FOR OFFICIAL USE ONLY (FOUO) information which must be protected under the Privacy Act and AFI 33-332."

For more details on establishing encryption with organizational mailboxes contact the Eglin Local Registration Authority Office at 883-5961 or e-mail: eglin.lra@eglin.af.mil.