Step by step: Secure email road map meets A&D’s rigorous standards
The Transglobal Secure Collaboration Program (TSCP) released its Secure Email Specification, which seeks to eliminate email’s inherent identity and data transmission security flaws, allowing users to safely send and receive sensitive information user-to-user and desktop-to-desktop.
The requirements were defined and endorsed by TSCP members, including the U.S. Department of Defense (DoD); U.K. Ministry of Defence (MoD); BAE Systems; Boeing; EADS; Lockheed Martin; Northrop Grumman; Raytheon; and Rolls-Royce.
The implementation is based on TSCP-defined specifications available publicly on www.tscp.org . The specification lists step-by-step instructions organizations must follow to assign vetted identity information to all email senders and recipients.
The currently deployed implementation was constructed with commercial-off-the-shelf (COTS) solutions; open-source software; and a commercial trusted third-party service called CertiPath. The resulting architecture guarantees that information only travels to and from trusted parties.
“The most basic collaboration tool is email, but it was never designed for security,” says Jim Cisneros, deputy CIO of Future Combat Systems for Boeing, and chair of the TSCP. “Trusting the authenticity and accuracy of email is imperative for government organizations, prime contractors, and our suppliers to jointly develop new technologies and respond to emerging threats.”
TSCP is in the process of preparing to assist current DoD programs in implementing Secure Email, for information currently classified as Controlled Unclassified Information, which includes For Official Use Only (FOUO) and Sensitive But Unclassified (SBU) information. The MoD also expects to deploy the capability enterprisewide in 2008 for classifications up to “U.K. Restricted.”
Prime contractors will adopt the specifications on an ongoing basis across equivalent levels of proprietary information, thereby increasing the urgency for suppliers to have compatible email frameworks.
“Sending‘Restricted’ email to allies and suppliers is far more complex than it sounds, requiring a proven architecture behind the scenes to ensure maximum safeguards,” says John Cook, info advisor for the U.K. MoD. “Secure Email will become increasingly essential to do business with the MoD.”
How it works
Secure E-mail requires organizations to have three components:
Unlike other secure email implementations, TSCP’s Secure E-mail ensures in real time that the sender’s and receiver’s identities are known at a common level of assurance and are both still valid, and the underlying identity management systems can be trusted. That assurance, once vetted, is used to grant access to sensitive information. This prevents, for example, former employees from logging in and receiving “restricted” data.
“The TSCP is transforming email from one of the most extensively used but least trusted collaboration capabilities to one that can be trusted with sensitive information,” says Paul Grant, deputy information sharing executive, Information Sharing Office, DoD.”
The Secure E-mail specification will be regularly updated to support export control processes, intellectual property protection, and feedback from members and non-members alike.