Email Encryption Requirements at CMS

Summary of email encryption practices required by federal policies and directives that help CMS employees keep sensitive information safe

Contact: ISPG Policy Team | CISO@cms.hhs.gov
CMS Slack Channel
  • #ispg-sec_privacy-policy

What is considered “sensitive information”?

CMS sensitive information is any kind of data or information that, if accessed by the wrong people or used improperly, could:

  • Compromise the security or privacy of CMS employees or customers
  • Negatively impact CMS or its programs
  • Compromise the security of proprietary CMS information or systems

Another way to think of it is, “any information that is not public or is sensitive.” When in doubt, it’s best to be cautious and treat the information as sensitive.

Emails containing CMS sensitive information should only be sent to people on a “need to know” basis.

When do I need to encrypt my email?

You do not need to encrypt emails that will remain within the CMS email environment (i.e., “jane.doe@cms.hhs.gov”) or a trusted domain — even if the email contains CMS sensitive information. If an email containing sensitive information will go outside the CMS domain, it must be encrypted.

CMS is no longer part of the HHS email shared service environment. Email to HHS and other OpDivs must therefore be treated the same as email to any other non-CMS entity.
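As an added illustration of the rule above (example code written for this page, not CMS tooling), the following Python snippet classifies a message's recipients against a trusted-domain list and reports whether the message must be encrypted. The trusted list is an assumption: the page names only cms.hhs.gov, so that is the only entry; hhs.gov is deliberately absent because, per the paragraph above, HHS is treated as external. Whether subdomains of a trusted domain count as trusted is also an assumption made here, and the code uses a dot-boundary match so that look-alike domains such as "notcms.hhs.gov" or "cms.hhs.gov.example.net" are not mistaken for the trusted one.

```python
"""Decide whether an outgoing message needs encryption under the CMS rule.

Added example; not CMS tooling. TRUSTED_DOMAINS is an assumption: the page
only names cms.hhs.gov, so that is the only entry. Extend it with the domains
your organisation actually treats as trusted.
"""
from email.utils import getaddresses

# Assumption: only the CMS domain named on the page. hhs.gov itself is
# intentionally absent, because HHS and other OpDivs are treated as external.
TRUSTED_DOMAINS = frozenset({"cms.hhs.gov"})


def recipient_domain(address: str) -> str:
    """Return the lower-cased domain of a bare address, or "" if malformed."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.strip().lower().rstrip(".")


def is_trusted(domain: str, trusted=TRUSTED_DOMAINS) -> bool:
    """Exact match, or (assumption) a subdomain split on a dot boundary.

    A bare endswith("cms.hhs.gov") would also accept "notcms.hhs.gov", and a
    substring check would accept "cms.hhs.gov.example.net"; both are rejected.
    """
    if not domain:
        return False
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def external_recipients(header_values):
    """Parse To/Cc/Bcc header strings; return recipients outside trusted domains.

    Malformed entries (no usable address) are treated as external so that a
    parsing failure never silently downgrades the decision.
    """
    external = []
    for _name, addr in getaddresses(header_values):
        if not is_trusted(recipient_domain(addr)):
            external.append(addr)
    return external


def needs_encryption(header_values, contains_sensitive: bool) -> bool:
    """The rule: sensitive content leaving the trusted domain must be encrypted."""
    return contains_sensitive and bool(external_recipients(header_values))


if __name__ == "__main__":
    # Constructed sample headers for demonstration.
    sample = ["Jane Doe <jane.doe@cms.hhs.gov>",
              "bob@hhs.gov, carol@cms.hhs.gov.example.net"]
    print(external_recipients(sample))
    print(needs_encryption(sample, contains_sensitive=True))
```

The decision is deliberately conservative: anything that fails to parse, or whose domain is not an exact or dot-bounded subdomain match, counts as external.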

How do I encrypt my email?

For recipients outside of the CMS email service environment or trusted domain:

  • Encrypt sensitive email and email attachments using the certificates on federally issued Personal Identity Verification (PIV) cards.
  • Alternatively, place the CMS sensitive information in a password-protected, encrypted email attachment created with encryption software that meets FIPS 140-2 (e.g., SecureZip).
  • Step-by-step instructions for encrypting your email can be found on CMS Connect.

Passwords for encrypted attachments

Sometimes you may need to share a password so that someone can open an encrypted email attachment. The method used to share the password must protect it from compromise; in particular, the password must not travel over the same channel as the attachment it protects.

The following mediums are not acceptable for sharing these passwords:

  • Email
  • Instant messaging clients that are integrated with Microsoft Outlook (e.g., Lync / Skype)

The following mediums are acceptable for sharing these passwords:

  • Over the phone
  • Text message
  • Shared secret (e.g., “It’s the name of our city’s baseball team”)

Who enforces email encryption policies?

The Operations Executive is responsible for ensuring that CMS employees and contractors keep sensitive information safe. This includes making sure that sensitive emails are always encrypted when going outside the trusted domain.