Email Encryption Requirements at CMS
Summary of email encryption practices required by federal policies and directives that help CMS employees keep sensitive information safe
What is considered “sensitive information”?
CMS sensitive information is any kind of data or information that, if accessed by the wrong people or used improperly, could:
- Compromise the security or privacy of CMS employees or customers
- Negatively impact CMS or its programs
- Compromise the security of proprietary CMS information or systems
A simpler rule of thumb: treat any information that is not already public as sensitive. When in doubt, be cautious and treat the information as sensitive.
Emails containing CMS sensitive information should only be sent to people on a “need to know” basis.
When do I need to encrypt my email?
You do not need to encrypt emails that will stay within the CMS email environment (i.e., between addresses such as "jane.doe@cms.hhs.gov") or a trusted domain, even if the email contains CMS sensitive information. If an email containing sensitive information will leave the CMS domain, it should be encrypted.
CMS is no longer part of the HHS email shared service environment, so HHS and other OpDivs must be treated the same as every other non-CMS entity: email to them containing sensitive information is encrypted.
How do I encrypt my email?
For recipients outside the CMS email service environment or trusted domain, use one of the following:
- Encrypt the sensitive email and its attachments using the certificates on federally issued Personal Identity Verification (PIV) cards.
- Place the CMS sensitive information in a password-protected, encrypted attachment created with encryption software that meets FIPS 140-2 (e.g., SecureZip). The legacy "ZipCrypto" password protection built into many ZIP tools is not a FIPS-approved algorithm, so configure the tool to use AES-256.
- Step-by-step instructions for encrypting your email are on CMS Connect.
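A quick way to confirm that a password-protected ZIP attachment was actually produced with AES rather than legacy ZipCrypto is to read the entry headers: the widely used WinZip "AE-x" layout marks AES entries with compression method 99 and an extra field with header ID 0x9901 carrying the key strength, whereas ZipCrypto leaves the normal method and only sets the "encrypted" flag bit; PKWARE's own strong-encryption format sets flag bit 6 and stores its algorithm in a 0x0017 extra field. The script below is an added example, not CMS or SecureZip code, and it hand-assembles three small single-entry archives (the filename `claims.csv` and all payload bytes are constructed dummies) so it runs offline. Header inspection can only show that the file is not using a weak scheme; whether the software's cryptographic module is FIPS 140-2 validated is a property of the product, not of the file.

```python
import io
import struct
import zipfile

# WinZip AES ("AE-x") marks an AES-encrypted entry with compression method 99 and an
# extra field with header ID 0x9901.  Legacy ZipCrypto keeps the ordinary method (0 or 8)
# and only sets the "encrypted" flag bit.  PKWARE strong encryption sets flag bit 6.
AES_METHOD = 99
AES_EXTRA_ID = 0x9901
FLAG_ENCRYPTED = 0x0001
FLAG_STRONG_ENC = 0x0040
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def classify_entry(info: zipfile.ZipInfo) -> str:
    """Describe how one archive entry is protected, from its central-directory headers alone."""
    if not info.flag_bits & FLAG_ENCRYPTED:
        return "unencrypted"
    if info.flag_bits & FLAG_STRONG_ENC:
        # Algorithm is recorded in the 0x0017 extra field; verify the tool's configuration.
        return "pkware-strong-encryption"
    if info.compress_type != AES_METHOD:
        # PKWARE "traditional" stream cipher: known-plaintext attacks, not FIPS-approved.
        return "zipcrypto"
    extra = info.extra
    while len(extra) >= 4:                      # walk the extra-field TLV list
        tag, size = struct.unpack("<HH", extra[:4])
        body = extra[4:4 + size]
        if tag == AES_EXTRA_ID and len(body) >= 5:
            # body: vendor version (2), vendor id "AE" (2), strength (1), real method (2)
            return AES_STRENGTH.get(body[4], "aes-unknown-strength")
        extra = extra[4 + size:]
    return "aes-marker-without-extra-field"


def audit_attachment(data: bytes) -> dict:
    """Map every entry name in a ZIP attachment to its protection label."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: classify_entry(info) for info in zf.infolist()}


def is_acceptable(data: bytes) -> bool:
    """True only if the archive is non-empty and every entry is AES-256 encrypted."""
    labels = audit_attachment(data)
    return bool(labels) and all(label == "AES-256" for label in labels.values())


# --- constructed sample archives (dummy bytes, not real CMS data) --------------------

def _aes_extra(strength: int, real_method: int = 8) -> bytes:
    """Build the 0x9901 extra field for an AE-2 entry of the given key strength."""
    return struct.pack("<HH", AES_EXTRA_ID, 7) + struct.pack("<H2sBH", 2, b"AE", strength, real_method)


def build_zip(name: str, payload: bytes, method: int, flags: int, extra: bytes = b"") -> bytes:
    """Hand-assemble a single-entry ZIP so the method, flag and extra-field bytes are controlled."""
    fname = name.encode("ascii")
    crc = 0                                     # AE-2 stores a zero CRC; irrelevant for this check
    local_hdr = struct.pack("<IHHHHHIIIHH", 0x04034B50, 51, flags, method, 0, 0x21,
                            crc, len(payload), len(payload), len(fname), len(extra))
    local = local_hdr + fname + extra + payload
    central_hdr = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 51, 51, flags, method,
                              0, 0x21, crc, len(payload), len(payload),
                              len(fname), len(extra), 0, 0, 0, 0, 0)
    central = central_hdr + fname + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


# AES-256 entry: 16-byte salt + 2-byte verifier + ciphertext + 10-byte auth code (dummy bytes)
AES_SAMPLE = build_zip("claims.csv", b"\x11" * 16 + b"\x22\x22" + b"\x33" * 24 + b"\x44" * 10,
                       AES_METHOD, FLAG_ENCRYPTED, _aes_extra(3))
# ZipCrypto entry: stored data with only the encryption flag set (12-byte header + data)
ZIPCRYPTO_SAMPLE = build_zip("claims.csv", b"\x55" * 12 + b"\x66" * 24, 0, FLAG_ENCRYPTED)
# Plain entry written by the standard library, no password at all
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("claims.csv", "member_id,amount\n1,10\n")
PLAIN_SAMPLE = _buf.getvalue()

if __name__ == "__main__":
    for name, sample in (("AES", AES_SAMPLE), ("ZipCrypto", ZIPCRYPTO_SAMPLE), ("plain", PLAIN_SAMPLE)):
        verdict = "acceptable" if is_acceptable(sample) else "REJECT"
        print(name, audit_attachment(sample), verdict)
```

Run it against a real attachment by reading the file into `audit_attachment`; an "AES-256" result for every entry is the expected outcome from a correctly configured tool, while "zipcrypto" means the sender used the default password option and the attachment should be re-created.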
Passwords for encrypted attachments
Sometimes you may need to share a password so that someone can open an encrypted email attachment. The method for sharing the password should protect it from compromise: the password should travel by a different channel from the email that carries the attachment, never in the same message or a follow-up to it.
The following mediums are not acceptable for sharing these passwords:
- Instant messaging clients that are integrated with Microsoft Outlook (e.g., Lync / Skype)
The following mediums are acceptable for sharing these passwords:
- Over the phone
- Text message
- Shared secret (e.g., “It’s the name of our city’s baseball team”)
Who enforces email encryption policies?
The Operations Executive is responsible for ensuring that CMS employees and contractors keep sensitive information safe. This includes making sure that sensitive emails are always encrypted when going outside the trusted domain.
Related documents and resources
- How CMS satisfies federal requirements for the encryption of data to keep sensitive information safe
- The IS2P2 defines how CMS protects and controls access to its information and systems. It outlines compliance activities and defines roles and responsibilities.
- Executive Order that requires the continuous verification of system users to promote system security