NIST Invites Comments on Draft Guide for Improving Email Security

The National Cybersecurity Center of Excellence (NCCoE) invites comments on a draft practice guide to help organizations improve email security and defend against phishing, man-in-the-middle, and other types of email-based attacks.

Email has become the dominant method of electronic communication for both private and public sector organizations, fueled by low costs and fast delivery. Securing these transactions has been less of a priority, which is one reason why email attacks have increased.

The draft guide, Domain Name System-Based Electronic Mail Security (NIST Special Publication 1800-6), demonstrates how commercially available technologies can help email service providers improve the security of email communications.

“Large email service providers, such as Gmail and Yahoo, have taken steps to reduce the prevalence of email scams by implementing mechanisms to verify the origin of an email,” said William “Curt” Barker, Domestic Guest Researcher, NIST. “However, these mechanisms are difficult to implement, require long lead times, and must integrate into existing systems, making it difficult for organizations without a large IT department to do so. As a result, many enterprises have been slow to embrace these protections.”

Most server-based email security mechanisms are vulnerable to attacks on the integrity of the cryptographic implementations they depend on. This project aims to use currently available technology to close the gaps in email security through the service provider, ultimately reducing the potential for email scams.

The goal of this project is to demonstrate a security platform that provides trustworthy email exchanges and tools that help organizations to encrypt emails between mail servers, allow individual email users to digitally sign and/or encrypt email messages, and allow email users to identify valid email senders as well as send digitally signed messages and validate signatures of received messages.

The draft guide can be downloaded from the NCCoE website, which includes a form for submitting comments. The public comment period is open through December 19, 2016.

While the guide uses a suite of commercial products as examples to address this challenge, it does not endorse any particular products, nor does it guarantee regulatory compliance. A company can adopt this solution in whole, adopt another solution that adheres fully to these guidelines, or use the guide as a starting point for tailoring and implementing parts of a solution.

The guide is part of a new series of publications, called NIST Cybersecurity Practice Guides (Special Publication 1800 series), which target complex cybersecurity challenges in the public and private sectors. The practical, user-friendly guides show members of the information security community how to implement example solutions intended to help them align more easily with relevant standards and best practices.
About the National Cybersecurity Center of Excellence

The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address the private sector’s most pressing cybersecurity issues. As a public-private partnership, industry experts and technology partners—from Fortune 50 market leaders to smaller companies specializing in IT security—choose to work with the NCCoE to develop integrated, practical, example cybersecurity solutions using standards, best practices, and commercially available technology.