WebSDR E-mail EncryptionWebSDR E-mail Encryption

2

WebSDR E-mail EncryptionWebSDR E-mail Encryption

• Background

– WebSDR SDRs designated For Official Use Only (FOUO) since 2006

– DoD 5200.1-R (Appendix 3) says the data which is FOUO should be sent by secure communications where practical

– Encryption of FOUO e-mail required by DLA in 2008

– DLA Information Security office reviewed DoD WebSDR (March 25, 2009)

• Confirmed SDRs meet OPSEC criteria for unclassified FOUO and, therefore, require encryption

• Determined that no amount of information could be removed from the e-mail SDRs to negate the need for FOUO designation (April 7, 2009)

3

Purpose of E-mail within DoD Purpose of E-mail within DoD WebSDR ProgramWebSDR Program

• Email used extensively to facilitate multiple business processes– Action Copy Distribution: Used transmit SDRs to organizations not supported by

application capable of interfacing with DAASC. Principally, interim measure for Components where DLMS implementation is delayed

– Electronic Submitter Record: Customers using the Web-originated SDR for submission receive an automatic confirmation copy of the SDR for their records

– Customer Response: Customers using the Web for submission receive the action activity’s response via e-mail to either their email account

– Distribution Copies: Customers may designate up to two additional distribution copies to be sent to interested parties by identifying the activity or the email address during submission. Distribution copies may also be triggered by specific pre-programmed business rules

– Air Force Security Assistance: Multiple parties must review Foreign Military Sales (FMS) SDRs which have a wider scope of reportable events than U.S. customer SDRs. These are routed to the appropriate AFMC office using WebSDR email distribution

– Unique Business Processes: Facilitates expedited processing for frustrated freight SDRs reported by transshippers (pending system enhancements for DLA ICP and depot distribution)

4

Breakdown of E-mails Sent Breakdown of E-mails Sent by DoD WebSDRby DoD WebSDR

Using 1 March to 30 March, 2009

Category E-mails Sent %Unique

AddressesUnique

Domains

MIL 32,519 90.9% 1,927

273

GOV 466 1.3% 39

15

OTHER 2,788 7.8% 304

106

35,773 2,270

121

5

WebSDR E-mail EncryptionWebSDR E-mail Encryption POAM Under DevelopmentPOAM Under Development

• DAAS Secure/Multipurpose Internet Mail Extensions (S/MIME) capability under development

• July 31, 2009: Begin encryption for specific high volume DoD e-mail users.

– Four AF IM e-mail addresses receiving 1,000 - 4,000 SDR messages monthly.

– 45 DoD email addresses receiving > 75 messages monthly, roughly 2/3 of WebSDR e-mail

• Develop message center approach

– E-mail users will be able to access SDRs from their in-box account within message center

– Subject line display with key information so that users can better prioritize workload prior to opening each SDR

– User select SDRs for review or initiates further action directly from the message center

6

WebSDR E-mail EncryptionWebSDR E-mail Encryption POAM Under DevelopmentPOAM Under Development

• Dual transmission style: encrypted SDR vs. “you’ve got mail” message

– Application determines suitability of encryption for each specific e-mail address

• Encrypted SDRs will carry full data content plus hyperlink to message center to facilitate web-based processing

• Users without encryption capability will receive notification with hyperlink indicating SDR e-mail is in available in a new external web repository

– Alternative reply format: limited content -- document number and reply code w/POC

• Significant areas of concern

– Require new communication approach for very low volume users that report discrepancies via the DLA Customer Interaction Center (CIC)

• Alternative: print/fax/conversion: DAAS mailer or CIC action– Distribution Copy SDRs for e-mail addresses identified without prior registration

• Requested POAM completion date: December 31, 2009