The National Institute for Technology and Standards released Draft NIST Special Publication 800-177 Revision 1, Trustworthy Email, Dec. 15. SP 800-177 Rev. 1 (DRAFT) covers and gives recommendations for state-of-the-art email security technologies to detect and prevent phishing and other malicious email messages. The guide was written for email administrators and for those developing security policies for an enterprise email infrastructure, according to a NIST release.
The second comment period for Revision 1 is to allow for comments on a newly included security recommendation dealing with mail confidentiality. This revision also includes more text on new email security protocols currently undergoing specification and finalization as IETF Draft Standards. Reviewers should pay particular attention to Sections 5.2 and 7.3, which has newly added material.
This guideline applies to federal IT systems and will also be useful for small or medium sized organizations. Technologies recommended in support of core Simple Mail Transfer Protocol (SMTP) and the Domain Name System (DNS) include mechanisms for authenticating a sending domain: Sender Policy Framework (SPF), Domain Keys Identified Mail(DKIM) and Domain based Message Authentication, Reporting and Conformance (DMARC). Recommendations for email transmission security include Transport Layer Security (TLS) and associated certificate authentication protocols. Recommendations for email content security include the encryption and authentication of message content using S/MIME (Secure/Multipurpose Internet Mail Extensions) and associated certificate and key distribution protocols.
Date Published: December 2017
Comments Due: January 31, 2018
Email Comments to: firstname.lastname@example.org
Scott Rose (NIST), Stephen Nightingale (NIST), Simson Garfinkel (U.S. Census Bureau), Ramaswamy Chandramouli (NIST)
Draft (2nd) SP 800-177 Rev. 1
Comment template (xls)
Related NIST Publications:
SP 800-45 Version 2
Draft SP 800-177 Rev. 1 (9/13/17)
Draft SP 800-177 Rev. 1 (12/15/17)