About the Sandia Environment:
Members of the Sandia Workforce utilize PKI digital identity certificates for secure email (S/MIME) communications. These Digital IDs are obtained by the workforce via internal SNL Entrust accounts, HPSD-12 (PIV) badges, or a third-party ECA (External Collaboration Authority) vendor (such as WidePoint ORC or IdenTrust). By default, end-user systems trust digital ID certificates from other site-specific Department of Energy (DoE) Public Key Infrastructures (PKIs) and from the Federal Public Key Infrastructure (FPKI).
Note, FPKI includes many government agencies (e.g. DoD, NASA, Treasury, etc.), and digital IDs from this include, but are not limited to, PIV and CAC cards.
What Sandia Requires of External Colleagues:
If you are partnering with Sandia and need to exchange encrypted emails you will need a PKI digital identity or in other words encryption & signing certificates/keys. This may be offered to you by your employer’s internal PKI or purchased through a third-party vendor (we would suggest you obtain an ECA digital ID in this case).
Note, even though the External Collaboration Authority (ECA) program was established by DoD for DoD we at SNL do trust and use certificates from this program as well.
How to Exchange Certificates
Once you have a PKI digital ID that has been issued by a trusted Certificate Authority (CA) you can use this to exchange encrypted email with Sandia. Although, you will need to share your public encryption certificate first. How this can be accomplished is by sending a signed email to your Sandia colleague. By default, most email applications will attach your public encryption certificate to a signed email in which the recipient can extract, save, and then utilize to send you encrypted email. Your Sandia colleague should also send you a signed email so you can obtain their public encryption certificate and in turn send them encrypted emails.
Note, if your certificates did not come from a DOE-site PKI or a Federal PKI Certificate Authority (CA) your Sandia colleague may need to complete some extra steps to trust your certificate. This could include working directory with his/her IT support and possibly requesting your certificate trust chain (root and intermediate certificates) from you.
Automated Certificate Request
If a Sandia colleague tried sending you an encrypted email prior to obtaining your public encryption certificate you may have received an email notice from ems@emsa.sandia.gov requesting your public encryption certificate in lieu of your colleague’s original email. In this case reply back to this email with a signed email. Afterwards, you should receive the original email encrypted for you.
Alternative Solutions
If you don’t need to continuously exchange information that needs to be sent with encryption, for instance are simply concerned with one document, there are alternative options to send this data securely. Common solutions include password protecting Microsoft Office or PDF documents or using Sandia’s Managed File Transfer (FTP) tool to securely distribute files. Please work with your Sandia colleague to determine the best alternative solution for your needs.
Note, Sandia has Enforced Transport Layer Security (ETLS) enabled with many of our frequent external colleagues’ email domains. Meaning emails are automatically secured during the transit process only. The email will not be encrypted at rest on your colleague’s email storage space and therefore not require additional mechanisms to access the data. Check with your IT support or SNL colleague to see if ETLS is enabled for your email domain. If so, no additional steps are needed by you or your Sandia colleague to secure Unclassified Controlled Information (UCI) information.
For additional support please work with a Sandia colleague to establish SNL IT support or contact your IT support for localized help.