Issues/Risks With “Cloud Email”
- Email and attachments can be stored anywhere in the world
- Cloud email providers typically claim a license on all content including emails
- There are security reports and unclassified but restricted information that cannot be sent to these email accounts
- Information assurance regulations in the DoD will preclude using cloud email
- FISMA applies to DoD contractors and requires protection of government information
- Cloud software is acceptable if the provider provides a warranty and security controls, which most cloud email providers do not
Emails Stored Worldwide
One issue with cloud-based email is that you do not know where in the world your emails and attachments are stored. They could easily be stored outside the US. See page 14, NIST SP-800-144 Cloud Computing, section labeled Data Location. Google support says Gmail and Google apps are not ITAR compliant since servers world-wide are used. For export control purposes, you can say you are making efforts to control emails if the system is in-house.
Content Licensing
Read the terms and conditions closely to be sure you don’t give up rights you can’t give. For example, Google Gmail’s Terms & Conditions includes this statement in section 11.1: “By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services.” Section 11.2 says “You agree that this license includes a right for Google to make such Content available to other companies, organizations or individuals with whom Google has relationships for the provision of syndicated services, and to use such Content in connection with the provision of those services.” Be sure these are conditions you can agree to before using cloud-based email.
Restrictions on Report Distribution
From the DoD non-classified user agreement when connecting to any government computer, Section 12:
“I will not use web based e-mail (e.g., Gmail, Yahoo, AOL, etc.) or Internet "chat" services (e.g., Google Chat, America Online (AOL), Microsoft Network (MSN) Instant Messenger, Yahoo, etc.) from my computer.”
There are documents that cannot be forwarded to cloud email accounts, mostly security related. Statement from DSS: “we can't tell you not to use Gmail accounts but understand that there will be some information that we will not be able to email to Gmail accounts”.
Information Assurance Regulations
Army Regulation 25-2, Information Assurance:
“f. E-mail security. All personnel will use e-mail systems for transmission of communications equivalent to or less than the classification level of the IS.
(5) All personnel will employ Government owned or provided e-mail systems or devices for official communications.
(6) The use of commercial ISP or e-mail accounts for official purposes is prohibited.”
Federal Information Security Management Act
Defense contractors are subject to the Federal Information Security Management Act (FISMA) of 2002 since they are dealing with DoD information (or might be). “FISMA requires federal agencies to adequately protect their information and information systems against unauthorized access, use, disclosure, disruption, modification, or destruction” (NIST SP-800-144 Cloud Computing, page 15).
Provider Warranty and Liability
DoD discourages the use of cloud-based email systems such as Gmail and Hotmail. Companies are responsible for the safety and security of their data even when stored by cloud providers such as Gmail. Google Gmail Terms & Conditions says usage is at your own risk and provides no warranty.
DoD Directive 8500.01E – Information Assurance, Section 4.19 states “Public domain software products, and other software products with limited or no warranty, such as those commonly known as freeware or shareware, shall only be used in DoD information systems to meet compelling operational requirements. Such products shall be thoroughly assessed for risk and accepted for use by the responsible DAA.”
Google’s Gmail Terms & Conditions says “14.2 YOU EXPRESSLY UNDERSTAND AND AGREE THAT YOUR USE OF THE SERVICES IS AT YOUR SOLE RISK AND THAT THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE."”
Alternatives
There are alternatives that can be used for email including:
- Apache JAMES - Open source, hosted on in-house server
- Microsoft Exchange - Outlook and SharePoint integration
- Novell GroupWise
- Ipswitch iMail - less expensive than Exchange, includes integrated messaging, iMail Server includes Outlook calendar and contact sharing
- VMware Zimbra - open source and paid versions available