
NZ Government SecMx implementation (draft v2)

by Mike Pearson last modified 2007-05-15 18:16

How the New Zealand government could implement SecMX on its mail servers (draft). This version updated as a result of feedback from GCSB.

The New Zealand Government sets its minimum security standards for email, based on the advice of its Government Communications Security Bureau (GCSB).  The standards will change over time. 

The following information is awaiting endorsement by GCSB; therefore no decision has been made about if or when SecureMail will be implemented.


Overview

The implementation will comply with the information management policies of the government's security policy (SIGS).

INBOUND MESSAGES

    • If TLS is available, the message will be accepted securely.
    • If unclassified, the message will be processed normally.
    • If classified, and received via a non-SecureMail server, the message will be flagged as from an insecure source.

OUTBOUND MESSAGES

    • If unclassified, a message will be sent on a "Best Efforts" basis, using TLS if it is available.  If TLS is not available, the message will be sent anyway.
    • If classified as SENSITIVE, RESTRICTED or IN-CONFIDENCE, then the information will be sent on a "Secure Only" basis, using a SecureMail server.
    • If classified as CONFIDENTIAL, SECRET or TOP SECRET, then the information must be held.


Standards for ALL Government Mail Servers

All Government mail servers will:

For sending

  • have valid SPF and SenderID records, so they can be authenticated as an approved sender of the message.
  • by default, send messages via a TLS connection, IF the receiving server supports it.

For receiving  

  • accept messages via a TLS connection.
  • enforce the mail sending policy specified by a sending domain's SPF record (if any).
  • enforce the mail sending policy specified by a sending domain's Sender ID record (if any).
  • refuse to accept email from apparent SecureMail senders (identified by "securemail" as the left-most part of their domain name).


Standards for Government SecureMail Servers

Government SecureMail servers have additional stringent requirements:


For receiving

  • have a standard 4th level domain name e.g. securemail.agency.govt.nz
  • be advertised with a SecureMail 4th level domain as the email address to send secure email to. 
  • refuse to accept email from senders under any of the following conditions:
    • the sender's SPF record
      • does not exist; or
      • does not prohibit all other senders ("-all"); or
      • upon evaluation, returns any result other than "Pass"
    • the sender's Sender ID record
      • does not exist; or
      • does not prohibit all other senders ("-all"); or
      • upon evaluation, returns any result other than "Pass"
    • the sender's TLS connection
      • does not exist; or
      • does not meet the government's minimum cryptography standards
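
The refusal conditions above, expressed as one decision function. This is an added example, not part of the draft or of any government code: the function names, the constructed sample TXT records and the cipher-name check are assumptions, a Sender ID record is taken to be a separate "spf2.0/" TXT record, and the SPF and Sender ID evaluation results are supplied by the mail server's own evaluator.

```python
from typing import List, Optional, Sequence, Tuple

# Constructed sample TXT records for a hypothetical sending domain.
GOOD_TXT = ["v=spf1 ip4:192.0.2.10 -all", "spf2.0/pra ip4:192.0.2.10 -all"]
SOFT_TXT = ["v=spf1 ip4:192.0.2.10 ~all"]  # soft fail, and no Sender ID record

def find_record(txts: Sequence[str], is_version) -> Optional[str]:
    """Return the one record with a matching version tag; none or several -> None."""
    hits = [t for t in txts if t.split() and is_version(t.split()[0].lower())]
    return hits[0] if len(hits) == 1 else None

def prohibits_all_others(record: str) -> bool:
    """True only if the record's first "all" mechanism carries the "-" qualifier."""
    for term in record.lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            return term.startswith("-")
    return False  # no "all" mechanism, so other senders are not prohibited

def policy_failure(name, txts, is_version, result) -> Optional[str]:
    """Return the first refusal reason for one record type, or None if it passes."""
    record = find_record(txts, is_version)
    if record is None:
        return f"{name} record does not exist"
    if not prohibits_all_others(record):
        return f'{name} record does not prohibit all other senders ("-all")'
    if result.lower() != "pass":
        return f"{name} evaluated to {result}, not Pass"
    return None

def meets_min_crypto(cipher: str) -> bool:
    # Assumption: the minimum is read as DHE key exchange with AES-256,
    # matched against an OpenSSL-style suite name such as DHE-RSA-AES256-SHA.
    parts = cipher.upper().split("-")
    return parts[0] == "DHE" and "AES256" in parts

def securemail_accept(txts, spf_result, senderid_result, tls_cipher) -> Tuple[bool, List[str]]:
    """Apply every refusal condition; return (accept, reasons for refusal)."""
    checks = (
        ("SPF", lambda v: v == "v=spf1", spf_result),
        ("Sender ID", lambda v: v.startswith("spf2.0/"), senderid_result),
    )
    reasons = [f for f in (policy_failure(n, txts, m, r) for n, m, r in checks) if f]
    if tls_cipher is None:
        reasons.append("TLS connection does not exist")
    elif not meets_min_crypto(tls_cipher):
        reasons.append(f"TLS cipher {tls_cipher} is below the minimum standard")
    return (not reasons, reasons)
```

Collecting every reason, rather than stopping at the first, lets the server log exactly which of the conditions a refused sender failed.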


For sending 

  • have valid SPF and SenderID records specifying valid senders and prohibiting all other senders ("-all"), so the message header can be authenticated.
  • refuse to send email (and return it to the sender) under any of the following conditions:
    • the receiver's TLS connection
      • does not exist; or
      • does not meet the government's minimum cryptography standards.


Cryptography Standard

The minimum cryptography standards are defined by the commonly available implementations of TLS. 

  • SecureMail servers MUST support Diffie-Hellman key exchange, 256-bit AES encryption and SHA1 message digest.  In future these requirements are expected to require ECDSA key exchange and SHA-256.
  • Government SecureMail server crypto modules MUST be evaluated to FIPS 140-2 and SHOULD be combined with a Common Criteria evaluation of the product to EAL3 or higher, by the Australasian Information Security Evaluation Programme (AISEP) or equivalent.


Certification and Accreditation

  • Email systems and their respective internet gateways MUST be certified and accredited in accordance with NZSIT400 to handle policy and privacy information classified up to and including SENSITIVE and national security information classified up to RESTRICTED before SecureMail implementation.
  • Upon implementation of SecureMail, the connected system MUST be classified RESTRICTED at minimum.
  • If the system behind the SecureMail gateway is classified at the RESTRICTED level, the system SHOULD check for the words CONFIDENTIAL, SECRET and TOP SECRET in outgoing mail and prevent material classified at these levels being sent over the internet. 
  • If the system behind the SecureMail gateway is classified at the CONFIDENTIAL level or higher, the system MUST check for the words CONFIDENTIAL, SECRET and TOP SECRET and prevent such material being sent over the internet.


Government to Citizen communications

  • Agencies MUST implement robust controls to prevent information being sent to the wrong email address(es).


E-Mail Distribution

  • All users who access a Government SecureMail server MUST connect to the server using a secure connection (e.g. POP3/SSL or secure internal network).
  • Remote users MUST only connect to such a mail server utilising equipment which has been appropriately certified and accredited for that purpose.
  • Non-accredited equipment (e.g. home PC, internet cafe PC) MUST NOT be used.


Timekeeping Requirements

  • Government servers must maintain synchronisation with UTC (MSL) time, via the NZ Time Source.

 
