Secure Government Email
Secure Government Email (SGE) secures email traffic between agencies and external partners in line with the associated New Zealand Information Security Manual (NZISM) controls. It protects information classified as IN-CONFIDENCE, SENSITIVE or RESTRICTED.
The SGE framework provides guidance to New Zealand Government agencies on industry practices for securing external email. This will:
- improve the overall security of external email services within the New Zealand Government
- decrease the likelihood of successful spoofing of domains in phishing attacks
- enable the retirement of the SEEMail (Secure Encrypted Email) service.
Service description
The SGE framework is a standards-based email configuration that provides confidentiality, authentication, integrity and non-repudiation for emails between agencies and external partners. This is achieved through Domain Name System (DNS) security controls, such as:
- Domain-based Message Authentication, Reporting and Conformance (DMARC)
- DomainKeys Identified Mail (DKIM)
- Sender Policy Framework (SPF)
- Mail Transfer Agent Strict Transport Security (MTA-STS).
This is also achieved through appropriate Data-Loss Prevention (DLP) settings and email connectors.
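The four DNS-published controls listed above can be checked from a domain's public records. The following is an added example, not part of the SGE guidance or any agency's tooling: it audits constructed TXT records and an MTA-STS policy file for a placeholder domain. The domain, the DKIM selector "sel1" and the pass criteria are assumptions of this sketch, not requirements quoted from the SGE framework.

```python
# Added example. All records below are constructed sample data; the domain,
# the DKIM selector "sel1" and the pass criteria are assumptions of this sketch.
WEAK = {
    "example.govt.nz": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.example.govt.nz": ["v=DMARC1; p=none; rua=mailto:dmarc@example.govt.nz"],
    "sel1._domainkey.example.govt.nz": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq"],
    "_mta-sts.example.govt.nz": ["v=STSv1; id=20240101T000000"],
}
WEAK_POLICY = "version: STSv1\nmode: testing\nmx: mail.example.govt.nz\nmax_age: 86400\n"

def tags(record):
    """Parse the 'k=v; k=v' tag list used by DMARC, DKIM and MTA-STS TXT records."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def lookup(records, name, version):
    """Return the TXT records at `name` that start with the given version tag."""
    return [r for r in records.get(name, []) if r.lower().startswith(version.lower())]

def audit(domain, selector, records, sts_policy):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    spf = lookup(records, domain, "v=spf1")
    if len(spf) != 1:  # RFC 7208: zero or multiple records never yield a pass
        findings.append("SPF: expected one record, found %d" % len(spf))
    elif spf[0].split()[-1].lower() != "-all":
        findings.append("SPF: does not end in -all, unlisted senders are not hard-failed")
    dmarc = lookup(records, "_dmarc." + domain, "v=DMARC1")
    policy = tags(dmarc[0]).get("p", "").lower() if len(dmarc) == 1 else None
    if policy not in ("quarantine", "reject"):
        findings.append("DMARC: policy is %r, failing mail is not quarantined or rejected" % policy)
    # This sketch only recognises DKIM key records that carry the v=DKIM1 tag.
    dkim = lookup(records, "%s._domainkey.%s" % (selector, domain), "v=DKIM1")
    if not dkim or not tags(dkim[0]).get("p"):  # empty p= marks a revoked key
        findings.append("DKIM: no usable public key at selector %r" % selector)
    sts_txt = lookup(records, "_mta-sts." + domain, "v=STSv1")
    fields = dict(l.split(":", 1) for l in sts_policy.splitlines() if ":" in l)
    mode = fields.get("mode", "").strip().lower()
    if not sts_txt or "id" not in tags(sts_txt[0]) or mode != "enforce":
        findings.append("MTA-STS: TXT record missing or mode is %r, not enforce" % mode)
    return findings

if __name__ == "__main__":
    for finding in audit("example.govt.nz", "sel1", WEAK, WEAK_POLICY):
        print(finding)
```

In practice the `records` dictionary would be filled from live TXT lookups and the policy text fetched over HTTPS from the domain's `mta-sts` host.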
How to implement SGE
To implement SGE, participating agencies need to use the DNS standards and email settings listed in the detailed guidance.
Download detailed guidance on implementing SGE
Technical assistance and managed-DMARC reporting services
These can be sourced from an approved Marketplace provider in the Infrastructure Managed Services catalogue, which is part of the Managed Services channel. These are recently established services and the first suppliers are still in the process of applying to offer this service.
Infrastructure Managed Services catalogue — Marketplace.govt.nz
SEEMail to be decommissioned in
The legacy solution for secure email for government used a proprietary, gateway-based solution called SEEMail. This solution can run in parallel with the SGE framework but is intended to be decommissioned in . SGE is based on open standards and can be applied by any agency, not just those that have been part of SEEMail.
Restricted Group
Agencies who communicate by email at the RESTRICTED or SENSITIVE level
These agencies must confirm that their ICT services and infrastructure are formally certified and accredited in writing to RESTRICTED. This must be done by either their Chief Information Officer (CIO) or Chief Information Security Officer (CISO). Relevant ICT services and infrastructure include:
- mail gateways
- servers
- storage
- accessing (user) devices
- communications between these systems.
An agency’s request to be part of the Restricted group needs to be endorsed by the Secure Government Email Working Group — formerly the SEEMail Security Working Group. This is a cross-agency group of representatives providing technical oversight to the SGE framework.
The SGE framework includes additional security controls in the form of mail connectors that are required for exchanging RESTRICTED or SENSITIVE information. Other agencies should block information tagged at this level.
SGE Common Implementation Framework (PDF 513KB)
Benefits of SGE
For agencies that implement SGE, this will ensure that:
- all traffic between agencies is secured
- no one outside the sending agency can read or alter messages
- email is confirmed to be from the sending agency
- spoofing of your domain is detected easily by the receiving party.
Lead agency
Government Chief Digital Office, Department of Internal Affairs | Te Tari Taiwhenua
Responsibilities of the lead agency
- Oversee the continued development of the SGE standards in conjunction with the Email Security Working Group.
- Monitor the public facing SGE configuration information of agencies who were SEEMail members.
- Report any exceptions detected to the SEEMail member agency concerned.
Status
Operational
More information
For more information about implementing SGE, email sge@dia.govt.nz.