Exchanging Encrypted Email with Sandia

About the Sandia Environment:

Members of the Sandia workforce use PKI digital identity certificates for secure email (S/MIME). These Digital IDs come either from the internal Sandia National Laboratories (SNL) HSPD-12 (PIV) badge or from a third-party External Certification Authority (ECA) vendor such as WidePoint ORC or IdenTrust. By default, Sandia end-user systems trust Digital ID certificates issued by the other site-specific Department of Energy (DOE) Public Key Infrastructures (PKIs) and by the Federal Public Key Infrastructure (FPKI).

Note: FPKI encompasses various government agencies, including the Department of Defense (DoD), NASA, and the Treasury. Digital IDs issued under FPKI include, but are not limited to, Personal Identity Verification (PIV) cards and Common Access Cards (CAC).

What Sandia Requires of External Colleagues:  

If you are partnering with Sandia and need to exchange encrypted email, you will need a PKI digital identity of your own: an encryption certificate and key plus a signing certificate and key. Your employer's internal PKI may issue one; if not, you can purchase one from a third-party vendor, in which case we recommend obtaining an ECA Digital ID. Whatever the source, the issuing CA must be one that Sandia systems trust (the DOE site PKIs, the FPKI, or the ECA program); otherwise your signatures will not validate on the Sandia side and your colleague's mail client will not accept your encryption certificate.

Note: Although the DoD established the ECA program for its own external partners, Sandia trusts and uses certificates issued under it as well.

How to Exchange Certificates

Once you hold a PKI Digital ID issued by a Certificate Authority (CA) that Sandia trusts, you can use it to exchange encrypted email with Sandia. First, share your public encryption certificate by sending a digitally signed email to your colleague; most email clients automatically attach the sender's encryption certificate to a signed message, and the recipient's client stores it once the signature validates. Your Sandia colleague then sends you a signed email in return so that you obtain their encryption certificate. After this exchange, each side can encrypt to the other. Before encrypting to a harvested certificate, confirm that the signed message validated against a trusted CA and that the certificate's email address matches the sender's address; a certificate taken from an unvalidated message could belong to anyone.

Alternative Solutions

If you only need to send one document securely and do not need ongoing encrypted communication, there are alternatives. Common options are password-protecting a Microsoft Office or PDF document, or using Sandia's Managed File Transfer tool to share files securely. If you use a document password, pass it to your colleague by a separate channel such as a phone call, never in the same email as the document. Work with your colleague to decide which alternative fits.

Sandia has Enforced Transport Layer Security (ETLS) configured with many of our frequent external colleagues' email domains, so mail between those domains is encrypted automatically while in transit, and delivery is refused if a TLS session cannot be negotiated. This protects the message only between the two mail systems: it is not encrypted at rest in your colleague's mailbox, so no additional mechanism is needed to read it, but anyone with access to that mailbox can read it as well. Work with your IT support and your Sandia colleague to confirm whether ETLS is in place for your domain.

For additional support, ask your Sandia colleague to open a request with SNL IT support, or contact your own IT support for help on your side.