Center for Biologics Evaluation and Research SOPP 8119 Appendix A
SOPP 8119 Appendix A: Secure Email Setup
For FDA to send regulatory information via email, the email must be sent to a Secure E-
mail partner, to allow FDA to digitally sign and encrypt the message. Requests to
establish secure email with FDA should be sent to SecureEmail@fda.hhs.gov.
Adequate time should be allotted for Secure Email set-up before expecting email
responses from FDA.
To set up secure email with the FDA, you must have a non-ISP email domain. Thus,
@yahoo.com, @gmail.com, @hotmail.com, @earthlink.net, @verizon.net, etc.,
accounts cannot be secured.
If you have a non-ISP email domain:
There are two ways to securely send email to and from the FDA:
1. S/MIME Encryption
a. S/MIME encryption is difficult to set up, use, and maintain as everything is
done at the workstation level.
• Typically, your certificate will need to be repurchased/renewed once a
year. This will require the new certificate to be installed on your
workstation and coordination with the FDA to attach it to your Secure
Email profile. Thus, over a 5-year period, you will switch out your
certificate 5 times.
• If you change workstations or when you renew your digital certificate, your
old certificates must be preserved; otherwise you will lose the ability to
read old encrypted emails.
• If you have a Blackberry (or other mobile device), you will not be able to
read the encrypted emails unless you install the Blackberry (or similar)
S/MIME application and copy your certificate over. Any new certificates
will need to be copied over.
• For each FDA user or mailbox you wish to securely communicate with, a
one-time setup process is required to create an FDA Outlook contact and
corresponding FDA proxy certificate.
• S/MIME is set up on a per-user basis. Thus, if you wish 10 of your users to
send secure email to the FDA, then they each have to be configured
individually.
• Your email server may apply disclaimers or legal notices on all outbound
emails. An exception will need to be applied to the email server’s
transport rule to avoid doing this when sending to the FDA. The reason is
that disclaimers affect how S/MIME protected email is repackaged. These
alterations cannot be processed correctly by the FDA S/MIME Email
Firewall. Therefore, add the disclaimers via your email client (i.e., make it
part of your default signature). If your organization requires these
disclaimers to be appended by your email server, then you cannot use
S/MIME and must use TLS.
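
The disclaimer problem described in the last bullet, as an added Python example that is not part of the FDA document: it shows that text appended by a mail server changes the bytes covered by an S/MIME signature, and sketches the recipient-based transport-rule exception. The function names, the sample message and the mailbox are constructed for illustration, and the digest comparison stands in for full CMS signature verification.

```python
import hashlib
from email import message_from_bytes, policy
from email.utils import getaddresses

EXEMPT_DOMAINS = {"fda.hhs.gov"}  # domain taken from the address on this page
SIG_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

# Constructed sample: clear-signed message, made-up mailbox, placeholder signature.
SAMPLE = (
    b"From: sponsor@example.com\r\n"
    b"To: recipient@fda.hhs.gov\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; '
    b'micalg=sha-256; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nSubmission attached.\r\n"
    b"--b1\r\nContent-Type: application/pkcs7-signature\r\n\r\n(placeholder)\r\n"
    b"--b1--\r\n"
)

def is_smime_signed(raw: bytes) -> bool:
    msg = message_from_bytes(raw, policy=policy.default)
    proto = str(msg.get_param("protocol") or "").lower()
    return msg.get_content_type() == "multipart/signed" and proto in SIG_TYPES

def signed_digest(raw: bytes) -> str:
    """SHA-256 of the first body part, byte for byte (the content that is signed)."""
    msg = message_from_bytes(raw, policy=policy.default)
    delim = b"--" + msg.get_boundary().encode()
    # Drop the CRLF after the delimiter line and the CRLF owned by the next one.
    return hashlib.sha256(raw.split(delim)[1][2:-2]).hexdigest()

def server_disclaimer(raw: bytes, text: bytes) -> bytes:
    """Simulate a transport rule appending text to the first body part."""
    msg = message_from_bytes(raw, policy=policy.default)
    delim = b"--" + msg.get_boundary().encode()
    head, first, rest = raw.split(delim, 2)
    return head + delim + first + text + b"\r\n" + delim + rest

def disclaimer_allowed(raw: bytes) -> bool:
    """Transport-rule exception: skip the disclaimer for exempt recipients."""
    msg = message_from_bytes(raw, policy=policy.default)
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return not any(a.rpartition("@")[2].lower() in EXEMPT_DOMAINS for _, a in rcpts)

if __name__ == "__main__":
    altered = server_disclaimer(SAMPLE, b"CONFIDENTIAL: legal notice")
    print("signed:", is_smime_signed(SAMPLE))
    print("digest unchanged:", signed_digest(SAMPLE) == signed_digest(altered))
    print("append disclaimer:", disclaimer_allowed(SAMPLE))
```

A disclaimer placed in the email client's signature is part of the body before signing, so the signed bytes and the digest stay consistent.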