Comply with Australian Government Email Protective Marking Standard (EPMS)

Stay compliant with a trusted tool for protective markings

What is EPMS?

The Australian Government Email Protective Marking Standard (EPMS) is a set of requirements that organizations must follow in order to protect sensitive and classified information that is sent or received by email.

According to the Email Protective Marking Scheme, governmental agencies must ensure that all official emails are marked with a protective marking that identifies the maximum classification and protection requirements for that information.

The EPMS v2018.6 was updated on 30 January 2023. Fortra’s Data Classification Suite (DCS) supports version 2018.6 of the standard and is in use by over 30 federal agencies in Australia.

What's Changed with EPMS v2018.6?

The new Email Protective Marking Standard introduces a number of changes from the previous standard, including:

 

Security classifications

The new standard introduces three new security classifications: Protected, Secret, and Top Secret. These classifications replace the previous classifications of Confidential, Secret, and Top Secret.

Caveat requirements

The new standard requires organizations to mark email with a caveat if the email contains information that is subject to export controls, is protected by intellectual property rights, or is otherwise subject to special handling requirements.

Requirements for email

The new standard includes new requirements for how organizations must handle, store, and dispose of email containing sensitive or classified information.

Penalties for non-compliance

The new standard includes new penalties for organizations that fail to comply with the requirements. Organizations that fail to comply with the law may be fined up to $10 million.

What is Sensitive or Classified Information?

The EPMS defines sensitive or classified information as information that, if disclosed, could have a negative impact on the national security, economic interests, or public safety of Australia. Sensitive or classified information can include the following:

  • Information about government policies or programs

  • Information about military or intelligence operations

  • Information about trade secrets or other confidential business information

  • Personal or financial information

How to Mark Email

The EPMS requires all email that contains sensitive or classified information to be marked with the appropriate security classification. The security classifications are as follows:

  • Protected
  • Secret
  • Top Secret

The email must also be marked with a caveat, if necessary, to indicate any additional special protections that are required. For example, if the email contains information that is subject to export controls, the email must be marked with a caveat that indicates this.

How to Handle, Store, and Dispose of Email

The EPMS also requires organizations to:

  • Handle, store, and dispose of email containing sensitive or classified information in a secure manner.

  • Have a process in place for reviewing and approving the security classifications of email.

  • Have a process in place for monitoring and auditing the handling, storage, and disposal of email containing sensitive or classified information.

How Can Fortra’s Data Classification Suite Help?

Identify technical or other sensitive data

Discover and identify ITAR-controlled technical or PII data in emails, documents and files quickly and easily with user-driven, guided and automatic data identification. Our data classification solutions automatically scan all your content and warn users if ITAR-restricted information is found. 

Optimize your existing security

Military units are most effective when they have good intel on what they’re protecting. The same goes for data loss prevention programs: you can boost the overall effectiveness of your entire security software stack by identifying and tracking all your sensitive data with data classification. 

Audit and archive effectively

Data classification provides audit files that can help identify users breaking ITAR rules in emails and documents, along with providing proof that your organization has taken steps to prevent those violations. An ITAR-retention mailbox makes archiving and e-discovery a breeze. 

Implement with ease

Introducing new software to hundreds if not thousands of staff can be a challenge, but not if it piggybacks on what’s already well known. Fortra’s ITAR solutions are built on Microsoft Office and SharePoint, ensuring seamless employee uptake and minimal training. Whether you’re still planning your ITAR compliance program, or if it’s already in place but needs better tools to be effective, we can help you deliver on business and compliance objectives. 

Fortra has a wide range of cybersecurity solutions that can help organizations achieve EPMS compliance. In particular, DCS can help by automating many of the tasks that are required to comply with the standard.

Fortra's Data Classification Suite (DCS) can help to:

  • Identify sensitive and classified information: DCS can help organizations to identify sensitive and classified information by automatically scanning documents, emails, and other files for keywords and patterns that are associated with sensitive or classified information.

  • Classify sensitive and classified information: DCS can help organizations to classify sensitive and classified information by assigning the appropriate security classification to each piece of information.

  • Protect sensitive and classified information: DCS can help organizations to protect sensitive and classified information by encrypting it using Fortra’s DCS, which provides a secure collaboration capability.

  • Track the handling of sensitive and classified information: DCS can help organizations to track the handling of sensitive and classified information by recording who has labelled the content, who accessed it and when it was accessed, and where it was sent or stored.
  • DCS has created user-friendly classification tools that clearly and accurately classify emails, documents and other files with user-selected, system-suggested or automatically applied settings, based on your data security policies.
  • DCS has released tailored solutions for Australian government agencies and contractors, which can assist agencies looking to comply with the new standard and ease the transition from previous versions of the standard.
  • Not only does the DCS solution meet the new standards, but it is also interoperable with previous versions of the standard, allowing organisations to transition either gradually or immediately.