As of June 2023, HHS is deprecating its Cisco IronPorts for relaying email to external users. All systems that use the HHS SMTP server to communicate with external users must obtain an email service provider and share its DKIM and SPF records with the HHS DNS team, so that the system can send email from `.acf.hhs.gov` domains.
Their team shared the following list of providers that are currently in use within ACF:

We are exploring 2 service providers along the following dimensions:
* technical complexity (aiming for feasible, lowest lift, sustainable solution)
* meets compliance standards for FISMA moderate systems
* compatibility with cloud.gov ([reference](https://cloud.gov/knowledge-base/2021-09-21-sending-emails-from-clouddotgov/#connecting-to-a-cloud-service-provider-offering))
* costs
* Other
---

| Requirement | SendGrid | Amazon SES |
| -------------- | --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- |
| Compliance | FedRAMP (unclear), SOC2 (confirmed) - FISMA unclear | [FedRAMP Moderate East/West](https://aws.amazon.com/compliance/services-in-scope/FedRAMP/), FISMA Moderate compliant |
| Cost Structure | ~$90/mo | [~$65/mo based on expected user count](https://calculator.aws/#/addService/SES) |

Also:
- from cloud.gov support on 6/20/23:
> Hello Alexandra,
>
> Thank you for your question. We do not currently offer any email sending tools/an SMTP service, so there is not an obvious cloud.gov solution. We also do not block or filter outbound traffic, so if there is an SMTP server/service (e.g. an agency's SMTP server, or a third-party service) you have access to, you could certainly send email from your application through your relay. You can give your application access to an SMTP/service using a User Provided Service: https://docs.cloudfoundry.org/devguide/services/user-provided.html however this would also mean that you would be responsible for the compliance logistics involved with using your own user provided service. You can also extend the marketplace and run your own broker to make a service available through the cloud.gov marketplace (however you would also be responsible for the compliance logistics involved with this service). We are looking into providing an SMTP service in the future, but it is not currently being actively worked on. Please let us know if you have any other issues/questions.

- from cloud.gov support on 6/21/23:
> Hey Alexandra,
>
> I did want to add that while Arsalan is correct that cloud.gov doesn't offer any official services for SMTP/brokered email, some customers of cloud.gov are maintaining open-source broker code to offer this functionality and using it on the platform: https://github.com/GSA-TTS/datagov-brokerpak-smtp. So you could deploy this broker yourselves as Arsalan mentioned to get the functionality you want. We as the cloud.gov team could not provide any official support if you choose to go this route, but I wanted to mention it as an option.
>
> Thanks,
> Mark

- from Michael Ogunnubi (OS/OCIO/Ops) 6/28/23:
> In quick summary we will need you to:
> 1. Establish a relationship with a third-party email service provider
> 2. Generate a DKIM + SPF record from the email service provider for your verified domain identity: @acf.hhs.gov
> 3. Submit DKIM + SPF record to DNS team
> 4. Point your application to the email service provider’s SMTP server(s)
> 5. Test sending email from your @acf.hhs.gov mail from address(es)
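
Before the records from steps 2 and 3 go to the DNS team, they can be checked offline for the mistakes that most often break delivery: a second SPF record on the domain, too many SPF lookups, an empty or malformed DKIM key, and a DKIM value that must be split into 255-character TXT strings. This is an added example, not part of the original notes or of any provider's tooling. The include host `spf.mailprovider.example` and the sample records are constructed placeholders, and the 294-byte threshold is a size heuristic for a 2048-bit RSA key rather than a full key parse.

```python
import base64
import re
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup

def check_spf(txt_records, required_include):
    """Check all TXT records planned for one domain; return a list of problems."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # a second SPF record makes receivers return permerror
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = spf[0].lower().split()[1:]
    names = [re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0] for t in terms]
    lookups = sum(n in LOOKUP_TERMS for n in names)
    problems = []
    if lookups > 10:  # RFC 7208 limit on DNS-querying terms
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    if f"include:{required_include.lower()}" not in [t.lstrip("+") for t in terms]:
        problems.append(f"missing include:{required_include}")
    if not terms or terms[-1] not in ("-all", "~all"):  # policy choice for this check
        problems.append("record does not end in -all or ~all")
    return problems

def check_dkim(record):
    """Check one DKIM TXT record value; return a list of problems."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = "".join(value.split())
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= tag must be DKIM1")
    if not tags.get("p"):
        return problems + ["p= is empty or missing (an empty p= marks a revoked key)"]
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return problems + ["p= is not valid base64"]
    if tags.get("k", "rsa") == "rsa" and len(der) < 294:  # heuristic, see lead-in
        problems.append("RSA key looks shorter than 2048 bits")
    return problems

def txt_chunks(record, limit=255):
    """Split a record into the <=255-character strings one TXT record may hold."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]

# Constructed placeholders: hypothetical provider host, zero bytes instead of a real key.
PROVIDER_INCLUDE = "spf.mailprovider.example"
SAMPLE_SPF = f"v=spf1 include:{PROVIDER_INCLUDE} -all"
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(294)).decode()
```
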
----
**Questions** (Open Qs out to Tijan + ACF tech team)
*Comments returned 7.11* in **bold**
- What will need to happen in terms of compliance /ACF tech review for the solution we choose?
- Is FITARA review required? CFTs?
**Depends on what you choose. If you add a paid-for service, then it might need to go to FITARA review. I don’t think we need a CFT since this is just a small config change.**
- Are there efficiencies if an ACF program already uses the service?
**Sure, since people will already know that it works and how to configure it (whichever service that is). Another program office is already looking into SendGrid.**
- Will we need to update our ATO documents? (I assume yes)
**Yes. ATO Docs should be reviewed ongoing with your ISSO and updates should always be added.**
- If other ACF program offices are in a similar position, would you consider requesting a blanket extension for ACF? Do you know of a “drop dead” date for this change?
**No blanket exceptions. Case by Case basis. – Per Amy**
- What are the options/implications for where we would host the email service, since it can’t be in cloud.gov? (e.g. ACF AWS or a new TDP AWS)
- Can OFA create its own AWS service account or is it necessary to have ACF Tech establish this relationship on behalf of ACF program offices?
**I would suggest using an approved service that has security compliance instead. If you started your own AWS account, you would have to hire people to manage it.**
- Can TDP’s vendor have access to the AWS service account that would need to be established? If so what are the parameters for their access?
**We would not take this route. (OPS managed)**
### Next Steps:
- [ ] Extension request, 31 Aug (Feasible) - Jan OOO past 23 Aug
- [ ] SendGrid POC - Jan, Lauren registering for a SendGrid account
- [ ] Amazon SES POC - connect w/ Ad Hoc team