Case Study: Gov/Federal Section 889 Email Compliance
At Forward Email, we believe in simple, secure, and private email forwarding for everyone. We know that for many organizations, especially those working with the US government, compliance isn't just a buzzword – it's a necessity. Ensuring adherence to federal regulations for email is crucial. That's why we're proud to confirm our secure email forwarding service is built to meet stringent federal requirements, including Section 889 of the National Defense Authorization Act (NDAA).
Our commitment to government email compliance was recently put into practice when the US Naval Academy approached Forward Email. They required secure email forwarding services and needed documentation confirming our adherence to federal regulations, including Section 889 compliance. This experience serves as a valuable case study, demonstrating our readiness and capability to support government-funded organizations and meet their stringent requirements. This dedication extends to all our users seeking a reliable, privacy-focused email solution.
Understanding Section 889 Compliance
What is Section 889? Simply put, it's a US federal law that prohibits government agencies from using or contracting with entities that use certain telecommunications and video surveillance equipment or services from specific companies (like Huawei, ZTE, Hikvision, Dahua, and Hytera). This rule, often associated with the Huawei ban and ZTE ban, helps protect national security.
Note
Section 889 specifically targets equipment and services from Huawei, ZTE, Hytera, Hikvision, and Dahua, including their subsidiaries and affiliates.
For an email forwarding service for government contracts like Forward Email, this means ensuring none of our underlying infrastructure providers use this prohibited equipment, making us Section 889 compliant.
How Forward Email Achieves Section 889 Compliance
So, how is Forward Email Section 889 compliant? We achieve this through careful selection of our infrastructure partners. Forward Email relies exclusively on two key providers for its Section 889 compliant infrastructure:
- Cloudflare: Our primary partner for network services and Cloudflare email security.
- DataPacket: Our primary provider for server infrastructure (we currently use DigitalOcean and/or Vultr for failover and will soon transition to using DataPacket exclusively; we have confirmed Section 889 compliance in writing from both of these failover providers).
Important
Our exclusive reliance on Cloudflare and DataPacket, neither of which uses Section 889 prohibited equipment, is the cornerstone of our compliance.
Both Cloudflare and DataPacket are committed to high security standards and do not use equipment prohibited under Section 889. Using Cloudflare and DataPacket for Section 889 compliance is fundamental to our service.
Cloudflare's Commitment
Cloudflare explicitly addresses Section 889 compliance in their Third Party Code of Conduct. They state:
"Under Section 889 of the National Defense Authorization Act (NDAA), Cloudflare does not use, or otherwise permit in its supply chain, telecommunications equipment, video surveillance products, or services produced or provided by Huawei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities)."
(Source: Cloudflare Third Party Code of Conduct, retrieved April 29, 2025)
This clear statement confirms that Cloudflare's infrastructure, which Forward Email leverages, meets Section 889 requirements.
DataPacket's Infrastructure
DataPacket, our server provider, utilizes networking equipment exclusively from Arista Networks and Cisco. Neither Arista nor Cisco is among the companies prohibited under Section 889. Both are established vendors widely used in secure enterprise and government environments and known for adhering to stringent security and compliance standards.
By using only Cloudflare and DataPacket, Forward Email ensures its entire service delivery chain is free from Section 889 prohibited equipment, providing secure email forwarding for federal agencies and other security-conscious users.
Beyond Section 889: Broader Government Compliance
Our commitment to government email security and compliance extends beyond Section 889. While Forward Email itself doesn't directly process or store sensitive government data like Controlled Unclassified Information (CUI) in the same way a large SaaS platform might, our open-source email forwarding architecture and reliance on secure, compliant providers align with the principles of other key regulations:
- FAR (Federal Acquisition Regulation): By using compliant infrastructure and offering a straightforward commercial service, we provide FAR compliant email forwarding principles suitable for government contractors.
- Privacy Act & FISMA: We are privacy-focused by design, offering Privacy Act email principles. We don't store your emails. Emails are forwarded directly, minimizing data handling. Our infrastructure providers (Cloudflare, DataPacket) manage their systems according to high security standards consistent with FISMA compliant email principles.
- HIPAA: For organizations needing HIPAA compliant email forwarding, Forward Email can be part of a compliant solution. Since we don't store emails, the primary compliance responsibility lies with the end-point email systems. However, our secure transport layer supports HIPAA requirements when used correctly.
Warning
A Business Associate Agreement (BAA) might be needed with your final email provider, not Forward Email itself, as we do not store your email content (unless you use our encrypted IMAP/POP3 storage layer).
Our Path Forward: Expanding Compliance Horizons
While our Section 889 compliance provides a crucial foundation, especially for federal contractors, we understand that different organizations and government agencies have diverse and evolving regulatory needs. At Forward Email, transparency is key, and we want to share our perspective on the broader compliance landscape and our future direction.
We recognize the importance of frameworks and regulations such as:
- System for Award Management (SAM): Essential for direct federal contracting.
- FAR (Federal Acquisition Regulation): Including standard clauses like FAR 52.212-4 for commercial services.
- DFARS (Defense Federal Acquisition Regulation Supplement): Particularly DFARS 252.239-7010 for DoD cloud services.
- CMMC (Cybersecurity Maturity Model Certification): Required for DoD contractors handling Federal Contract Information (FCI) or CUI.
- NIST SP 800-171 (National Institute of Standards and Technology): The basis for CMMC Level 2, focused on protecting CUI.
- FedRAMP (Federal Risk and Authorization Management Program): The standard for cloud services used by federal agencies.
- FISMA (Federal Information Security Modernization Act): The overarching framework for federal information security.
- HIPAA (Health Insurance Portability and Accountability Act): For handling Protected Health Information (PHI).
- FERPA (Family Educational Rights and Privacy Act): For protecting student education records.
- COPPA (Children's Online Privacy Protection Act): For services dealing with children under 13.
Our Current Position and Future Goals:
Forward Email's core design – being privacy-focused, open-source, and minimizing data handling (especially in our basic email forwarding service) – aligns well with the principles behind many of these regulations. Our existing security practices (encryption, support for modern email standards) and Section 889 compliance provide a strong starting point.
However, achieving formal certification or authorization for frameworks like FedRAMP or CMMC is a significant undertaking. It involves rigorous documentation, implementation of specific technical and procedural controls (often hundreds of them), independent assessments (for FedRAMP, by a Third-Party Assessment Organization, or 3PAO), and continuous monitoring.
Important
Compliance isn't just about technology; it's about documented processes, policies, and ongoing vigilance. Achieving certifications like FedRAMP or CMMC requires substantial investment and time.
Our Commitment:
As Forward Email grows and as our customers' needs evolve, we are committed to exploring and pursuing relevant compliance certifications. This includes plans for:
- SAM Registration: To facilitate direct engagement with US federal agencies.
- Formalizing Processes: Enhancing our internal documentation and procedures to align with standards like NIST SP 800-171, which forms the basis for CMMC.
- Evaluating FedRAMP Pathways: Assessing the requirements and feasibility of pursuing FedRAMP authorization, likely starting with a Low or Moderate baseline, potentially leveraging the LI-SaaS model where applicable.
- Supporting Specific Needs: Addressing requirements like HIPAA (potentially through BAAs and specific configurations for stored data) and FERPA (through appropriate contractual terms and controls) as we engage more with healthcare and educational institutions.
This journey requires careful planning and investment. While we don't have immediate timelines for all certifications, strengthening our compliance posture to meet the needs of government and regulated industries is a key part of our roadmap.
Note
We believe our open-source nature provides unique transparency throughout this process, allowing our community and customers to see our commitment firsthand.
We will continue to update our community as we reach significant milestones on our compliance journey.
Why This Matters for You
Choosing a Section 889 compliant email forwarding service like Forward Email means:
- Peace of Mind: Especially for government agencies, contractors, and security-conscious organizations.
- Reduced Risk: Avoids potential conflicts with federal regulations for email.
- Trust: Demonstrates a commitment to security and supply chain integrity.
Forward Email provides a simple, reliable, and compliant way to manage your custom domain email forwarding needs.
Secure, Compliant Email Forwarding Starts Here
Forward Email is dedicated to providing a secure, private, and open-source email forwarding service. Our compliance with Section 889, achieved through our partnership with Cloudflare and DataPacket (reflecting our Forward Email compliance for US Naval Academy work), is a testament to this commitment. Whether you're a government entity, a contractor, or simply value government email security, Forward Email is built for you.
Ready for secure, compliant email forwarding? Sign up free today!
References
- Section 889 (NDAA): https://www.acquisition.gov/Section-889-Policies
- Cloudflare: https://www.cloudflare.com/
- Cloudflare Third Party Code of Conduct: https://cf-assets.www.cloudflare.com/slt3lc6tev37/284hiWkCYNc49GQpAeBvGN/e137cdac96d1c4cd403c6b525831d284/Third_Party_Code_of_Conduct.pdf
- DataPacket: https://datapacket.com/
- System for Award Management (SAM): https://sam.gov/
- Federal Acquisition Regulation (FAR): https://www.acquisition.gov/browse/index/far
- FAR 52.212-4: https://www.acquisition.gov/far/52.212-4
- Defense Federal Acquisition Regulation Supplement (DFARS): https://www.acquisition.gov/dfars
- DFARS 252.239-7010: https://www.acquisition.gov/dfars/252.239-7010-cloud-computing-services
- Cybersecurity Maturity Model Certification (CMMC): https://dodcio.defense.gov/cmmc/About/
- NIST SP 800-171: https://csrc.nist.gov/pubs/sp/800/171/r3/final
- Federal Risk and Authorization Management Program (FedRAMP): https://www.fedramp.gov/
- Federal Information Security Modernization Act (FISMA): https://www.cisa.gov/topics/cybersecurity-best-practices/fisma
- Health Insurance Portability and Accountability Act (HIPAA): https://www.hhs.gov/hipaa/index.html
- Family Educational Rights and Privacy Act (FERPA): https://studentprivacy.ed.gov/ferpa
- Children's Online Privacy Protection Act (COPPA): https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa