Forward Email: Your Section 889 Compliant Email Forwarding Solution

Prefazione

At Forward Email, we believe in simple, secure, and private email forwarding for everyone. We know that for many organizations, especially those working with the US government, compliance isn't just a buzzword – it's a necessity. Ensuring adherence to federal regulations for email is crucial. That's why we're proud to confirm our secure email forwarding service is built to meet stringent federal requirements, including Section 889 of the National Defense Authorization Act (NDAA).

Our commitment to government email compliance was recently put into practice when the US Naval Academy approached Forward Email. They required secure email forwarding services and needed documentation confirming our adherence to federal regulations, including Section 889 compliance. This experience serves as a valuable case study, demonstrating our readiness and capability to support government-funded organizations and meet their stringent requirements. This dedication extends to all our users seeking a reliable, privacy-focused email solution.

Understanding Section 889 Compliance

What is Section 889? Simply put, it's a US federal law that prohibits government agencies from using or contracting with entities that use certain telecommunications and video surveillance equipment or services from specific companies (like Huawei, ZTE, Hikvision, Dahua, and Hytera). This rule, often associated with the Huawei ban e ZTE ban, helps protect national security.

[!NOTE] Section 889 specifically targets equipment and services from Huawei, ZTE, Hytera, Hikvision, and Dahua, including their subsidiaries and affiliates.

For an email forwarding service for government contracts like Forward Email, this means ensuring none of our underlying infrastructure providers use this prohibited equipment, making us Section 889 compliant.

How Forward Email Achieves Section 889 Compliance

So, how is Forward Email Section 889 compliant? We achieve this through careful selection of our infrastructure partners. Forward Email relies exclusively on two key providers for its Section 889 compliant infrastructure:

  1. Cloudflare: Our primary partner for network services and Cloudflare email security.
  2. DataPacket: Our primary provider for server infrastructure (we use Digital Ocean and/or Vultr for failover and will soon transition to solely use DataPacket – of course we did confirm Section 889 compliance in writing from both of these failover providers).

[!IMPORTANT] Our exclusive reliance on Cloudflare and DataPacket, neither of which uses Section 889 prohibited equipment, is the cornerstone of our compliance.

Both Cloudflare e DataPacket are committed to high security standards and do not use equipment prohibited under Section 889. Using Cloudflare and DataPacket for Section 889 compliance is fundamental to our service.

Cloudflare's Commitment

Cloudflare explicitly addresses Section 889 compliance in their Third Party Code of Conduct. They state:

"Under Section 889 of the National Defense Authorization Act (NDAA), Cloudflare does not use, or otherwise permit in its supply chain, telecommunications equipment, video surveillance products, or services produced or provided by Huawei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities)."

(Source: Cloudflare Third Party Code of Conduct, retrieved April 29, 2025)

This clear statement confirms that Cloudflare's infrastructure, which Forward Email leverages, meets Section 889 requirements.

DataPacket's Infrastructure

DataPacket, our server provider, utilizes networking equipment exclusively from Arista Networks e Cisco. Neither Arista nor Cisco are among the companies prohibited under Section 889. Both are established vendors widely used in secure enterprise and government environments, known for adhering to stringent security and compliance standards.

By using only Cloudflare e DataPacket, Forward Email ensures its entire service delivery chain is free from Section 889 prohibited equipment, providing secure email forwarding for federal agencies and other security-conscious users.

Beyond Section 889: Broader Government Compliance

Our commitment to government email security and compliance extends beyond Section 889. While Forward Email itself doesn't directly process or store sensitive government data like Controlled Unclassified Information (CUI) in the same way a large SaaS platform might, our open-source email forwarding architecture and reliance on secure, compliant providers align with the principles of other key regulations:

  • FAR (Federal Acquisition Regulation): By using compliant infrastructure and offering a straightforward commercial service, we provide FAR compliant email forwarding principles suitable for government contractors.
  • Privacy Act & FISMA: We are privacy-focused by design, offering Privacy Act email principles. We don't store your emails. Emails are forwarded directly, minimizing data handling. Our infrastructure providers (Cloudflare, DataPacket) manage their systems according to high security standards consistent with FISMA compliant email principles.
  • HIPAA: For organizations needing HIPAA compliant email forwarding, Forward Email can be part of a compliant solution. Since we don't store emails, the primary compliance responsibility lies with the end-point email systems. However, our secure transport layer supports HIPAA requirements when used correctly.

[!WARNING] A Business Associate Agreement (BAA) might be needed with your final email provider, not Forward Email itself, as we do not store your email content (unless you use our encrypted IMAP/POP3 storage layer).

Our Path Forward: Expanding Compliance Horizons

While our Section 889 compliance provides a crucial foundation, especially for federal contractors, we understand that different organizations and government agencies have diverse and evolving regulatory needs. At Forward Email, transparency is key, and we want to share our perspective on the broader compliance landscape and our future direction.

We recognize the importance of frameworks and regulations such as:

Our Current Position and Future Goals:

Forward Email's core design – being privacy-focused, open-source, and minimizing data handling (especially in our basic di inoltro email service) – aligns well with the principles behind many of these regulations. Our existing security practices (encryption, support for modern email standards) and Section 889 compliance provide a strong starting point.

However, achieving formal certification or authorization for frameworks like FedRAMP or CMMC is a significant undertaking. It involves rigorous documentation, implementation of specific technical and procedural controls (often hundreds of them), independent assessments (like 3PAO for FedRAMP - Third-Party Assessment Organization), and continuous monitoring.

[!IMPORTANT] Compliance isn't just about technology; it's about documented processes, policies, and ongoing vigilance. Achieving certifications like FedRAMP or CMMC requires substantial investment and time.

Our Commitment:

As Forward Email grows and as our customers' needs evolve, we are committed to exploring and pursuing relevant compliance certifications. This includes plans for:

  1. SAM Registration: To facilitate direct engagement with US federal agencies.
  2. Formalizing Processes: Enhancing our internal documentation and procedures to align with standards like NIST SP 800-171, which forms the basis for CMMC.
  3. Evaluating FedRAMP Pathways: Assessing the requirements and feasibility of pursuing FedRAMP authorization, likely starting with a Low or Moderate baseline, potentially leveraging the LI-SaaS model where applicable.
  4. Supporting Specific Needs: Addressing requirements like HIPAA (potentially through BAAs and specific configurations for stored data) and FERPA (through appropriate contractual terms and controls) as we engage more with healthcare and educational institutions.

This journey requires careful planning and investment. While we don't have immediate timelines for all certifications, strengthening our compliance posture to meet the needs of government and regulated industries is a key part of our roadmap.

[!NOTE] We believe our open-source nature provides unique transparency throughout this process, allowing our community and customers to see our commitment firsthand.

We will continue to update our community as we reach significant milestones on our compliance journey.

Why This Matters for You

Choosing a Section 889 compliant email forwarding service like Forward Email means:

  • Peace of Mind: Especially for government agencies, contractors, and security-conscious organizations.
  • Reduced Risk: Avoids potential conflicts with federal regulations for email.
  • Trust: Demonstrates a commitment to security and supply chain integrity.

Forward Email provides a simple, reliable, and compliant way to manage your custom domain di inoltro email needs.

Secure, Compliant Email Forwarding Starts Here

Forward Email is dedicated to providing a secure, private, and open-source email forwarding service. Our compliance with Section 889, achieved through our partnership with Cloudflare e DataPacket (reflecting our Forward Email compliance for US Naval Academy work), is a testament to this commitment. Whether you're a government entity, a contractor, or simply value government email security, Forward Email is built for you.

Ready for secure, compliant email forwarding? Sign up free today!

References