Requirement text: SI.3.219: Implement email forgery protections.
DISCUSSION FROM SOURCE: CMMC
Protecting your environment from harmful emails is one of the best ways to reduce the risk
of viruses and malware from entering your network. Email attacks are one of the primary
attack vectors in use by threat actors today because of their simplicity and effectiveness for
circumventing an organization’s perimeter defenses. Implementing advanced email
protections can help mitigate these email-based threats from penetrating an organization’s
defenses and landing in the inbox of organizational end users.
CMMC CLARIFICATION
Implement email protections in addition to basic spam protections. Some potential
advanced email protections include Sender Policy Framework (SPF) ,Domain Keys Identified
Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance
(DMARC). SPF uses DNS to show which servers are allowed to send email for a given domain.
DKIM uses asymmetric cryptography to verify the authenticity of an email message and
provide assurance of the legitimacy of the email to the recipient. DMARC allows
organizations to deploy a combination of DKIM and SPF to further enhance their electronic
mail infrastructure by adding linkage to the author (“From:”) domain name, published
policies for recipient handling of authentication failures, and reporting from receivers to
senders, to improve and monitor protection of the domain from fraudulent email.
Example
As the email administrator for your organization, you want to add additional protections to
ensure you are blocking as many unwanted and harmful emails as possible. You configure a
DMARC policy that enables both SPF and DKIM on your domain. You configure an SPF text
entry in your DNS configuration so that you explicitly authorize the servers that can send
email as well as ensuring relevant outbound emails are signed using DKIM.
References
• CMMC
• CIS Controls v7.1 7.8
• NIST CSF v1.1 PR.DS-2
• CERT RMM v1.2 KIM:SG4.SP1
• NIST SP 800-53 Rev 4 SC-8