CMMC SI.3.220 - Implement Email Sandboxing

Requirement text: SI.3.220: Utilize sandboxing to detect or block potentially malicious email.

DISCUSSION FROM SOURCE: CIS CONTROLS V7.1
Minimize the attack surface and the opportunities for attackers to manipulate human
behavior through their interaction with web browsers and email systems.
Web browsers and email clients are very common points of entry and attack because of their
technical complexity, flexibility, and their direct interaction with users and with other
systems and websites. Content can be crafted to entice or spoof users into taking actions
that greatly increase risk and allow introduction of malicious code, loss of valuable data, and
other attacks. Since these applications are the main means by which users interact with untrusted
environments, they are potential targets for both code exploitation and social engineering.
This practice is based on the following CIS control:

7.10 Use sandboxing to analyze and block inbound email attachments with malicious
behavior.

CMMC CLARIFICATION
You create an email sandbox by implementing an isolated environment to execute an
attached file or linked URL. Before allowing attachments or links to be opened on the
production network, they are executed within the sandbox and their behavior is observed.
By opening these files or links in a protected environment, the system detects malicious
activity before it is introduced into the network.

Example
You are in charge of IT operations for your organization. Part of your role is to verify all
attachments and URL links in company emails. To do this, you set up an isolated
environment, or email sandbox, to execute or open all email attachments before allowing
them on your network. You use the email sandbox to observe what happens when the
attachment or link opens. By testing these files in a sandbox, you are able to prevent the
entry of malicious content through email attachments or URL links. You only allow emails
with attachments or URL links through once they have been tested and determined to be
safe.

References
• CIS Controls v7.1 7.10
• NIST SP 800-53 Rev 4 SC-44