This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and
b. Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.
NIST 800-53 (r4) Supplemental Guidance:
Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, mobile devices, and notebook/laptop computers. Spam can be transported by different means including, for example, electronic mail, electronic mail attachments, and web accesses. Spam protection mechanisms include, for example, signature definitions. Related controls: AT-2, AT-3, SC-5, SC-7, SI-3.
References: NIST Special Publication 800-45.
NIST 800-53 (r5) Discussion:
System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions.
38North Guidance:
Meets Minimum Requirement:
The CSP must employ spam protection mechanisms if it plans to deploy an email server within its system boundary.
Configure the email settings so that DMARC is implemented and SPF is enabled. Configure the DKIM key length to the length the CSP requires.
If the system will accept inbound email, the CSP should:
a. Employ spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and
b. Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.
This control is not applicable if the system does not accept any inbound email and there are no email servers or components within the scope of the system that are able to carry a spam payload.
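The DMARC, SPF and DKIM settings called out in the guidance above are published as DNS TXT records, so an assessor can verify them from the records alone. The following checker is an added example written for this page; it is not 38North's or NIST's code. It uses only the Python standard library, the domain `example.test`, the selector `sel1` and the 2048-bit DKIM minimum are assumptions (the page does not state the CSP's required length), and every record string is constructed sample data rather than real DNS output; the DKIM moduli are synthetic numbers of the right size, not real keys.

```python
"""Check SI-8 email-authentication settings: SPF enabled with a restrictive
'all' term, DMARC with an enforcing policy, DKIM key of the required length.
Added example with constructed records; not from the original page."""
import base64

# --- minimal DER helpers (stdlib only) ----------------------------------

def _der_len(n: int) -> bytes:
    """Encode a DER length field (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:          # keep the INTEGER positive
        body = b"\x00" + body
    return _der_tlv(0x02, body)

def _der_read(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption

def make_spki(modulus: int, exponent: int = 65537) -> bytes:
    """Build an RSA SubjectPublicKeyInfo; used here only to construct sample data."""
    rsa_pub = _der_tlv(0x30, _der_int(modulus) + _der_int(exponent))
    alg = _der_tlv(0x30, RSA_OID + b"\x05\x00")
    return _der_tlv(0x30, alg + _der_tlv(0x03, b"\x00" + rsa_pub))

def rsa_modulus_bits(spki: bytes) -> int:
    """Walk SPKI -> BIT STRING -> RSAPublicKey and return the modulus size in bits."""
    _, body, _ = _der_read(spki, 0)
    _, _, pos = _der_read(body, 0)             # skip AlgorithmIdentifier
    tag, bitstr, _ = _der_read(body, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING in SubjectPublicKeyInfo")
    _, rsa_pub, _ = _der_read(bitstr[1:], 0)   # drop the unused-bits octet
    _, n_bytes, _ = _der_read(rsa_pub, 0)      # first INTEGER is the modulus
    return int.from_bytes(n_bytes, "big").bit_length()

# --- record checks -------------------------------------------------------

def parse_tags(record: str) -> dict:
    """Parse the 'k=v; k=v' tag list used by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def check_spf(record: str) -> list:
    if not record.startswith("v=spf1"):
        return ["SPF: record missing or wrong version"]
    findings, terms = [], record.split()[1:]
    if not terms or terms[-1] not in ("-all", "~all"):
        findings.append("SPF: does not end with -all/~all, unlisted senders are not rejected")
    if any(t in ("+all", "all") for t in terms):
        findings.append("SPF: +all lets any host send as this domain")
    return findings

def check_dmarc(record: str) -> list:
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record missing or wrong version"]
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append("DMARC: policy p=%s does not act on failures" % tags.get("p"))
    if "rua" not in tags:
        findings.append("DMARC: no rua= aggregate-report address")
    return findings

def check_dkim(record: str, required_bits: int) -> list:
    tags = parse_tags(record)
    if "p" not in tags:
        return ["DKIM: key record has no p= public key"]
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return [] if bits >= required_bits else ["DKIM: key is %d bits, required %d" % (bits, required_bits)]

# Constructed sample zones (not real DNS data); synthetic moduli, not real keys.
GOOD_KEY = base64.b64encode(make_spki((1 << 2047) | 1)).decode()
WEAK_KEY = base64.b64encode(make_spki((1 << 1023) | 1)).decode()
SAMPLE_ZONE = {
    "example.test": "v=spf1 include:_spf.mail.example.test -all",
    "_dmarc.example.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test",
    "sel1._domainkey.example.test": "v=DKIM1; k=rsa; p=" + GOOD_KEY,
}
WEAK_ZONE = {
    "example.test": "v=spf1 include:_spf.mail.example.test ?all",
    "_dmarc.example.test": "v=DMARC1; p=none",
    "sel1._domainkey.example.test": "v=DKIM1; k=rsa; p=" + WEAK_KEY,
}

def assess(zone: dict, domain: str, selector: str, dkim_bits: int = 2048) -> list:
    """Run all three checks against TXT records held in a {name: txt} map."""
    return (check_spf(zone.get(domain, ""))
            + check_dmarc(zone.get("_dmarc." + domain, ""))
            + check_dkim(zone.get(f"{selector}._domainkey.{domain}", ""), dkim_bits))

if __name__ == "__main__":
    for label, zone in (("compliant", SAMPLE_ZONE), ("weak", WEAK_ZONE)):
        print(label, assess(zone, "example.test", "sel1") or ["no findings"])
```

To run this against a live environment, replace the `zone` map with the TXT records returned by the resolver for the domain under assessment; the DER walker reads the modulus directly, so the key-length check does not depend on a third-party cryptography package being present on the assessment host.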
Best Practice: None
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Mechanisms supporting and/or implementing spam protection.
Evidence that spam protection mechanisms are being updated and applied as needed, automated mechanisms supporting and/or implementing automatic updates to spam protection mechanisms.
If marked N/A, 3PAO will inspect the information system, firewall rulesets, etc. to confirm the cloud service offering does not allow inbound emails.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD