SI-8 Spam Protection
Control
a.
Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and
b.
Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.
Guidance:
When CSO sends email on behalf of the government as part of the business offering, Control Description should include implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC) on the sending domain for outgoing messages as described in DHS Binding Operational Directive (BOD) 18-01.
Guidance:
CSPs should confirm DMARC configuration (where appropriate) to ensure that policy=reject and the rua parameter includes reports@dmarc.cyber.dhs.gov. DMARC compliance should be documented in the SI-08 control implementation solution description, and list the FROM: domain(s) that will be seen by email recipients.
Discussion
System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions.
FedRAMP-Defined Assignment / Selection Parameters
N/A