Control statement
a. Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and
b. Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.
Guidance: When CSO sends email on behalf of the government as part of the business offering, Control Description should include implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC) on the sending domain for outgoing messages as described in DHS Binding Operational Directive (BOD) 18-01.
https://cyber.dhs.gov/bod/18-01/
Guidance: CSPs should confirm DMARC configuration (where appropriate) to ensure that policy=reject and the rua parameter includes reports@dmarc.cyber.dhs.gov. DMARC compliance should be documented in the SI-08 control implementation solution description, and list the FROM: domain(s) that will be seen by email recipients. Parameter placeholders {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. Full parameter map is
preserved in the catalog database.
Covered by these Key Security Indicators
| KSI | Title | Category |
|---|---|---|
| KSI-CNA-01 | Restrict Network Traffic _Persistently_ ensure all _machine-based_ _information resources_ are configured to limit inbound and outbound network traffic. | Cloud Native Architecture |
| KSI-CNA-05 | Unwanted Activity _Persistently_ review the effectiveness of protection against denial of service attacks and other unwanted activity. | Cloud Native Architecture |