Level 5 CMMC - CMMC Practices


Reference: CMMC 1.02

Family: SI

Level Introduced: 3

Implement email forgery protections.

CMMC Clarification:
Implement email protections in addition to basic spam protections. Some potential advanced email protections include Sender Policy Framework (SPF) ,Domain Keys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC). SPF uses DNS to show which servers are allowed to send email for a given domain. DKIM uses asymmetric cryptography to verify the authenticity of an email message and provide assurance of the legitimacy of the email to the recipient. DMARC allows organizations to deploy a combination of DKIM and SPF to further enhance their electronic mail infrastructure by adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.

As the email administrator for your organization, you want to add additional protections to ensure you are blocking as many unwanted and harmful emails as possible. You configure a DMARC policy that enables both SPF and DKIM on your domain. You configure an SPF text entry in your DNS configuration so that you explicitly authorize the servers that can send email as well as ensuring relevant outbound emails are signed using DKIM.

Protecting your environment from harmful emails is one of the best ways to reduce the risk of viruses and malware from entering your network. Email attacks are one of the primary attack vectors in use by threat actors today because of their simplicity and effectiveness for circumventing an organization’s perimeter defenses. Implementing advanced email protections can help mitigate these email-based threats from penetrating an organization’s defenses and landing in the inbox of organizational end users.

Source: CMMC v1.02



The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.

Supplemental Guidance:
This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing protected distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02