Level 5 CMMC - CMMC Practices

SI.3.220  

Reference: CMMC 1.02

Family: SI

Level Introduced: 3

Practice:
Utilize sandboxing to detect or block potentially malicious email.

CMMC Clarification:
You create an email sandbox by implementing an isolated environment to execute an attached file or linked URL. Before allowing attachments or links to be opened on the production network, they are executed within the sandbox and their behavior is observed. By opening these files or links in a protected environment, the system detects malicious activity before it is introduced into the network.

Example:
You are in charge of IT operations for your organization. Part of your role is to verify all attachments and URL links in company emails. To do this, you set up an isolated environment, or email sandbox, to execute or open all email attachments before allowing them on your network. You use the email sandbox to observe what happens when the attachment or link opens. By testing these files in a sandbox, you are able to prevent the entry of malicious content through email attachments or URL links. You only allow emails with attachments or URL links through once they have been tested and determined to be safe.
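The clarification and example above (and the SC-44 guidance on detonation chambers that follows) describe a control point rather than a product: every attachment and link is pulled out of a message, each object is detonated in isolation, and the message is released only when every object comes back clean. The script below is an added example, not CMMC or NIST text, showing that gating logic for a mail gateway in Python. The sandbox itself is external and is represented by a pluggable callable; the sample message, the SHA-256 verdict table and the function names (extract_objects, gate_message, demo_sandbox) are constructed for this illustration.

```python
"""Mail-gateway gating for an email detonation sandbox (added example).

Parse a raw message, extract attachments and URLs, ask a sandbox for a
verdict on each, and release the message only when all verdicts are clean.
"""
import email
import hashlib
import re
from email import policy
from typing import Callable, Dict, List, Tuple

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Verdicts a sandbox can return. PENDING means detonation has not finished,
# so the message stays quarantined rather than being released.
CLEAN, MALICIOUS, PENDING = "clean", "malicious", "pending"


def extract_objects(raw: bytes) -> Tuple[List[Dict], List[str]]:
    """Return (attachments, urls) found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments, urls = [], set()
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename or part.get_content_disposition() == "attachment":
            payload = part.get_payload(decode=True) or b""
            attachments.append({
                "name": filename or "(unnamed)",
                "sha256": hashlib.sha256(payload).hexdigest(),
                "size": len(payload),
            })
        elif part.get_content_maintype() == "text":
            # Links in text/plain and text/html bodies are URL-detonation
            # candidates; trailing punctuation from prose is stripped.
            for m in URL_RE.findall(part.get_content()):
                urls.add(m.rstrip(".,;:)>"))
    return attachments, sorted(urls)


def gate_message(raw: bytes, sandbox: Callable[[str], str]) -> Dict:
    """Decide release/hold/block for one message.

    sandbox(key) returns CLEAN, MALICIOUS or PENDING for an attachment hash
    or a URL. Any MALICIOUS verdict blocks, any PENDING verdict holds, and
    only an all-clean (or object-free) message is released.
    """
    attachments, urls = extract_objects(raw)
    verdicts = {}
    for a in attachments:
        verdicts["sha256:" + a["sha256"]] = sandbox(a["sha256"])
    for u in urls:
        verdicts["url:" + u] = sandbox(u)
    if any(v == MALICIOUS for v in verdicts.values()):
        action = "block"
    elif any(v == PENDING for v in verdicts.values()):
        action = "hold"
    else:
        action = "release"
    return {"action": action, "verdicts": verdicts,
            "attachments": attachments, "urls": urls}


# Constructed sample message: one HTML body with a link, one attachment
# whose base64 payload decodes to b"hello".
SAMPLE_EML = b"""From: sender@example.com
To: user@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<p>See <a href="http://example.com/login">the portal</a>.</p>
--b1
Content-Type: application/octet-stream; name="invoice.bin"
Content-Disposition: attachment; filename="invoice.bin"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

# Constructed verdict table standing in for a real sandbox API (assumption).
DEMO_VERDICTS = {
    "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824": CLEAN,
    "http://example.com/login": PENDING,
}


def demo_sandbox(key: str) -> str:
    # Unknown objects are treated as pending: fail closed, never release
    # something that was not actually detonated.
    return DEMO_VERDICTS.get(key, PENDING)


def demo() -> str:
    """Gate the sample: attachment clean, URL still detonating -> hold."""
    return gate_message(SAMPLE_EML, demo_sandbox)["action"]


if __name__ == "__main__":
    print(gate_message(SAMPLE_EML, demo_sandbox))
```

The fail-closed default in demo_sandbox is the point a practitioner should keep: an object the sandbox has not finished with (or never saw) must hold the message, not release it, otherwise a timeout in the detonation pipeline silently becomes an allow.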

SC-44

DETONATION CHAMBERS

Description:
The organization employs a detonation chamber capability within [Assignment: organization-defined information system, system component, or location].

Supplemental Guidance:
Detonation chambers, also known as dynamic execution environments, allow organizations to open email attachments, execute untrusted or suspicious applications, and execute Universal Resource Locator (URL) requests in the safety of an isolated environment or virtualized sandbox. These protected and isolated execution environments provide a means of determining whether the associated attachments/applications contain malicious code. While related to the concept of deception nets, the control is not intended to maintain a long-term environment in which adversaries can operate and their actions can be observed. Rather, it is intended to quickly identify malicious code and reduce the likelihood that the code is propagated to user environments of operation (or prevent such propagation completely). Related controls: SC-7, SC-25, SC-26, SC-30.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02