SI-8 Spam Protection

Moderate
High

>Control Description

a. Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and

b. Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

>FedRAMP Baseline Requirements

Additional Requirements and Guidance

SI-8 Guidance: When CSO sends email on behalf of the government as part of the business offering, Control Description should include implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC) on the sending domain for outgoing messages as described in DHS Binding Operational Directive (BOD) 18-01. https://cyber.dhs.gov/bod/18-01/

SI-8 Guidance: CSPs should confirm DMARC configuration (where appropriate) to ensure that policy=reject and the rua parameter includes reports@dmarc.cyber.dhs.gov. DMARC compliance should be documented in the SI-08 control implementation solution description, and list the FROM: domain(s) that will be seen by email recipients.
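One way to confirm the two DMARC conditions in the guidance above on a record already retrieved from DNS. This is an added example, not part of the FedRAMP text or this site's tooling; the function names and the sample records (on the placeholder domain example.gov) are constructed, and the pct and sp checks go beyond the guidance, following RFC 7489.

```python
# Added example: checks a DMARC TXT record against the SI-8 guidance points.
REQUIRED_RUA = "reports@dmarc.cyber.dhs.gov"  # mailbox named in the guidance

def parse_dmarc(txt):
    """Split a DMARC TXT record into a lower-cased tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def rua_mailboxes(tags):
    """Return mailto: report addresses, dropping optional '!10m' size limits."""
    boxes = []
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            boxes.append(uri[7:].split("!", 1)[0].lower())
    return boxes

def check_dmarc(txt):
    """Return a list of findings; an empty list means the record passes."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (v=DMARC1 missing)"]
    findings = []
    if tags.get("p", "").lower() != "reject":
        findings.append("p=%s, expected p=reject" % (tags.get("p") or "<missing>"))
    if REQUIRED_RUA not in rua_mailboxes(tags):
        findings.append("rua does not include mailto:" + REQUIRED_RUA)
    # Beyond the page's text (RFC 7489): pct < 100 or a weaker sp dilutes p=reject.
    if tags.get("pct", "100") != "100":
        findings.append("pct=%s applies the policy to only part of the mail" % tags["pct"])
    if tags.get("sp", "reject").lower() != "reject":
        findings.append("sp=%s leaves subdomains below reject" % tags["sp"])
    return findings

# Constructed sample records (example.gov is a placeholder domain).
SAMPLES = {
    "compliant": "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov,mailto:reports@dmarc.cyber.dhs.gov!10m",
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.gov",
    "diluted": "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:reports@dmarc.cyber.dhs.gov",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, check_dmarc(record) or "OK")
```

The record to check is the TXT value published at _dmarc.<FROM domain> for each FROM: domain listed in the control implementation description.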

>Discussion

System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions.

>Programmatic Queries

Beta

Related Services

Amazon SES
WorkMail
Route 53

CLI Commands

Check SES email receiving rules:
  aws ses describe-active-receipt-rule-set

List SES configuration sets:
  aws sesv2 list-configuration-sets

Check WorkMail organization:
  aws workmail list-organizations

List email filtering rules:
  aws ses list-receipt-filters

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies and procedures govern spam protection?
  • Who is responsible for monitoring system and information integrity?
  • How frequently are integrity monitoring processes reviewed and updated?
  • What is your patch management process and timeline?

Technical Implementation:

  • What technical controls detect and respond to spam protection issues?
  • How are integrity violations identified and reported?
  • What automated tools support system and information integrity monitoring?
  • What anti-spam and phishing protections are in place?
  • How do you ensure timely installation of security-relevant patches?

Evidence & Documentation:

  • Can you provide recent integrity monitoring reports or alerts?
  • What logs demonstrate that SI-8 is actively implemented?
  • Where is evidence of integrity monitoring maintained and for how long?
  • Can you show recent patch installation records?
