SI-8: Spam Protection

An OSCAL Control

Statement

a.
Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and
b.
Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.
- Guidance:
  When CSO sends email on behalf of the government as part of the business offering, Control Description should include implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC) on the sending domain for outgoing messages as described in DHS Binding Operational Directive (BOD) 18-01.
  
  https://cyber.dhs.gov/bod/18-01/
- Guidance:
  CSPs should confirm DMARC configuration (where appropriate) to ensure that policy=reject and the rua parameter includes reports@dmarc.cyber.dhs.gov. DMARC compliance should be documented in the SI-08 control implementation solution description, and list the FROM: domain(s) that will be seen by email recipients.