October 21, 2020

Last Updated on January 4, 2024

Many SMBs within the US Defense Industrial Base (DIB) have significant work ahead of them to achieve Cybersecurity Maturity Model Certification (CMMC) compliance, especially if they will handle Controlled Unclassified Information (CUI), which requires certification to CMMC Level 3 or higher.
To help SMBs uplift their cybersecurity postures to CMMC Level 3, John Verry, Pivot Point Security’s CISO and Managing Partner, recorded a special episode of The Virtual CISO Podcast on the six biggest “gotchas” for SMBs on the road to a CMMC Level 3 certification.
This blog post covers email spam protection and sandboxing. Be sure to check our blog for posts on the other “gotchas.”

  1. Mobile Device Management
  2. Multifactor Authentication
  3. End-to-End Encryption
  4. Email Spam Protection and Sandboxing
  5. Logging and Alerting

How to Beat CMMC Level 3’s Email Spam Protection and Sandboxing Requirements

Most people are familiar with email spam protection techniques, which use various degrees of automation/artificial intelligence and user intervention to keep spam, phishing attacks and other potentially malware-loaded emails out of users’ inboxes. But what is email attachment sandboxing?
“Sandboxing” is a generic IT term that basically means running software in an isolated, safe environment where it can’t harm production systems if it’s full of bugs or infested with malware. For example, say you open a malicious file attachment in an email sent by hackers. Most likely it will run a macro, which will try to pull more malicious code down from the internet onto your computer. But an email attachment sandboxing solution can test that malicious attachment out in a safe place and neutralize, quarantine or delete it before a user ever sees it in his or her inbox.
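To make the "test it in a safe place before the user sees it" step concrete, here is an added Python example (not code from the post or from Pivot Point Security) of the routing decision an attachment-sandboxing gateway makes ahead of delivery: parse the message, inspect each attachment, and hold macro-capable Office files for detonation instead of delivering them. The file-signature constant, the extension list and the sample message are constructed for the example.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Constructed markers (not from the original post): the signature of the legacy
# OLE2 container (.doc/.xls) and the extensions of Office formats that can carry
# VBA macros, i.e. the attachment types a sandbox should detonate first.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MACRO_CAPABLE_EXT = {".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm", ".dotm"}


def triage_attachments(raw_message: bytes) -> List[Dict[str, str]]:
    """Per attachment, decide whether to deliver it or hold it for sandbox detonation.

    Macro-capable Office files are held until a sandbox verdict exists. A file whose
    bytes say "OLE2 container" but whose name does not is also held, because an
    innocuous extension is a cheap way to slip past name-only filters.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    decisions = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        by_name = ext in MACRO_CAPABLE_EXT
        by_bytes = data.startswith(OLE2_MAGIC)
        if by_name or by_bytes:
            reason = "macro-capable Office file" if by_name else "OLE2 content under non-Office name"
            decisions.append({"filename": name, "action": "hold_for_sandbox", "reason": reason})
        else:
            decisions.append({"filename": name, "action": "deliver", "reason": "no macro-capable container"})
    return decisions


def build_sample_message() -> bytes:
    """Constructed sample: a benign CSV plus a stub .doc that starts with the OLE2 header."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment("id,amount\n1,100\n", filename="report.csv")
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 24, maintype="application",
                       subtype="msword", filename="invoice.doc")
    return bytes(msg)


if __name__ == "__main__":
    for decision in triage_attachments(build_sample_message()):
        print(decision)
```

The "hold" verdict is where a real gateway would hand the file to the sandbox and either release, neutralize or quarantine it based on the observed behaviour.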
According to John, “CMMC has done a good job of recognizing that the single largest threat vector for most organizations is email.” Anti-spam, attachment sandboxing and related solutions are “basic cyber hygiene” steps for any organization. Without them, your data is a sitting duck. Thus, CMMC Level 3 mandates a number of associated controls.
“The good news is that the vast majority of organizations already have the basics in place,” John states. “For example, many Microsoft 365 customers take advantage of built-in email protection mechanisms at various licensing levels. Others leverage third-party email protection solutions like Mimecast or Proofpoint.”
Does this mean that most DIB suppliers already have these capabilities on tap and just need to tune them to achieve CMMC Level 3 compliance?
John continues: “For organizations that have at least a moderately robust set of information security practices, the answer is yes. … You’re probably doing 80%-90% of the stuff right already. But unfortunately, in the DIB there are a number of smaller organizations. And some of them are from fields that don’t traditionally make significant investments in information security.”
“If you’re a law firm, you’re already going to have a pretty good information security posture,” John explains. “If you’re a 25-person manufacturing company, very often those will be a little bit less mature, and these hurdles could be a little bit higher for them.”
Will your business face a CMMC audit in the coming months? Then you definitely want to catch this special episode of The Virtual CISO Podcast with John Verry.
To listen to this show all the way through, and access many others like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.

New CMMC V2 Certification Guide

A Simple Guide to Comply with the DoD's Cybersecurity Maturity Model Certification (CMMC)

This NEW CMMC V2 Certification Guide will give you a quick and easily digestible introduction to the CMMC and the process we use to help our clients become CMMC compliant.