CMMC Practice Requirement:

Utilize email sandboxing to detect or block potentially malicious email attachments.

CMMC Requirement Explanation:

Sandboxing separates emails from your system while they are scanned for malicious links and attachments. If an email is deemed malicious, it is blocked. This prevents users from falling prey to phishing attacks.

Example CMMC Implementation:

Make sure the email service you use scans emails for malicious attachments. Services like G-Suite and Office 365 do this automatically for their email services. For Office 365, you can purchase advanced threat protection, which provides you with more capability. If your email service does not scan emails for malicious attachments, you will need to purchase a tool that does.


- Scenario 1:

Your employee received an email with an attachment. Because the attachment was malicious, he received a notification that the attachment had been blocked.
