Back to Control Explorer



Control Acronym



System And Information Integrity

CMMC Level


800-171 Control #


CMMC Description

Utilize sandboxing to detect or block potentially malicious email.

CMMC Clarification

You create an email sandbox by implementing an isolated environment to execute an attached file or linked URL. Before allowing attachments or links to be opened on the production network, they are executed within the sandbox and their behavior is observed. By opening these files or links in a protected environment, the system detects malicious activity before it is introduced into the network. Example You are in charge of IT operations for your organization. Part of your role is to verify all attachments and URL links in company emails. To do this, you set-up an isolated environment, or email sandbox, to execute or open all email attachments before allowing them on your network. You use the email sandbox to observe what happens when the attachment or link opens. By testing these files in a sandbox, you are able to prevent the entry of malicious content through email attachments or URL links. You only allow emails with attachments or URL links through once they have been tested and determined to be safe.

800-171 Description

800-171 Discussion


Other Source Discussion

CIS CONTROLS V7.1 Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems. Web browsers and email clients are very common points of entry and attack because of their technical complexity, flexibility, and their direct interaction with users and with other systems and websites. Content can be crafted to entice or spoof users into taking actions that greatly increase risk and allow introduction of malicious code, loss of valuable data, and other attacks. Since these applications are the main means that users interact with untrusted environments, these are potential targets for both code exploitation and social engineering. This practice is based on the following CIS control: 7.10 Use sandboxing to analyze and block inbound email attachments with malicious behavior.

CIS Control References

CIS Controls v7.1 7.10

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 SC-44

CMMC Derived

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

SI.3.220.[a] the organization defines information system, system component, or location where a sandbox capability to detect or block potentially malicious email is employed; and

Assessment Sub-Criteria 2

SI.3.220.[b] the organization employs a sandbox capability within organization-defined information system, system component, or location to detect or block potentially malicious email.

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15