Review the EDSP and implementation evidence showing that annual reviews of the Email Services Information Assurance (IA) policy and procedures are performed. If the procedures are reviewed annually or more frequently, this is not a finding.
Document the review procedures in the EDSP, including the annual review schedule and the plan for conducting the reviews.
Access the EDSP and confirm that Configuration Management (CM) procedures and assignments are documented. Examine artifacts that show the processes have been implemented. If CM procedures are documented and implemented, this is not a finding.
Document Configuration Management procedures in the EDSP. Implement the CM procedures as documented.
Review the documented procedures for approval of Email Administrator privileges. Review implementation evidence for the procedures. If the Email Administrator role is documented and authorized by the ISSO, this is not a finding.
Establish a procedure that ensures the Email Administrator role is defined, documented, and authorized (assigned) by the ISSO.
Access the Email Domain Security Plan (EDSP) for email systems. Review for current STIG identification, tuning values, administrator assignments, and procedural IA programs and policies that govern email product servers. If email services are not documented in an EDSP, this is a finding.
Establish an Email Domain Security Plan (EDSP) to document STIG identification, tuning values, administrator assignments, and the procedural IA programs and policies that govern email product servers.
Access the EDSP to verify the logging procedure for software installation account usage. Examine evidence that use of the designated account for email software installations and upgrades is logged. If email software installation account usage is logged, this is not a finding.
Implement a logging procedure for use of the email software installation account. Document it in the EDSP.
Review the audit trail review procedures in the EDSP. Examine artifacts of log reviews (results) and the review frequency. If audit trail review procedures and evidence of review results exist, this is not a finding.
Document audit record review procedures in the EDSP. Implement daily audit record reviews as documented.
Review EDSP documentation that describes the division of duties by role in the email domain administration assignments. If Email Administrator tasks are assigned to a defined role in the organization, and that role operates with least privilege for its tasks, this is not a finding.
Assign administrators to roles with the appropriate permissions for Email Administrators. Configure each role so that it has the least permission needed to perform the associated tasks.
Access the EDSP for a description of the automated audit trail review tool. Review automated tool usage artifacts or reports containing audit trail result data. If automated tools are available for review and reporting on email server audit records, this is not a finding.
Implement automated reporting tools for Email Server audit records. Document the specifics in the EDSP.
Access EDSP documentation that describes data retention for audit records. Examine artifacts that demonstrate audit data is retained for a period of one year. If email audit records are retained for the required period (one year), this is not a finding.
Create a process that retains email audit records for the required period of one year. Document the process in the EDSP.
Access the EDSP documentation that describes inclusion of Exchange audit data in the weekly backups. Verify the directories holding the audit data are included in the backup strategy so that log history is preserved. If email audit records are included in backups, this is not a finding.
Include email audit records in backups and document the backup strategy in the EDSP.
Access the disaster recovery documentation that describes the backup and recovery strategy for the email servers. The documentation should specify which files and data stores are saved, the frequency and schedule of the saves (as required by INFOCON levels), and the recovery plan should recovery become necessary. The recovery plan should also require periodic recovery rehearsals to confirm the backup strategy is sound. If the Email Backup and Recovery strategy is documented and periodically tested, this is not a finding.
Document the Email Backup and Recovery Strategy in the site Disaster Recovery Plan, with components, locations, and directions, and test it according to INFOCON frequency requirements.
Access EDSP documentation that describes the protections for backup and recovery data. If email backup and recovery data and processes are restricted to authorized users and groups, this is not a finding.
Document the authorized backup and recovery users and groups in the EDSP. Restrict access to email services backup and restore data to the authorized staff.
Access the EDSP for the intended backup schedule and storage provisions. Review artifacts, such as job logs, file locations, access protections and procedures for offline files, and storage methods, that demonstrate compliance with the intended schedule and log storage requirements. If email backups are conducted according to the EDSP, on schedule, and are stored appropriately, this is not a finding.
Document the email backup strategy in the EDSP, perform backups on the documented schedule, and store the data as required.
Access the EDSP and review the email application software offline storage plan. Examine artifacts showing that copies exist and are stored off-site in fire-rated containers. If a copy of the email software exists and is stored off-site in a fire-rated container, this is not a finding.
Create email software copies for use in recovering systems, and store them off-site and in fire-rated containers. Document the off-site storage details in the EDSP.
Access the EDSP documentation that describes the Email Acceptable Use Policy that is followed at the site. If the Email Acceptable Use Policy is documented in the EDSP, this is not a finding.
Implement an Email Acceptable Use Policy, document it in the EDSP, and require a signature from each user.
Access the EDSP documentation that describes the Email Acceptable Use Policy elements. The policy should include elements such as the following:
- User education
- User expectations
- Penalties for non-conformance
- Legal ramifications
- Classification labeling
- SPAM and phishing recognition
- Bogus certificates
- Review frequency
- Services offered or not offered
- Message and attachment size quotas
- Help desk and other support information
If the Email Acceptable Use Policy contains the required elements, this is not a finding.
Revise or supplement the Email Acceptable Use Policy so that it contains the required elements. Document the Email Acceptable Use Policy elements in the EDSP.
Access EDSP documentation that describes the infrastructure for email services. Verify an Edge Transport Server (or Email Secure Gateway) is installed and active on the network. Ensure all inbound and outbound email messages pass through it and are examined as required. If the email domain employs an Edge Transport Server role that performs the required protection, this is not a finding.
Install and configure an Edge Transport Server role in the email infrastructure, configured to perform the specified sanitization processes. Ensure all inbound and outbound SMTP traffic passes through this server role. Document the Edge Transport Server specifics in the EDSP.
For sites not using Internet-sourced email web services, this check is N/A. Access the EDSP documentation that describes the web email infrastructure. Confirm the architecture places the CA server inside the enclave and a transaction proxy in the DMZ. Verify DoD-approved multi-factor authentication tokens (e.g., Common Access Card (CAC) for unclassified systems) are required at the transaction proxy. If the email domain employs the required architecture, this is not a finding.
Install a web security solution that requires DoD-approved multi-factor authentication tokens, with an architecture that places the CA server inside the enclave and the transaction proxy in the DMZ. Document the solution in the EDSP.
Access the EDSP documentation that describes the Email Acceptable Use Policy. Verify there is a stated requirement for users to renew their acknowledgement annually. If the Email Acceptable Use Policy requires annual user renewal with signature acknowledgement, this is not a finding.
Implement a review and renewal process for the Email Acceptable Use Policy that requires annual renewal and signature acknowledgement. Document the process in the EDSP.
For sites not using Internet-sourced email web services, this check is N/A. Access the EDSP documentation that describes the web email infrastructure. Verify the transaction proxies terminate (offload) and inspect the encrypted session, then initiate a new security context for the transaction into the enclave. If the transaction proxies perform the required security steps before allowing the transaction to proceed into the enclave, this is not a finding.
Install a web security solution using a transaction proxy that offloads and inspects the TLS encryption and continues the transaction in a new security context on behalf of the user for Internet-sourced web mail transactions. Document the solution in the EDSP.
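As an added illustration, not part of the STIG text and not a DISA-endorsed product configuration, the following nginx server block shows the shape of a DMZ transaction proxy that satisfies both this check and the multi-factor token check above: the Internet-facing TLS session ends at the proxy, a client certificate (for example a CAC) chained to an approved CA bundle is required, and a separate TLS session authenticated with the proxy's own certificate is opened to the enclave. The host name webmail.example.mil, the upstream address, the upstream name owa.enclave.example.mil, and every path under /etc/pki are assumptions that a site would replace with its own.

```nginx
# DMZ transaction proxy for Internet-sourced web mail (added example).
# All host names, addresses, and certificate paths are assumed placeholders.

upstream owa_enclave {
    # Web mail front end inside the enclave (assumed address).
    server 10.10.20.15:443;
}

server {
    listen 443 ssl;
    server_name webmail.example.mil;                 # assumed hostname

    # 1. Terminate (offload) the Internet-facing TLS session at the proxy.
    ssl_certificate     /etc/pki/webmail.crt;        # assumed path
    ssl_certificate_key /etc/pki/webmail.key;        # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # 2. Require a client certificate that chains to the approved CA bundle.
    #    With "on", nginx rejects the handshake if no valid certificate is presented.
    ssl_client_certificate /etc/pki/approved-ca-bundle.pem;   # assumed path
    ssl_verify_client      on;
    ssl_verify_depth       3;

    location / {
        # 3. New security context: the user's TLS session never enters the
        #    enclave. The proxy opens its own TLS session to the back end,
        #    authenticates with its own certificate, and verifies the enclave
        #    server certificate against the enclave CA.
        proxy_pass https://owa_enclave;
        proxy_ssl_protocols            TLSv1.2 TLSv1.3;
        proxy_ssl_certificate          /etc/pki/proxy-client.crt;  # assumed path
        proxy_ssl_certificate_key      /etc/pki/proxy-client.key;  # assumed path
        proxy_ssl_trusted_certificate  /etc/pki/enclave-ca.pem;    # assumed path
        proxy_ssl_verify               on;
        proxy_ssl_server_name          on;
        proxy_ssl_name                 owa.enclave.example.mil;    # assumed name

        # Pass the authenticated identity to the back end as headers so the
        # enclave side can map the certificate subject to a mailbox.
        proxy_set_header Host            $host;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Verify $ssl_client_verify;
    }
}
```

When reviewing a deployment of this kind, confirm that the back end accepts the identity headers only from the proxy's source address and that revocation checking for the client certificates (nginx's ssl_crl directive, or an OCSP responder in front of the proxy) is configured; neither is shown above, and without them a revoked token would still authenticate at the DMZ.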
For systems not providing Internet-sourced email client services to CMDs, this check is N/A. Access the Email Domain Security Plan (EDSP) for the email systems. Review the functional architecture of the email system for all required components, including the MEM, NOC, and CMDs, when service is provided to CMDs. Confirm the design requires secure communication from the email system to the MEM. Verify the MEM, NOC, and CMDs are approved for use in DoD. If the email domain employs the required architecture and it is documented in the EDSP, this is not a finding. If the architecture uses the EAS protocol to Commercial Mobile Devices (CMDs) without connecting through external secure NOCs and without encapsulating the traffic in a secure tunnel from the management servers residing in the DoD to the NOC and from the NOC to the CMD, this is a finding. If the use of EAS is not documented in the EDSP, this is a finding.
Document email client services to Commercial Mobile Devices, including the required components of the architecture, in the Email Domain Security Plan (EDSP).