
Email Services Policy STIG


Date: 2015-08-07
Finding Count (21): CAT I (High): 2, CAT II (Med): 12, CAT III (Low): 7

STIG Description
Email Services Policy STIG requirements must be evaluated on each system review, regardless of the email product or release level. These policies ensure conformance to DoD requirements that govern email services deployment and operations. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC I - Mission Critical Public)

| Finding ID | Severity | Title |
|---|---|---|
| V-19546 | High | Email domains must be protected by an Edge Server at the email transport path. |
| V-19548 | High | Email domains must be protected by transaction proxy at the client access path. |
| V-18857 | Medium | Annual procedural reviews must be conducted at the site. |
| V-18878 | Medium | Automated audit reporting tools must be available. |
| V-18877 | Medium | Email Administrator Groups must ensure least privilege. |
| V-18884 | Medium | Email critical software copies must be stored off-site in a fire-rated container. |
| V-39139 | Medium | Email client services for Commercial Mobile Devices must be documented in the Email Domain Security Plan (EDSP). |
| V-18883 | Medium | Email backups must meet schedule and storage requirements. |
| V-18882 | Medium | Email backup and recovery data must be protected. |
| V-18880 | Medium | Audit logs must be documented and included in backups. |
| V-18864 | Medium | Email Configuration Management (CM) procedures must be implemented. |
| V-18879 | Medium | Email audit records must be retained for 1 year. |
| V-18867 | Medium | Email Services must be documented in the EDSP (Email Domain Security Plan). |
| V-35227 | Medium | Transaction proxies protecting email domains must interrupt and inspect web traffic on the client access path prior to its entry to the enclave. |
| V-18868 | Low | Email software installation account usage must be logged. |
| V-18881 | Low | The email backup and recovery strategy must be documented and tested on an INFOCON compliant frequency. |
| V-18865 | Low | Email Administrator role must be assigned and authorized by the ISSO. |
| V-18885 | Low | Email acceptable use policy must be documented in the Email Domain Security Plan (EDSP). |
| V-18869 | Low | Email audit trails must be reviewed daily. |
| V-33389 | Low | Email acceptable use policy must be renewed annually. |
| V-18886 | Low | Email Acceptable Use Policy must contain required elements. |