CMMC Practice SI.3.218
Employ spam protection mechanisms at information system access entry and exit points.
Bold Coast Security Guidance
There are multiple cost-effective email filtering services available, and most cloud-based email services, such as Microsoft Office 365 and G-Suite from Google, include spam filters automatically. These must be "tuned" to different sensitivities as spam increases or decreases in your environment. When you make filter changes, alert staff to monitor their spam folders for false positives. You should also take steps to block email at the firewall: if you are still hosting your own server, email should be allowed only from your mail server. Outline your intent to block spam in your policy, and then detail the system to be used in your plan, along with who is responsible for maintaining the system and any cost associated with it. Also, define a time to regularly check in with users to determine the effectiveness of your spam filtering to meet maturity level 4.
Spam filtering is used to keep unwanted, unsolicited, and often harmful emails from reaching end-user mailboxes. Spam filters are applied to inbound and outbound emails. Spam filtering helps protect your network from phishing and from emails containing viruses and other malicious content. Spam filtering can also be used to mark email as potential spam, cautioning users before they read the email and click on links within it. Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, mobile devices, and notebook/laptop computers.
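One way to check that the firewall restriction in the guidance above is holding, as an added example that is not part of the original guidance: the script flags SMTP (TCP port 25) connections in which the mail server is neither the source nor the destination. The log format, the addresses and the `audit_smtp` name are assumptions constructed for illustration.

```python
import ipaddress
import re

MAIL_SERVER = ipaddress.ip_address("10.0.0.25")  # assumed address of the self-hosted mail server
SMTP_PORTS = {25}                                # server-to-server SMTP

# Constructed sample lines in a made-up key=value firewall log format.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z action=ALLOW proto=tcp src=10.0.0.25 dst=203.0.113.10 dport=25
2024-05-01T09:00:07Z action=ALLOW proto=tcp src=10.0.0.57 dst=198.51.100.4 dport=25
2024-05-01T09:00:09Z action=DENY proto=tcp src=10.0.0.88 dst=198.51.100.4 dport=25
2024-05-01T09:00:12Z action=ALLOW proto=tcp src=10.0.0.57 dst=198.51.100.7 dport=443
2024-05-01T09:00:15Z action=ALLOW proto=tcp src=203.0.113.10 dst=10.0.0.25 dport=25
2024-05-01T09:00:20Z action=ALLOW proto=tcp src=203.0.113.77 dst=10.0.0.57 dport=25
garbled line without fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def audit_smtp(log_text):
    """Return (violations, denied) as lists of (src, dst) strings.

    violations: SMTP flows the firewall allowed that bypass the mail server,
                which means a rule is missing or too broad.
    denied:     SMTP flows the firewall blocked; the rule works, but the source
                host is trying to send mail directly and deserves a look.
    """
    violations, denied = [], []
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        try:
            src = ipaddress.ip_address(fields["src"])
            dst = ipaddress.ip_address(fields["dst"])
            port = int(fields["dport"])
        except (KeyError, ValueError):
            continue  # skip lines that do not parse
        if fields.get("proto") != "tcp" or port not in SMTP_PORTS:
            continue
        if MAIL_SERVER in (src, dst):
            continue  # mail entering or leaving through the mail server
        bucket = violations if fields.get("action") == "ALLOW" else denied
        bucket.append((str(src), str(dst)))
    return violations, denied


if __name__ == "__main__":
    allowed, blocked = audit_smtp(SAMPLE_LOG)
    print("allowed SMTP bypassing the mail server:", allowed)
    print("blocked direct SMTP attempts:", blocked)
```

Reviewing the blocked list alongside the allowed one gives a recurring effectiveness check: a workstation that keeps attempting direct SMTP is a common sign of a host sending spam.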