
CMMC Level 2 Email Controls: What Your C3PAO Will Ask

Your C3PAO assessment is coming. Your assessor will look at your email system and ask specific questions tied to NIST 800-171 practices. If you cannot demonstrate the controls, you fail that practice. Enough failures and you fail the assessment.

Here is exactly what they will ask about your email, organized by control family.

Access Control (AC)

AC-1: Limit system access to authorized users. Your assessor will ask who has email accounts, how they are provisioned, and how they are deprovisioned when someone leaves. They want to see a process, not just a password change. If a former employee still has an active mailbox, that is a finding.

AC-2: Limit system access to the types of transactions and functions that authorized users are permitted to execute. Your assessor will ask about role-based access. Can a regular user access admin settings? Can they export other users’ mailboxes? They want to see that admin functions are restricted to administrators.

AC-3: Use MFA for local and network access. If your email does not enforce multi-factor authentication for every user, this is an automatic finding. Your assessor will test it. “We tell people to turn it on” is not enforcement.

AC-7: Limit unsuccessful login attempts. Your assessor will ask what happens after failed login attempts. Account lockout after a defined threshold is expected. If your email provider does not support this, you have a gap.

AC-8: Display system use notification. Your assessor will check for a login banner or acceptable use notice before users access email. Most commercial email providers do not support this natively.

Audit and Accountability (AU)

AU-2: Define auditable events. Your assessor will ask what events your email system logs. At minimum: login attempts (successful and failed), messages sent and received, admin actions (user creation, deletion, policy changes), and mailbox access by administrators. If your email provider does not log these events, you cannot demonstrate this control.

AU-3: Content of audit records. Logs must include who, what, when, where, and the outcome. “User logged in” is not enough. Your assessor wants to see timestamps, source IP addresses, and whether the action succeeded or failed.

AU-6: Review and analyze audit logs. Having logs is not enough. Your assessor will ask how often you review them and what you look for. You need a documented process and evidence that you follow it.

AU-9: Protect audit information from unauthorized access, modification, and deletion. Your assessor will ask who can access or delete logs. If your email admin can delete audit logs, that is a finding. Logs should be immutable or stored in a separate system.
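As an added example, not code from the original post: a small review script of the kind a documented AU-6 process could run over an exported audit log. It checks each record for the who/what/when/where/outcome fields AU-3 requires, flags administrator access to other users' mailboxes (an AU-2 event), and counts failed logins against an assumed AC-7 lockout threshold. The JSON Lines sample and the field names are constructed; map them to whatever your provider exports.

```python
"""AU-3 / AU-6 style review of an exported audit log; sample records are constructed."""
import json
from collections import defaultdict

# Every record must answer who, what, when, where, and the outcome (AU-3).
REQUIRED_FIELDS = ("user", "action", "timestamp", "source_ip", "outcome")
LOCKOUT_THRESHOLD = 5  # assumed AC-7 lockout threshold; substitute your policy's value

# Constructed sample export in JSON Lines form; not taken from any real provider.
SAMPLE_LOG = """
{"user": "alice@example.com", "action": "login", "timestamp": "2024-05-01T08:00:12Z", "source_ip": "203.0.113.10", "outcome": "success"}
{"user": "bob@example.com", "action": "login", "timestamp": "2024-05-01T08:01:00Z", "source_ip": "198.51.100.7", "outcome": "failure"}
{"user": "bob@example.com", "action": "login", "timestamp": "2024-05-01T08:01:09Z", "source_ip": "198.51.100.7", "outcome": "failure"}
{"user": "bob@example.com", "action": "login", "timestamp": "2024-05-01T08:01:17Z", "source_ip": "198.51.100.7", "outcome": "failure"}
{"user": "bob@example.com", "action": "login", "timestamp": "2024-05-01T08:01:26Z", "source_ip": "198.51.100.7", "outcome": "failure"}
{"user": "bob@example.com", "action": "login", "timestamp": "2024-05-01T08:01:34Z", "source_ip": "198.51.100.7", "outcome": "failure"}
{"user": "admin@example.com", "action": "mailbox_access", "target": "alice@example.com", "timestamp": "2024-05-01T08:30:00Z", "source_ip": "203.0.113.99", "outcome": "success"}
{"user": "admin@example.com", "action": "login", "timestamp": "2024-05-01T09:00:00Z"}
"""

def parse_records(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def missing_fields(record):
    """Names of AU-3 fields that are absent or empty in this record."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]

def review(records):
    """Return (control, message) findings an assessor would expect the review to surface."""
    findings = []
    failed_logins = defaultdict(int)
    for r in records:
        gaps = missing_fields(r)
        if gaps:
            findings.append(("AU-3", f"record lacks {gaps}: {r}"))
            continue  # an incomplete record cannot be analysed further
        if r["action"] == "login" and r["outcome"] == "failure":
            failed_logins[r["user"]] += 1
        if r["action"] == "mailbox_access" and r.get("target") != r["user"]:
            findings.append(("AU-2", f"{r['user']} opened {r['target']} from {r['source_ip']} at {r['timestamp']}"))
    for user, n in failed_logins.items():
        if n >= LOCKOUT_THRESHOLD:
            findings.append(("AC-7", f"{user}: {n} failed logins; confirm lockout triggered"))
    return findings

if __name__ == "__main__":
    for control, msg in review(parse_records(SAMPLE_LOG)):
        print(control, msg)
```

Keeping the script and its output alongside the exported log is the kind of evidence that shows the review process is actually followed.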

Identification and Authentication (IA)

IA-2: Authenticate users before granting access. Every user must have a unique account. Shared mailboxes where multiple people use the same credentials are a finding. Distribution groups are fine. Shared login credentials are not.

IA-5: Manage authenticators (passwords). Your assessor will check your password policy: minimum length, complexity requirements, rotation schedule, and whether you prohibit known compromised passwords. They will also verify that MFA is configured.

Media Protection (MP)

MP-2: Restrict access to CUI on system media. Email attachments containing CUI must be protected. Your assessor will ask how you prevent CUI from being downloaded to unmanaged devices. If users can access email on personal phones without device management, that is a gap.

MP-4: Mark media containing CUI. If your organization handles CUI via email, your assessor may ask how CUI is identified in messages and attachments. This is more about organizational policy than email features, but your email system should support it.

System and Communications Protection (SC)

SC-8: Protect the confidentiality of CUI in transit. Your assessor will verify that email is encrypted in transit using TLS 1.2 or higher. They may ask for evidence of TLS enforcement, not just opportunistic encryption. If your email provider allows unencrypted delivery to external recipients, you need a policy to handle it.
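As an added example, not from the original post: one way to turn a delivered message into SC-8 evidence is to read its Received headers, which record the TLS version each SMTP hop negotiated, and flag any hop below TLS 1.2 or with no TLS at all. The header block below is constructed; the version annotations it parses are the formats Exchange Online, Gmail and Postfix write.

```python
"""Verify from Received headers that every SMTP hop used TLS 1.2+ (SC-8 evidence); headers are constructed."""
import re

MIN_TLS = (1, 2)
# Matches "version=TLS1_2" (Exchange Online, Gmail) and "using TLSv1.3" (Postfix); no match means no TLS was recorded.
VERSION_RE = re.compile(r"(?:version=TLS|using TLSv)(\d+)[._](\d+)", re.IGNORECASE)

# Constructed sample header block, not a real message capture.
SAMPLE_HEADERS = """\
Received: from mail.example.net (mail.example.net [203.0.113.25])
 by mx.contractor.example (Postfix) with ESMTPS id 4F2B3C
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)); Wed, 1 May 2024 08:02:11 +0000
Received: from relay.partner.example ([198.51.100.9]) by mail.example.net
 with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA);
 Wed, 1 May 2024 08:02:05 +0000
Received: from scanner.internal ([192.0.2.44]) by relay.partner.example
 with ESMTP; Wed, 1 May 2024 08:01:58 +0000
Subject: Quarterly report
"""

def unfold_received(headers):
    """Return each Received header as one line, with RFC 5322 folding undone."""
    hops, current = [], None
    for line in headers.splitlines():
        if line[:1] in (" ", "\t"):
            if current is not None:
                current += " " + line.strip()
        else:
            if current is not None:
                hops.append(current)
            current = line if line.lower().startswith("received:") else None
    if current is not None:
        hops.append(current)
    return hops

def hop_tls_version(hop):
    """(major, minor) TLS version recorded for the hop, or None when none is recorded."""
    m = VERSION_RE.search(hop)
    return (int(m.group(1)), int(m.group(2))) if m else None

def check_hops(headers):
    """One (sending host, version, compliant) tuple per hop, newest hop first as in the header."""
    results = []
    for hop in unfold_received(headers):
        sender = re.search(r"from\s+(\S+)", hop)
        version = hop_tls_version(hop)
        results.append((sender.group(1) if sender else "?", version, version is not None and version >= MIN_TLS))
    return results
```

Only the hop into your own gateway is under your control; a non-compliant hop further upstream is the partner's transport, which is where a policy for handling recipients that cannot negotiate TLS comes in.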

SC-13: Use FIPS-validated cryptography. Your assessor will ask whether your email provider uses FIPS 140-2 or 140-3 validated cryptographic modules. Self-attestation is not sufficient. They want to see the certificate number or the provider’s documentation citing it.

SC-28: Protect the confidentiality of CUI at rest. Email stored on the server must be encrypted at rest. Your assessor will ask about the encryption mechanism, key management, and whether per-tenant isolation exists. Encryption keys shared across all customers are weaker than per-tenant keys.

Incident Response (IR)

IR-2: Incident response testing and training. Your assessor will ask about your incident response plan and whether it covers email-specific scenarios: phishing, compromised accounts, and unauthorized access to mailboxes containing CUI.

IR-6: Incident reporting. DFARS 252.204-7012 requires cyber incident reporting to the DoD within 72 hours. Your assessor will ask how your email system supports this. Can you identify when a breach occurred? Can you preserve evidence? Can you provide the access logs the DoD will request?

What most email systems fail on

Commercial email providers (standard Office 365, Google Workspace, Proton) typically fail on:

  • Audit log completeness. Logs exist but do not include enough detail for AU-3 compliance.
  • Log immutability. Admins can delete or modify logs.
  • MFA enforcement. MFA is available but not enforced at the organizational level.
  • FIPS-validated cryptography. Most commercial providers do not use FIPS-validated modules.
  • Login banners. Not supported natively on most platforms.
  • 72-hour incident reporting support. No automated detection or preservation workflow.

GCC High addresses most of these but requires a $50K+ tenant rebuild to access them.

How to prepare

Before your assessment:

  1. Map your email system to each control above. For every practice, document how your email provider satisfies it. If it does not, document the gap and your plan to close it.
  2. Collect evidence. Screenshots of MFA enforcement, sample audit logs, password policy configuration, encryption documentation.
  3. Test your incident response. Simulate a compromised email account. Can you detect it, contain it, preserve evidence, and report within 72 hours?
  4. Review your access controls. Audit your user list. Deactivate former employees. Verify that admin access is limited to people who need it.

If your current email system cannot demonstrate these controls, switching to a purpose-built compliant platform before your assessment is faster than trying to patch a commercial system into compliance.
