Email Security

Egress

Name: Egress
Rating: 2.1666666666666665 (10 reviews)
Author: Egress Software

by Egress Software

Covered

controls

Partial

controls

Gaps

controls

NIST 800-171 Coverage5%

Overview

Egress by Egress Software is an email security solution that covers 5 NIST 800-171 controls (5% total coverage). It addresses key requirements in the email security domain for defense contractors pursuing CMMC compliance.

Controls Covered (5)

sc-3-13-1 sc-3-13-8 mp-3-8-1 mp-3-8-3 au-3-3-1

Partially Covered (3)

si-3-14-1 ac-3-1-1 ra-3-11-1

Not Covered (3)

ia-3-5-1 pe-3-10-1 cm-3-4-1

Implementation Notes

Deploy Egress with FIPS-validated configurations. Integrate with your SIEM for centralized audit logging. Review partial controls quarterly to identify supplementary tooling needs.

More Email Security Products

Proofpoint

Proofpoint — 7% coverage

Mimecast

Mimecast — 6% coverage

Abnormal Security

Abnormal Security — 5% coverage

Barracuda Email Security

Barracuda Networks — 5% coverage

Implementation Guidance for Egress

Configure Egress to satisfy NIST 800-171 requirements by implementing these control family settings: For SC-8 (Transmission Confidentiality), enable Egress Secure Email with TLS 1.2+ encryption for all external communications and configure message-level encryption for CUI content. Set policies to automatically encrypt emails containing keywords like 'ITAR', 'CUI', or 'Controlled' and require recipient authentication for sensitive attachments. For AC-4 (Information Flow Enforcement), configure Data Loss Prevention policies to block transmission of files containing SSNs, credit card numbers, or classified markings, and implement approval workflows for emails to non-authorized domains. For AU-3 (Audit Record Content), enable comprehensive logging of all email security events including encryption status, DLP violations, and access attempts, ensuring logs capture user identity, timestamp, and action taken. For SI-4 (Information System Monitoring), activate real-time threat detection for malicious links and attachments, with automated quarantine of suspicious content. Generate assessment evidence through Egress's compliance dashboard showing encryption rates, DLP violations, and security incident reports. Integrate with Microsoft 365 or Google Workspace via native connectors, and feed security events to SIEM solutions like Splunk through API connections. Common misconfigurations include: failing to enable encryption for all CUI-containing emails (causes AC-4 findings), insufficient DLP keyword coverage (SC-8 violations), inadequate audit log retention periods (AU-11 gaps), and missing recipient verification requirements for external encrypted emails. Ensure policy exceptions are documented and approved through formal change control processes to prevent C3PAO findings during assessments.

Gap Analysis & Compensating Controls

Egress covers only 5 of 110 NIST 800-171 controls, leaving significant gaps in Access Control (AC), System and Communications Protection (SC), and Incident Response (IR) families. The biggest gaps are in AC-2 (Account Management) and AC-3 (Access Enforcement), which require identity management solutions beyond email security - implement Azure AD or similar IAM tools with multi-factor authentication and role-based access controls. SC-7 (Boundary Protection) gaps require network firewalls and intrusion detection systems like Palo Alto or Fortinet to monitor and control network traffic at organizational boundaries. IR-4 (Incident Handling) deficiencies need dedicated incident response platforms such as IBM QRadar or Phantom SOAR to manage security incident workflows and response procedures. Document these gaps in your System Security Plan (SSP) by clearly stating 'Email security controls implemented via Egress, network and access controls addressed through [specific tools]' and create POA&M entries for each uncovered control with implementation timelines. Priority order for gap closure: 1) Multi-factor authentication (AC-1, high CMMC weight), 2) Network boundary protection (SC-7, critical for CUI protection), 3) Vulnerability management (SI-2, required for continuous monitoring), 4) Incident response automation (IR-4, essential for breach notification requirements). Consider bundled security platforms like Microsoft Defender or CrowdStrike that cover multiple control families to reduce complexity and cost while achieving comprehensive NIST 800-171 compliance across all 14 control families.

Compliance Cost Estimate

Egress licensing ranges from $8-15 per user per month depending on feature tier and user count, with enterprise contracts offering volume discounts. Implementation costs include 40-80 hours of configuration work ($8,000-16,000 at $200/hour consulting rates) to properly configure DLP policies, encryption rules, and audit settings for NIST compliance. Ongoing monitoring requires 4-8 hours monthly for policy updates and compliance reporting ($1,000-2,000 annually). Compared to competitors like Proofpoint ($12-20/user/month) or Mimecast ($10-18/user/month), Egress provides competitive pricing but covers fewer NIST controls per dollar spent. Total first-year cost for 100 users: $25,000-35,000 including licensing, implementation, and monitoring.

Compliance Cross-References

Egress directly satisfies DFARS 252.204-7012 requirements for CUI protection in transit through encryption and DLP capabilities, specifically addressing safeguarding requirements in paragraph (b)(1). For CMMC Level 2, Egress covers SC.3.177 (employ cryptographic mechanisms) and SC.3.191 (protect confidentiality of CUI at rest and in transit). The solution partially addresses AC.3.018 (control CUI flow) through DLP policies but requires additional access controls for complete compliance. FedRAMP Moderate baseline controls SC-8 and SC-13 are fully satisfied through Egress encryption capabilities. CMMC assessment objectives met include: verifying cryptographic protection implementation, demonstrating CUI identification and handling procedures, and providing audit trails for information flow. However, Egress alone cannot satisfy CMMC domains like Asset Management (AM), Configuration Management (CM), or Risk Management (RM), requiring additional tools such as vulnerability scanners, configuration management databases, and risk assessment platforms to achieve comprehensive Level 2 certification.

Frequently Asked Questions

How many NIST 800-171 controls does Egress cover?

Egress covers 5 of 110 NIST 800-171 controls (5%), with 3 partially covered and 3 gaps.

Can Egress alone satisfy CMMC Level 2?

No single tool covers all 110 NIST 800-171 controls. Egress covers 5% and should be part of a layered security stack addressing the remaining controls.

What controls does Egress not cover?

Egress does not cover controls ia-3-5-1, pe-3-10-1, cm-3-4-1. These require supplementary solutions such as physical security controls, additional access management, or media protection tools.

Map Your Full Security Stack

See NIST 800-171 control coverage for 80+ security products.

Open NIST Tool Mapper

Track Egress NIST 800-171 coverage updates with AI-powered intelligence

Signals matches SAM.gov opportunities to your profile, monitors regulatory changes, and alerts you before competitors. Free for 90 days.

Start Free — 90 Days

← All NIST Tool Mappings

Implementation Guidance for Egress

Gap Analysis & Compensating Controls

Compliance Cost Estimate

Compliance Cross-References

Frequently Asked Questions

How many NIST 800-171 controls does Egress cover?

Egress covers 5 of 110 NIST 800-171 controls (5%), with 3 partially covered and 3 gaps.

Can Egress alone satisfy CMMC Level 2?

No single tool covers all 110 NIST 800-171 controls. Egress covers 5% and should be part of a layered security stack addressing the remaining controls.

What controls does Egress not cover?

Egress does not cover controls ia-3-5-1, pe-3-10-1, cm-3-4-1. These require supplementary solutions such as physical security controls, additional access management, or media protection tools.