Mimecast
by Mimecast
Covered: 7 controls | Partial: 2 controls | Gaps: 3 controls
Overview
Mimecast by Mimecast is an email security gateway that maps to 7 NIST 800-171 controls (6% of the 110 requirements). It addresses email-domain requirements for defense contractors pursuing CMMC compliance; everything outside the mail path is out of its scope.
Implementation Notes
Deploy Mimecast using FIPS 140-validated cryptographic modules wherever the product offers them; NIST 800-171 3.13.11 requires FIPS-validated cryptography when it is used to protect the confidentiality of CUI. Forward audit logs to your SIEM so email events sit alongside the rest of your audit record. Review the partially covered controls quarterly to identify where supplementary tooling is needed.
Implementation Guidance for Mimecast
Configure Mimecast to address NIST 800-171 requirements through the following settings.

AC (Access Control): enable multi-factor authentication for all administrative accounts and implement role-based access with least privilege. Review user access quarterly through Administration Console > Account > User Management and record the review as evidence.

AU (Audit and Accountability): enable comprehensive logging under Security > Policy > Audit Logs so that all gateway events, administrative actions and security incidents are captured with timestamps and user attribution. Set log retention to a minimum of one year and configure automated log forwarding to your SIEM; logs that live only inside the product are of little use during an investigation if the product itself is the thing being investigated.

SC (System and Communications Protection): activate ATP (Advanced Threat Protection) with sandboxing enabled, enforce SPF/DKIM/DMARC checking on inbound mail and publish enforcing records for your own domains, and require TLS for mail in transit. Note that opportunistic TLS alone falls back to cleartext when the remote server does not offer it, so use enforced TLS with partner domains that exchange CUI. Set attachment policies to quarantine suspicious files and enable URL rewriting for click-time protection.

SI (System and Information Integrity): enable real-time threat intelligence feeds, configure malware scanning with multiple engines, and set up automated incident response workflows.

Generate compliance evidence through Analytics > Reports: monthly security summaries, audit trail reports and threat protection statistics. Integrate with existing SOC tooling via API connections to Splunk, QRadar or a similar SIEM for centralized monitoring.

Common misconfigurations cited by C3PAOs during assessments are insufficient log retention, overly permissive user roles, disabled threat protection features, and missing SIEM integration.
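The "SPF/DKIM/DMARC enforcement" item above is only as good as the DNS records behind it: a `~all` SPF record, a `p=none` DMARC policy or a 1024-bit DKIM key all pass a "is it configured?" checkbox while giving little protection. The script below is an added example, not Mimecast code or configuration; it checks pulled TXT records offline for the conditions a C3PAO or an attacker would notice. The records in it are constructed samples, and the DKIM `p=` values are zero-filled placeholders of realistic length, not real key material.

```python
"""Offline checks for whether SPF, DKIM and DMARC records actually enforce.

Added example, not Mimecast code. The records below are constructed samples;
in practice feed it the TXT records you pull with `dig TXT <domain>`,
`dig TXT _dmarc.<domain>` and `dig TXT <selector>._domainkey.<domain>`.
"""
import base64
import binascii

# SPF mechanisms/modifiers that each cost a DNS lookup (RFC 7208 caps these at 10).
SPF_LOOKUP_NAMES = {"a", "mx", "ptr", "include", "exists", "redirect"}


def parse_tags(record):
    """Parse a 'tag=value; tag=value' record (DMARC, DKIM) into a dict, keys lowercased."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return findings for an SPF record; [] means hard fail and a sane lookup count.

    Only top-level terms are counted: resolving nested include: records needs DNS,
    which this offline check deliberately does not do."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        low = term.lower()
        mech = low.lstrip("+-~?")
        if mech == "all":
            all_qualifier = low[0] if low[0] in "+-~?" else "+"
            continue
        name = mech.split(":")[0].split("/")[0].split("=")[0]
        if name in SPF_LOOKUP_NAMES:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and unreliable")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get neutral, not fail")
    elif all_qualifier == "+":
        findings.append("'+all' authorises every sender on the internet")
    elif all_qualifier == "~":
        findings.append("'~all' is softfail; most receivers will not reject on it")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral and gives no protection")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def check_dmarc(record):
    """Return findings for a DMARC record; [] means p=reject across the domain tree."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once aggregate reports are clean")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not a number")
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail")
    if policy in ("quarantine", "reject") and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    return findings


def check_dkim(record):
    """Return findings for a DKIM key record (the selector._domainkey TXT)."""
    tags = parse_tags(record)
    if "p" not in tags:
        return ["not a DKIM key record (no p= tag)"]
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        return ["unexpected v= tag; receivers will ignore the key"]
    findings = []
    key_b64 = "".join(tags["p"].split())  # folding whitespace is allowed inside p=
    if key_b64 == "":
        return ["empty p= means the key is revoked; signatures with this selector fail"]
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y is test mode; receivers treat failures leniently")
    if tags.get("k", "rsa").lower() == "rsa":
        try:
            der_len = len(base64.b64decode(key_b64, validate=True))
        except binascii.Error:
            return findings + ["p= is not valid base64"]
        # Heuristic on DER length: a 1024-bit RSA SubjectPublicKeyInfo is 162 bytes,
        # a 2048-bit one is 294. Under ~250 bytes is almost certainly below 2048 bits.
        if der_len < 250:
            findings.append(f"RSA key is {der_len} DER bytes, likely under 2048 bits")
    return findings


# Constructed sample records. The DKIM p= values are zero-filled placeholders with the
# base64 length of 2048-bit and 1024-bit RSA keys, not real key material.
SAMPLE_RECORDS = {
    "spf_good": "v=spf1 include:_spf.example.net mx ip4:192.0.2.0/24 -all",
    "spf_weak": "v=spf1 a mx ptr include:a.example include:b.example ~all",
    "dmarc_good": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "dmarc_weak": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "dkim_good": "v=DKIM1; k=rsa; p=" + "A" * 392,
    "dkim_weak": "v=DKIM1; k=rsa; t=y; p=" + "A" * 216,
}
CHECKERS = {"spf": check_spf, "dmarc": check_dmarc, "dkim": check_dkim}


def assess(records):
    """Run the matching checker on each record, chosen by the prefix of its name."""
    return {name: CHECKERS[name.split("_")[0]](rec) for name, rec in records.items()}


if __name__ == "__main__":
    for name, findings in assess(SAMPLE_RECORDS).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Run it against your own domains by replacing `SAMPLE_RECORDS` with the TXT strings from `dig`; a clean result is three empty finding lists. The SPF lookup count is a top-level count only, so a record that passes here can still exceed the limit once its includes are expanded, which is worth checking with a resolver before relying on it.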
Gap Analysis & Compensating Controls
Mimecast's 6% coverage leaves large gaps in several NIST 800-171 control families. The largest is Identification and Authentication (IA, 3.5.1 through 3.5.11): Mimecast authenticates users to its own console and gateway, but it is not an identity provider and does not manage identifiers, authenticators or MFA for the rest of the environment. Organizations need a dedicated IAM solution such as Active Directory Federation Services or Okta to meet multi-factor authentication requirements across all systems. Physical and Environmental Protection (PE, 3.10.1 through 3.10.6) is another major gap: physical access control, visitor escort and facility monitoring cannot be addressed by an email gateway and require facility security assessments and physical access control systems. Configuration Management (3.4.1, baseline configurations) is also listed as uncovered; capture Mimecast's own policy settings in your baseline, but it will not inventory or baseline other systems. Incident Response (IR) is partially covered through detection and remediation of email-borne threats, but still requires an incident response platform and documented procedures that extend beyond email. Document each uncovered control in the SSP with a POA&M entry that names a responsible party and a closure date. Close IA gaps first, because they are foundational and weigh heavily in CMMC assessments; then IR capabilities for threat response; then PE controls, which usually need longer timelines and facility changes. Candidate gap-filling solutions include Microsoft Defender for Identity (identity threat detection over Active Directory, not an MFA provider), IBM QRadar SOAR (incident response orchestration), and a comprehensive physical security assessment.
Compliance Cost Estimate
Mimecast licensing is estimated at $3-8 per user per month depending on feature tier, with most defense contractors needing the Advanced Threat Protection tier at roughly $5-6/user/month for the coverage described above. Implementation typically runs $15,000-30,000 for organizations with 500-2000 users, including professional services for configuration, integration and initial policy setup. Ongoing administration and compliance reporting is estimated at $2,000-4,000 per year. Against Proofpoint (about $4-7/user/month) and Microsoft Defender for Office 365 (about $2-5/user/month), Mimecast sits in the middle of the range; its reporting and audit trails can simplify evidence collection for a C3PAO assessment, which this page estimates could save $5,000-10,000 per year in assessment effort. All figures are estimates and actual contract pricing varies.
Compliance Cross-References
Mimecast supports DFARS 252.204-7012 requirements for safeguarding covered defense information through email encryption, threat protection and audit logging. For CMMC Level 2 it addresses portions of Access Control (AC.L2-3.1.1, AC.L2-3.1.2) through its own account and role controls, Audit and Accountability (AU.L2-3.3.1, AU.L2-3.3.2) through gateway and administrative logging, and System and Communications Protection through boundary protection at the mail gateway (SC.L2-3.13.1) and TLS for mail in transit (SC.L2-3.13.8); malware protection maps to the SI family rather than SC. It satisfies the assessment objectives only as they apply to email and needs integration with broader platforms for complete domain coverage. In NIST SP 800-53 terms, as used by the FedRAMP baselines, it aligns with AC-2 (Account Management), AU-2 (Audit Events) and SC-7 (Boundary Protection) at the email gateway. In the SSP, document Mimecast as the implementing component for email-specific requirements rather than as a compensating control (that term is reserved for an alternative measure used when the specified control cannot be implemented), and identify the additional tools needed for the remaining domains, particularly Configuration Management (3.4) and Risk Assessment (3.11), where an email gateway provides minimal coverage.
Frequently Asked Questions
How many NIST 800-171 controls does Mimecast cover?
Mimecast fully covers 7 of the 110 NIST 800-171 controls (6%), partially covers 2 more, and has 3 mapped controls it does not cover at all.
Can Mimecast alone satisfy CMMC Level 2?
No. No single tool covers all 110 NIST 800-171 controls. Mimecast covers 6% and should be one layer in a security stack that addresses the remaining controls.
What controls does Mimecast not cover?
Mimecast does not cover 3.5.1 (Identification and Authentication), 3.10.1 (Physical Protection) or 3.4.1 (Configuration Management). These require supplementary solutions such as an identity and access management platform, physical access controls, and configuration baseline tooling.