CIS Control 9.6: Block Unnecessary File Types at Your Email Gateway
Malicious attachments remain one of the fastest attack vectors into enterprise networks. CIS Control 9.6 requires you to configure your email gateway to automatically block file types that pose unnecessary risk to your organization. This control is foundational to preventing malware delivery before it reaches user inboxes.
What this means
CIS 9.6 mandates that organizations identify and block file types that are not required for business operations at the email gateway level. Rather than relying on user judgment, this control shifts protection upstream by preventing dangerous attachments—like executable files, scripts, and archive files containing malicious payloads—from ever reaching end users. The goal is to reduce the attack surface by eliminating unnecessary file type delivery mechanisms before they become security incidents.
How to comply
- 1.Audit your organization to determine which file types are genuinely required for business operations
- 2.Identify high-risk file types that should be blocked: .exe, .scr, .bat, .cmd, .com, .pif, .msi, .vbs, .js, .zip, .rar, and macro-enabled Office documents
- 3.Configure your email gateway (Exchange, Office 365, Gmail, Proofpoint, Mimecast, etc.) to block identified unnecessary file types
- 4.Test blocking rules in shadow mode before enforcing to prevent legitimate business mail disruption
- 5.Establish an exception process for users requiring blocked file types, with approval and logging
- 6.Monitor blocked attachments monthly and review logs for patterns indicating targeted attacks
- 7.Document your approved file type list and blocking policy in your security procedures
Evidence auditors look for
- Email gateway configuration screenshots showing blocked file type rules
- List of organization-approved file types with business justification
- Monthly email gateway logs showing blocked attachment attempts by file type
- Policy document defining file type blocking procedures and exception process
- Email gateway alert reports demonstrating detection of blocked high-risk attachments
- Change management records for file type blocking rule updates
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically maps your email gateway blocking rules to CIS 9.6 requirements, tracks blocked attachment metrics in real-time, and generates compliance evidence—eliminating manual log review and audit preparation for this control.
See how GRCWatch handles this control automatically
Start free trial