To pass a security audit, RC4 ciphers need to be completely disabled. Checking the option 'Disable SSLv3 in all SMTP conversations' does not stop the SMG from advertising RC4 ciphers for SMTP TLS communications.
This is currently by design to allow older clients and servers to continue to work with the Messaging Gateway.
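To confirm for the audit which RC4 suites the SMTP listener still offers, one option is to scan it with nmap's `ssl-enum-ciphers` script (`nmap --script ssl-enum-ciphers -p 25 smg.example.com`) and filter the result, then rerun the scan after any configuration change. The following is an added example, not Symantec's code; the hostname is a placeholder and the scan output embedded in it is a constructed sample.

```python
import re

# Constructed sample of ssl-enum-ciphers output for an SMTP listener (not a real scan).
SAMPLE_SCAN = """\
PORT   STATE SERVICE
25/tcp open  smtp
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
|     compressors:
|       NULL
|_  least strength: C
"""

# A protocol header looks like "|   TLSv1.0:"; a suite line starts with the suite name.
PROTO_RE = re.compile(r"^\|[ _]+((?:SSLv|TLSv)[\d.]+):\s*$")
SUITE_RE = re.compile(r"^\|[ _]+((?:TLS|SSL)\d?_\w+)\b")


def rc4_suites(scan_text):
    """Return {protocol: [RC4 suite names]} for every RC4 suite the server offered."""
    found = {}
    proto = None
    for line in scan_text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            continue
        m = SUITE_RE.match(line)
        if m and proto and "_RC4_" in m.group(1):
            found.setdefault(proto, []).append(m.group(1))
    return found


def audit_passes(scan_text):
    """True only when no RC4 suite is offered under any protocol version."""
    return not rc4_suites(scan_text)


if __name__ == "__main__":
    for proto, suites in rc4_suites(SAMPLE_SCAN).items():
        print(f"{proto}: RC4 still offered -> {', '.join(suites)}")
```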
If RC4 ciphers need to be completely disabled, FIPS mode must be enabled using the command-line function. Complete instructions on how to do this are detailed here: