CMMC Practice SC.L2-3.13.13

Control and monitor the use of mobile code.

Bold Coast Security Guidance

Mobile code has presented a high number of exploitable vulnerabilities into the Internet environment. It must be controlled by well-defined processes of system building and hardening, as well as strategic choices that will determine how an organization's public-facing systems will present information. Mobile code is useful when controlled. If not required to accomplish business tasks, it should be disabled. Unfortunately, it is woven through the most common Internet technologies with which we interact hundreds of times per day. An organization must have the baseline standards, driven by a formal policy and enacted by a clear plan.

Discussion From Source

DRAFT NIST SP 800-171 R2 Mobile code technologies include Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Decisions regarding the use of mobile code in organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Usage restrictions and implementation guidance apply to the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations, notebook computers, and devices (e.g., smart phones). Mobile code policy and procedures address controlling or preventing the development, acquisition, or introduction of unacceptable mobile code in systems, including requiring mobile code to be digitally signed by a trusted source.