CMMC Practice SC.3.188
Control and monitor the use of mobile code.
Bold Coast Security Guidance
Mobile code has presented a high number of exploitable vulnerabilities into the Internet environment. It must be controlled by well-defined processes of system building and hardening, as well as strategic choices that will determine how an organization's public-facing systems will present information. Mobile code is useful when controlled. If not required to accomplish business tasks, it should be disabled. Unfortunately, it is woven through the most common Internet technologies with which we interact hundreds of times per day. For Level 3 compliance, an organization must have the baseline standards, driven by a formal policy and enacted by a clear plan.
DRAFT NIST SP 800-171 R2