SC-18: Mobile Code

Control Family:

System And Communications Protection

Priority:

CSF v1.1 References:

Baselines:

  • Low

    N/A

  • Moderate
    • SC-18
  • High
    • SC-18

Next Version:

Control Statement

The organization:

  1. Defines acceptable and unacceptable mobile code and mobile code technologies;
  2. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
  3. Authorizes, monitors, and controls the use of mobile code within the information system.

Supplemental Guidance

Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems.

Control Enhancements

SC-18(2): Acquisition / Development / Use

Baseline(s):

(Not part of any baseline)

The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets [Assignment: organization-defined mobile code requirements].

SC-18(4): Prevent Automatic Execution

Baseline(s):

(Not part of any baseline)

The information system prevents the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforces [Assignment: organization-defined actions] prior to executing the code.

Related Controls

NIST Special Publication 800-53 Revision 4

Cloud Controls Matrix v3.0.1

Critical Security Controls Version 8