SC-18 Mobile Code
a. Define acceptable and unacceptable mobile code and mobile code technologies; and
b. Authorize, monitor, and control the use of mobile code within the system.
Baselines
- L
- M
- H
- P
Guidance
Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java applets, JavaScript, HTML5, WebGL, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
References 1
- SP 800-28 Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2.
Control Enhancements 5
- SC-18(01) Identify Unacceptable Code and Take Corrective Actions L M H P
- SC-18(02) Acquisition, Development, and Use L M H P
- SC-18(03) Prevent Downloading and Execution L M H P
- SC-18(04) Prevent Automatic Execution L M H P
- SC-18(05) Allow Execution Only in Confined Environments L M H P
Related controls 5
- AU-02 Event Logging L M H P
- AU-12 Audit Record Generation L M H P
- CM-02 Baseline Configuration L M H P
- CM-06 Configuration Settings L M H P
- SI-03 Malicious Code Protection L M H P