CMMC SC.3.188 - Control the Use of Mobile Code

Requirement text: SC.3.188: Control and monitor the use of mobile code.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Mobile code technologies include Java, JavaScript, ActiveX, Postscript, PDF, Shockwave
movies, Flash animations, and VBScript. Decisions regarding the use of mobile code in
organizational systems are based on the potential for the code to cause damage to the
systems if used maliciously. Usage restrictions and implementation guidance apply to the
selection and use of mobile code installed on servers and mobile code downloaded and
executed on individual workstations, notebook computers, and devices (e.g., smart phones).
Mobile code policy and procedures address controlling or preventing the development,
acquisition, or introduction of unacceptable mobile code in systems, including requiring
mobile code to be digitally signed by a trusted source.

CMMC CLARIFICATION
Ensure that mobile code such as Java, ActiveX, and Flash is authorized to execute on the network in
accordance with the organization’s policy and technical configuration, and that unauthorized
mobile code is not. Then monitor the use of mobile code through boundary devices and audits of
configurations, and implement remediation activities as needed.

Example
You are an IT administrator at the organization responsible for enforcing and monitoring the
use of mobile code. The organization has established a policy that addresses the use of
mobile code. You configure the baseline configuration of machines on your network to
disable and deny the execution of mobile code. You implement an exception process to
reactivate mobile code execution only for those users with a legitimate business need.

One user complains that a web application they need to perform their job no longer works.
You meet with them and verify that the web application uses ActiveX in the browser. You
submit a change for the user and get it approved by the Change Review Board for your
organization. Once the change is approved, you reconfigure the user’s machine to allow the
running of ActiveX in the browser for this individual user. You set a reminder for yourself to
check in with the user at the end of the year to verify they still need that web application.
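The clarification above asks for a configuration audit with remediation, and the example describes a baseline that disables mobile code plus a per-user, time-bound exception. The script below is an added illustration of both and is not part of the CMMC or NIST text: it reads the Internet Explorer Internet-zone setting that governs ActiveX execution, compares it with an exception register, and optionally restores the baseline. The registry paths and the value name 1200 are the standard IE security-zone settings; the exception register, the user name CONTOSO\jdoe, the change ID CRB-0042 and the expiry date are constructed for this example.

```powershell
# Added example, not from the CMMC/NIST text: audit a Windows workstation's Internet Explorer
# "Run ActiveX controls and plug-ins" setting against an approved-exception register (SC.3.188).
# The registry paths and value name are the standard IE security-zone settings; the exception
# register, user name and change ID below are constructed for illustration.

# Constructed exception register: who may run ActiveX, under which approved change, and until when.
$ExceptionRegister = @(
    [pscustomobject]@{ User = 'CONTOSO\jdoe'; Control = 'ActiveX'; ChangeId = 'CRB-0042'; Expires = [datetime]'2025-12-31' }
)

# Internet zone (Zones\3), value 1200 = "Run ActiveX controls and plug-ins": 0 = enable, 1 = prompt, 3 = disable.
# A machine policy under HKLM\...\Policies overrides the per-user preference under HKCU.
$PolicyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$UserPath     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ActiveXValue = '1200'

function Get-ActiveXSetting {
    # Return the effective setting and where it came from. $null means nothing is configured;
    # IE's built-in default for the Internet zone is "enable", so "unset" is not a safe state.
    foreach ($path in $PolicyPath, $UserPath) {
        $item = Get-ItemProperty -Path $path -Name $ActiveXValue -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [pscustomobject]@{ Source = $path; Value = [int]$item.$ActiveXValue } }
    }
    [pscustomobject]@{ Source = 'not configured'; Value = $null }
}

function Test-MobileCodeCompliance {
    param(
        [string]$User = "$env:USERDOMAIN\$env:USERNAME",
        [datetime]$Now = (Get-Date),
        [switch]$Remediate   # restore the baseline (disable) when a finding is raised; needs elevation
    )
    $setting   = Get-ActiveXSetting
    $exception = $ExceptionRegister |
        Where-Object { $_.User -eq $User -and $_.Control -eq 'ActiveX' } |
        Select-Object -First 1

    $status = if ($setting.Value -eq 3) { 'Compliant: ActiveX execution disabled per baseline' }
              elseif ($null -eq $exception) { 'Finding: ActiveX not disabled and no approved exception on file' }
              elseif ($exception.Expires -lt $Now) { "Finding: exception $($exception.ChangeId) expired on $($exception.Expires.ToShortDateString())" }
              else { "Compliant: allowed under exception $($exception.ChangeId); re-validate by $($exception.Expires.ToShortDateString())" }

    if ($Remediate -and $status -like 'Finding:*') {
        # Restore the baseline by setting the machine policy to "disable" (3).
        if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
        Set-ItemProperty -Path $PolicyPath -Name $ActiveXValue -Value 3 -Type DWord
        $status += ' (remediated: machine policy set to disable)'
    }

    [pscustomobject]@{ User = $User; Source = $setting.Source; Setting = $setting.Value; Status = $status }
}

# Report only; add -Remediate to enforce the baseline when a finding is raised.
Test-MobileCodeCompliance | Format-List
```

Run it under the account being audited so the HKCU branch reflects that user's preference. Two points follow from how the zone settings resolve: a machine-wide policy under HKLM overrides any per-user preference, so an exception for one user on a shared machine has to be granted where the policy is scoped (for example through a user-targeted policy object) rather than by editing HKCU; and an absent value is reported as a finding rather than as compliant, because the browser's own default for the Internet zone permits ActiveX. The expiry date in the register is what turns the "check in at the end of the year" reminder into something the audit enforces.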

References
• NIST SP 800-171 Rev 1 3.13.13
• NIST CSF v1.1 DE.CM-5
• NIST SP 800-53 Rev 4 SC-18
• AU ACSC Essential Eight