Device Class 1: Mobile Code

Control ID: SC-18 (Mobile Code)
Family: System and Communications Protection
Source: NIST 800-53r4
Control: The organization:
  1. Defines acceptable and unacceptable mobile code and mobile code technologies;
  2. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
  3. Authorizes, monitors, and controls the use of mobile code within the information system.
Supplemental Guidance:
Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems.

Related Controls: AU-2, AU-12, CM-2, CM-6, SI-3
Control Enhancements: N/A
References: N/A
Mechanisms:

  • The device shall permit code to run, whether or not it is "mobile code" as identified above, only if that code was installed using a mechanism permitted under CM-7.

Protocol Implementation Conformance Statements:
ID      | Statement                                                                                                                                               | Status | Reference | Notes
SC-18/1 | The device identifies and stores the installation method of each piece of code.                                                                        | M      | CM-7      |
SC-18/2 | At runtime, the device verifies that code was installed according to a supported method, and does not permit execution if a supported method is not found. | M      | CM-7      |
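The following is an added illustration of the two conformance statements above (SC-18/1: record the installation method of each piece of code; SC-18/2: fail closed at runtime when no supported method is recorded). It is example code written for this page, not part of the profile or any product; the method names in the allow list, the SHA-256 keying and the sample artifacts are assumptions.

```python
"""Added example: an installation-provenance registry with a fail-closed
runtime check, modelling PICS SC-18/1 and SC-18/2. Method names and the
hash-keyed registry are assumptions chosen for illustration."""
import hashlib
from dataclasses import dataclass

# Installation methods the device's CM-7 policy permits (assumed set).
PERMITTED_METHODS = frozenset({"signed_package", "vendor_ota"})


@dataclass(frozen=True)
class InstallRecord:
    method: str   # how the code arrived on the device (SC-18/1)
    origin: str   # who or what installed it, for the audit trail (AU-2, AU-12)


class CodeRegistry:
    """SC-18/1: store the installation method of each piece of code, keyed by
    the SHA-256 of its bytes so that a modified artifact no longer matches."""

    def __init__(self):
        self._records = {}  # digest -> InstallRecord

    @staticmethod
    def digest(code: bytes) -> str:
        return hashlib.sha256(code).hexdigest()

    def record_install(self, code: bytes, method: str, origin: str) -> str:
        d = self.digest(code)
        self._records[d] = InstallRecord(method, origin)
        return d

    def execution_permitted(self, code: bytes) -> tuple:
        """SC-18/2: fail closed. Code with no record (never installed through
        the device, or altered since) and code installed by a method outside
        the CM-7 allow list are both denied; the reason is returned for logging."""
        rec = self._records.get(self.digest(code))
        if rec is None:
            return False, "deny: no installation record for this code"
        if rec.method not in PERMITTED_METHODS:
            return False, f"deny: method '{rec.method}' not permitted under CM-7"
        return True, f"allow: installed via {rec.method} by {rec.origin}"


if __name__ == "__main__":
    reg = CodeRegistry()
    good = b"print('hello')"         # constructed sample artifacts
    side = b"print('sideloaded')"
    reg.record_install(good, "signed_package", "vendor-repo")
    reg.record_install(side, "sideload", "removable-media")
    for blob in (good, side, b"never-installed", good + b"#tampered"):
        print(reg.execution_permitted(blob))
```

The last two probes show the two failure modes SC-18/2 must cover: code with no installation record at all, and a recorded artifact whose bytes changed after installation.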