Level 5 CMMC - CMMC Practices

SC.3.188  

Reference: CMMC 1.02

Family: SC

Level Introduced: 3

Practice:
Control and monitor the use of mobile code.

CMMC Clarification:
Ensure mobile code such as Java, ActiveX, Flash is authorized to execute on the network in accordance to the organization’s policy and technical configuration, and unauthorized mobile code is not. Then monitor the use of mobile code through boundary devices, audit of configurations, and implement remediation activities as needed.

Example
You are an IT administrator at the organization responsible for enforcing and monitoring the use of mobile code. The organization has established a policy that addresses the use of mobile code. You configure the baseline configuration of machines on your network to disable and deny the execution of mobile code. You implement an exception process to re- activate mobile code execution only for those users with a legitimate business need.

One user complains that a web application they need to perform their job no longer works. You meet with them and verify that the web application uses ActiveX in the browser. You submit a change for the user and get it approved by the Change Review Board for your organization. Once the change is approved, you reconfigure the user’s machine to allow the running of ActiveX in the browser for this individual user. You set a reminder for yourself to check in with the user at the end of the year to verify they still need that web application.

3.13.13

Control and monitor the use of mobile code.

Discussion:
Mobile code technologies include Java, JavaScript, ActiveX, Postscript, PDF, Flash animations, and VBScript. Decisions regarding the use of mobile code in organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Usage restrictions and implementation guidance apply to the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations, notebook computers, and devices (e.g., smart phones). Mobile code policy and procedures address controlling or preventing the development, acquisition, or introduction of unacceptable mobile code in systems, including requiring mobile code to be digitally signed by a trusted source.

[SP 800-28] provides guidance on mobile code.

Source: NIST Special Publication 800-171 Rev. 2

SC-18

MOBILE CODE

Description:
The organization:
    a. Defines acceptable and unacceptable mobile code and mobile code technologies;
    b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
    c. Authorizes, monitors, and controls the use of mobile code within the information system.

Supplemental Guidance:
Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems. Related controls: AU-2, AU-12, CM-2, CM-6, SI-3.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02