Reference: CMMC 2.11
Family: SC
Level Introduced: 2
Title: Mobile Code
Practice:
Control and monitor the use of mobile code.
CMMC Clarification:
Ensure mobile code such as Java, ActiveX, Flash is authorized to execute on the network in accordance to the organization's policy and technical configuration, and unauthorized mobile code is not. Then monitor the use of mobile code through boundary devices, audit of configurations, and implement remediation activities as needed.
Example
You are an IT administrator at the organization responsible for enforcing and monitoring the use of mobile code. The organization has established a policy that addresses the use of mobile code. You configure the baseline configuration of machines on your network to disable and deny the execution of mobile code. You implement an exception process to re- activate mobile code execution only for those users with a legitimate business need.
One user complains that a web application they need to perform their job no longer works. You meet with them and verify that the web application uses ActiveX in the browser. You submit a change for the user and get it approved by the Change Review Board for your organization. Once the change is approved, you reconfigure the user's machine to allow the running of ActiveX in the browser for this individual user. You set a reminder for yourself to check in with the user at the end of the year to verify they still need that web application.
Implementation Strategies
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.
NIST 800-171 Requirements (1)
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.
NIST 800-53 Controls (1)
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.