NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-18 Mobile Code

a. Define acceptable and unacceptable mobile code and mobile code technologies; and
b. Authorize, monitor, and control the use of mobile code within the system.

Supplemental Guidance

Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java applets, JavaScript, HTML5, WebGL, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.

Practitioner Notes

Mobile code — JavaScript, Java applets, ActiveX controls, macros — runs on your users' machines after being downloaded from a remote source such as a website, an email, or a document. You need to control which mobile code is allowed to run and what it can do once it runs.

Example 1: Use a GPO to configure Microsoft Office macro settings: block macros from the internet, disable macros without notification for standard users, and only allow macros signed by trusted publishers. This prevents macro-based malware while still allowing approved business macros.

Example 2: Configure your web proxy to block downloads of executable content (Java applets, ActiveX, Flash) from untrusted websites. Use your browser's enterprise policies (Edge/Chrome ADMX templates) to disable Java and ActiveX plugins entirely on standard workstations.
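The settings in Example 1 and the browser-side half of Example 2 both land as Windows policy registry values, and SC-18 also asks you to monitor them. The following PowerShell script is an added, read-only audit written for this note; it is not part of NIST SP 800-53 or of this site. It assumes Office 2016 or later (policy hive "16.0"), that Word, Excel and PowerPoint are the applications of interest, and that the ActiveX restriction is applied through the machine-wide Internet Settings policy for the Internet zone (zone 3); the proxy rules in Example 2 are vendor-specific and are not checked here. The VBAWarnings values are Microsoft's: 3 disables all macros except digitally signed ones, 4 disables all macros without notification, so pick the one that matches your GPO.

```powershell
# Added example (not from NIST SP 800-53 or this site): read-only audit of the
# mobile-code policy values described in Examples 1 and 2, so an admin can
# confirm a GPO actually applied on a workstation and spot drift afterwards.
# Assumptions: Office 2016+ policy hive "16.0"; Word/Excel/PowerPoint; the
# ActiveX check reads the machine-wide Internet Settings policy for zone 3.

$OfficePolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$OfficeApps       = 'Word', 'Excel', 'PowerPoint'

# Expected values under each app's "Security" policy key:
#   VBAWarnings: 3 = disable all macros except digitally signed,
#                4 = disable all macros without notification.
#   blockcontentexecutionfrominternet: 1 = block macros in files that carry
#                the Mark of the Web (downloaded from the Internet).
$OfficeExpected = [ordered]@{
    'VBAWarnings'                       = 3
    'blockcontentexecutionfrominternet' = 1
}

# Internet zone URL action 1200 = "Run ActiveX controls and plug-ins";
# 3 = Disable (0 = Enable, 1 = Prompt).
$ZonePolicyPath = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ZoneExpected   = [ordered]@{ '1200' = 3 }

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy never applied.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-PolicySet {
    param([string]$Scope, [string]$Path, [System.Collections.IDictionary]$Expected)
    foreach ($name in $Expected.Keys) {
        $actual  = Get-PolicyValue -Path $Path -Name $name
        $display = if ($null -eq $actual) { '<not set>' } else { $actual }
        [pscustomobject]@{
            Scope     = $Scope
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $display
            Compliant = ($null -ne $actual -and [int]$actual -eq [int]$Expected[$name])
        }
    }
}

function Test-MobileCodePolicy {
    # One row per (scope, setting); a missing value is reported as non-compliant
    # rather than skipped, because "not set" means the default (weaker) behaviour.
    $results = @(foreach ($app in $OfficeApps) {
        Test-PolicySet -Scope "Office/$app" -Path "$OfficePolicyRoot\$app\Security" -Expected $OfficeExpected
    })
    $results += Test-PolicySet -Scope 'IE Internet zone' -Path $ZonePolicyPath -Expected $ZoneExpected
    return $results
}

function Get-TrustedMacroPublishers {
    # Publishers whose signed macros Office will trust. Review this list: a stray
    # certificate here silently widens what "signed by a trusted source" means.
    Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher, Cert:\CurrentUser\TrustedPublisher -ErrorAction SilentlyContinue |
        Select-Object Subject, Thumbprint, NotAfter
}

$report = Test-MobileCodePolicy
$report | Format-Table -AutoSize
Get-TrustedMacroPublishers | Format-Table -AutoSize

# Non-zero exit lets a configuration-management or monitoring job flag drift.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it in the user's context (the Office values are per-user policy keys) and feed the exit code to whatever job scheduler or endpoint-management tool you already use; a failing host is one where the GPO did not apply or was overridden locally, which is exactly the "monitor" part of the control.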