NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-18(1) Identify Unacceptable Code and Take Corrective Actions

Identify [Assignment: organization-defined unacceptable mobile code] and take [Assignment: organization-defined corrective actions].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Corrective actions when unacceptable mobile code is detected include blocking, quarantine, or alerting administrators. Blocking includes preventing the transmission of word processing files with embedded macros when such macros have been determined to be unacceptable mobile code.

Practitioner Notes

Your systems should be able to identify unacceptable mobile code and take corrective action automatically — block it, quarantine it, or alert on it.

Example 1: Configure Windows Defender Application Control (WDAC) to block unsigned or untrusted executables, scripts, and DLLs. When a user downloads a suspicious script, WDAC prevents it from running and logs the attempt.

Example 2: Deploy a cloud-based email security gateway (like Proofpoint or Microsoft Defender for Office 365) that detonates email attachments in a sandbox. Macros and scripts that exhibit malicious behavior are stripped from the attachment before delivery to the user.
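
The macro-blocking case from the Supplemental Guidance, as an added example that is not part of the control text or of any vendor product: a minimal attachment check that identifies embedded VBA in Office files and maps each finding to a corrective action. The POLICY values, function names, and sample files are assumptions constructed for illustration; they stand in for the two organization-defined parameters of SC-18(1).

```python
import io
import zipfile

# Assumed organization-defined parameters for SC-18(1) (illustrative values):
# which mobile code is unacceptable, and the corrective action for each kind.
POLICY = {
    "vba_macro": "block",
    "legacy_ole": "quarantine",  # pre-2007 Office container: not parsed here, so held for review
}

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound file header


def identify_mobile_code(data: bytes) -> list[str]:
    """Return the kinds of mobile code found in an Office attachment."""
    if data.startswith(OLE_MAGIC):
        return ["legacy_ole"]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n.lower() for n in zf.namelist()]
    # OOXML stores the VBA project as a vbaProject.bin part (word/, xl/ or ppt/).
    if any(n.endswith("vbaproject.bin") for n in names):
        return ["vba_macro"]
    return []


def corrective_action(data: bytes, policy=POLICY) -> str:
    """Map findings to the strictest configured action; 'deliver' if none."""
    order = ["deliver", "alert", "quarantine", "block"]
    # A finding with no policy entry still raises an alert rather than passing silently.
    actions = [policy.get(kind, "alert") for kind in identify_mobile_code(data)]
    return max(actions, key=order.index, default="deliver")


def make_docx(with_macro: bool) -> bytes:
    """Build a constructed, minimal OOXML-shaped archive for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("clean.docx", make_docx(False)),
                        ("invoice.docm", make_docx(True)),
                        ("old.doc", OLE_MAGIC + b"\x00" * 16)]:
        print(label, "->", corrective_action(blob))
```

The check keys on the archive contents rather than the file extension, so a macro-enabled document renamed to .docx is still identified.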