NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-18(2) Acquisition, Development, and Use

Verify that the acquisition, development, and use of mobile code to be deployed in the system meets [Assignment: organization-defined mobile code requirements].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

None.

Practitioner Notes

Control mobile code during its acquisition, development, and use — ensuring only approved mobile code from trusted sources is used in your environment.

Example 1: Maintain an approved list of browser extensions and Office add-ins. Use Chrome Enterprise or Edge management to push only approved extensions and block all others. Review and update the approved list quarterly.
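One way to check Example 1 in practice is shown below. It is an added example, not part of the control text or of any vendor tooling. It audits a Chrome managed-policy file against the approved list and flags extensions that are deployed but unapproved or overdue for review. The extension IDs, the policy contents, the `audit_policy` helper and the 92-day review window are constructed assumptions. The policy key names are Chrome's own.

```python
import json
from datetime import date

# Constructed approved list: extension ID -> date of last review (IDs are placeholders).
APPROVED = {
    "a" * 32: date(2024, 5, 2),
    "b" * 32: date(2023, 11, 20),
}

# Constructed managed-policy JSON, using Chrome's extension policy keys.
POLICY_JSON = """{
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
                                "cccccccccccccccccccccccccccccccc"],
  "ExtensionInstallForcelist": [
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb;https://clients2.google.com/service/update2/crx"]
}"""

def audit_policy(policy, approved, today, max_age_days=92):
    """Return findings where the policy departs from the approved list.

    max_age_days=92 is an assumed stand-in for the quarterly review interval.
    """
    findings = []
    # Without a "*" blocklist entry, the allowlist does not restrict anything.
    if "*" not in policy.get("ExtensionInstallBlocklist", []):
        findings.append("blocklist lacks '*': unapproved extensions are installable")
    allowed = set(policy.get("ExtensionInstallAllowlist", []))
    # Forcelist entries are "<id>;<update_url>" and take precedence over the blocklist.
    forced = {e.split(";", 1)[0] for e in policy.get("ExtensionInstallForcelist", [])}
    for ext_id in sorted(allowed | forced):
        if ext_id not in approved:
            findings.append(f"{ext_id}: deployed but not on the approved list")
        elif (today - approved[ext_id]).days > max_age_days:
            findings.append(f"{ext_id}: approval older than {max_age_days} days")
    return findings

if __name__ == "__main__":
    for finding in audit_policy(json.loads(POLICY_JSON), APPROVED, date(2024, 6, 1)):
        print(finding)
```

The returned findings can be kept as assessment evidence that the deployed policy matches the approved list.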

Example 2: For internally developed macros and scripts, require code review and signing before deployment. Store approved scripts in a controlled repository (like an internal Git server) and use code signing certificates to verify authenticity before execution.