NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-18(5) Allow Execution Only in Confined Environments

Allow execution of permitted mobile code only in confined virtual machine environments.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Permitting the execution of mobile code only in confined virtual machine environments helps prevent the introduction of malicious code into other systems and system components.

Practitioner Notes

If mobile code must run, confine it to a sandbox or restricted environment where it cannot access the rest of the system.

Example 1: Enable Windows Sandbox or Application Guard for Edge. When users download and open untrusted files or visit untrusted websites, they run in an isolated container that is destroyed when closed — any malware is contained and discarded.
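As an added illustration of Example 1 (not part of the original control text), the following PowerShell audits and enables the two Windows confinement features named above and writes a locked-down Windows Sandbox profile for opening untrusted files. It assumes an elevated session on Windows 10/11 Pro or Enterprise with virtualization enabled; the folder paths are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: check/enable Windows Sandbox and Application Guard for Edge,
# then write a restrictive .wsb profile so untrusted content runs in a
# throwaway VM with no path back to the host. Paths below are placeholders.

$features = @(
    'Containers-DisposableClientVM',      # Windows Sandbox
    'Windows-Defender-ApplicationGuard'   # Application Guard for Edge
)

foreach ($name in $features) {
    $state = (Get-WindowsOptionalFeature -Online -FeatureName $name).State
    Write-Host "$name : $state"
    if ($state -ne 'Enabled') {
        # -NoRestart lets both features be enabled before a single reboot
        Enable-WindowsOptionalFeature -Online -FeatureName $name -All -NoRestart | Out-Null
    }
}

# Sandbox profile: no network, no GPU sharing, no clipboard/printer/audio/video
# redirection, and the only mapped folder is read-only, so code running inside
# can read the untrusted file but cannot write anything back to the host.
$hostDropFolder = 'C:\UntrustedDrop'   # placeholder host folder for downloads
New-Item -ItemType Directory -Path $hostDropFolder -Force | Out-Null

$wsb = @"
<Configuration>
  <vGPU>Disable</vGPU>
  <Networking>Disable</Networking>
  <ProtectedClient>Enable</ProtectedClient>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <PrinterRedirection>Disable</PrinterRedirection>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <MemoryInMB>4096</MemoryInMB>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostDropFolder</HostFolder>
      <SandboxFolder>C:\Untrusted</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>
"@
$wsbPath = Join-Path $env:USERPROFILE 'Desktop\OpenUntrusted.wsb'
Set-Content -Path $wsbPath -Value $wsb -Encoding UTF8
Write-Host "Sandbox profile written to $wsbPath (reboot first if a feature was just enabled)."
```

Launching the .wsb file starts a fresh sandbox each time and everything inside it is discarded on close; check Microsoft's current deprecation notices before building a program around Application Guard for Edge, which Microsoft has listed as deprecated.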

Example 2: Use browser isolation technology (like Menlo Security or Zscaler Browser Isolation) that executes web content in a remote container. Only a safe visual stream reaches the user's browser — malicious scripts run in the cloud container where they cannot touch the endpoint.