SC.L2-3.13.13: Control and Monitor Mobile Code
Mobile code—including scripts, applets, and downloaded applications—poses significant security risks if left uncontrolled. SC.L2-3.13.13 requires you to establish controls that prevent unauthorized mobile code execution and maintain visibility into what's running across your systems. This control is critical for preventing supply chain attacks and protecting sensitive DoD information.
What this means
Mobile code refers to any executable content (Java applets, ActiveX controls, JavaScript, Flash, macros) that executes on your systems without explicit user awareness or authorization. This control requires you to implement technical and administrative measures to control mobile code usage—either by disabling it entirely where unnecessary, restricting execution to trusted sources, or monitoring and logging all mobile code activities. The goal is to prevent malicious code execution while maintaining operational functionality for legitimate business needs.
How to comply
- 1.Identify all systems and applications that support or execute mobile code
- 2.Develop a mobile code policy defining approved sources, acceptable use, and execution restrictions
- 3.Disable mobile code execution by default on systems where it's not business-critical
- 4.Implement allowlisting for trusted code sources and digitally signed mobile code
- 5.Configure web browsers and email clients to restrict or prompt before executing mobile code
- 6.Enable logging and monitoring of all mobile code execution attempts and failures
- 7.Conduct regular audits of systems to detect unauthorized or unmanaged mobile code
- 8.Document all mobile code controls, exemptions, and their business justification
- 9.Train employees on risks associated with mobile code and proper handling procedures
Evidence auditors look for
- Mobile code control policy document with approval and effective date
- Browser security configuration baselines disabling Java, Flash, or ActiveX
- Email gateway logs showing blocked executable attachments and script execution prevention
- System hardening documentation showing disabled mobile code interpreters
- Allowlist/whitelist documentation for approved mobile code sources with digital signatures
- Mobile code execution logs from endpoint protection or application whitelisting tools
- Audit reports demonstrating scanning for unauthorized mobile code on systems
- Change management records showing implementation of mobile code control updates
- Risk assessment documentation explaining exemptions for systems requiring mobile code
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates the collection of mobile code control evidence by integrating with your endpoint protection, browser policies, and system logs—eliminating manual evidence gathering and providing auditors with a complete control chain.
See how GRCWatch handles this control automatically
Start free trial