Mobile Code Control (NIST SP 800-171 3.13.13)
Mobile code—including scripts, applets, and downloadable applications—introduces significant security risks to your information systems. NIST 800-171 3.13.13 requires you to establish controls that monitor, restrict, and authorize mobile code execution across your infrastructure. Without proper governance, unauthorized mobile code can bypass security perimeters and compromise sensitive data.
What this means
This control requires organizations to identify all mobile code present in their systems, define which mobile code is authorized for use, establish policies governing mobile code execution, and implement technical controls to prevent unauthorized mobile code from running. Mobile code includes Java applets, ActiveX controls, JavaScript, browser plugins, and any executable content downloaded from external sources. The control emphasizes both preventive measures (blocking unauthorized code) and detective measures (monitoring and logging code execution).
How to comply
- 1.Create an inventory of all mobile code types used in your organization (Java, JavaScript, plugins, ActiveX, etc.)
- 2.Establish a whitelist of authorized mobile code sources and applications approved for use
- 3.Document a mobile code policy that specifies approval requirements, allowed execution environments, and restrictions
- 4.Configure systems to disable or restrict mobile code execution by default (disable JavaScript in email, restrict plugin use)
- 5.Implement technical controls like application whitelisting, browser security policies, and sandboxing environments
- 6.Log and monitor all mobile code execution attempts, including blocked and allowed activities
- 7.Conduct regular audits to identify new or unauthorized mobile code in your environment
- 8.Educate users on risks of mobile code and approved procedures for requesting code authorization
Evidence auditors look for
- Mobile code inventory listing all code types, sources, and locations in your systems
- Approved mobile code whitelist with business justification for each authorized application
- Mobile code security policy document addressing authorization, execution, and monitoring requirements
- System configuration screenshots showing disabled or restricted mobile code features
- Application whitelisting reports and audit logs showing enforcement
- Monitoring and logging records demonstrating detection of mobile code execution attempts
- Regular audit reports identifying unauthorized or new mobile code
- User training records on mobile code risks and approval procedures
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically discovers and catalogs mobile code across your systems, tracks approval status against your whitelist, and consolidates execution logs for audit evidence—eliminating manual inventory work and providing ready-to-demonstrate compliance documentation for 3.13.13.
See how GRCWatch handles this control automatically
Start free trial