DE.CM-5: Unauthorized Mobile Code Detection
Unauthorized mobile code—scripts, applets, and executable content from untrusted sources—poses a direct threat to system integrity and data security. NIST CSF's DE.CM-5 requires you to detect and respond to this threat in real-time. This control is essential for SMBs managing diverse endpoints and cloud workloads.
What this means
DE.CM-5 requires your organization to implement detection mechanisms that identify unauthorized mobile code attempting to execute within your environment. Mobile code includes Java applets, ActiveX controls, JavaScript, mobile applications, and other executable content that may bypass traditional perimeter controls. Detection must occur before or immediately upon execution, enabling rapid containment and response.
How to comply
- 1.Deploy endpoint detection and response (EDR) tools with behavioral analysis to identify suspicious script execution and code injection patterns
- 2.Configure email and web gateway controls to block or sandbox potentially malicious mobile code before users can execute it
- 3.Implement application whitelisting policies that restrict execution to approved applications and prevent unauthorized scripts from running
- 4.Enable logging and monitoring of script interpreters (PowerShell, Python, JavaScript engines) to capture execution events for forensic review
- 5.Establish detection rules based on known malicious signatures, unusual privilege escalation, and suspicious network communications from processes
- 6.Conduct quarterly reviews of detection logs to identify gaps and tune rules to reduce false positives while maintaining coverage
- 7.Define and document incident response procedures specific to unauthorized code detection, including quarantine and remediation steps
Evidence auditors look for
- EDR/XDR platform console showing detection and blocking of unauthorized scripts with timestamps and execution context
- Email security gateway logs demonstrating blocked malicious attachments or links that deliver mobile code
- Application whitelisting policy documentation and audit reports confirming only approved executables can run
- PowerShell and script engine audit logs showing execution attempts, including command-line arguments and parent process chains
- Detection rule documentation with signatures, behavioral triggers, and tuning parameters specific to mobile code threats
- Incident response playbook tailored to mobile code detection scenarios with defined escalation and containment procedures
- Monthly detection summary reports showing volume of blocked/detected unauthorized code attempts and response metrics
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates DE.CM-5 compliance by centralizing EDR alerts, script execution logs, and detection events in a single dashboard, eliminating manual log aggregation and providing audit-ready evidence reports with a single click.
See how GRCWatch handles this control automatically
Start free trial