NIST 800-171 • LEVEL 2 • SYSTEM AND COMMUNICATIONS PROTECTION

3.13.13 Mobile Code

Define acceptable mobile code and mobile code technologies. Authorize, monitor, and control the use of mobile code.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • the use of mobile code is authorized.
  • the use of mobile code is monitored.
  • the use of mobile code is controlled.
  • acceptable mobile code is defined.
  • acceptable mobile code technologies are defined.

Practitioner Notes

Mobile code refers to software that is downloaded and executed automatically -- things like JavaScript, Java applets, ActiveX controls, PowerShell scripts, or macros. You need to control what types of mobile code can run in your environment.

Example 1: Restrict Office macro execution via GPO: User Configuration > Administrative Templates > Microsoft Office > Security Settings > VBA Macro Notification Settings -- set to Disable all except digitally signed macros. This prevents untrusted macros (a common malware delivery method) from running while still allowing business-critical signed macros.

Example 2: Configure Windows Defender Application Control (WDAC) or AppLocker to restrict which scripts and executables can run. Create an AppLocker policy via GPO (Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker) that allows only scripts signed by your organization or from trusted paths (e.g., C:\Program Files\*) and blocks everything else.
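The AppLocker policy from Example 2, worked through as an added example (not from the original page): a Script rule collection that allows only organization-signed scripts and scripts under trusted paths, applied in audit mode first so the monitoring objective is met before enforcement. It assumes an elevated session, the Application Identity service running, and a placeholder publisher string that must be replaced with the subject of your own code-signing certificate.

```powershell
# Added example: define, audit, then enforce an AppLocker Script rule collection.
# Assumptions: elevated PowerShell, AppIDSvc running, and $Publisher replaced with
# the real subject of the organization's code-signing certificate.
$Publisher = 'O=EXAMPLE CORP, L=ANYTOWN, S=WA, C=US'   # PLACEHOLDER, not a real value
$Mode      = 'AuditOnly'   # monitor first; change to 'Enabled' to block

# Each AppLocker rule needs a unique Id, generated here as a fresh GUID.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="$Mode">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow org-signed scripts"
        Description="Scripts signed with the organization code-signing certificate"
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$Publisher" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow scripts in Program Files"
        Description="Trusted install location" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow scripts in Windows folder"
        Description="Matches the AppLocker default rule" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'mobile-code-script-policy.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run against a constructed sample path: shows the decision the policy would make
# for an unsigned script outside the trusted paths before anything is applied.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path 'C:\Users\Public\unsigned.ps1' -User Everyone

# Apply to the local machine, merging with any existing policy. In a domain, import
# the same XML into the GPO location named in Example 2 instead.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Monitoring: in AuditOnly mode event 8006 records each script that would have been
# blocked; once enforced, event 8007 records actual blocks. Review these before
# switching $Mode to 'Enabled' so legitimate scripts are signed or relocated first.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006, 8007
} -MaxEvents 50 | Select-Object TimeCreated, Id, Message
```

Everyone (S-1-1-0) is used as the rule principal so the policy applies uniformly; scope it to narrower groups if some users need different allowances.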