NIST 800-171 - Mobile Code (3.13.13)
Overview:
Control and monitor the use of mobile code.
Action Items:
3.13.13[a]
Determine if: use of mobile code is controlled.
3.13.13[b]
Determine if: use of mobile code is monitored.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
1) Examine: System and communications protection policy; procedures addressing mobile code; mobile code usage restrictions, mobile code implementation policy and procedures; system audit logs and records; system security plan; list of acceptable mobile code and mobile code technologies; list of unacceptable mobile code and mobile technologies; authorization records; system monitoring records; other relevant documents or records.
2) Interview: System or network administrators; personnel with information security responsibilities; personnel with responsibilities for managing mobile code.
3) Test: Organizational process for controlling, authorizing, monitoring, and restricting mobile code; mechanisms supporting or implementing the management of mobile code; mechanisms supporting or implementing the monitoring of mobile code.
Related Documents (document name and content will vary by organization):
1) System and communications protection policy
2) procedures addressing mobile code
3) mobile code usage restrictions, mobile code implementation policy and procedures
4) system audit logs and records
5) system security plan
6) list of acceptable mobile code and mobile code technologies
7) list of unacceptable mobile code and mobile technologies
8) authorization records
9) system monitoring records
10) other relevant documents or records
Additional Guidance:
Decisions regarding the use of mobile code in organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, PostScript, PDF, Shockwave movies, Flash animations, and VBScript. Several of these (ActiveX, Shockwave, Flash) are end-of-life and no longer supported by their vendors, but they can persist in legacy applications and browsers, so they typically belong on the organization's list of unacceptable mobile code technologies unless a documented business need keeps them in place. Usage restrictions and implementation guidance apply to the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations, notebook computers, and devices (e.g., smartphones). Mobile code policy and procedures address controlling or preventing the development, acquisition, or introduction of unacceptable mobile code in systems, including, for example, requiring mobile code to be digitally signed by a trusted source. The monitoring objective (3.13.13[b]) is only satisfied if execution of mobile code is actually logged in a way that identifies what ran, where it came from, and whether the signature check passed; a policy document alone does not evidence monitoring. NIST Special Publication 800-28 Version 2, Guidelines on Active Content and Mobile Code, provides guidance on mobile code.
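The guidance above names two mechanisms an assessor will test for: a list of acceptable mobile code technologies, and a requirement that mobile code be digitally signed by a trusted source, with every decision recorded for monitoring. The following Go program is an added example of such a gate and is not part of NIST SP 800-171 or 800-171A. It assumes (as illustration only) that mobile code technologies are identified by file extension, that publishers are identified by a string id mapped to an Ed25519 verification key in a trust store, that publishers ship a detached Ed25519 signature over a domain-separated (file name, content) pair, and that the audit trail is an in-memory slice; a real deployment would load keys from configuration and write audit records to the system log. The sample script content is constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"path"
	"strings"
	"time"
)

// Decision is the outcome of the mobile code policy for one artifact.
type Decision struct {
	Allowed bool
	Reason  string
}

// AuditRecord is what the monitoring objective (3.13.13[b]) needs: what ran, from whom, when, and why it was allowed or denied.
type AuditRecord struct {
	Time      time.Time
	Publisher string
	Name      string
	SHA256    string
	Allowed   bool
	Reason    string
}

// Policy holds the organization's acceptable mobile code technologies (assumed here to be
// keyed by file extension) and the verification keys of publishers trusted to sign mobile code.
type Policy struct {
	AllowedExtensions map[string]bool              // e.g. ".js": true
	TrustedPublishers map[string]ed25519.PublicKey // hypothetical publisher id -> verification key
	Audit             []AuditRecord                // audit trail; a real system writes this to the system log
}

// Artifact is a piece of mobile code as delivered: content, claimed publisher, detached signature.
type Artifact struct {
	Name      string
	Publisher string
	Content   []byte
	Signature []byte
}

// Evaluate applies the control (acceptable technology + signature from a trusted source)
// and appends an audit record whether the artifact is allowed or denied.
func (p *Policy) Evaluate(a Artifact) Decision {
	d := p.decide(a)
	sum := sha256.Sum256(a.Content)
	p.Audit = append(p.Audit, AuditRecord{
		Time: time.Now().UTC(), Publisher: a.Publisher, Name: a.Name,
		SHA256: hex.EncodeToString(sum[:]), Allowed: d.Allowed, Reason: d.Reason,
	})
	return d
}

func (p *Policy) decide(a Artifact) Decision {
	ext := strings.ToLower(path.Ext(a.Name))
	if !p.AllowedExtensions[ext] {
		return Decision{false, "mobile code technology not on acceptable list: " + ext}
	}
	pub, ok := p.TrustedPublishers[a.Publisher]
	if !ok {
		return Decision{false, "publisher not trusted: " + a.Publisher}
	}
	if len(a.Signature) != ed25519.SignatureSize {
		return Decision{false, "missing or malformed signature"}
	}
	// The signature binds the file name to the content, so a signed artifact cannot be
	// renamed into an acceptable technology, and any content change invalidates it.
	if !ed25519.Verify(pub, signingInput(a.Name, a.Content), a.Signature) {
		return Decision{false, "signature verification failed"}
	}
	return Decision{true, "signed by trusted publisher " + a.Publisher}
}

// signingInput is the byte string publishers sign: a domain separator, the file name, and the content.
func signingInput(name string, content []byte) []byte {
	return append([]byte("mobile-code-v1\x00"+name+"\x00"), content...)
}

// Sign produces the detached signature a trusted publisher ships alongside its mobile code.
func Sign(priv ed25519.PrivateKey, name string, content []byte) []byte {
	return ed25519.Sign(priv, signingInput(name, content))
}

// NewKeyPair generates a publisher key pair for the example; real keys come from the publisher.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	pub, priv := NewKeyPair()
	policy := &Policy{
		AllowedExtensions: map[string]bool{".js": true, ".pdf": true},
		TrustedPublishers: map[string]ed25519.PublicKey{"internal-tools": pub},
	}
	script := []byte("document.title = 'hello';") // constructed sample content
	good := Artifact{"widget.js", "internal-tools", script, Sign(priv, "widget.js", script)}
	flash := Artifact{"banner.swf", "internal-tools", script, Sign(priv, "banner.swf", script)}
	tampered := Artifact{"widget.js", "internal-tools", []byte("document.title = 'hello'; evil();"), good.Signature}
	for _, a := range []Artifact{good, flash, tampered} {
		d := policy.Evaluate(a)
		fmt.Printf("%-10s allowed=%-5v %s\n", a.Name, d.Allowed, d.Reason)
	}
	fmt.Printf("%d audit records written\n", len(policy.Audit))
}
```

The order of checks matters for the assessment: the technology allowlist is applied before any signature work, so a signed Flash file from a trusted publisher is still denied, which is the behaviour the "list of unacceptable mobile code technologies" object calls for. Every path through Evaluate produces an audit record, so the monitoring evidence exists for denials as well as approvals.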