
SC-18 MOBILE CODE


Overview

Number: SC-18
Title: Mobile Code
Impact: MODERATE
Priority: P2
Subject Area: System And Communications Protection

Instructions
The organization:
SC-18a. Defines acceptable and unacceptable mobile code and mobile code technologies;
SC-18b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
SC-18c. Authorizes, monitors, and controls the use of mobile code within the information system.
Guidance
Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems.

Enhancements
SC-18 (1) Identify Unacceptable Code / Take Corrective Actions
Corrective actions when unacceptable mobile code is detected include, for example, blocking, quarantine, or alerting administrators. Blocking includes, for example, preventing transmission of word processing files with embedded macros when such macros have been defined to be unacceptable mobile code.

The information system identifies [Assignment: organization-defined unacceptable mobile code] and takes [Assignment: organization-defined corrective actions].

SC-18 (2) Acquisition / Development / Use

The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets [Assignment: organization-defined mobile code requirements].

SC-18 (3) Prevent Downloading / Execution

The information system prevents the download and execution of [Assignment: organization-defined unacceptable mobile code].

SC-18 (4) Prevent Automatic Execution
Actions enforced before executing mobile code include, for example, prompting users prior to opening electronic mail attachments. Preventing automatic execution of mobile code includes, for example, disabling auto execute features on information system components employing portable storage devices such as Compact Disks (CDs), Digital Video Disks (DVDs), and Universal Serial Bus (USB) devices.

The information system prevents the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforces [Assignment: organization-defined actions] prior to executing the code.

SC-18 (5) Allow Execution Only In Confined Environments

The organization allows execution of permitted mobile code only in confined virtual machine environments.