The acquisition, development, and/or use of mobile code to be deployed in DoD systems meets the following requirements:
1. Emerging mobile code technologies that have not undergone a risk assessment by NSA and been assigned to a Risk Category by the DoD CIO are not used.
2. Category 1 mobile code is signed with a DoD-approved PKI code signing certificate; use of unsigned Category 1 mobile code is prohibited; use of Category 1 mobile code technologies that cannot block or disable unsigned mobile code (e.g., Windows Scripting Host) is prohibited.
3. Category 2 mobile code, which executes in a constrained environment without access to system resources (e.g., Windows registry, file system, system parameters, network connections to other than the originating host) may be used.
4. Category 2 mobile code that does not execute in a constrained environment may be used when obtained from a trusted source over an assured channel (e.g., SIPRNET, SSL connection, S/MIME, code is signed with a DoD-approved code signing certificate).
5. Category 3 mobile code may be used.
6. All DoD workstation and host software is configured, to the extent possible, to prevent the download and execution of prohibited mobile code.
7. The automatic execution of all mobile code in email is prohibited; email software is configured to prompt the user prior to executing mobile code in attachments.
| MAC / CONF | Impact | Subject Area |
|---|---|---|
| MACI | Medium | Security Design and Configuration |