CMMC Practice SC.L2-3.13.13 – Mobile Code: Control and monitor the use of mobile code.
Discussion [NIST SP 800-171 R2]
Ensure mobile code is authorized to execute in company systems only in accordance with policy and technical configuration, and that unauthorized mobile code is not permitted to execute. Monitor the use of mobile code through boundary devices (e.g., firewalls), audit logs, or security utilities (e.g., mobile device management, advanced endpoint protection) and implement remediation activities as needed.
The first intent of this practice is to ensure that the limits of mobile code usage and the usage restrictions are documented and enforced. This includes documenting all authorizations for the use of mobile code and ensuring it is not used in other ways. Usage restrictions and implementation guidance apply to the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including all mobile devices and smartphones.
The second intent is to monitor the use of mobile code and implement remediation steps if its use does not align with policy.