Back to Control Explorer



Control Acronym



System And Communications Protection

CMMC Level


800-171 Control #


CMMC Description

Control and monitor the use of mobile code.

CMMC Clarification

Ensure mobile code such as Java, ActiveX, Flash is authorized to execute on the network in accordance to the organization’s policy and technical configuration, and unauthorized mobile code is not. Then monitor the use of mobile code through boundary devices, audit of configurations, and implement remediation activities as needed. Example You are an IT administrator at the organization responsible for enforcing and monitoring the use of mobile code. The organization has established a policy that addresses the use of mobile code. You configure the baseline configuration of machines on your network to disable and deny the execution of mobile code. You implement an exception process to reactivate mobile code execution only for those users with a legitimate business need. One user complains that a web application they need to perform their job no longer works. You meet with them and verify that the web application uses ActiveX in the browser. You submit a change for the user and get it approved by the Change Review Board for your organization. Once the change is approved, you reconfigure the user’s machine to allow the running of ActiveX in the browser for this individual user. You set a reminder for yourself to check in with the user at the end of the year to verify they still need that web application.

800-171 Description

Control and monitor the use of mobile code.

800-171 Discussion

Mobile code technologies include Java, JavaScript, ActiveX, Postscript, PDF, Flash animations, and VBScript. Decisions regarding the use of mobile code in organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Usage restrictions and implementation guidance apply to the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations, notebook computers, and devices (e.g., smart phones). Mobile code policy and procedures address controlling or preventing the development, acquisition, or introduction of unacceptable mobile code in systems, including requiring mobile code to be digitally signed by a trusted source.29 Dedicated video conferencing systems, which rely on one of the participants calling or connecting to the other party to activate the video conference, are excluded. [SP 800-28] provides guidance on mobile code.

Other Source Discussion


CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 SC-18

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.13.13

Applicable FAR Clause

NIST CSF Control Reference


CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

AU ACSC Essential Eight


Assessment Sub-Criteria 1

SC.3.188.[a] use of mobile code is controlled; and

Assessment Sub-Criteria 2

SC.3.188.[b] use of mobile code is monitored.

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15