System and Communications Protection 3.13.13 (3.13.13)
Control and monitor the use of mobile code.
What Is This CMMC Control?
This control requires organizations to establish and enforce policies for managing mobile code—software that can be transmitted across networks and executed on systems without explicit installation. Mobile code includes technologies like JavaScript, Java applets, ActiveX controls, and PDF scripts. Organizations must control what mobile code is allowed, monitor its use, and implement safeguards such as digital signatures from trusted sources. The goal is to prevent malicious code from executing on systems while allowing legitimate business functionality. This applies to both server-side mobile code and code downloaded to end-user devices.
Control Intent
To prevent malicious mobile code from executing on organizational systems by establishing controls over what mobile code technologies are permitted, how they are acquired and deployed, and how their execution is monitored and restricted.
Who This Control Applies To
- All systems that process, store, or transmit CUI
- Web browsers and email clients that can execute mobile code
- Servers hosting web applications that utilize mobile code technologies
- Workstations, laptops, and mobile devices where users can download or execute mobile code
- Development environments where mobile code is created or tested
- Network security devices that can inspect and filter mobile code
Not Applicable When
- Systems are completely air-gapped with no ability to receive or execute mobile code from external sources
- Systems use only static content with no scripting or executable code capabilities
- Environments where all mobile code technologies are completely disabled at the operating system and application level with no exceptions
Key Objectives
1. Establish and enforce policies that define acceptable and unacceptable mobile code technologies based on organizational risk tolerance
2. Implement technical controls to restrict mobile code execution to only approved sources and digitally signed code from trusted publishers
3. Monitor mobile code usage across systems to detect unauthorized or suspicious mobile code execution
4. Prevent the introduction of malicious or unvetted mobile code through acquisition, development, or download processes
Sample Self-Assessment Questions (Partial)
Does your organization use web browsers, email clients, or applications that can execute JavaScript, Java, ActiveX, or other mobile code?
Do you have a documented policy that defines which mobile code technologies are allowed or prohibited in your environment?
Implementation Approaches (High-Level)
Browser-Based Mobile Code Restrictions
Configure web browsers to restrict mobile code execution through built-in security settings and group policy enforcement
Application Whitelisting with Code Signing Verification
Deploy application control solutions that restrict execution to approved applications and verify digital signatures before allowing code to run
Web Content Filtering and Proxy-Based Controls
Deploy web filtering or proxy solutions that inspect and control mobile code at the network perimeter before it reaches endpoints
Endpoint Protection with Script and Behavior Monitoring
Deploy endpoint detection and response (EDR) or advanced antivirus solutions that monitor and block malicious mobile code execution based on behavior analysis
Email Security Gateway with Mobile Code Filtering
Deploy email security solutions that scan attachments and embedded content for mobile code and block or sanitize malicious scripts before delivery
Server-Side Mobile Code Restrictions
Harden servers to disable unnecessary mobile code technologies and restrict execution to only approved, signed code required for application functionality
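As an added example (not from the page or ConformatIQ) of verifying the browser-restriction approach above, the PowerShell audit below reads the machine-level Chromium policy keys that Group Policy or MDM writes for Edge and Chrome and reports whether JavaScript is blocked by default and whether the per-site allow list matches an expected baseline. The baseline URLs are constructed sample values; the policy names are the real Chromium policies.

```powershell
# Added audit script (not the page's own): does Group Policy actually enforce
# browser JavaScript restrictions on this endpoint? Run elevated on Windows.
$Browsers = @{
    'Edge'   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    'Chrome' = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
}
# Constructed baseline: block script by default, allow only approved business apps.
$ExpectedDefault = 2   # DefaultJavaScriptSetting: 1 = allow, 2 = block
$ExpectedAllow   = @('https://intranet.example.com', 'https://erp.example.com')

function Get-PolicyUrlList {
    param([string]$KeyPath)
    # Chromium list policies are stored as a subkey whose values are named 1, 2, 3...
    if (-not (Test-Path $KeyPath)) { return @() }
    $item = Get-Item $KeyPath
    return $item.GetValueNames() | Where-Object { $_ -match '^\d+$' } |
        Sort-Object { [int]$_ } | ForEach-Object { $item.GetValue($_) }
}

function Test-BrowserMobileCodePolicy {
    param([string]$Name, [string]$PolicyRoot)
    $result = [ordered]@{ Browser = $Name; PolicyKeyPresent = (Test-Path $PolicyRoot) }
    if (-not $result.PolicyKeyPresent) {
        # No machine policy at all means users can change script settings freely.
        $result.Finding = 'No machine policy key: browser settings not centrally enforced'
        return [pscustomobject]$result
    }
    $default = (Get-ItemProperty -Path $PolicyRoot -ErrorAction SilentlyContinue).DefaultJavaScriptSetting
    $allowed = @(Get-PolicyUrlList -KeyPath (Join-Path $PolicyRoot 'JavaScriptAllowedForUrls'))
    $result.DefaultJavaScriptSetting = $default
    $result.AllowedUrls = $allowed -join ';'
    $missing = @($ExpectedAllow | Where-Object { $_ -notin $allowed })
    $extra   = @($allowed | Where-Object { $_ -notin $ExpectedAllow })
    $result.Finding =
        if ($default -ne $ExpectedDefault) { 'DefaultJavaScriptSetting is not set to block (2)' }
        elseif ($missing -or $extra) { "Allow list drift: missing=[$($missing -join ',')] extra=[$($extra -join ',')]" }
        else { 'Compliant' }
    return [pscustomobject]$result
}

# One record per browser; anything other than 'Compliant' is a POA&M candidate.
$Browsers.GetEnumerator() |
    ForEach-Object { Test-BrowserMobileCodePolicy -Name $_.Key -PolicyRoot $_.Value } |
    Format-List
```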
Evidence & Assessment Notes
Expected Evidence
Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.
Plan of Action & Milestones (POA&M)
- If mobile code policy does not exist: Create documented policy within 30 days, implement technical controls within 90 days based on risk assessment
- If browser security settings are not enforced: Deploy Group Policy or MDM configurations within 60 days, verify enforcement on all in-scope systems within 90 days
- If digital signature verification is not required: Implement code signing requirements within 90 days, starting with highest-risk systems (internet-facing, CUI processing)
- If monitoring for mobile code execution is absent: Deploy logging and alerting within 90 days, integrate with SIEM within 120 days
- If mobile code controls are inconsistent across system types: Conduct gap analysis within 30 days, remediate highest-risk gaps within 90 days, achieve full coverage within 180 days
- If users can bypass mobile code restrictions: Remove administrative rights within 60 days, implement application control within 90 days
- If legacy applications require unrestricted mobile code: Document risk acceptance within 30 days, implement compensating controls (network segmentation, enhanced monitoring) within 90 days
- If email or web filtering does not address mobile code: Deploy or reconfigure security tools within 90 days, enable SSL inspection within 120 days
Prioritize POA&M items based on: 1) Systems processing CUI, 2) Internet-facing systems, 3) Systems with highest user population, 4) Systems with known mobile code vulnerabilities
Include testing and validation milestones in POA&M to ensure controls are effective before closing items
Frequently Asked Questions
What exactly is mobile code and why is it a security risk?
Mobile code is software that can be transmitted across networks and executed on systems without explicit installation by the user. Technologies like JavaScript, Java applets, ActiveX controls, and PDF scripts can perform actions on your system automatically when you visit a website or open a document. The risk is that malicious actors can embed harmful code in these technologies to steal data, install malware, or compromise systems without the user's knowledge or consent.
Do I need to completely disable JavaScript and other mobile code technologies?
No, complete disabling is usually not practical or necessary. The control requires you to control and monitor mobile code use, not eliminate it entirely. Most organizations allow mobile code from trusted sources (like their own business applications) while blocking or restricting it from untrusted sources. The key is having a documented policy, technical controls to enforce it, and monitoring to detect violations.
How do I determine which mobile code technologies are acceptable for my organization?
Base your decision on a risk assessment that considers: 1) What mobile code technologies your business applications require, 2) The security risks of each technology (ActiveX is generally higher risk than JavaScript), 3) Your ability to control and monitor each technology, and 4) Whether you can require digital signatures from trusted sources. Document your decisions in a mobile code policy that defines what is allowed, prohibited, and under what conditions.
What does it mean to require mobile code to be digitally signed by a trusted source?
Digital signatures verify that code comes from a known publisher and hasn't been tampered with. Requiring signed code means your systems will only execute mobile code that has a valid digital signature from a publisher you've explicitly trusted (like Microsoft, Adobe, or your own organization). Unsigned or self-signed code is blocked. This is typically enforced through browser settings, application control policies, or code integrity features in the operating system.
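To illustrate both the application-whitelisting-with-code-signing approach listed earlier and this answer, here is an added PowerShell example (not the page's own) that approves a script only when its Authenticode signature is valid and the signer's certificate thumbprint is on an explicit trusted-publisher list, and that logs every allow or block decision so the monitoring half of the control has evidence. The thumbprints and log path are assumed placeholders.

```powershell
# Added example (not from the page): enforce "signed by a trusted publisher" and
# record each decision. Replace the placeholder thumbprints with your real ones.
$TrustedPublisherThumbprints = @(
    '0000000000000000000000000000000000000001',   # placeholder: corporate code-signing cert
    '0000000000000000000000000000000000000002'    # placeholder: approved vendor cert
)
$LogPath = Join-Path $env:ProgramData 'MobileCodeControl\decisions.log'   # assumed location

function Write-Decision {
    param([string]$Path, [string]$Decision, [string]$Reason)
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    $line = '{0:o} {1} path="{2}" reason="{3}" user={4}' -f (Get-Date), $Decision, $Path, $Reason, $env:USERNAME
    Add-Content -Path $LogPath -Value $line   # feed this file to your SIEM
}

function Test-TrustedMobileCode {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status is NotSigned for unsigned code, HashMismatch for tampered code,
    # NotTrusted/UnknownError for self-signed or unverifiable chains; only Valid passes.
    if ($sig.Status -ne 'Valid') {
        Write-Decision -Path $Path -Decision 'BLOCK' -Reason "signature status $($sig.Status)"
        return $false
    }
    # A valid chain is not enough: the signer must be a publisher we explicitly trust.
    $thumb = $sig.SignerCertificate.Thumbprint
    if ($thumb -notin $TrustedPublisherThumbprints) {
        Write-Decision -Path $Path -Decision 'BLOCK' -Reason "signer '$($sig.SignerCertificate.Subject)' not on trusted list"
        return $false
    }
    Write-Decision -Path $Path -Decision 'ALLOW' -Reason "signer thumbprint $thumb"
    return $true
}

# Usage: evaluate every downloaded script before anything is permitted to run it.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Include *.ps1, *.js, *.vbs -Recurse -File |
    ForEach-Object {
        [pscustomobject]@{ File = $_.FullName; Allowed = (Test-TrustedMobileCode -Path $_.FullName) }
    }
```

The same check can be wired into a scheduled task or an endpoint script that quarantines files for which Test-TrustedMobileCode returns $false.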
How is this control verified during a CMMC assessment?
Assessors will review your mobile code policy, examine technical configurations (browser settings, application control policies, web filtering rules), and test that restrictions are actually enforced. They'll look at logs showing monitoring of mobile code execution and may attempt to execute unauthorized mobile code to verify it's blocked. They'll also check that controls are consistently applied across different system types and that users cannot bypass them.
What are the most common mistakes organizations make with this control?
The most common failures are: 1) Having no documented mobile code policy at all, 2) Not enforcing browser security settings centrally, allowing users to change them, 3) Failing to require digital signature verification for mobile code, 4) Not monitoring for mobile code execution, and 5) Implementing controls inconsistently (e.g., hardening servers but not workstations). Many organizations also overlook mobile code in email attachments and PDF documents.
How ConformatIQ Helps With CMMC Readiness
ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.
Ready to Get Full Guidance?
Access complete implementation details, detailed assessment questions, evidence requirements, and expert guidance for this control.
Information sourced from NIST SP 800-171 Rev. 2.