last sync: 2024-Nov-25 18:54:24 UTC

Define acceptable and unacceptable mobile code technologies | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Define acceptable and unacceptable mobile code technologies
Id 1afada58-8b34-7ac2-a38a-983218635201
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1651 - Define acceptable and unacceptable mobile code technologies
Additional metadata Name/Id: CMA_C1651 / CMA_C1651
Category: Operational
Title: Define acceptable and unacceptable mobile code technologies
Ownership: Customer
Description: The customer is responsible for defining acceptable and unacceptable mobile code technologies.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 9 compliance controls are associated with this Policy definition 'Define acceptable and unacceptable mobile code technologies' (1afada58-8b34-7ac2-a38a-983218635201)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 SC-18 FedRAMP_High_R4_SC-18 FedRAMP High SC-18 System And Communications Protection Mobile Code Shared n/a The organization: a. Defines acceptable and unacceptable mobile code and mobile code technologies; b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and c. Authorizes, monitors, and controls the use of mobile code within the information system. Supplemental Guidance: Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems. Related controls: AU-2, AU-12, CM-2, CM-6, SI-3. References: NIST Special Publication 800-28; DoD Instruction 8552.01. link 3
FedRAMP_Moderate_R4 SC-18 FedRAMP_Moderate_R4_SC-18 FedRAMP Moderate SC-18 System And Communications Protection Mobile Code Shared n/a The organization: a. Defines acceptable and unacceptable mobile code and mobile code technologies; b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and c. Authorizes, monitors, and controls the use of mobile code within the information system. Supplemental Guidance: Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems. Related controls: AU-2, AU-12, CM-2, CM-6, SI-3. References: NIST Special Publication 800-28; DoD Instruction 8552.01. link 3
hipaa 0225.09k1Organizational.1-09.k hipaa-0225.09k1Organizational.1-09.k 0225.09k1Organizational.1-09.k 02 Endpoint Protection 0225.09k1Organizational.1-09.k 09.04 Protection Against Malicious and Mobile Code Shared n/a Automated controls (e.g., browser settings) are in place to authorize and restrict the use of mobile code (e.g., Java, JavaScript, ActiveX, PDF, postscript, Shockwave movies, and Flash animations). 10
hipaa 0226.09k1Organizational.2-09.k hipaa-0226.09k1Organizational.2-09.k 0226.09k1Organizational.2-09.k 02 Endpoint Protection 0226.09k1Organizational.2-09.k 09.04 Protection Against Malicious and Mobile Code Shared n/a The organization has implemented and regularly updates mobile code protection, including anti-virus and anti-spyware. 9
hipaa 0227.09k2Organizational.12-09.k hipaa-0227.09k2Organizational.12-09.k 0227.09k2Organizational.12-09.k 02 Endpoint Protection 0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code Shared n/a The organization takes specific actions to protect against mobile code performing unauthorized actions. 18
hipaa 0401.01x1System.124579-01.x hipaa-0401.01x1System.124579-01.x 0401.01x1System.124579-01.x 04 Mobile Device Security 0401.01x1System.124579-01.x 01.07 Mobile Computing and Teleworking Shared n/a Mobile computing devices are protected at all times by access controls, usage restrictions, connection requirements, encryption, virus protections, host-based firewalls, or equivalent functionality, secure configurations, and physical protections. 7
NIST_SP_800-171_R2_3 .13.13 NIST_SP_800-171_R2_3.13.13 NIST SP 800-171 R2 3.13.13 System and Communications Protection Control and monitor the use of mobile code. Shared Microsoft and the customer share responsibilities for implementing this requirement. Mobile code technologies include Java, JavaScript, ActiveX, Postscript, PDF, Flash animations, and VBScript. Decisions regarding the use of mobile code in organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Usage restrictions and implementation guidance apply to the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations, notebook computers, and devices (e.g., smart phones). Mobile code policy and procedures address controlling or preventing the development, acquisition, or introduction of unacceptable mobile code in systems, including requiring mobile code to be digitally signed by a trusted source. [SP 800-28] provides guidance on mobile code. link 3
NIST_SP_800-53_R4 SC-18 NIST_SP_800-53_R4_SC-18 NIST SP 800-53 Rev. 4 SC-18 System And Communications Protection Mobile Code Shared n/a The organization: a. Defines acceptable and unacceptable mobile code and mobile code technologies; b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and c. Authorizes, monitors, and controls the use of mobile code within the information system. Supplemental Guidance: Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems. Related controls: AU-2, AU-12, CM-2, CM-6, SI-3. References: NIST Special Publication 800-28; DoD Instruction 8552.01. link 3
NIST_SP_800-53_R5 SC-18 NIST_SP_800-53_R5_SC-18 NIST SP 800-53 Rev. 5 SC-18 System and Communications Protection Mobile Code Shared n/a a. Define acceptable and unacceptable mobile code and mobile code technologies; and b. Authorize, monitor, and control the use of mobile code within the system. link 3
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 1afada58-8b34-7ac2-a38a-983218635201
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC