The following compliance controls are associated with this Policy definition 'Establish usage restrictions for mobile code technologies' (ffdaa742-0d6f-726f-3eac-6e6c34e36c93):
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | SC-18 | FedRAMP_High_R4_SC-18 | FedRAMP High SC-18 | System And Communications Protection | Mobile Code | Shared | n/a | The organization: a. Defines acceptable and unacceptable mobile code and mobile code technologies; b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and c. Authorizes, monitors, and controls the use of mobile code within the information system. Supplemental Guidance: Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems. Related controls: AU-2, AU-12, CM-2, CM-6, SI-3. References: NIST Special Publication 800-28; DoD Instruction 8552.01. | link | 3 |
| FedRAMP_Moderate_R4 | SC-18 | FedRAMP_Moderate_R4_SC-18 | FedRAMP Moderate SC-18 | System And Communications Protection | Mobile Code | Shared | n/a | The organization: a. Defines acceptable and unacceptable mobile code and mobile code technologies; b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and c. Authorizes, monitors, and controls the use of mobile code within the information system. Supplemental Guidance: Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems. Related controls: AU-2, AU-12, CM-2, CM-6, SI-3. References: NIST Special Publication 800-28; DoD Instruction 8552.01. | link | 3 |
| hipaa | 0112.02d2Organizational.3-02.d | hipaa-0112.02d2Organizational.3-02.d | 0112.02d2Organizational.3-02.d | 01 Information Protection Program | 0112.02d2Organizational.3-02.d 02.03 During Employment | Shared | n/a | Acceptable usage is defined and usage is explicitly authorized. | | 7 |
| hipaa | 0225.09k1Organizational.1-09.k | hipaa-0225.09k1Organizational.1-09.k | 0225.09k1Organizational.1-09.k | 02 Endpoint Protection | 0225.09k1Organizational.1-09.k 09.04 Protection Against Malicious and Mobile Code | Shared | n/a | Automated controls (e.g., browser settings) are in place to authorize and restrict the use of mobile code (e.g., Java, JavaScript, ActiveX, PDF, postscript, Shockwave movies, and Flash animations). | | 10 |
| hipaa | 0226.09k1Organizational.2-09.k | hipaa-0226.09k1Organizational.2-09.k | 0226.09k1Organizational.2-09.k | 02 Endpoint Protection | 0226.09k1Organizational.2-09.k 09.04 Protection Against Malicious and Mobile Code | Shared | n/a | The organization has implemented and regularly updates mobile code protection, including anti-virus and anti-spyware. | | 9 |
| hipaa | 0227.09k2Organizational.12-09.k | hipaa-0227.09k2Organizational.12-09.k | 0227.09k2Organizational.12-09.k | 02 Endpoint Protection | 0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code | Shared | n/a | The organization takes specific actions to protect against mobile code performing unauthorized actions. | | 18 |
| hipaa | 0401.01x1System.124579-01.x | hipaa-0401.01x1System.124579-01.x | 0401.01x1System.124579-01.x | 04 Mobile Device Security | 0401.01x1System.124579-01.x 01.07 Mobile Computing and Teleworking | Shared | n/a | Mobile computing devices are protected at all times by access controls, usage restrictions, connection requirements, encryption, virus protections, host-based firewalls, or equivalent functionality, secure configurations, and physical protections. | | 7 |
| NIST_SP_800-171_R2_3 | .13.13 | NIST_SP_800-171_R2_3.13.13 | NIST SP 800-171 R2 3.13.13 | System and Communications Protection | Control and monitor the use of mobile code. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | Mobile code technologies include Java, JavaScript, ActiveX, Postscript, PDF, Flash animations, and VBScript. Decisions regarding the use of mobile code in organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Usage restrictions and implementation guidance apply to the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations, notebook computers, and devices (e.g., smart phones). Mobile code policy and procedures address controlling or preventing the development, acquisition, or introduction of unacceptable mobile code in systems, including requiring mobile code to be digitally signed by a trusted source. [SP 800-28] provides guidance on mobile code. | link | 3 |
| NIST_SP_800-53_R4 | SC-18 | NIST_SP_800-53_R4_SC-18 | NIST SP 800-53 Rev. 4 SC-18 | System And Communications Protection | Mobile Code | Shared | n/a | The organization: a. Defines acceptable and unacceptable mobile code and mobile code technologies; b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and c. Authorizes, monitors, and controls the use of mobile code within the information system. Supplemental Guidance: Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems. Related controls: AU-2, AU-12, CM-2, CM-6, SI-3. References: NIST Special Publication 800-28; DoD Instruction 8552.01. | link | 3 |
| NIST_SP_800-53_R5 | SC-18 | NIST_SP_800-53_R5_SC-18 | NIST SP 800-53 Rev. 5 SC-18 | System and Communications Protection | Mobile Code | Shared | n/a | a. Define acceptable and unacceptable mobile code and mobile code technologies; and b. Authorize, monitor, and control the use of mobile code within the system. | link | 3 |