NetStable
Level 2 SC.L2-3.13.13

Control and monitor the use of mobile code

📖 What This Means

This practice requires organizations to manage and oversee the use of mobile code: programs or program fragments obtained from a remote system, transferred across a network, and executed locally without the user explicitly installing them. Examples are JavaScript, Java applets, ActiveX controls, Flash, and Office (VBA) macros. Mobile code is useful but risky because a document, web page, or email attachment can carry code that drops malware or exploits the interpreter that runs it. The goal is to ensure that only approved mobile code runs on your systems and that its use is monitored so suspicious activity is detected. For example, you might allow JavaScript from trusted websites but block unsigned Office macros, or block all macros in files downloaded from the Internet. Another example is whitelisting specific mobile code publishers (by their code-signing certificate) after verifying their security.

🎯 Why It Matters

Uncontrolled mobile code is a common attack vector: a macro or script that runs when a user opens a document or visits a page can steal data, install ransomware, or create a backdoor without exploiting any vulnerability in the underlying software. For instance, in 2020 a defense contractor was compromised via a malicious Excel macro that downloaded malware. The average cost of a malware attack is $2.6 million (IBM). The DoD requires this control because mobile code, especially Office macros, is routinely used in phishing attacks targeting the defense supply chain. Without proper controls, your workstations become the entry point for adversaries.

How to Implement

  1. Define in the Mobile Code Policy which mobile code is permitted (for example, Office macros signed by approved publishers, scripts run from administrator-controlled paths, JavaScript from approved sites) and which is blocked (unsigned macros, macros in files downloaded from the Internet, unapproved browser extensions).
  2. Enforce Office macro settings centrally through Group Policy or Intune: block macros in files that carry the Mark-of-the-Web and disable all macros except digitally signed ones, so users cannot override the Trust Center settings themselves.
  3. Restrict scripts, installers, and DLLs with AppLocker or Windows Defender Application Control rules. The PowerShell execution policy is not a security control (it is trivially bypassed) and should not be cited as one.
  4. Control browser-delivered code with managed browser policies (extension allowlists, site-based JavaScript settings) and strip or sandbox active content at the email and web gateway.
  5. Turn on the logs that show mobile code executing (PowerShell Script Block Logging, AppLocker event logs, Microsoft 365 / Defender alerts for macros), forward them to your SIEM, and review them at least monthly.

Cloud-hosted desktops (Azure Virtual Desktop, Amazon WorkSpaces) take the same endpoint settings through Intune or Group Policy. Infrastructure services such as DDoS protection, web application firewalls, and data-classification scanners operate on traffic to your hosted applications and on stored data; they do not govern code executing on user endpoints and are not by themselves evidence for this practice.
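The following script is an added example, not code from the original page or from NetStable: it applies the registry-backed equivalents of the Group Policy settings described above to a single Windows host and then reads them back as evidence. In production the same settings are delivered by a GPO or an Intune profile; this is for a lab host, a non-domain-joined machine, or for verifying that policy actually landed. It assumes Office 2016/2019/365 (policy hive version "16.0"), must run elevated for the HKLM change, and needs the Application Identity service for the AppLocker export.

```powershell
# Added example (not from the original page): enforce the mobile code
# settings this page describes on one host and collect verification evidence.
# Assumes Office policy hive 16.0; run as Administrator.

$officeApps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Publisher', 'Visio'

foreach ($app in $officeApps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable all except digitally signed, 4 = disable all silently.
    New-ItemProperty -Path $key -Name VBAWarnings -PropertyType DWord -Value 3 -Force | Out-Null

    # "Block macros from running in Office files from the Internet":
    # refuses macros in any file carrying the Mark-of-the-Web (downloads, mail attachments).
    New-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -PropertyType DWord -Value 1 -Force | Out-Null
}

# PowerShell Script Block Logging: script text is written as Event ID 4104
# to the Microsoft-Windows-PowerShell/Operational log.
$psKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $psKey)) { New-Item -Path $psKey -Force | Out-Null }
New-ItemProperty -Path $psKey -Name EnableScriptBlockLogging -PropertyType DWord -Value 1 -Force | Out-Null

# Verification: read the effective values back so they can be attached as evidence.
$report = foreach ($app in $officeApps) {
    $p = Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    [pscustomobject]@{
        Application         = $app
        VBAWarnings         = $p.VBAWarnings                        # expect 3
        BlockInternetMacros = $p.blockcontentexecutionfrominternet  # expect 1
    }
}
$report | Format-Table -AutoSize

$sbl = (Get-ItemProperty -Path $psKey).EnableScriptBlockLogging
"Script Block Logging enabled: $($sbl -eq 1)"

# AppLocker: export the effective policy (local + domain) as XML for the evidence folder.
$evidence = Join-Path $env:USERPROFILE 'AppLockerEffectivePolicy.xml'
Get-AppLockerPolicy -Effective -Xml | Out-File -FilePath $evidence -Encoding utf8
"AppLocker effective policy written to $evidence"
```

Values written under HKCU\Software\Policies apply to the current user only; a GPO User Configuration writes the same keys for every user it targets, which is what an assessor will want to see. The AppLocker XML is the same artifact the evidence section below calls "AppLocker Configuration", in a form that can be diffed against the previous export after each change.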
⏱️ Estimated Effort

2-3 days for basic implementation (mid-level IT skills), plus ongoing monitoring.

📋 Evidence Examples

Mobile Code Policy

Format: PDF/DOCX
Frequency: Annual review
Contents: Approved vendors, whitelist/blacklist rules, monitoring procedures
Collection: Export from document management system

AppLocker Configuration Screenshot

Format: PNG
Frequency: After each change
Contents: Rules for scripts, installers, and DLLs
Collection: Get-AppLockerPolicy -Effective -Xml on a managed host, or export from the Group Policy Management Editor (Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker)

Macro Execution Logs

Format: CSV
Frequency: Monthly
Contents: Timestamp, user, file hash, execution result
Collection: Microsoft 365 Security Center export

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For SC.L2-3.13.13 ("Control and monitor the use of mobile code"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. State which types of mobile code are permitted and which are blocked, how the restrictions are enforced on endpoints (Group Policy or Intune macro settings, AppLocker or WDAC rules, managed browser policies, gateway filtering), how execution is logged, and how often and by whom the logs are reviewed. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"SC.L2-3.13.13 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to control and monitor the use of mobile code. The configuration is managed through [Intune/Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Intune configuration profile for Office macro settings, exported Script Block Logging events from the SIEM']."

On-Premise

"SC.L2-3.13.13 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to control and monitor the use of mobile code. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"SC.L2-3.13.13 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Document network architecture with the CUI boundary clearly marked, and identify every system inside it that opens documents, runs scripts, or browses the web (these are the systems where mobile code executes)
  • Identify the enforcement point for each mobile code type (Office macro policy, AppLocker/WDAC, browser policy, email/web gateway) and note any hosts it does not reach
  • Specify where mobile code execution logs are collected and who reviews them
  • Ensure this control covers all systems within your defined CUI boundary where mobile code can execute
  • Document any systems where this control is not applicable and explain why (for example, servers with no Office installed and script execution restricted to administrators)

Key Documentation to Reference in SSP

  • 📄 System and Communications Protection Policy
  • 📄 Mobile Code Policy (approved sources, whitelist/blacklist rules, monitoring procedures)
  • 📄 Network architecture diagram
  • 📄 Group Policy or Intune configuration export for Office macro settings and Script Block Logging
  • 📄 AppLocker/WDAC policy export
  • 📄 Evidence artifacts specific to SC.L2-3.13.13, including log review records
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will check the two NIST SP 800-171A assessment objectives for 3.13.13: that the use of mobile code is controlled and that it is monitored. Expect a review of the Mobile Code Policy, a check of the effective Office macro and AppLocker/WDAC settings on sample workstations (not just the GPO as written), a request for recent execution logs and the records showing they were reviewed, and interviews with the personnel named as responsible.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have a documented policy defining approved mobile code sources?

✅ YES → Proceed to Q2
❌ NO → GAP: Draft a policy based on the NIST SP 800-171 requirement 3.13.13 and its discussion text (remediate in 2 weeks)
Remediation:
https://csrc.nist.gov/Projects/sp-800-171

Question 2: Are all user workstations configured to block unsigned macros?

✅ YES → Proceed to Q3
❌ NO → GAP: Deploy a Group Policy Object within 7 days that sets, for each Office application, "Block macros from running in Office files from the Internet" and "VBA Macro Notification Settings: Disable all except digitally signed macros" (User Configuration > Administrative Templates > Microsoft <Application> 2016 > <Application> Options > Security > Trust Center)

Question 3: Do you review mobile code execution logs at least monthly?

✅ YES → Compliant
❌ NO → GAP: Forward Script Block Logging and AppLocker events to a log analysis tool such as OSSEC and produce weekly reports for review (remediate in 3 weeks)

⚠️ Common Mistakes (What Auditors Flag)

1. Allowing all Office macros by default

Why this happens: Legacy business processes depend on macros
How to avoid: Enforce "Disable all except digitally signed macros" and "Block macros from running in Office files from the Internet" through Group Policy or Intune rather than relying on each user's Trust Center settings, and get the legacy macros signed by an approved publisher

2. No logging for PowerShell scripts

Why this happens: Windows does not log script block content by default, so PowerShell-based mobile code leaves little trace
How to avoid: Enable 'Turn on PowerShell Script Block Logging' via GPO (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell). The script text is written as Event ID 4104 to the Microsoft-Windows-PowerShell/Operational log, which must then be forwarded to your SIEM and actually reviewed
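The review script below is an added example, not code from the original page or from NetStable. It covers the monthly log review step from the self-assessment questions and the "Macro Execution Logs" evidence format above (timestamp, user, hash, result): it pulls Script Block Logging events (4104) and AppLocker script/MSI events (8005 allowed, 8006 audit-only, 8007 blocked) from a Windows host, flags script blocks that contain common download-and-execute indicators, and writes one CSV. The indicator list is an assumption chosen for illustration, and the script only finds events if the logging described above is enabled.

```powershell
# Added example (not from the original page): monthly review of mobile code
# execution logs on a Windows host. Run elevated; the indicator list is a
# starting point, not a complete detection rule set.

param(
    [int]$Days = 30,
    [string]$OutFile = (Join-Path $env:USERPROFILE "MobileCodeReview_$(Get-Date -Format yyyyMM).csv")
)

$since = (Get-Date).AddDays(-$Days)

# Substrings that commonly appear in malicious PowerShell script blocks (assumed list).
$indicators = 'FromBase64String', 'DownloadString', 'DownloadFile',
              'Invoke-Expression', 'IEX', 'Net.WebClient', 'EncodedCommand',
              'Start-BitsTransfer', 'Invoke-WebRequest', 'Add-MpPreference'

$sha256 = [System.Security.Cryptography.SHA256]::Create()
function Get-TextHash([string]$Text) {
    # SHA-256 of the script text, so identical blocks can be correlated across hosts.
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
    ([System.BitConverter]::ToString($sha256.ComputeHash($bytes))) -replace '-', ''
}
function Resolve-Sid([System.Security.Principal.SecurityIdentifier]$Sid) {
    if ($null -eq $Sid) { return '' }
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

$rows = New-Object System.Collections.Generic.List[object]

# 4104: PowerShell logs each script block (or chunk of a large block) before running it.
$psEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $psEvents) {
    $text = [string]$e.Properties[2].Value   # Properties[2] = ScriptBlockText
    $hits = $indicators | Where-Object { $text -match "\b$([regex]::Escape($_))\b" }
    if ($hits) {
        $rows.Add([pscustomobject]@{
            Timestamp = $e.TimeCreated
            User      = Resolve-Sid $e.UserId
            Source    = 'PowerShell 4104'
            Hash      = Get-TextHash $text
            Result    = 'Executed; indicators: ' + ($hits -join ',')
        })
    }
}

# AppLocker "MSI and Script" log: 8005 allowed, 8006 would have blocked (audit mode), 8007 blocked.
$outcome  = @{ 8005 = 'Allowed'; 8006 = 'Audit (would block)'; 8007 = 'Blocked' }
$alEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8005, 8006, 8007; StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $alEvents) {
    $x = [xml]$e.ToXml()
    $d = $x.Event.UserData.RuleAndFileData   # FilePath and FileHash are recorded by AppLocker
    $rows.Add([pscustomobject]@{
        Timestamp = $e.TimeCreated
        User      = Resolve-Sid $e.UserId
        Source    = "AppLocker $($e.Id)"
        Hash      = $d.FileHash
        Result    = $outcome[[int]$e.Id] + ': ' + $d.FilePath
    })
}

$rows | Sort-Object Timestamp | Export-Csv -Path $OutFile -NoTypeInformation
$sha256.Dispose()
"Wrote $($rows.Count) rows to $OutFile"
```

Keep the CSV with a dated sign-off from the reviewer; the assessor is looking for proof that someone read the logs, not only that they exist. A block count of zero over a month on a busy fleet usually means logging or forwarding is broken rather than that nothing ran, so treat an empty report as a finding in its own right.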

📚 Parent Policy

This practice is governed by the System and Communications Protection Policy


📚 Related Controls