>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

SC-18Mobile Code

IL4 Mod
IL4 High
IL5
IL6

>Control Description

a

Define acceptable and unacceptable mobile code and mobile code technologies; and

b

Authorize, monitor, and control the use of mobile code within the system.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java applets, JavaScript, HTML5, WebGL, and VBScript.

Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.

>Programmatic Queries

Beta

Related Services

AWS Lambda
AWS WAF
Amazon CloudFront

CLI Commands

List Lambda functions with runtime restrictions
aws lambda list-functions --query 'Functions[].{Name:FunctionName,Runtime:Runtime,CodeSize:CodeSize}'
List WAF rules blocking malicious code
aws wafv2 list-web-acls --scope REGIONAL
Get WAF web ACL rules for code execution controls
aws wafv2 get-web-acl --name ACL_NAME --scope REGIONAL --id ACL_ID
List CloudFront functions (edge code restrictions)
aws cloudfront list-functions
Open AWS ConsoleDocumentation

>Related Controls

AU-2
AU-12
CM-2
CM-6
SI-3

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of mobile code?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-18?

Technical Implementation:

  • How is mobile code technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that mobile code remains effective as the system evolves?
  • What network boundary protections are in place (firewalls, gateways, etc.)?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-18?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
  • Can you provide network architecture diagrams and firewall rulesets?

Ask AI

Configure your API key to use AI features.