SC-18(4)—Mobile Code | Prevent Automatic Execution

IL5

IL6

>Control Description

Prevent the automatic execution of mobile code in ⚙organization-defined software applications and enforce ⚙organization-defined actions prior to executing the code.

>DoD Impact Level Requirements

DoD FedRAMP+ Parameters

Software applications such as but not limited to email, scriptable document/file editing applications that support documents with embedded code (e.g., Microsoft Office applications/documents), etc. Prompting the user for permission.

>Discussion

Actions enforced before executing mobile code include prompting users prior to opening email attachments or clicking on web links. Preventing the automatic execution of mobile code includes disabling auto-execute features on system components that employ portable storage devices, such as compact discs, digital versatile discs, and universal serial bus devices.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

•What policies govern the implementation of prevent automatic execution?
•How are system and communications protection requirements defined and maintained?
•Who is responsible for configuring and maintaining the security controls specified in SC-18(4)?

Technical Implementation:

•How is prevent automatic execution technically implemented in your environment?
•What systems, tools, or configurations enforce this protection requirement?
•How do you ensure that prevent automatic execution remains effective as the system evolves?

Evidence & Documentation:

•What documentation demonstrates the implementation of SC-18(4)?
•Can you provide configuration evidence or system diagrams showing this protection control?
•What logs or monitoring data verify that this control is functioning correctly?

Ask AI

Configure your API key to use AI features.