This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
(a) Defines acceptable and unacceptable mobile code and mobile code technologies;
(b) Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
(c) Authorizes, monitors, and controls the use of mobile code within the information system.
NIST 800-53 (r4) Supplemental Guidance:
Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems. Related controls: AU-2, AU-12, CM-2, CM-6, SI-3.
NIST 800-53 (r5) Discussion:
Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java applets, JavaScript, HTML5, WebGL, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
38North Guidance:
Meets Minimum Requirement:
Maintain a list of acceptable and unacceptable software products (including mobile code and mobile code technologies).
Establish usage restrictions (e.g., limiting the permissions for, and use of, a particular software package to the Quality Assurance Team for web application testing only) and implementation guidance for each acceptable software product.
Establish and follow a Software/System Development Life Cycle (SDLC) process for authorizing, monitoring, and controlling the use of software within the authorization boundary.
Once a system becomes operational, all subsequent software additions, removals, and modifications within the authorization boundary should undergo an established Change Management (CM) process that includes a formal change request, peer review, testing, vulnerability scanning, security impact analysis, and managerial approval.
Best Practice:
Establish a dedicated group responsible for obtaining, testing, approving, deploying, and maintaining software.
Maintain a company-wide Approved Products List (APL) that includes acceptable and unacceptable software packages complete with usage restrictions and implementation guidance.
Establish a formal process for requesting, vetting, and approving new software items to the APL.
Perform one or more of the following activities to monitor and control the use of software within the authorization boundary: deploy a software/application whitelisting technology (e.g., AppLocker or AppArmor); conduct periodic vulnerability and inventory scanning; and configure system- and application-level audit logging.
Limit the number of individuals who have the administrative privileges necessary to install and configure software within the authorization boundary.
Only use mobile code and mobile code technologies that have been digitally signed by a trusted source.
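The whitelisting and signed-only practices above can be combined in AppLocker, whose Script rule collection covers the script-based mobile code (.ps1, .bat, .cmd, .vbs, .js) this control is concerned with. The following is an added example, not part of the 38North guidance or of any CSP's implementation; the directory and policy file paths are assumptions.

```powershell
# Added example: build AppLocker Publisher rules from a vetted repository of
# signed scripts, dry-run the result, then merge it into the local policy.
# Paths and the rule-name prefix are assumptions. Run as an administrator; the
# Application Identity service (AppIDSvc) must be running for enforcement.

$ApprovedDir = 'C:\ApprovedScripts'              # assumed: APL-approved, signed scripts
$PolicyFile  = 'C:\Policies\SignedScripts.xml'   # assumed output path

# 1. Surface anything in the approved set that lacks a valid Authenticode
#    signature. A Publisher rule can only be derived from a valid signature,
#    so these files would otherwise be silently left out of the policy.
Get-ChildItem -Path $ApprovedDir -Recurse -Include *.ps1,*.bat,*.cmd,*.vbs,*.js |
    Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid' } |
    ForEach-Object { Write-Warning "Not validly signed, no rule generated: $($_.FullName)" }

# 2. Generate Publisher (trusted-signer) rules for the Script collection.
#    -Optimize collapses per-file rules into per-publisher rules;
#    -IgnoreMissingFileInformation skips unsigned files instead of failing.
Get-AppLockerFileInformation -Directory $ApprovedDir -Recurse -FileType Script |
    New-AppLockerPolicy -RuleType Publisher -User Everyone `
        -RuleNamePrefix 'APL-SignedScripts' -Optimize -IgnoreMissingFileInformation -Xml |
    Out-File -FilePath $PolicyFile -Encoding utf8

# 3. Test before deploying: once any Script rule exists, scripts not matched
#    by a rule are denied, so an unsigned download should report Denied.
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path 'C:\Temp\downloaded.ps1' -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule

# 4. Merge into the effective local policy. Set the Script collection's
#    enforcement mode separately (AuditOnly first, then Enabled) via Group
#    Policy or the EnforcementMode attribute in the exported XML.
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
```

Pair the AuditOnly phase with collection of the AppLocker event log (Microsoft-Windows-AppLocker/MSI and Script) so that the audit-logging activity in the Best Practice list captures what would have been blocked before enforcement is switched on.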
Unofficial FedRAMP Guidance:
None
Assessment Evidence:
An Acceptable Use Policy that includes provisions for acceptable/unacceptable mobile code and mobile code technologies, usage restrictions, and implementation guidance.
Documentation describing established SDLC and CM processes.
An approved software list containing usage restrictions and implementation guidance.
An updated FedRAMP Integrated Inventory Workbook that includes mobile code and mobile code technologies.
A sample of completed workflow tickets, from a project management tool such as Jira, that capture the end-to-end process of requesting, testing, approving, hardening, and installing a software product.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD