CMMC - What is meant by Mobile Code?

According to the National Institute of Science and Technology (NIST), mobile code is a software program or part of a program obtained from remote systems, transmitted across a network, and executed on a local system without explicit installation or execution by the recipient.

Have you ever tried to complete an online training course and it asks you to make sure that Java on your computer is updated to the latest version? That is because the online training course is provided to you via a Java program. Java programs are an example of “mobile code”.

Mobile code is not an application you install on a computer. Mobile code isn’t an application you install on your phone. Mobile code is a program that is generally provided to you by a server over the internet that runs on your computer. You are not required to install the program rather it runs on your computer in an application such as your internet browser.

• Java: Often used for smaller applications. A famous example is Minecraft.
• JavaScript: Used on websites to improve interactivity. Anytime you hover over a button on a website and it changes color it is probably using Javascript.
• ActiveX: Used by Microsoft’s Internet Explorer to load media.
• PDF: Used to present documents independent of software and operating systems.
• Flash animations: Remember those old cartoon-like videos on the internet before the YouTube days? Those were likely flash animations. Ever played a game on New Grounds in the early 2000’s? You probably played a flash game.

If you have a CMMC level three, four, or five requirement then you will need to “control and monitor the use of mobile code (SC.3.188)”. You can control mobile code by deploying relevant security configuration settings to your workstations and servers. The settings will generally impact your browsers such as Internet Explorer and Google Chrome as well as applications such as Adobe Acrobat and Java.

After deploying these settings users may have difficulty accessing mobile code when they visit a site or function that uses flash, java, or ActiveX. This can create significant IT overhead. The CMMC model doesn’t specify how or who specifically in your organization has to “monitor mobile code”. One option is to block the execution of mobile code in the browser but grant the user the liberty to allow mobile code to run. This can be accomplished via group policy settings. Granting users the ability to allow mobile code does expose them to more threats however training users on mobile code threats can help reduce this risk. If you have plenty of IT staff then only allowing mobile code when there is a business need is the best approach. This should be done inline with your change control procedures. Again, your IT staff will be dealing with a lot more tickets but if your business can afford it then this approach works best for controlling and monitoring the use of mobile code.