CMMC - What is meant by Mobile Code?
By: Omer Kaan Aslim
June 25, 2020
When reading the term “Mobile code” many folks are left scratching their heads. In this blog we explain what mobile code is and provide examples. We also mention the cybersecurity maturity model certification (CMMC) requirements related to mobile code and how you can meet them.
Defining Mobile Code
According to the National Institute of Standards and Technology (NIST), mobile code is a software program, or part of a program, that is obtained from a remote system, transmitted across a network, and executed on a local system without explicit installation or execution by the recipient.
Mobile Code Explained
Have you ever tried to complete an online training course and it asks you to make sure that Java on your computer is updated to the latest version? That is because the online training course is provided to you via a Java program. Java programs are an example of “mobile code”.
Mobile code is not an application you install on a computer or on your phone. It is a program that is generally delivered to you by a server over the internet and then runs on your computer. You are not required to install it; rather, it runs inside an application you already have, such as your internet browser.
Examples of Mobile Code
- Java: Often used for smaller applications. A famous example is Minecraft.
- ActiveX: Used by Microsoft’s Internet Explorer to load media.
- PDF: Used to present documents independent of software and operating systems.
- Flash animations: Remember those old cartoon-like videos on the internet before the YouTube days? Those were likely Flash animations. Ever played a game on Newgrounds in the early 2000s? You probably played a Flash game.
CMMC & Mobile Code
If you have a CMMC level three, four, or five requirement then you will need to “control and monitor the use of mobile code (SC.3.188)”. You can control mobile code by deploying relevant security configuration settings to your workstations and servers. The settings will generally impact your browsers such as Internet Explorer and Google Chrome as well as applications such as Adobe Acrobat and Java.
After deploying these settings, users may have difficulty accessing mobile code when they visit a site or use a function that relies on Flash, Java, or ActiveX. This can create significant IT overhead. The CMMC model doesn’t specify how, or who specifically in your organization, has to “monitor mobile code”. One option is to block the execution of mobile code in the browser by default but grant the user the liberty to allow it to run. This can be accomplished via group policy settings. Granting users the ability to allow mobile code does expose them to more threats; however, training users on mobile code threats can help reduce this risk. If you have plenty of IT staff, then only allowing mobile code when there is a business need is the best approach. This should be done in line with your change control procedures. Again, your IT staff will be dealing with a lot more tickets, but if your business can afford it then this approach works best for controlling and monitoring the use of mobile code.
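The two approaches above (prompt the user versus block outright) map onto a handful of registry-backed policy settings for the browsers and viewers named in this post. The script below is an added example, not code from the original post or from the CMMC model: it audits those settings on a workstation, reports what is set versus what is desired, and optionally enforces them. The registry paths and value names are the documented Internet Explorer zone, Chrome policy and Adobe Reader lockdown locations as I know them; confirm them against current vendor documentation before pushing them out through Group Policy.

```powershell
<#
  Added example, not code from the original post. Audits and optionally enforces
  the policy settings that control mobile code on a Windows workstation.
  Paths and value names are assumptions drawn from vendor documentation.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Prompt: block by default but let the user choose to run (the low-IT-overhead
    # option in the post). Disable: block outright; exceptions go through change control.
    [ValidateSet('Prompt', 'Disable')]
    [string]$Mode = 'Prompt',

    # Without -Enforce the script only reports, which is the "monitor" half of SC.3.188.
    [switch]$Enforce
)

# Internet Explorer zone 3 is the Internet zone. Action values: 0 = enable, 1 = prompt, 3 = disable.
$ieZone  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ieValue = if ($Mode -eq 'Prompt') { 1 } else { 3 }

# Chrome DefaultPluginsSetting (Flash plug-in): 2 = block, 3 = ask the user.
$chromeValue = if ($Mode -eq 'Prompt') { 3 } else { 2 }

$desired = @(
    @{ Path = $ieZone; Name = '1200'; Value = $ieValue; Note = 'IE: Run ActiveX controls and plug-ins' }
    @{ Path = $ieZone; Name = '1400'; Value = $ieValue; Note = 'IE: Active scripting' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome'; Name = 'DefaultPluginsSetting'; Value = $chromeValue; Note = 'Chrome: Flash plug-in default' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'; Name = 'bDisableJavaScript'; Value = 1; Note = 'Acrobat Reader DC: disable JavaScript in PDFs' }
)

$report = foreach ($s in $desired) {
    # Read the current value; a missing key or value means no policy has been applied yet.
    $current = $null
    if (Test-Path $s.Path) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    }
    $compliant = ($current -eq $s.Value)

    # Only write when asked to, and honour -WhatIf so the change can be previewed first.
    if ($Enforce -and -not $compliant -and $PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "Set to $($s.Value)")) {
        New-Item -Path $s.Path -Force | Out-Null
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
        $current   = $s.Value
        $compliant = $true
    }

    [PSCustomObject]@{
        Setting   = $s.Note
        Key       = "$($s.Path)\$($s.Name)"
        Current   = if ($null -eq $current) { '<not set>' } else { $current }
        Desired   = $s.Value
        Compliant = $compliant
    }
}

# Emit objects rather than text so the run can be piped to Export-Csv and kept as the monitoring record.
$report
```

Run it with no switches to get the audit table, with `-Enforce -WhatIf` to preview the changes, and with `-Enforce` from an elevated prompt to apply them; scheduling the audit run and exporting the objects to CSV gives you a dated record that the control is being monitored. Java is not covered here because its plug-in is governed by a `deployment.properties` file rather than the registry (the `deployment.security.level` property, per Oracle's deployment configuration documentation as I recall it), so it needs a separate check.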