Mobile Code: Control and monitor the use of mobile code.
Monarch ISC Guidance
Mobile code has introduced a large number of exploitable vulnerabilities into the Internet environment. It must be controlled through well-defined processes for system building and hardening, and through strategic choices about how an organization's public-facing systems present information. Mobile code is useful when controlled; if it is not required to accomplish business tasks, it should be disabled. Unfortunately, it is woven through the most common Internet technologies we interact with hundreds of times per day. An organization must therefore establish baseline standards, driven by a formal policy and enacted through a clear plan.
NIST SP 800-171 R2
Mobile code technologies include Java, JavaScript, ActiveX, Postscript, PDF, Flash animations, and VBScript. Decisions regarding the use of mobile code in organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Usage restrictions and implementation guidance apply to the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations, notebook computers, and devices (e.g., smart phones). Mobile code policy and procedures address controlling or preventing the development, acquisition, or introduction of unacceptable mobile code in systems, including requiring mobile code to be digitally signed by a trusted source.