bigforceone

SC.L2-3.13.13: Control and monitor the use of mobile code.

What this control requires

Control and monitor the use of mobile code.

Source: CMMC L2 v2.13 SC.L2-3.13.13 / NIST SP 800-171 R2 3.13.13 (official control text).

Why this matters

Mobile code—JavaScript, Java applets, Flash, macros, PDFs with embedded scripts—executes automatically when users open files or visit websites. Attackers exploit this automatic execution to deliver malware, exfiltrate data, or compromise endpoints without requiring victims to run an executable. This control prevents adversaries from weaponizing legitimate browser and application features, protecting systems from drive-by downloads, macro-based ransomware, and script-based command-and-control channels. Organizations must enforce which mobile code technologies are permitted, restrict execution to signed/trusted sources, and monitor for unauthorized code attempting to run in the environment.

What evidence assessors expect

Assessors typically look for: PDF, screenshot, CSV export, configuration export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
