03.13.13 — (a) Define acceptable mobile code and mobile code technologies. (b) Authorize, monitor, and control the use of mobile code.
What this control requires
(a) Define acceptable mobile code and mobile code technologies. (b) Authorize, monitor, and control the use of mobile code.
Source: NIST SP 800-171 R3 §03.13.13 (official control text).
Why this matters
Mobile code (JavaScript, Java applets, HTML5, WebGL, and similar technologies) executes on endpoints without an explicit user installation step, so it creates an attack surface for malicious payloads. Attackers embed exploit code in web pages, documents, or emails so that it runs automatically when the content is opened, bypassing traditional install-time security checks. This control prevents adversaries from using legitimate mobile code channels to deliver ransomware, credential stealers, or remote access tools. Organizations must define which mobile code technologies are necessary for business operations, then enforce technical controls that block unauthorized code types and verify trusted sources through digital signatures. Without this governance, any website or document becomes a potential infection vector for the entire network.
What evidence assessors expect
Assessors typically look for artifacts such as a PDF, a screenshot, or a CSV export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
See your live posture on 03.13.13.
FORCE shows where you stand on this control and walks you through closing it.