SC.L2-3.13.13

SC.L2-3.13.13: Mobile Code

Control and monitor the use of mobile code.

Mobile code execution is a common attack vector. SC.L2-3.13.13 requires that you control what mobile code can run on your systems and monitor its execution. This includes scripts, browser plugins, and macros. Related to SI.L2-3.14.1 (malware protection) and AU.L2-3.3.1 (system monitoring).

Family: System and Communications Protection
Practice: SC.L2-3.13.13
Difficulty: Medium
Key evidence: Mobile code policy, browser security settings, endpoint controls, monitoring logs

What the assessor is actually evaluating

The assessor will check:

  1. Mobile code policy: You should have a documented policy defining what mobile code is allowed (e.g., JavaScript is permitted, Java applets are not).

  2. Browser and system controls: Browsers should be configured to disable dangerous plugins and scripts. Settings might include disabling Flash, ActiveX, or Java.

  3. Monitoring: Endpoint protection or web filtering should detect and log execution of mobile code.

What a realistic SSP definition looks like

Policy: “The organization controls and monitors mobile code execution. Deprecated technologies such as Flash and Java applets are disabled. Browser scripts are permitted only from trusted domains. Execution of unsigned or untrusted mobile code is blocked. Endpoint protection monitors and logs mobile code execution.”

Supporting details:

  • Browser configuration: Internet Explorer/Edge policies disable Flash, ActiveX, and Java. JavaScript is permitted from internal and trusted external sites but blocked from untrusted origins.
  • Plugin management: All deprecated plugins are disabled. Chrome/Firefox extensions are restricted to an approved list.
  • Endpoint protection: Antivirus and EDR solutions monitor for execution of suspicious scripts or code.
  • Monitoring: Logs from web proxy, endpoint protection, and browser security extensions are reviewed weekly.
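The browser and plugin controls listed above are normally enforced through Group Policy, which lands in the registry under HKLM\SOFTWARE\Policies. The script below is an added example (not from this guide or from any CMMC publication) that reads those policy-enforced values on a Windows host and reports each control as pass or fail, so its output can be kept as evidence alongside the GPO screenshots. It assumes the host is managed by GPO, that it runs with administrator rights, and that Edge/Chrome use the documented DefaultJavaScriptSetting, JavaScriptAllowedForUrls, ExtensionInstallBlocklist and ExtensionInstallAllowlist policies; the trusted-domain patterns are constructed placeholders. It covers ActiveX, Java, Active scripting and extensions; Flash is not checked.

```powershell
# Added example: audit policy-enforced browser mobile-code controls.
# Assumes GPO-managed Windows host, run as administrator.
# Constructed placeholder patterns: replace with your own trusted origins.
$TrustedJsPatterns = @('[*.]example.com', 'https://intranet.example.com')

# IE / Edge IE-mode Internet zone (zone 3) URL actions, enforced via policy.
# 1200 = Run ActiveX controls and plug-ins (3 = Disable)
# 1400 = Active scripting                  (3 = Disable; trusted sites go in zone 2)
# 1C00 = Java permissions                  (0 = Disable Java)
$IeZonePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # absent value means the policy is not enforced
}

function Get-PolicyList {
    # Chromium list policies are a subkey whose values are named 1, 2, 3, ...
    param([string]$Path)
    if (-not (Test-Path $Path)) { return @() }
    $key = Get-Item $Path
    $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
}

function Test-MobileCodePolicy {
    $results = @()

    foreach ($browser in @(
        @{ Name = 'Edge';   Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' },
        @{ Name = 'Chrome'; Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome' })) {

        # DefaultJavaScriptSetting: 1 = allow everywhere, 2 = block unless allow-listed
        $default = Get-PolicyValue $browser.Path 'DefaultJavaScriptSetting'
        $allowed = @(Get-PolicyList "$($browser.Path)\JavaScriptAllowedForUrls")
        $results += [pscustomobject]@{
            Check  = "$($browser.Name): JavaScript blocked by default"
            Pass   = ($default -eq 2)
            Detail = "DefaultJavaScriptSetting=$default"
        }
        $results += [pscustomobject]@{
            Check  = "$($browser.Name): JavaScript allow-list limited to trusted domains"
            Pass   = ($allowed.Count -gt 0) -and -not ($allowed | Where-Object { $_ -notin $TrustedJsPatterns })
            Detail = "JavaScriptAllowedForUrls=$($allowed -join ', ')"
        }

        # Extensions: block everything ('*') and allow only the approved IDs
        $blocked  = @(Get-PolicyList "$($browser.Path)\ExtensionInstallBlocklist")
        $approved = @(Get-PolicyList "$($browser.Path)\ExtensionInstallAllowlist")
        $results += [pscustomobject]@{
            Check  = "$($browser.Name): extensions restricted to approved list"
            Pass   = ($blocked -contains '*') -and ($approved.Count -gt 0)
            Detail = "Blocklist=$($blocked -join ','); Allowlist=$($approved -join ',')"
        }
    }

    foreach ($action in @(
        @{ Name = 'ActiveX controls and plug-ins'; Value = '1200'; Expected = 3 },
        @{ Name = 'Active scripting';              Value = '1400'; Expected = 3 },
        @{ Name = 'Java';                          Value = '1C00'; Expected = 0 })) {
        $actual = Get-PolicyValue $IeZonePolicy $action.Value
        $results += [pscustomobject]@{
            Check  = "IE/IE mode Internet zone: $($action.Name) disabled"
            Pass   = ($actual -eq $action.Expected)
            Detail = "Zone 3 action $($action.Value)=$actual"
        }
    }
    $results
}

$report = Test-MobileCodePolicy
$report | Format-Table -AutoSize
# Non-zero exit lets a scheduled task or RMM job flag drift from the policy
if ($report | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it on a representative workstation and keep the table output with the date; a failing row is exactly the kind of drift (Java re-enabled, an extension allow-list emptied) that turns up as a "deprecated technologies still enabled" finding.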

How to present your evidence

  • Mobile code policy document: Defines which types of mobile code are allowed, which are blocked, and how monitoring is performed.
  • Browser security settings: Screenshots showing that Flash, ActiveX, Java, and other deprecated technologies are disabled. Show that script execution is controlled.
  • Group Policy screenshots: If browser settings are enforced via GPO, show the policy.
  • Endpoint protection configuration: Show antivirus or EDR settings that monitor mobile code execution.
  • Monitoring logs: Web proxy logs or endpoint protection logs showing detection of mobile code execution. Show examples of blocked or suspicious code.
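The weekly review of proxy and endpoint logs is easier to evidence when the review itself is scripted. The following is an added example (not from this guide or from any proxy vendor) that reads web proxy log lines, keeps only the content types that carry mobile code, resolves each request's origin against a trusted-domain list, and labels the one case a reviewer must act on: untrusted mobile code that was allowed through. The log format, the sample lines and the trusted domains are constructed for the example; adjust the regular expression to your own proxy's export format.

```powershell
# Added example: weekly mobile-code log review over web proxy exports.
# Format and sample data are constructed; adapt the regex to your proxy.
$TrustedDomains  = @('intranet.example.com', 'cdn.example.com')   # constructed placeholder
$MobileCodeTypes = @(
    'application/javascript', 'text/javascript',
    'application/x-shockwave-flash',
    'application/java-archive', 'application/x-java-applet'
)

# Constructed sample export: timestamp  user  action  status  content-type  url
$SampleLog = @'
2024-05-06T09:14:02Z jdoe   ALLOW 200 application/javascript        https://cdn.example.com/app.js
2024-05-06T09:14:05Z jdoe   ALLOW 200 text/html                     https://news.example.net/index.html
2024-05-06T09:14:06Z jdoe   BLOCK 403 application/javascript        https://ads.example.net/track.js
2024-05-06T09:20:11Z asmith BLOCK 403 application/x-shockwave-flash https://games.example.org/player.swf
2024-05-06T09:22:40Z asmith ALLOW 200 application/java-archive      https://legacy.example.org/applet.jar
'@

function Get-MobileCodeEvents {
    param([string[]]$Lines, [string[]]$Trusted)
    $pattern = '^(?<ts>\S+)\s+(?<user>\S+)\s+(?<action>ALLOW|BLOCK)\s+(?<status>\d{3})\s+(?<ctype>\S+)\s+(?<url>\S+)$'
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        if ($line -notmatch $pattern) { continue }      # unparseable line: skip, do not guess
        $ctype = $Matches.ctype.ToLower()
        if ($ctype -notin $MobileCodeTypes) { continue } # only script/plugin payloads matter here
        $origin = ([uri]($Matches.url)).Host
        $isTrusted = $origin -in $Trusted

        # The finding the reviewer cares about: untrusted code that the control let through
        if (-not $isTrusted -and $Matches.action -eq 'ALLOW') { $finding = 'UNTRUSTED-ALLOWED' }
        elseif (-not $isTrusted)                              { $finding = 'UNTRUSTED-BLOCKED' }
        else                                                  { $finding = 'TRUSTED' }

        [pscustomobject]@{
            Time        = $Matches.ts
            User        = $Matches.user
            Origin      = $origin
            ContentType = $ctype
            Action      = $Matches.action
            Finding     = $finding
        }
    }
}

$events = Get-MobileCodeEvents -Lines ($SampleLog -split "`r?`n") -Trusted $TrustedDomains
$events | Format-Table -AutoSize

# Summary for the weekly review record; UNTRUSTED-ALLOWED rows need a ticket
$events | Group-Object Finding | Select-Object Name, Count
```

On the constructed sample this yields one TRUSTED event, two UNTRUSTED-BLOCKED events and one UNTRUSTED-ALLOWED event (the .jar from legacy.example.org), which is the row to show an assessor as a detected exception and, separately, the row that should prompt a policy fix. Storing the dated table and summary each week is the monitoring evidence this practice asks for.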

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Assessor: “Tell me about your mobile code policy. What mobile code is allowed to run on your systems?”

You: “We allow JavaScript from trusted domains, but we have disabled Flash, ActiveX, and Java. Endpoint protection monitors for suspicious script execution.” [Pull up policy and browser security settings]

Assessor: “Show me your browser configuration.”

You: [Open Internet Options or Group Policy and show Flash, ActiveX, and Java are disabled. Show JavaScript is allowed from trusted domains only]

Assessor: “How do you monitor mobile code?”

You: “Our endpoint protection and web proxy log all script execution. We review logs weekly for suspicious activity.” [Pull up sample logs showing detection of mobile code]

Common failures

No documented mobile code policy: Mobile code is not mentioned in policy documents.

Deprecated technologies still enabled: Flash, Java, or ActiveX is still enabled on user systems.

No monitoring of mobile code: Endpoint protection is installed but not configured to monitor script execution.

Unrestricted script execution: Any JavaScript from any website can execute on user systems.

What passes

Clear policy defining allowed mobile code: Deprecated technologies are disabled. Trusted scripts are allowed. Untrusted code is blocked.

Active monitoring: Logs show detection and blocking of mobile code.

If you use an MSP/MSSP

If your MSP manages browser security or endpoint protection, ensure they are disabling deprecated mobile code technologies and monitoring for suspicious code execution. Request logs showing detection and blocking of mobile code.


This guide is for reference only and does not replace official CMMC documentation or professional compliance advice.

New practice breakdowns and assessment tips every week. Follow on Substack to stay current as the November 2026 deadline gets closer.