Cyber Posture

NIST 800-53 r5 · Controls catalogue · Family SC

SC-11 Trusted Path

a. Provide a {{ insert: param, sc-11_odp.01 }} isolated trusted communications path for communications between the user and the trusted components of the system; and
b. Permit users to invoke the trusted communications path for communications between the user and the following security functions of the system, including at a minimum, authentication and re-authentication: {{ insert: param, sc-11_odp.02 }}.

Last updated: 09 May 2026 03:25 UTC

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (0)

Weaknesses this control addresses (6)

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE | Name | CVEs | Why this control addresses it
CWE-290 | Authentication Bypass by Spoofing | 631 | Isolated trusted path ensures the user interacts only with genuine system components, preventing spoofing of authentication interfaces or prompts.
CWE-346 | Origin Validation Error | 548 | Trusted path establishment enforces validation that the communication originates from and reaches only the intended trusted system components.
CWE-288 | Authentication Bypass Using an Alternate Path or Channel | 523 | Requires authentication to occur exclusively over the isolated trusted path, directly preventing bypass via alternate or untrusted channels.
CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints | 57 | Mandates restriction of the channel for authentication to only the intended trusted endpoints, blocking unauthorized communication paths.
CWE-300 | Channel Accessible by Non-Endpoint | 53 | Explicitly isolates the communications path so it cannot be accessed or intercepted by non-endpoint entities during security functions.
CWE-940 | Improper Verification of Source of a Communication Channel | 45 | Requires explicit verification of the source and integrity of the channel used for authentication and other security functions.

Top CVEs where this control is the strongest mitigation

CVE | Risk | CVSS | EPSS | Match
CVE-2026-0007 | 1.7 | 8.6 | 0.0000 | partial
CVE-2026-2378 | 1.5 | 7.4 | 0.0003 | good

Other controls in family SC

SC-1 SC-10 SC-12 SC-13 SC-14 SC-15 SC-16 SC-17 SC-18 SC-19 SC-2 SC-20 SC-21 SC-22 SC-23 SC-24 SC-25 SC-26 SC-27 SC-28 SC-29 SC-3 SC-30 SC-31 SC-32 SC-33 SC-34 SC-35 SC-36 SC-37 SC-38 SC-39 SC-4 SC-40 SC-41 SC-42 SC-43 SC-44 SC-45 SC-46 SC-47 SC-48 SC-49 SC-5 SC-50 SC-51 SC-6 SC-7 SC-8 SC-9