NIST 800-53 r5 · Controls catalogue · Family SC

SC-37Out-of-band Channels

Employ the following out-of-band channels for the physical delivery or electronic transmission of {{ insert: param, sc-37_odp.02 }} to {{ insert: param, sc-37_odp.03 }}: {{ insert: param, sc-37_odp.01 }}.

Last updated: 09 May 2026 03:25 UTC

Implementations targeting this control (0)

No implementations targeting this control yet.

ATT&CK techniques this control mitigates (12)

T1071 Application Layer Protocol Command And Control
T1071.001 Web Protocols Command And Control
T1071.002 File Transfer Protocols Command And Control
T1071.003 Mail Protocols Command And Control
T1071.004 DNS Command And Control
T1114 Email Collection Collection
T1114.001 Local Email Collection Collection
T1114.002 Remote Email Collection Collection
T1114.003 Email Forwarding Rule Collection
T1213 Data from Information Repositories Collection
T1213.005 Messaging Applications Collection
T1489 Service Stop Impact

Weaknesses this control addresses (5)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE	Name	CVEs	Why this control addresses it
`CWE-200`	Exposure of Sensitive Information to an Unauthorized Actor	10,204	Out-of-band delivery transmits sensitive data on a separate path, directly reducing exposure to unauthorized actors on the primary channel.
`CWE-522`	Insufficiently Protected Credentials	1,518	Credentials or keys delivered out-of-band are not exposed to interception or inadequate protection on the main transport.
`CWE-319`	Cleartext Transmission of Sensitive Information	1,042	Sensitive values are moved off the primary channel, avoiding cleartext transmission risks associated with that channel.
`CWE-300`	Channel Accessible by Non-Endpoint	53	An out-of-band channel is inaccessible to non-endpoints that can observe or interfere with the primary communication channel.
`CWE-523`	Unprotected Transport of Credentials	20	Using a distinct channel for credential transmission prevents unprotected transport over the application's normal communication path.

Top CVEs where this control is the strongest mitigation

CVE	Risk	CVSS	EPSS	Match
No CVEs annotated to this control yet — the per-CVE backfill is in progress.

Other controls in family SC

SC-1 SC-10 SC-11 SC-12 SC-13 SC-14 SC-15 SC-16 SC-17 SC-18 SC-19 SC-2 SC-20 SC-21 SC-22 SC-23 SC-24 SC-25 SC-26 SC-27 SC-28 SC-29 SC-3 SC-30 SC-31 SC-32 SC-33 SC-34 SC-35 SC-36 SC-38 SC-39 SC-4 SC-40 SC-41 SC-42 SC-43 SC-44 SC-45 SC-46 SC-47 SC-48 SC-49 SC-5 SC-50 SC-51 SC-6 SC-7 SC-8 SC-9