Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family SC

SC-11 Trusted Path

Provide a {{ insert: param, sc-11_odp.01 }} isolated trusted communications path for communications between the user and the trusted components of the system; and Permit users to invoke the trusted communications path for communications between the user and the following security functions of the system, including at a minimum, authentication and re-authentication: {{ insert: param, sc-11_odp.02 }}.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: partial · 5 mapping(s) from 2 framework(s): ASVS 5.0 3 (partial) · CSF 2.0 2 (partial)

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (0)

Weaknesses this control addresses (6) AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-290 | Authentication Bypass by Spoofing | 698 | Isolated trusted path ensures the user interacts only with genuine system components, preventing spoofing of authentication interfaces or prompts. |
| CWE-346 | Origin Validation Error | 661 | Trusted path establishment enforces validation that the communication originates from and reaches only the intended trusted system components. |
| CWE-288 | Authentication Bypass Using an Alternate Path or Channel | 592 | Requires authentication to occur exclusively over the isolated trusted path, directly preventing bypass via alternate or untrusted channels. |
| CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints | 61 | Mandates restriction of the channel for authentication to only the intended trusted endpoints, blocking unauthorized communication paths. |
| CWE-940 | Improper Verification of Source of a Communication Channel | 55 | Requires explicit verification of the source and integrity of the channel used for authentication and other security functions. |
| CWE-300 | Channel Accessible by Non-Endpoint | 54 | Explicitly isolates the communications path so it cannot be accessed or intercepted by non-endpoint entities during security functions. |

Top CVEs where this control is the strongest mitigation

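| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2026-2378 | 5.5 | 7.4 | 0.0017 | good |
| CVE-2026-0007 | 5.5 | 8.6 | 0.0009 | partial |
| CVE-2025-33054 (UPD) | 5.5 | 8.1 | 0.0083 | good |
| CVE-2024-8897 | 3.5 | 6.1 | 0.0689 | partial |
| CVE-2025-15032 | 5.5 | 7.4 | 0.0024 | minimal |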

Other controls in family SC

SC-1 SC-10 SC-12 SC-13 SC-14 SC-15 SC-16 SC-17 SC-18 SC-19 SC-2 SC-20 SC-21 SC-22 SC-23 SC-24 SC-25 SC-26 SC-27 SC-28 SC-29 SC-3 SC-30 SC-31 SC-32 SC-33 SC-34 SC-35 SC-36 SC-37 SC-38 SC-39 SC-4 SC-40 SC-41 SC-42 SC-43 SC-44 SC-45 SC-46 SC-47 SC-48 SC-49 SC-5 SC-50 SC-51 SC-6 SC-7 SC-8 SC-9