myctrl.tools
Compare

SC-11Trusted Path

>Control Description

a

Provide a [Selection (one): physically; logically] isolated trusted communications path for communications between the user and the trusted components of the system; and

b

Permit users to invoke the trusted communications path for communications between the user and the following security functions of the system, including at a minimum, authentication and re-authentication: organization-defined security functions.

>Control Enhancements(1)

SC-11(1)

>Cross-Framework Mappings

NIST CSF 2.0

via NIST CSF 2.0 Concept Crosswalk
PR.DS-02
Compare
PR.DS-10
Compare

SCF

END-09
Compare

>Supplemental Guidance

Trusted paths are mechanisms by which users can communicate (using input devices such as keyboards) directly with the security functions of systems with the requisite assurance to support security policies. Trusted path mechanisms can only be activated by users or the security functions of organizational systems. User responses that occur via trusted paths are protected from modification by and disclosure to untrusted applications.

Organizations employ trusted paths for trustworthy, high-assurance connections between security functions of systems and users, including during system logons. The original implementations of trusted paths employed an out-of-band signal to initiate the path, such as using the <BREAK> key, which does not transmit characters that can be spoofed. In later implementations, a key combination that could not be hijacked was used (e.g., the <CTRL> + <ALT> + <DEL> keys).

Such key combinations, however, are platform-specific and may not provide a trusted path implementation in every case. The enforcement of trusted communications paths is provided by a specific implementation that meets the reference monitor concept.

>Related Controls

AC-16
AC-25
SC-12
SC-23

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of trusted path?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-11?

Technical Implementation:

  • How is trusted path technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that trusted path remains effective as the system evolves?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-11?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?

Ask AI

Configure your API key to use AI features.