NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-11 Trusted Path

a. Provide a {{ insert: param, sc-11_odp.01 }} isolated trusted communications path for communications between the user and the trusted components of the system; and

b. Permit users to invoke the trusted communications path for communications between the user and the following security functions of the system, including at a minimum, authentication and re-authentication: {{ insert: param, sc-11_odp.02 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Trusted paths are mechanisms by which users can communicate (using input devices such as keyboards) directly with the security functions of systems with the requisite assurance to support security policies. Trusted path mechanisms can only be activated by users or the security functions of organizational systems. User responses that occur via trusted paths are protected from modification by and disclosure to untrusted applications. Organizations employ trusted paths for trustworthy, high-assurance connections between security functions of systems and users, including during system logons. The original implementations of trusted paths employed an out-of-band signal to initiate the path, such as using the <BREAK> key, which does not transmit characters that can be spoofed. In later implementations, a key combination that could not be hijacked was used (e.g., the <CTRL> + <ALT> + <DEL> keys). Such key combinations, however, are platform-specific and may not provide a trusted path implementation in every case. The enforcement of trusted communications paths is provided by a specific implementation that meets the reference monitor concept.

Practitioner Notes

A trusted path provides a secure, verifiable communication channel between the user and the system for security-critical operations like login. The user must be confident they are talking to the real system, not a spoof.

Example 1: The Windows Secure Attention Sequence (Ctrl+Alt+Delete) is a trusted path: because the sequence is intercepted by the operating system and cannot be captured or faked by ordinary applications, pressing it guarantees that the login screen shown is the real Windows logon and not a fake login screen planted by malware. Require Ctrl+Alt+Delete for login via GPO under the Interactive Logon security settings.
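As an added example (not part of the NIST text or this page's notes), the following PowerShell script audits, and with -Enforce sets, the policy-backed registry value behind "Interactive logon: Do not require CTRL+ALT+DEL". It assumes the DisableCAD value path named in the comments, and treats an absent value as "not enforced" for audit purposes.

```powershell
# Added example: audit/enforce the Secure Attention Sequence requirement that backs
# the SC-11 trusted path on Windows. Assumes the policy-backed DWORD value DisableCAD
# under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
# (0 = Ctrl+Alt+Del required, 1 = not required). An absent value is reported as
# NotConfigured. Run elevated; on domain-joined hosts prefer setting it through GPO.

[CmdletBinding()]
param(
    [switch]$Enforce   # without this switch the script only audits
)

$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName  = 'DisableCAD'

function Get-SasState {
    # Returns an object describing whether Ctrl+Alt+Del is required at logon
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $null; Required = $false; Status = 'NotConfigured' }
    }
    $required = ($item.$ValueName -eq 0)
    return [pscustomobject]@{
        Value    = $item.$ValueName
        Required = $required
        Status   = if ($required) { 'Compliant' } else { 'NonCompliant' }
    }
}

function Set-SasRequired {
    # Sets DisableCAD to 0 so the logon screen can only be reached through the SAS
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

$before = Get-SasState
Write-Output ("SC-11 SAS check: {0} (DisableCAD={1})" -f $before.Status, $before.Value)

if ($Enforce -and -not $before.Required) {
    Set-SasRequired
    $after = Get-SasState
    Write-Output ("Enforced. New state: {0} (DisableCAD={1})" -f $after.Status, $after.Value)
}
```

A NonCompliant or NotConfigured result on a host that should require the SAS is the finding to raise; a direct registry write is a local fix only and will be overwritten by whatever Group Policy applies to the host.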

Example 2: For web applications, use HTTPS with extended validation (EV) certificates or certificate pinning so users can verify they are communicating with the genuine application rather than a phishing site or a man-in-the-middle intercepting the connection.