NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-37 Out-of-band Channels

Employ the following out-of-band channels for the physical delivery or electronic transmission of {{ insert: param, sc-37_odp.02 }} to {{ insert: param, sc-37_odp.03 }}: {{ insert: param, sc-37_odp.01 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Supplemental Guidance

Out-of-band channels include local, non-network accesses to systems; network paths physically separate from network paths used for operational traffic; or non-electronic paths, such as the U.S. Postal Service. The use of out-of-band channels is contrasted with the use of in-band channels (i.e., the same channels) that carry routine operational traffic. Out-of-band channels do not have the same vulnerability or exposure as in-band channels. Therefore, the confidentiality, integrity, or availability compromises of in-band channels will not compromise or adversely affect the out-of-band channels. Organizations may employ out-of-band channels in the delivery or transmission of organizational items, including authenticators and credentials; cryptographic key management information; system and data backups; configuration management changes for hardware, firmware, or software; security updates; maintenance information; and malicious code protection updates. For example, cryptographic keys for encrypted files are delivered using a different channel than the file.

Practitioner Notes

Use out-of-band channels — communication paths separate from your primary network — for delivering critical security information like keys, passwords, or emergency alerts.

Example 1: When resetting an administrator password, send the temporary password via encrypted SMS or a phone call — not through the same email system the password protects. The out-of-band channel prevents an attacker who has compromised email from intercepting the new password.

Example 2: Maintain a phone tree or out-of-band messaging system (like Signal) for incident response communications. If your corporate email and chat are compromised, you need an alternative way to coordinate your response team without the attacker listening in.
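The separation described in the Supplemental Guidance (a key delivered on a different channel than the file it protects) and in the practitioner examples above, as an added illustration that is not part of the NIST text: a routing check that refuses to place a secret on an in-band or shared channel, plus a model of what an attacker holding every in-band channel can observe. The channel names and the SHA-256 keystream are constructed for the example; use a real AEAD in production.

```python
"""Channel-separation check for SC-37 style out-of-band delivery (added example)."""
import hashlib
import secrets
from dataclasses import dataclass

# Constructed inventory: channels that carry routine operational traffic (in-band).
IN_BAND = {"corp-email", "corp-chat", "vpn-data"}


@dataclass
class Delivery:
    item: str               # e.g. "file-encryption-key", "temp-admin-password"
    payload_channel: str    # channel carrying the protected object (the file)
    key_channel: str        # channel carrying the secret that protects it


def is_out_of_band(delivery: Delivery) -> bool:
    """True only if the secret travels on a channel that is neither an
    in-band operational channel nor the channel carrying the payload."""
    return (delivery.key_channel not in IN_BAND
            and delivery.key_channel != delivery.payload_channel)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Illustrative SHA-256 counter keystream (not production crypto)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def deliver(plaintext: bytes, payload_channel: str, key_channel: str) -> dict:
    """Encrypt, then route ciphertext and key on separate channels, refusing
    any plan that would put the key on an in-band or shared channel."""
    plan = Delivery("file-encryption-key", payload_channel, key_channel)
    if not is_out_of_band(plan):
        raise ValueError(f"key channel {key_channel!r} is not out-of-band")
    key = secrets.token_bytes(32)
    return {payload_channel: keystream_xor(key, plaintext), key_channel: key}


def in_band_observer(traffic: dict) -> dict:
    """What an attacker who has compromised every in-band channel can see."""
    return {ch: data for ch, data in traffic.items() if ch in IN_BAND}
```

Because the observer only sees the ciphertext on the compromised in-band channel, a compromise there does not expose the key, which is the property the control relies on.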