NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-11(1) Irrefutable Communications Path

a. Provide a trusted communications path that is irrefutably distinguishable from other communications paths; and
b. Initiate the trusted communications path for communications between the [Assignment: organization-defined security functions] of the system and the user.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

An irrefutable communications path permits the system to initiate a trusted path, which necessitates that the user can unmistakably recognize the source of the communication as a trusted system component. For example, the trusted path may appear in an area of the display that other applications cannot access or be based on the presence of an identifier that cannot be spoofed.

Practitioner Notes

The trusted path must provide irrefutable proof that both parties in a communication are who they claim to be — neither side can deny the exchange.

Example 1: Use mutual TLS (mTLS) for critical system-to-system communications. Both the client and server present certificates, so neither side can deny the connection. Log the certificate details in your SIEM for audit purposes.

Example 2: Implement digital signatures on all administrative commands sent to critical infrastructure. The signature proves the command came from an authorized administrator and was not altered in transit. Store signed command logs for non-repudiation.
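
The server side of Example 1, sketched with Python's standard `ssl` module as an added example (it is not part of the NIST control text or of the notes above): the context refuses clients that present no valid certificate, and the audit function turns `getpeercert()` output into one JSON line for the SIEM. The function names, the record fields and the sample certificate values are assumptions constructed for illustration.

```python
import hashlib
import json
import ssl
from datetime import datetime, timezone

def mtls_server_context(cert_file=None, key_file=None, client_ca_file=None):
    """Server context that fails the handshake unless the client presents a certificate
    chaining to client_ca_file. Paths are optional only so the policy can be inspected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # CERT_NONE or CERT_OPTIONAL would not be mutual TLS
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    if client_ca_file:
        ctx.load_verify_locations(cafile=client_ca_file)
    return ctx

def _flatten(name):
    # getpeercert() returns a name as a tuple of RDNs, each a tuple of (key, value) pairs
    return {key: value for rdn in name for key, value in rdn}

def peer_cert_audit_record(peercert, der_bytes, peer_addr):
    """Build one JSON line for the SIEM from ssl.SSLSocket.getpeercert() output."""
    if not peercert or not der_bytes:
        raise ValueError("peer presented no verified certificate")
    expiry = ssl.cert_time_to_seconds(peercert["notAfter"])
    record = {
        "event": "mtls_peer_authenticated",  # hypothetical event name
        "peer_addr": peer_addr,
        "subject_cn": _flatten(peercert["subject"]).get("commonName"),
        "issuer_cn": _flatten(peercert["issuer"]).get("commonName"),
        "serial": peercert["serialNumber"],
        "not_after": datetime.fromtimestamp(expiry, timezone.utc).isoformat(),
        "san": [value for _kind, value in peercert.get("subjectAltName", ())],
        "sha256": hashlib.sha256(der_bytes).hexdigest(),
    }
    return json.dumps(record, sort_keys=True)

# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_PEERCERT = {
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "billing-client"),)),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "serialNumber": "0A1B2C3D",
    "notAfter": "Jun  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "billing-client.internal.example"),),
}
SAMPLE_DER = b"constructed-der-bytes"  # stands in for getpeercert(binary_form=True)
if __name__ == "__main__":
    print(peer_cert_audit_record(SAMPLE_PEERCERT, SAMPLE_DER, "10.0.0.7"))
```

On a live connection, pass `conn.getpeercert()` and `conn.getpeercert(binary_form=True)` from the accepted `SSLSocket`; the SHA-256 fingerprint lets the SIEM correlate sessions to one exact certificate even when names are reused.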