NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-8(28) Acceptable Security

Implement the security design principle of acceptable security in {{ insert: param, sa-08.28_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

The principle of acceptable security requires that the level of privacy and performance that the system provides is consistent with the users’ expectations. The perception of personal privacy may affect user behavior, morale, and effectiveness. Based on the organizational privacy policy and the system design, users should be able to restrict their actions to protect their privacy. When systems fail to provide intuitive interfaces or meet privacy and performance expectations, users may either choose to completely avoid the system or use it in ways that may be inefficient or even insecure.

Practitioner Notes

Acceptable security means that the level of security implemented is appropriate for the system's risk level and mission importance. Over-engineering security wastes resources; under-engineering creates unacceptable risk.

Example 1: Match your security investment to the system's categorization. A FIPS 199 Low system does not need the same depth of monitoring as a High system. Spend your limited resources where the risk is greatest — protect your CUI processing systems more heavily than your break room display TV.

Example 2: Use your risk assessment results to justify security spending. If the annual loss expectancy from a risk is $10,000, spending $100,000 to mitigate it does not make business sense. Document the cost-benefit analysis and present risk acceptance decisions to leadership for formal approval.