NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-8(5) Efficiently Mediated Access

Implement the security design principle of efficiently mediated access in [Assignment: organization-defined systems or system components].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

The principle of efficiently mediated access states that policy enforcement mechanisms utilize the least common mechanism available while satisfying stakeholder requirements within expressed constraints. The mediation of access to system resources (i.e., CPU, memory, devices, communication ports, services, infrastructure, data, and information) is often the predominant security function of secure systems. It also enables the realization of protections for the capability provided to stakeholders by the system. Mediation of resource access can result in performance bottlenecks if the system is not designed correctly. For example, by using hardware mechanisms, efficiently mediated access can be achieved. Once access to a low-level resource such as memory has been obtained, hardware protection mechanisms can ensure that out-of-bounds access does not occur.

Practitioner Notes

Efficiently mediated access means that every access attempt is checked by a reference monitor (access control mechanism) that cannot be bypassed, is tamper-proof, and is small enough to be verified.

Example 1: Ensure your access control enforcement points cannot be bypassed. If users must go through a VPN to access internal resources, make sure there are no alternative paths (open RDP ports, unprotected management interfaces) that skip the VPN. Regularly scan for unauthorized access paths.

Example 2: In web applications, enforce authorization checks at the API layer, not just in the UI. A user might bypass the UI by calling the API directly — every API endpoint must independently verify the caller's permissions before returning data. Never rely on the front-end to enforce security.
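The API-layer check from Example 2, as an added sketch that is not part of NIST SP 800-53 or of the original notes: every handler is reached through one shared `dispatch` check, and a weak UI-trusting form is shown beside it. The `Api` class, route path, roles, and invoice records are hypothetical names and constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data: role -> permissions, and records owned by users.
ROLE_PERMS = {"admin": {"invoice:read", "invoice:read_any"}, "user": {"invoice:read"}}
INVOICES = {1: {"owner": "alice", "total": 120}, 2: {"owner": "bob", "total": 75}}

@dataclass(frozen=True)
class Caller:  # identity established server-side (e.g. from a verified session)
    name: str
    role: str

def get_invoice_weak(invoice_id, ui_says_allowed):
    # Weak form: trusts a flag computed by the front end; a direct API call sets it freely.
    return (200, INVOICES[invoice_id]) if ui_says_allowed else (403, None)

class Api:
    # One shared enforcement point: requests reach handlers only via dispatch().
    def __init__(self):
        self._routes = {}

    def route(self, path, permission):
        if not permission:  # deny by default: a route cannot exist without a policy
            raise ValueError(f"route {path} declared without a permission")
        def register(handler):
            self._routes[path] = (permission, handler)
            return handler
        return register

    def dispatch(self, caller, path, **params):
        if path not in self._routes:
            return 404, None
        permission, handler = self._routes[path]
        if caller is None:
            return 401, None
        if permission not in ROLE_PERMS.get(caller.role, set()):
            return 403, None
        return handler(caller, **params)

api = Api()

@api.route("/invoices/get", permission="invoice:read")
def get_invoice(caller, invoice_id):
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    # Object-level check: the route permission alone does not grant other users' records.
    may_read_any = "invoice:read_any" in ROLE_PERMS.get(caller.role, set())
    if invoice["owner"] != caller.name and not may_read_any:
        return 403, None
    return 200, invoice
```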