NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-8(25) Economic Security

Implement the security design principle of economic security in [Assignment: organization-defined systems or system components].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

The principle of economic security states that security mechanisms are not costlier than the potential damage that could occur from a security breach. This is the security-relevant form of the cost-benefit analyses used in risk management. The cost assumptions of cost-benefit analysis prevent the system designer from incorporating security mechanisms of greater strength than necessary, where strength of mechanism is proportional to cost. The principle of economic security also requires analysis of the benefits of assurance relative to the cost of that assurance in terms of the effort expended to obtain relevant and credible evidence as well as the necessary analyses to assess and draw trustworthiness and risk conclusions from the evidence.

Practitioner Notes

Economic security means considering the costs and resource requirements of security mechanisms. Security controls that are too expensive to implement or maintain properly will eventually be disabled or neglected.

Example 1: When selecting security controls, evaluate the total cost of ownership — not just the license fee, but staffing to operate and monitor, training, maintenance, and the operational impact on users. A cheaper tool that your team can actually use and maintain is more secure than an expensive one that nobody understands.

Example 2: Leverage built-in security features before purchasing additional tools. Microsoft 365 E5 includes Defender for Endpoint, Sentinel-ready connectors, DLP, and Conditional Access. If you are already paying for E5, use these capabilities rather than buying separate products that add cost and complexity.