NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-8(26) — Performance Security
Implement the security design principle of performance security in {{ insert: param, sa-08.26_odp }}.
Supplemental Guidance
The principle of performance security states that security mechanisms are constructed so that they do not degrade system performance unnecessarily. Stakeholder and system design requirements for performance and security are precisely articulated and prioritized. For the system implementation to meet its design requirements and be found acceptable to stakeholders (i.e., validation against stakeholder requirements), the designers adhere to the specified constraints that capability performance needs place on protection needs. The overall impact of computationally intensive security services (e.g., cryptography) are assessed and demonstrated to pose no significant impact to higher-priority performance considerations or are deemed to provide an acceptable trade-off of performance for trustworthy protection. The trade-off considerations include less computationally intensive security services unless they are unavailable or insufficient. The insufficiency of a security service is determined by functional capability and strength of mechanism. The strength of mechanism is selected with respect to security requirements, performance-critical overhead issues (e.g., cryptographic key management), and an assessment of the capability of the threat. The principle of performance security leads to the incorporation of features that help in the enforcement of security policy but incur minimum overhead, such as low-level hardware mechanisms upon which higher-level services can be built. Such low-level mechanisms are usually very specific, have very limited functionality, and are optimized for performance. For example, once access rights to a portion of memory is granted, many systems use hardware mechanisms to ensure that all further accesses involve the correct memory address and access mode. Application of this principle reinforces the need to design security into the system from the ground up and to incorporate simple mechanisms at the lower layers that can be used as building blocks for higher-level mechanisms.
Practitioner Notes
Performance security means that security controls should not degrade system performance to the point where users bypass them. Security that slows work to a crawl gets disabled in practice.
Example 1: Test the performance impact of security controls before deployment. If full-disk encryption slows laptop boot time from 30 seconds to 5 minutes, users will resist. Choose encryption solutions with hardware acceleration (most modern CPUs support AES-NI) that make the performance impact imperceptible.
Example 2: Configure endpoint protection (antivirus, EDR) with appropriate exclusions for performance-sensitive applications. If your scanner slows database operations by 40%, work with the vendor to configure scan exclusions for database data files while maintaining protection for executable files and scripts.