Supercomputing News
NIST's New HPC Security Overlay Turns Compliance Into a Throughput Problem

The final SP 800-234 overlay covers the 287 controls in the SP 800-53B Moderate baseline, adds AC-10 for concurrent interactive sessions, and tailors 60 controls across the access, management, computing, and storage zones defined in SP 800-223.

[Image: Long, dimly lit data center corridor with rows of black server cabinets, overhead cable trays, and cooling pipes receding to a vanishing point. Caption: NIST's new HPC security overlay, SP 800-234, tailors 60 controls and adds one new requirement to keep federal exascale systems compliant without paying the throughput tax of enterprise-grade tooling. Credit: AI-generated / SCN]
By SCN Staff, Staff Editor. Published May 15, 2026.

Ian Lee, a co-author of NIST Special Publication 800-234 and a former Lawrence Livermore security lead now with ShorePoint, has been making the federal HPC security argument in throughput terms. His shorthand is brutal: a 1 percent performance hit on El Capitan is roughly a Lassen-class machine.

The math holds. El Capitan, LLNL's exascale flagship, posted a 1.809 EFLOP/s HPL result on the November 2025 TOP500 list, so one percentage point of overhead is about 18.1 PFLOP/s. Lassen's June 2019 HPL result was 18.2 PFLOP/s, with a 23.05 PFLOP/s peak rating. A small percentage of overhead on an exascale system is not small. It is a previous-generation national lab supercomputer.

That is the operating reality behind NIST Special Publication 800-234, finalized on 4 May 2026. The new HPC security overlay builds from the SP 800-53B Moderate baseline, covers 288 controls, tailors 60 with HPC-specific guidance, and adds AC-10 (Concurrent Session Control) on top of the baseline because interactive multi-user access is not an edge case in HPC. It is the model. The overlay builds on SP 800-223, the HPC reference architecture NIST finalized in February 2024.

NIST's own framing of the design objective does most of the work in the title and the abstract: the overlay aims to provide "practical, performance-conscious security guidance that can be readily adopted." The phrase "performance-conscious" is not throat-clearing. It is the entire reconciliation. Federal HPC operators have been working against FISMA-driven NIST 800-53 control baselines for roughly two decades, and the tooling those baselines invited was designed for enterprise IT systems with throughput budgets measured in milliseconds of user response time, not in the wall-clock equivalent of a previous-generation national lab supercomputer.

What the document actually contains

800-234 is not a new set of controls. It is a formal tailoring of NIST 800-53 Moderate to HPC operational contexts, mapped onto the four-zone architecture finalized in SP 800-223. Of the 287 controls in the Moderate baseline, 60 received HPC-specific supplemental guidance. AC-10, an existing SP 800-53 control that is not part of the Moderate baseline, was added on top of it for HPC use, bringing the overlay total to 288.

The zone architecture inherited from 800-223 frames the controls' geography. The Access Zone covers login nodes, data transfer nodes, and web portals, with controls focused on authentication and perimeter threat protection. The Management Zone covers system administration, schedulers, identity management, and configuration management, with the emphasis on privileged access and configuration integrity. The High-Performance Computing Zone covers compute nodes, accelerators, and high-speed interconnects, where resource isolation and performance preservation sit at the center of the security posture. The Data Storage Zone covers parallel file systems, burst buffers, and high-capacity storage, with controls organized around data integrity and high-throughput protection.

The key design move on AC-10 is not a carve-out. It is an addition: 800-234 pulls AC-10 into a Moderate-derived overlay because concurrent interactive sessions are central to HPC operations, then makes the control HPC-aware by allowing higher organization-defined limits and zone-specific implementation. HPC has always been multi-user by design - a shared scientific instrument with thousands of simultaneous sessions across login nodes, schedulers, and compute partitions - and the standard Moderate posture has no native way of expressing that reality.

What NIST had to bend

The practitioner meat sits in the 60 controls that received supplemental guidance. They span performance-impact constraints, scale-appropriate implementations, multi-tenancy considerations, and zone-specific application. NIST asks implementers to read each tailored control through those lenses rather than against a generic enterprise reference.

The concrete examples NIST gives are operational, not abstract. Duplicate logging can create performance impacts on the very systems being logged. Periodic file scanning can be infeasible on HPC parallel filesystems. High-speed data flows can overwhelm enterprise network monitoring tools. Scanning identical or diskless compute nodes one-by-one can create performance penalties that buy little real security. Each is the kind of implementation choice that would survive an enterprise audit and break a national lab job mix.

Lee, writing in a Federal News Network commentary the same week the overlay was finalized, made the point in the bluntest available terms: enterprise-style implementations of standard controls can degrade HPC performance enough to "make the system functionally useless." NIST itself stops well short of that phrasing, but the tailoring choices in 800-234 are exactly what the document offers as a controlled response.

The overlay's design instinct is to specify what must be true - the control's intent - without specifying how it must be enforced in a way that breaks the throughput model. That instinct is what 800-234 contributes to the federal compliance literature. It is also what makes it useful as a reference document for allied national HPC programs working through the same problem.

Who will use it

The 17 named authors map closely onto the federal HPC ecosystem that will operate under the overlay. NIST's Yang Guo and Jeremy Licata are the document leads. The DOE national labs supplied co-authors from Argonne (Jeff Neel), Lawrence Livermore (Ian Lee, now with ShorePoint), Los Alamos (Catherine Hinton, David Shrader), and Sandia (Aron Warren, Tony DeNardo). DoD's HPC Modernization Program contributed Gary Key and James Waterman. NASA added Ted Bohrer and Katsutoshi Ishisoko. MIT Lincoln Laboratory's Andrew Prout and Albert Reuther appear, as do Kyle Earley from the Ohio Supercomputer Center and, on the university side, Ian Czarnezki of Arkansas and Erik Deumens of Florida.

That is a compliance population with representation in its own control map. DOE labs, DoD HPCMP, NASA computing, and university research-computing operations running federal workloads now have a tailored controls document with practitioner authorship to read against. ORNL is moving on an adjacent track, packaging the operational practice of running exascale federal systems through its Next-Generation Data Center Institute. The NGDCI is not a co-author of the NIST overlay, and the draft does not claim it informed the tailoring decisions, but the two efforts are reading the same federal HPC operator community from different angles. One codifies the security posture. The other codifies the operational know-how.

The operational throughput trade-off

A central cost of security control implementation in HPC is throughput. That is the standing tension 800-234 is built to manage rather than resolve.

Lee's Lassen-equivalent framing is the most efficient way to translate that overhead into terms federal HPC operators already use. A 1 percent overhead on El Capitan's current HPL result is, by his math, on the order of an entire previous-generation national lab supercomputer. The cost of running an inappropriate enterprise security stack on the largest federal systems is not abstract. It is measurable in science not done.

Federal HPC is also operating against a resource headwind: the 100-gigawatt data center supercycle is allocating power, talent, and capital toward commercial AI infrastructure at a pace federal labs cannot match. Most commercial AI infrastructure does not carry the federal HPC overlay by default, though providers serving federal workloads can face federal security requirements through other paths. The point of 800-234's performance-conscious tailoring is not to remove the gap with commercial infrastructure. It is to keep security implementation from becoming a hidden tax on federal scientific throughput on top of the gap that already exists.

The practitioner community whose work intersects with that throughput-versus-controls trade-off is the same one that this year recognized Devesh Tiwari with the 2026 Jack Dongarra Early Career Award for sustainable HPC and hybrid quantum-classical systems work. The schedulers, data-movement tools, and resilience layers built by that community are the layer at which AC-10 and the 60 tailored controls will land in practice.

The sovereignty close

The US now has a NIST security overlay for federal HPC environments. That is a sovereign capability move, regardless of whether the document itself uses sovereignty language.

EuroHPC is moving along a different axis. On 15 April 2026, the EuroHPC Joint Undertaking released the first version of its Federation Platform, a single access point with unified authentication, authorization, and identification across EuroHPC systems. Separately, EuroHPC awarded GÉANT a connectivity contract in September 2025 to build secure, ultra-high-capacity links among European supercomputing sites, with services beginning in 2026. That stack is a federation-and-access-fabric strategy rather than a per-system controls-overlay strategy.

Both design centers are now visible in parallel. The compliance burden is different. So are the cross-border admissibility regimes, and which open-science user populations can practically work on which machines will diverge accordingly. Allied programs (the UK's ARCHER successor, Japan's post-Fugaku flagship, Gulf-state national AI factories, Southeast Asian sovereign compute investments) now have two design centers to study rather than one.

The interesting question is not which model wins. It is whether the next several years show allied national programs referencing 800-234 directly, diverging deliberately, or building something hybrid. Federal HPC now has a controls-based security baseline. The international response will determine whether it becomes a reference model or a regional choice.

AI disclosure
AI-assisted research and first draft. This article has been verified by a human editor.