How do you handle a situation where a required NIST security control conflicts with an operational mission requirement?