Requirements
The term requirements can be used in various contexts. In the context of compliance with information security and privacy policies, it typically refers to the obligations imposed on organizations regarding information security and privacy.
Beyond that compliance sense, this guideline also uses the term requirements more broadly to refer to the set of stakeholder protection needs for a particular system or organization.
Stakeholder protection needs, and the corresponding security and privacy requirements, may originate from various sources, including laws, executive orders, directives, regulations, policies, standards, mission and business needs, and risk assessments.
In this guideline, the term requirements therefore encompasses both legal and policy requirements and the broader set of stakeholder protection needs derived from these other sources. When applied to a system, these requirements help define the necessary characteristics of the system, covering security, privacy, and assurance.
Organizations may choose to divide security and privacy requirements into more granular categories depending on where the requirements are employed in the system development life cycle (SDLC) and for what purpose. For example, organizations may use the term capability requirement to describe a capability that the system or organization must provide to satisfy a stakeholder protection need.
(Sources: NIST SP 800-37, NIST SP 800-39)