Security requirements are
“[t]ypes and levels of protection necessary for equipment, data, information, applications, and facilities to meet security policy.”
“those requirements levied on an information system that are derived from laws, Executive Orders, directives, policies, instructions, regulations, or organizational (mission) needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.”
The term security requirement is used by different communities and groups in different ways and may require additional explanation to establish the particular context for the various use cases. Security requirements can be stated at a very high level of abstraction, for example, in legislation, Executive Orders, directives, policies, standards, and mission/business needs statements. FISMA and FIPS 200 articulate security requirements at such a level. Organizations take these high-level security requirements and define certain security capabilities needed to satisfy those requirements and provide appropriate mission/business protection.
Security requirements are also reflected in various nontechnical security controls that address such matters as policy and procedures at the management and operational elements within organizations, again at differing levels of detail. It is important to define the context for each use of the term security requirement so the respective communities (including individuals responsible for policy, architecture, acquisition, engineering, and mission/business protection) can clearly communicate their intent.
- "Overview" section: NIST Special Publication 800-53, Rev. 4, at X.