1. Show that system security is an integral part of the agency's IT architecture.
2. Report the costs of security and show how the security plan is part of the life-cycle of the system. Develop a security plan that includes the security rules for the system, the consequences of violating the rules, and a way to identify, limit and control connections to other systems.
3. Identify security risks and how risks will be assessed and minimized. Demonstrate how security controls are commensurate with the risk.
4. Use appropriate security for systems that permit public access. Ensure that the handling of personal information is consistent with relevant federal policies.
5. Account for departures from National Institute of Standards and Technology guidance.