Unverified Commit f910633c authored by Aki Braun

Resolves HAS 37

Closes #274
parent 8ce1aae4
+1 −1
@@ -4,7 +4,7 @@

**See Annex C for more information.**

The most important quality of a cybersecurity requirement is that it should ideally be objectively testable on an instance of the product. If it can't be tested on the product itself, it is a documentation requirement, in which the assessor documents the steps they took to implement the requirement (such as configuration files or written policies used by employees).
The most important quality of a cybersecurity requirement is that it should ideally be objectively testable on an instance of the product. If it can't be tested on the product itself, it is a documentation requirement, in which the manufacturer documents the steps they took to implement the requirement (such as configuration files or written policies used by employees).

The alternative is "check-box" requirements, which only require that the vendor says that they did a thing ("Did you have every commit code-reviewed by a second person? [x] Yes [ ] No"). These are not acceptable and should be converted into testable requirements if possible and documentation requirements otherwise.
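Review bot: with "assessor" replaced by "manufacturer" in the second sentence, the new line no longer says what the assessor does with the documentation the manufacturer produces, so the documentation requirement now names no evaluating party; consider a clause such as "which the assessor then reviews" after "(such as configuration files or written policies used by employees)". The correction itself is sound: the party that implemented the requirement is the one that can document how, and configuration files and employee policies are the manufacturer's artifacts, not the assessor's. Minor style point on the unchanged first sentence: "the most important quality ... is that it should ideally be" doubles the hedge; "is that it be objectively testable on an instance of the product" reads more cleanly and matches the firm tone of the "check-box" paragraph that follows.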