Published-06-17-17-Ground Rules
Ground rules for requirements decomposition:
1. "The Rule of SHALL": A requirement is recognized by the verbs SHALL and SHALL NOT contained in a normative section of the source text.
2. "The Rule of SHOULD": A recommendation is recognized by the SHOULD or SHOULD NOT verbs.
3. "The rule about names": requirements must follow the naming scheme to produce unique identification, tagged in a way that will help the reader find the source.
4. "The rule of sentences": a requirement must be expressed as a simple, complete sentence, with a subject, verb and perhaps an object. The source text may be reworked to break it down into "atomic" requirements.
5. "The rule of accountability": requirements must apply to something (actors may include: RP, agency, CSP, applicant, subscriber, assessor). When the source text is written in passive voice such that the actor is unclear (e.g. A4.2.1), rework the requirement to be active ("The RP may not use the results of identity proofing to determine suitability or entitlement to gain access to services or benefits.").
6. "The Rule of Conditions": everybody knows that requirements are required, except when they are optional. We need to be clear about any conditions, otherwise requirements are mandatory. Some requirements will apply only at certain assurance levels. In some cases there's a choice, for example A4.4 states that at IAL2 CSPs SHALL proof according to either 4.4.1 or 4.4.2.
Requirements Naming Scheme:
1. The first character of the requirement name denotes the source document; it shall be either “3”, “A”, “B” or “C”.
2. Subsequent numbers denote the section number in which the requirement is found. (e.g. “4.2”)
3. Some sections will contain multiple requirements, and requirements will need to be broken into parts. Use roman numerals for these (e.g. “i”, “ii”, etc.)
Requirements Data Model:
1. Every requirement will have:
a. A name generated by a name scheme such as above
b. A text that contains the wording of the requirement (before and after)
c. A subject which is the entity or entities who are subject to the requirement
d. (sometimes) One or more conditions when the requirement becomes mandatory (e.g. “at IAL2”, “when doing in person identity proofing”, etc.)
e. All of these attributes can be “calculated” from the source text
2. For each requirement the workgroup will derive one or more “assessment methods” – this is where the harder work begins
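The ground rules, naming scheme and data model above can be exercised mechanically. The following is an added example, not part of the workgroup's own tooling; the "-" separator before the roman numeral, the helper names and the sample text are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

ACTORS = ["RP", "agency", "CSP", "applicant", "subscriber", "assessor"]
ROMAN = ["i", "ii", "iii", "iv", "v", "vi", "vii", "viii", "ix", "x"]
# Source character, dotted section number, optional part; the "-" is an assumption.
NAME_RE = re.compile(r"^([3ABC])(\d+(?:\.\d+)*)(?:-([ivx]+))?$")

@dataclass
class Requirement:
    name: str
    text: str
    kind: str          # "requirement" (SHALL) or "recommendation" (SHOULD)
    subjects: list     # candidate actors named in the sentence, for human review
    conditions: list   # e.g. ["at IAL2"]

def parse_name(name):
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"bad requirement name: {name!r}")
    return m.group(1), m.group(2), m.group(3)

def classify(sentence):
    if re.search(r"\bSHALL\b", sentence):   # also covers SHALL NOT
        return "requirement"
    if re.search(r"\bSHOULD\b", sentence):  # also covers SHOULD NOT
        return "recommendation"
    return None

def decompose(source, section, text):
    sentences = [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]
    normative = [(s, classify(s)) for s in sentences if classify(s)]
    reqs = []
    for n, (s, kind) in enumerate(normative):
        name = f"{source}{section}" + (f"-{ROMAN[n]}" if len(normative) > 1 else "")
        parse_name(name)  # reject names that break the scheme
        subjects = [a for a in ACTORS if re.search(rf"\b{a}s?\b", s, re.I)]
        found = re.findall(r"\bat IAL\d\b", s, re.I)
        conditions = [c.lower().replace("ial", "IAL") for c in found]
        reqs.append(Requirement(name, s, kind, subjects, conditions))
    return reqs

def needs_rework(reqs):
    # Rule of accountability: no named actor means the text must be made active.
    return [r.name for r in reqs if not r.subjects]

# Constructed sample text, not quoted from any source document.
SAMPLE = ("At IAL2, the CSP SHALL collect identity evidence. "
          "The CSP SHOULD record the outcome. "
          "Results SHALL NOT be used to determine suitability. "
          "This sentence is informative.")
```

Calling `needs_rework(decompose("A", "4.4", SAMPLE))` lists the decomposed items that name no actor and so need rewording by a person.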
Google spreadsheet for the work product. (Save a static snapshot once a week or so and upload it to the wiki page.)
LINK: https://docs.google.com/spreadsheets/d/1cPGjTvC4JRWzADHM8Xn9g9NKpIPTAPg3OvMvyk03Ln8/edit?usp=sharing