- the contents of the security framework, which should include at least 12 control identifiers (ID) with family notation of your choice and should include whether the control identifier is of low risk, moderate risk, or high risk impact;
- a gap analysis including a minimum of three controls for ID
- Your security framework must be at least one page in length