A needs statement should be prepared to describe, in written form, deficiencies in existing capabilities, new or changed program requirements, or opportunities for increased economy and efficiency.
It should justify the exploration of alternative solutions (including automation) to the deficiencies. An adaptation of the document should be used for systems not designated as major systems.
The need for SDLC security should be identified, based on anticipated system’s sensitivity/criticality. Since the needs statement is a management document, it normally should not exceed four to six pages in length.