access federal information system must: 1. defined security & privacy req 2. use state art equipment & aquisition processes 3. security & privacy planning 4. system development life cycle management 5. engineer for security & privacy 6. document practices & processes 7. continously monitor