Has the capability demonstrated open and honest discussions with the customer about unresolved risks?
Has the customer been presented with different approaches for achieving capability outputs including cyber security?
Has the capability understood where it fits in the wider operational environment?
Has the capability identified existing architectural patterns that could be re-used?
Has the capability considered how mutual support could address cyber security risks?
Does the capability have security objectives that are linked to its mission?
Has the capability integrated its risk management and change management processes?
Has the capability identified who is responsible for delivering each security requirement?