The most likely reason for some of the security requirements not being addressed in the system specification during the procurement of a new information system is that the description of the security requirements was insufficient. The description of the security requirements is the part of the procurement document that specifies the security objectives, criteria, standards, and measures that the system must meet or comply with. If the description of the security requirements is insufficient, vague, ambiguous, incomplete, or inaccurate, then the system specification may not reflect or satisfy the security needs and expectations of the organization. The procurement officer lacking technical knowledge, the security requirements changing during the procurement process, and there being no security professionals in the vendor’s bidding team are not the most likely reasons for this problem, as they do not directly affect the quality or clarity of the description of the security requirements. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, Software Development Security, page 1045. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8, Software Development Security, page 1071.