IT security requirements in the Swedish Armed Forces - KSF3 and additional security requirements

Authors:

  • Johan Bengtsson
  • Teodor Sommestad
  • Hannes Holm

Publish date: 2014-12-31

Report number: FOI-R--4000--SE

Pages: 60

Written in: Swedish

Keywords:

  • KSF
  • security analysis
  • IT-security requirements
  • cyber security

Abstract

This report describes two studies related to version 3 of Krav på säkerhetsfunktioner (KSF3) - a risk management model and a collection of IT security requirements on security functions developed by the Military Intelligence and Security Directorate (MUST) for the Swedish Armed Forces. In addition to these two studies, the report includes an analysis of how successful requirements engineering is measured in scholarly research.

The first of the two studies analysed 13 documents used in the accreditation process to specify how IT systems fulfil the IT security requirements of MUST. The purpose was to identify IT security requirements that are frequently added on top of the IT security requirements posed by MUST in KSF3. Of the 672 unique requirements investigated in the study, 288 were represented in KSF3, 308 were additional requirements and 76 were too ambiguous to be categorized. The majority of the additional requirements concerned non-physical measures (60%), many were motivated by antagonists (67%) and many specifically addressed system availability (15%). Nine categories of additional requirements were identified. The categories associated with the most requirements were configuration functionality (34%) and physical perimeter protection (17%). Furthermore, the current version of MUST's requirements on security functions (KSF3) differs significantly from the previous version (KSF2), which was used when the 13 security requirements specifications were written. Some parts of the KSF3 requirements are better represented in the documents than others. For instance, protection against malicious code is better represented in the documents than access control functions.

The second study analysed how the functional security requirements in KSF3 could most easily be realized in a fictitious system using typical security components. The researchers found that the basic level of KSF3 could most easily be realized with a Windows-based solution including a terminal server, antivirus software, a firewall and a tool for central log management. For the next level of KSF3, the (main) additional security components were assessed to be smartcard-based authentication, anomaly detection, a patch management server, and support for tagging objects. More advanced smartcards, application sandboxing and more advanced inspection systems for data exchange were the main additional functions for KSF3 on the highest level. Furthermore, in most cases TEMPEST protection and cable inspection are required (these may, however, also be relevant for fulfilling additional requirements).