This - OIX US ICAM LOA 1 Trust Framework (esp page 19 onwards) - should be what the security and privacy requirements document be modelled on. Designed by several of the top security and privacy researchers for the U.S Govt’s Open Identity Framework (which I dont know, why we are not making use of - its open and free to use)

Everything else is just a knee-jerk reaction.