System and services acquisition policy
system and services acquisition procedures
personally identifiable information processing policy
procedures addressing the minimization of personally identifiable information in system design
system design documentation
system configuration settings and associated documentation
change control records
information security and privacy requirements and specifications for the system
system security and privacy architecture
system security plan
privacy plan
privacy impact assessment
privacy risk assessment documentation
other relevant documents or records