UAF13 — Security Control should be a kind of Capability not a kind of Requirement

The UAF specification defines Security Control as a kind of SysML Requirement. However, the specification also references NIST SP 800-53 in the definition of Security Control. NIST SP 800-53 clearly separates Security Controls from Requirement. E.g., in section 2.1 Requirements and Controls of NIST SP 800-53r5 it says "...It is important to understand the relationship between requirements and controls." It goes on to say "...the term requirement is generally used to refer to information security and privacy obligations imposed on organizations." It defines controls as "...descriptions of the safeguards and protection capabilities appropriate
for achieving the particular security and privacy objectives of the organization...". In other words, Security Controls are a kind of capability.