When in the Software Development Life Cycle (SDLC) MUST software security functional requirements be defined?

A. After the system preliminary design has been developed and the data security categorization has been performed

B. After the vulnerability analysis has been performed and before the system detailed design begins

C. After the system preliminary design has been developed and before the data security categorization begins

D. After the business functional analysis and the data security categorization have been performed