This is pretty far removed from my experience, but the language in the security considerations references several RFCs for security considerations, references RFC 7201 for a set of security mechanisms available for use, and RFC 7202 for rationale on not including such details in each payload specification, like this one, This seems sufficient to me.