Mixed bag
The requirements do include some bits that are sensible and practical, and some that are neither. Take care to read to the end of each section before flaming. There is a cop-out for most of the over-broad requirements that reduce them to practicality or irrelevance. Careful choice for the definitions of undefined terms can make several requirements anywhere between practical and ineffective. Here are the howlers:
A subset of 8 character passwords are considered secure.
Administrative accounts should be configured to require a password change on a regular basis (e.g. at least every 60 days). - someone hasn't read the memo.
Administrative accounts should not be granted access to email or the internet (Diverting mail sent to an administrative account to the appropriate user account is simple and practical. If a sysadmin cannot fake From: and Reply-to: for the replies then he should RTFM promptly. What I do not get is how to prevent someone with administrative access getting around any restriction to internet access on an internet connected device.)
There is a long list of references to other standards that are not referenced in the text. This is where I expected to find requirements that effectively specify a particular brand of software. As they are not referenced, I would assume they are not requirements for certification.
There are two other documents: a questionaire and something about what to do with the answers. I am sure someone else will critique them before I get back.
Summary: vague woolly and the blind leading the apathetic.