Tasks address potential problems/weaknesses in the project (e.g. P408 Weak Password Requirements). In certain cases, these problems/weaknesses pertain to specific standards/regulations (e.g. PCI-DSS and PA-DSS).
However, a common issue is that different standards have different requirements for the same problem. To help with managing these different requirements, it is possible to create Additional Requirements for a Task.
For example, PA-DSSv2 requires that a password be at least 7 characters long while COBIT4.1 requires that a password be at least 8 characters long. In this case, we can create an Additional Requirement for P408 to record this difference in requirement between different standards. Note that this differs from How-Tos in that the details of implementation is not important in an Additional Requirement.