Establish and maintain an organizational cybersecurity framework (ISO/SAE 21434) and a Cybersecurity Management System (CSMS) (UNECE R155).

• Cybersecurity Policy and Objectives / CSMS Scope - OC.1

  Defining and communicating the organization's cybersecurity policy and objectives (ISO/SAE 21434) and defining the scope of the CSMS (UNECE R155).

• Risk Acceptance Criteria - OC.1.1

  Defining and documenting the organization's risk acceptance criteria for cybersecurity.

• Roles

  OC.2

• Segregation of Duties - OC.2.1

  Implementing segregation of duties to prevent single points of failure or abuse.

• Cybersecurity Processes & CSMS Procedures - OC.3

  Establishing cybersecurity processes (ISO/SAE 21434) and implementing CSMS procedures (UNECE R155).

• Asset Management - OC.3.1

  Establishing and maintaining an inventory of assets relevant to cybersecurity.

• Security Awareness & CSMS Training - OC.4

  Implementing security awareness (ISO/SAE 21434) and ensuring personnel skills for the CSMS (UNECE R155).

• Background Checks - OC.4.1

  Conducting background checks for personnel with access to sensitive systems or data.

• Resource Management for Cybersecurity & CSMS - OC.5

  Ensuring resources for cybersecurity (ISO/SAE 21434) and for the CSMS (UNECE R155).

• Capacity Planning - OC.5.1

  Planning for future cybersecurity resource needs based on anticipated growth and changes.

Define cybersecurity goals and requirements (ISO/SAE 21434).

• Definition of Cybersecurity Goals - CP.1

  Establishing clear and measurable cybersecurity goals for the specific vehicle or component (the "item").

• Identification of Cybersecurity Requirements - CP.2

  Identifying and documenting the specific cybersecurity requirements based on the defined goals and relevant regulations (including UNECE R155 & R156 where applicable).

• Definition of Item's Cybersecurity Scope - CP.3

  Clearly defining the boundaries and interfaces of the item that are relevant to cybersecurity.

Implement cybersecurity measures (ISO/SAE 21434).

• Cybersecurity Risk Assessment (TARA) - PD.1

  Conducting detailed cybersecurity risk assessments for the item during the development phase; including Threat Analysis and Risk Assessment (TARA) methodologies as often referenced in both ISO/SAE 21434 and UNECE R155.

• Cybersecurity Controls Implementation - PD.2

  Designing and implementing cybersecurity controls to mitigate the identified risks and meet the defined cybersecurity requirements.

• Authentication and Authorization - PD.2.1

  Implementing robust authentication and authorization mechanisms within the item.

• Data Encryption - PD.2.2

  Implementing encryption for sensitive data both when it is stored (at rest) and when it is being transmitted (in transit) within or by the item.

• Cybersecurity Verification and Validation - PD.3

  Verifying and validating that the implemented cybersecurity controls are effective and meet the defined cybersecurity requirements.

• Static and Dynamic Code Analysis - PD.3.1

  Utilizing static and dynamic code analysis tools during the software development lifecycle.

• Management of Vulnerabilities - PD.4

  Establishing and maintaining a robust process for identifying; analyzing; and addressing cybersecurity vulnerabilities in the item throughout its lifecycle.

• Secure Software Development - PD.5

  Adhering to secure coding practices and guidelines during the software development process.

• Cybersecurity Documentation - PD.6

  Creating and maintaining comprehensive cybersecurity documentation for the item throughout its lifecycle.

• Supplier Cybersecurity Management - PD.7

  Addressing cybersecurity risks associated with suppliers and their components used in the item.

Ensure cybersecurity during manufacturing (ISO/SAE 21434).

• Secure Manufacturing Processes - PR.1

  Implementing secure processes during the manufacturing and assembly of the item to prevent the introduction of vulnerabilities or unauthorized modifications.

• Traceability and Configuration Management - PR.2

  Maintaining traceability of all components and configurations relevant to cybersecurity throughout the production process.

Maintain and improve cybersecurity (ISO/SAE 21434) and address CSMS/SUMS.

• Cybersecurity Monitoring and Analysis - PSD.1

  Continuously monitoring the cybersecurity posture of the released items in the field and analyzing potential threats and vulnerabilities that may emerge after deployment.

• Intrusion Detection and Prevention - PSD.1.1

  Implementing intrusion detection and prevention systems (IDPS) within the item or its supporting infrastructure.

• Vulnerability Management (Post-Release) - PSD.2

  Managing newly discovered cybersecurity vulnerabilities that affect the released items; including the processes for receiving reports; analyzing the vulnerabilities; prioritizing their remediation; and developing and deploying patches or updates.

• Incident Response - PSD.3

  Handling cybersecurity incidents that occur in the released items; including the phases of detection; analysis; containment; eradication; recovery; and post-incident analysis.

• Software Updates and Maintenance (including CSMS/SUMS OTA) - PSD.4

  Providing secure software updates and maintenance for the released items throughout their lifecycle; including Over-The-Air (OTA) update capabilities as required by UNECE R155 and managed under a Software Update Management System (SUMS) as per UNECE R156.

• End-of-Life Management - PSD.5

  Defining and implementing processes for the secure end-of-life handling of the item and its components.

Specific requirements of UNECE R155 for the Cybersecurity Management System.

• CSMS Risk Assessment - CSMS.1

  Conducting cybersecurity risk assessments relevant to the vehicle type as part of the CSMS.

• CSMS Cybersecurity by Design and by Default - CSMS.2

  Ensuring that cybersecurity is considered and integrated throughout the entire vehicle lifecycle within the CSMS framework.

• CSMS Human Resources - CSMS.3

  Ensuring that personnel involved in activities related to the CSMS have the necessary skills; competence; and awareness to fulfill their responsibilities effectively.

• CSMS Incident Response - CSMS.4

  Establishing and maintaining processes for detecting; analyzing; and responding to cybersecurity incidents within the CSMS framework.

• CSMS Software Updates (OTA) - CSMS.5

  Establishing and maintaining processes to ensure the security of software updates; including Over-The-Air (OTA) updates; as a key component of the CSMS.

• CSMS Data Security and Protection - CSMS.6

  Implementing measures to ensure the security and protection of data that is processed; stored; or transmitted by the vehicle and its related systems within the context of the CSMS.

• CSMS Supply Chain Security - CSMS.7

  Establishing and maintaining measures to address cybersecurity risks associated with the supply chain within the CSMS framework.

• CSMS Security Testing and Validation - CSMS.8

  Establishing and maintaining processes for regularly testing and validating the effectiveness of the cybersecurity measures implemented within the CSMS.

• CSMS Continuous Monitoring and Improvement - CSMS.9

  Establishing and maintaining processes for the ongoing monitoring and continual improvement of the CSMS.

Requirements of UNECE R156 for a Software Update Management System.

• SUMS Policy and Objectives - SUMS.1

  Defining the policy and objectives for the Software Update Management System (SUMS).

• SUMS Roles and Responsibilities - SUMS.2

  Defining the roles and responsibilities of personnel involved in the Software Update Management System (SUMS).

• SUMS Processes and Procedures - SUMS.3

  Establishing and maintaining documented processes and procedures for the Software Update Management System (SUMS).

• SUMS Resource Management - SUMS.4

  Ensuring that the Software Update Management System (SUMS) has the necessary resources to operate effectively.

• SUMS Risk Assessment - SUMS.5

  Conducting risk assessments specifically related to the software update process.

• SUMS Security - SUMS.6

  Ensuring the security of the software update process and the infrastructure used to manage and deliver updates.

• SUMS Validation and Verification - SUMS.7

  Validating and verifying the software update process and the updated software before deployment to vehicles.

• SUMS Documentation and Records - SUMS.8

  Maintaining comprehensive documentation and records related to the Software Update Management System (SUMS) and all software update activities.

• SUMS Incident Response - SUMS.9

  Having established procedures for responding to and managing incidents that are related to the software update process.

• SUMS Continuous Improvement - SUMS.10

  Implementing processes for the continuous monitoring and improvement of the Software Update Management System (SUMS).