Clause 7

Introduction

Welcome to our written course on ISO/SAE 21434 Clause 7: Distributed Cybersecurity Activities. This lesson aims to provide a comprehensive understanding of the clause’s requirements and its significance in managing cybersecurity responsibilities across customers and suppliers within the automotive industry. By the end of this course, you’ll be equipped with the knowledge necessary to effectively implement this clause and ensure robust cybersecurity measures throughout your supply chain.

ISO/SAE 21434 Clause 7 focuses on the distribution of cybersecurity activities, particularly the management of cybersecurity responsibilities between an organization and its suppliers. This can include both external suppliers and internal supply teams, depending on your organization’s structure. The essence of this clause is the extension of cybersecurity management down the supply chain, ensuring all parties involved adhere to the cybersecurity standards and requirements set forth by ISO/SAE 21434.

Understanding the Clause

The primary objective of Clause 7 is to manage cybersecurity responsibilities effectively between customers and suppliers. This includes activities related to items and components where cybersecurity-related tasks are executed by a supplier. It is crucial for organizations to assess the cybersecurity capabilities of prospective suppliers and establish cybersecurity goals for each project or component. The Request for Quotation (RFQ) process plays a significant role in this, where adherence to ISO/SAE 21434 and the definition of cybersecurity responsibilities in a Cybersecurity Interface Agreement (CSIA) are critical components.

Key Considerations and Implementation

Implementing Clause 7 involves several key considerations and teams within an organization, including:

  • Product Cybersecurity Team
  • Supplier Management
  • Procurement
  • Product Development
  • Compliance
  • Risk Management
  • Legal

One of the primary challenges is the responsibility for the cybersecurity of the supply chain, including evaluating supplier cybersecurity capabilities and tracking cybersecurity activities. Despite these challenges, implementation becomes more manageable once an organization’s cybersecurity processes are well-defined.

Integrating with the V-Cycle and ISO 26262

Clause 7 integrates into the V-model systems development life cycle, highlighting the parallel between safety and cybersecurity in the automotive engineering process. It is crucial to leverage synergies with ISO 26262, such as using similar processes for vendor assessment and coordinating security and safety work products into the product development lifecycle.

General Process and Workflow

The general process for implementing Clause 7 includes:

  1. Assessing the cybersecurity capabilities of suppliers.
  2. Establishing cybersecurity goals for the project/component.
  3. Including cybersecurity requirements in the RFQ.
  4. Finalizing a Cybersecurity Interface Agreement (CSIA) that outlines the responsibilities for cybersecurity-related activities.
  5. Tracking and verifying the performance of cybersecurity activities as listed in the CSIA.

Key Provisions and Work Products

Clause 7 contains eight provisions and one primary work product, the CSIA, which is crucial for documenting the distribution of cybersecurity responsibilities between the customer and suppliers. Implementing these provisions effectively requires a thorough understanding of both the requirements and the recommended actions to ensure compliance with ISO/SAE 21434.

Conclusion

Successfully implementing ISO/SAE 21434 Clause 7 is essential for ensuring the cybersecurity of automotive products and components across the supply chain. By understanding the requirements, considerations, and the general process outlined in this course, organizations can effectively manage cybersecurity responsibilities with their suppliers, ensuring adherence to industry standards and enhancing the overall cybersecurity posture of their products.

Clause 7 emphasizes the importance of evaluating a supplier’s cybersecurity capabilities during the selection process and including cybersecurity requirements in requests for quotation to ensure it is considered during sourcing. It also highlights the need to clearly define cybersecurity responsibilities in distributed development involving automotive OEMs, suppliers, and partners.

Contents:

  • 1 Work Product
  • 5 Requirements
  • 3 Recommendations
  • 9 Cybersecurity activities (7.4.1 - 7.4.3)

7.4.1 Supplier Capability

[RQ-07-01]

The capability of a candidate supplier to develop and, if applicable, perform post-development activities in accordance with this document shall be evaluated.

This evaluation aids in selecting a supplier and may be based either on the supplier’s ability to comply with this document or on their past performance in implementing another national or international standard related to cybersecurity engineering.

[RC-07-02]

To support a customer’s evaluation of supplier capability, a supplier should provide a record of cybersecurity capability.

Documentation of cybersecurity capability may include:

  • proof of the organization’s competence in cybersecurity (e.g., best practices applied during development, post-development, governance, quality management, and information security);
  • evidence of ongoing cybersecurity efforts (refer to Clause 8) and incident response measures (refer to Clause 13); and
  • summaries of past cybersecurity assessment reports.

Supplier Capability Checklist

Below you will find the RQ-07-01 checklist that you can refer to.

Part A: General Supplier Capability

Part B: Cybersecurity Process Capability

Part C: Post-Development Capability (if applicable)


7.4.2 Request for Quotation

[RQ-07-03]

A request for quotation from a customer to a candidate supplier shall include:

a) a formal request to conform to this document;
b) the expectation that cybersecurity responsibilities will be taken on by the supplier in accordance with 7.4.3; and
c) the cybersecurity goals and/or set of cybersecurity requirements relevant to the item or component for which the supplier is quoting.


7.4.3 Alignment of responsibilities

Work Product(s) [WP-07-01] Cybersecurity Interface Agreement (CSIA)

[RQ-07-04]

A customer and a supplier shall specify the distributed cybersecurity activities in a cybersecurity interface agreement including:

a) appointment of customer’s and supplier’s points of contact regarding cybersecurity;
b) identification of cybersecurity activities that are to be performed by customer and supplier, respectively;
c) if applicable, a joint tailoring of cybersecurity activities in accordance with 6.4.3;
d) the information and the work products to be shared;
e) milestones regarding the distributed cybersecurity activities; and
f) definition of the end of cybersecurity support for the item or component.

Below you can refer to the Cybersecurity Interface Agreement (CIA) Compliance Checklist.

1. Points of Contact

  • Has the customer appointed a Cybersecurity Point of Contact (CSPoC)?
  • Has the supplier appointed a CSPoC?
  • Are contact details and roles/responsibilities documented?

2. Cybersecurity Activity Distribution

  • Are the cybersecurity activities clearly listed for both customer and supplier?
  • Are examples documented (e.g., vehicle-level validation by customer)?
  • Is there clarity on post-development responsibilities?
  • Is responsibility for cybersecurity assessment (customer/supplier/3rd party) clearly defined?

3. Joint Tailoring (if applicable)

  • Has clause 6.4.3 been reviewed for possible tailoring?
  • Have any jointly agreed tailoring decisions been documented?
  • Have both parties signed off on tailored processes or activities?

4. Information and Work Product Sharing

  • Have the types of information and work products to be shared been listed?
  • Have the following areas been addressed:
  • Distribution and review processes?
  • Cybersecurity issue and vulnerability feedback mechanisms?
  • Risk-related information exchange procedures?
  • Interface-related processes, methods, and tools?
  • Roles and responsibilities for each party?
  • Change management and potential TARA updates?
  • Requirements management tool alignment?
  • Cybersecurity assessment results sharing?

5. Milestones

  • Are key milestones for distributed cybersecurity activities clearly defined?
  • Are milestones aligned with the project lifecycle?
  • TARA completion
  • Design reviews
  • Implementation phases
  • Validation/verification
  • Support and incident handling

6. End of Cybersecurity Support

  • Is there a documented end-of-support date or condition for the item/component?
  • Have support scope and duration (e.g., patches, monitoring) been clearly agreed upon?

7. Review and Maintenance

  • Has a review cycle or trigger condition been defined (e.g., major changes, annually)?
  • Is the CIA version-controlled and change-tracked?
  • Is there a mechanism for both parties to approve updates?

8. Sign-off and Archiving

  • Has the CIA been formally signed by both customer and supplier?
  • Is the agreement archived and accessible to relevant stakeholders?

Alignment of reponsibilities

[RC-07-05] The cybersecurity interface agreement should be mutually agreed upon between customer and supplier prior to the start of the distributed cybersecurity activities.

[RQ-07-06] If there is an identified vulnerability to be managed in accordance with [RQ-08-07], the customer and supplier shall agree on actions and responsibility for those actions.

[RQ-07-07] If requirements are unclear, not feasible, or conflict with other cybersecurity requirements or requirements from other disciplines, then customer and supplier shall each notify the other so that appropriate decisions and actions can be taken.

[RC-07-08] Responsibilities should be specified in a responsibility assignment matrix.

A RASIC table can be used.

Provisions and Work Products Overview

Last updated on