
Supplier & External Interfaces

For China-market vehicles, GB/T 44495 (cybersecurity) and GB/T 44496 (software updates) expect the manufacturer to manage end-to-end supply-chain security: requirements flow-down, evidence exchange, audits, update coordination, and incident handling. This non-normative guide outlines a practical, audit-ready approach.

Objectives

  • Define responsibilities across OEM, Tier-1/2, tool vendors, and service partners.
  • Flow down security & update requirements with measurable acceptance criteria.
  • Operate a controlled evidence exchange (artifacts, SBOMs, test reports).
  • Run risk-based assessments/audits and track CAPA to closure.
  • Coordinate update campaigns, keys/credentials, and incident response.

Responsibility Split & Governance

  • RACI matrices per interface (item security, TARA, V&V, PSIRT, SUMS, records/retention).
  • Design authority and waiver rules (who can accept residual risk; re-approval triggers).
  • Local CN contacts for audits, incident comms, and authority queries.

Requirements Flow-Down (Contract & Spec)

Embed both product and process expectations:

  • Product security: secure boot, partitioning, authenticated comms, logging, IDS hooks.
  • Update controls: signing/verification, anti-rollback counters, eligibility rules, rollback path.
  • Process: SDLC security gates, vuln handling/PSIRT SLAs, SBOM delivery & maintenance.
  • Evidence: test reports (incl. fuzz/pentest scope), coverage/traceability, conformity letters.
  • Acceptance criteria: measurable entry/exit, defect classes & fix timelines.

Evidence Exchange & Versioning

  • Portal-based delivery with access control; encrypt in transit and at rest.
  • Artifact packages: TARA excerpts, requirements coverage, V&V results, SBOMs, update procedures.
  • Stable IDs & manifests for documents/builds/keys; record hashes and owners.
  • Bilingual labels (EN/中文) for CN audits and joint reviews.

Supplier Assessment & Audits

  • Capability: CSMS/SUMS maturity, competence, incident playbooks, toolchain control.
  • Product risk: interface exposure, criticality, backend dependencies, update path robustness.
  • Audit focus: high-risk controls (keys, signing, parsers, diag/service tools).
  • CAPA: time-bound fixes, re-test triggers (major release, incident, key rotation).

Interface Security & Keys/Credentials

  • Key custody: HSM-backed generation, rotation, revocation; dual control for sensitive ops.
  • Delegation: supplier signing under OEM-approved PKI with scoped certs and audit logs.
  • Service tools: authenticated access, attestation/version control, tamper-evident logs.
  • Backend: mutual auth, rate limits, replay protection, secrets management.

Open Source & Third-Party Components

  • Deliver and maintain SBOMs per release; track vulnerabilities against SBOM.
  • Define patch SLAs and backport policy for critical components.
  • Verify provenance (supply-chain integrity) for imported binaries and libraries.

China Context: Localization, Residency & Compliance

  • Localization: CN translations for critical specs, comms, and evidence indices.
  • Data residency: document storage locations for telemetry/records; cross-border transfer rules if any.
  • Regulatory comms: align supplier notices with OEM authority filings when applicable.

Incident Coordination (PSIRT)

  • Shared intake channels (security, portal forms) and encrypted exchange.
  • Severities & SLAs agreed contractually; OEM incident commander identified.
  • Corrective updates linked to GB/T 44496 campaign dossiers; joint post-mortems and lessons learned.

KPIs & Continuous Improvement

  • Supplier first-time pass rate on acceptance; time-to-patch for critical vulns.
  • Evidence completeness (on-time, correct IDs, coverage); audit findings closure.
  • Key/signing errors, eligibility failures, and rollback events attributable to supplier-sourced items.

Practical Do / Don’t

Do

  • Provide standard contract clauses and evidence templates up front.
  • Require SBOM + test summaries with every delivery.
  • Run joint incident drills (focus: keys, eligibility, rollback).
  • Snapshot eligibility rules used for each VIN decision.
  • Tag all artifacts for China applicability and keep translations versioned.

Don’t

  • Accept deliveries without signed manifests and stable IDs.
  • Share keys/credentials via email or unmanaged channels.
  • Depend on certificates alone—ask for evidence tied to your threats.
  • Change rollout eligibility mid-campaign without re-approval and supplier alignment.
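As an added example (not from the page or any OEM or supplier tooling), the check below applies the evidence-exchange rules above and the "signed manifests and stable IDs" rule to a constructed supplier delivery: stable supplier/build IDs, a version counter for anti-rollback, a SHA-256 hash and owner per artifact, and an SBOM and test summary present. It uses an HMAC under a shared key as a stand-in for the scoped PKI signature the page calls for; the field names, file paths and artifact bytes are constructed for the example.

```python
import hashlib
import hmac
import json
# Constructed sample delivery (path -> bytes); a real delivery is files on the exchange portal.
ARTIFACTS = {
    "fw/ecu-a.bin": b"constructed firmware image, build 2",
    "sbom/ecu-a.spdx.json": b'{"spdxVersion": "SPDX-2.3", "packages": []}',
    "test/ecu-a-vv-summary.txt": b"constructed V&V summary",
}
# Stand-in for a PKI-backed signing key (assumption; real deliveries use scoped certs).
SIGNING_KEY = b"constructed-shared-key"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(body: dict) -> bytes:
    # Deterministic encoding so signer and verifier sign/verify the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def build_manifest(supplier_id, build_id, version_counter, artifacts, key=SIGNING_KEY):
    entries = [{"path": p, "sha256": sha256_hex(b), "owner": supplier_id}
               for p, b in sorted(artifacts.items())]
    body = {"supplier_id": supplier_id, "build_id": build_id,
            "version_counter": version_counter, "artifacts": entries}
    return {"body": body, "signature": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}

def check_delivery(manifest, artifacts, last_accepted_counter, key=SIGNING_KEY,
                   required_prefixes=("sbom/", "test/")):
    """Return a list of findings; an empty list means the delivery may be accepted."""
    body = manifest.get("body", {})
    findings = [f"missing field: {f}" for f in
                ("supplier_id", "build_id", "version_counter", "artifacts") if f not in body]
    if findings:
        return findings  # without stable IDs nothing else in the package is attributable
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(manifest.get("signature", ""))):
        findings.append("manifest signature invalid")
    if body["version_counter"] <= last_accepted_counter:  # anti-rollback counter
        findings.append(f"anti-rollback: counter {body['version_counter']} <= {last_accepted_counter}")
    listed = {e["path"] for e in body["artifacts"]}
    for e in body["artifacts"]:
        data = artifacts.get(e["path"])
        if data is None:
            findings.append(f"listed artifact missing: {e['path']}")
        elif sha256_hex(data) != e["sha256"] or e.get("owner") != body["supplier_id"]:
            findings.append(f"hash/owner mismatch: {e['path']}")
    present = listed & set(artifacts)  # only listed and delivered files count as evidence
    findings += [f"unlisted artifact: {p}" for p in artifacts if p not in listed]
    findings += [f"no {pre} artifact delivered" for pre in required_prefixes
                 if not any(p.startswith(pre) for p in present)]
    return findings
```

A clean package returns no findings; each rule violated (stale counter, altered binary, edited manifest body, dropped SBOM) shows up as its own finding so the CAPA record can cite it.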

Typical Outputs / Evidence

  • RACI per interface; CN contacts for audits/incidents.
  • Contracts/SOWs with security/update clauses, SLAs, and acceptance criteria.
  • Supplier evidence packs: TARA excerpts, requirements coverage, V&V reports, SBOMs, update procedures.
  • Key/credential custody records, PKI delegation docs, access/audit logs.
  • Assessment/audit reports, CAPA and re-test results; localized indices and manifests.
  • Joint incident timelines, corrective updates linked to campaign dossiers.

Disclaimer: This page summarizes supplier and external interface practices relevant to GB/T 44495 & 44496. For authoritative requirements, consult the official standards and applicable guidance from Chinese authorities or accredited bodies.