
Supplier & External Interfaces

Under UNECE R155, the manufacturer’s Cybersecurity Management System (CSMS) must cover the entire supply chain. This includes clear allocation of responsibilities, requirements flow-down, evidence exchange, and proportionate assessment of suppliers and external service providers whose products or services affect the vehicle’s cybersecurity posture.

Objectives

  • Define and document responsibilities for cybersecurity activities across parties.
  • Flow down cybersecurity requirements into contracts, specifications, and SOWs.
  • Establish evidence exchange and acceptance criteria for delivered items.
  • Perform risk-based supplier assessments and audits where appropriate.
  • Coordinate monitoring, vulnerability handling, and incident response with suppliers.

Responsibility Split & Governance

  • RACI/Roles: Define who is Responsible, Accountable, Consulted, Informed for each interface.
  • Design authority: Clarify who approves security-relevant design decisions and changes.
  • Escalation: Set up decision forums for risk acceptance, exceptions, and waivers.

Requirements Flow-Down

Contracts and technical specifications should embed cybersecurity requirements derived from risk analysis:

  • Product requirements: secure boot, authenticated updates, secure communications, partitioning, logging.
  • Process requirements: secure development lifecycle, vulnerability management, SBOM and change control.
  • Evidence requirements: test reports, penetration testing summaries, traceability, conformity statements.
  • Acceptance criteria: measurable conditions to approve deliveries (incl. remediation SLAs).

Evidence Exchange & Acceptance

  • Artifact packages: TARA excerpts, requirements coverage, V&V reports, update procedures, SBOMs.
  • Secure channels: controlled portals or encrypted transfer with access control and retention policy.
  • Verification: independent checks, spot testing, and issue tracking linked to deliverables.
  • Versioning: stable IDs for documents, builds, keys/certs, and calibration/config items.

Supplier Assessment & Audits

Apply a risk-based approach to evaluate supplier capability and product risk:

  • Capability assessment: CSMS/SDLC maturity, incident response, competence and training.
  • Product assessment: threat exposure, criticality, interfaces, dependency on backend services.
  • Audit scope: proportional to risk; focus on controls that mitigate top threats.
  • Follow-up: corrective actions with deadlines and re-test/re-audit triggers.

Interface Security & Operations

  • Key & credential management: provisioning, storage, rotation; custody during production and service.
  • Update process coordination: package signing, eligibility, anti-rollback (align with R156/ISO 24089).
  • Monitoring & PSIRT linkage: vuln intake, advisories, incident escalation, shared timelines.
  • Service tool controls: authenticated access, audit logs, tamper-resistance, revocation capability.
  • Third-party cloud/backends: security expectations for interfaces that impact the vehicle.

Open-Source & Third-Party Components

  • Maintain SBOM for software stacks and track vulnerabilities against it.
  • Define patch SLAs and backport strategy for critical components.
  • Require licensing compliance and provenance (supply chain integrity).
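As an added illustration that is not part of this page or any regulation text, the following Python script shows how the SBOM tracking, patch SLAs, and remediation-based acceptance criteria described above can be combined into a simple delivery gate. The SBOM fragment, advisory IDs, dates, and SLA values are all constructed assumptions; real matching would also evaluate affected version ranges rather than exact package URLs.

```python
import json
from datetime import date, timedelta

# Constructed CycloneDX-style SBOM fragment, not a real supplier deliverable.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k",
     "purl": "pkg:generic/openssl@1.1.1k"},
    {"type": "library", "name": "zlib", "version": "1.2.13",
     "purl": "pkg:generic/zlib@1.2.13"},
    {"type": "library", "name": "mbedtls", "version": "2.28.0",
     "purl": "pkg:generic/mbedtls@2.28.0"}
  ]
}"""

# Constructed advisory feed keyed by exact purl; IDs are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "purl": "pkg:generic/openssl@1.1.1k",
     "severity": "critical", "published": "2024-01-10"},
    {"id": "ADV-PLACEHOLDER-2", "purl": "pkg:generic/mbedtls@2.28.0",
     "severity": "medium", "published": "2024-02-01"},
]

# Illustrative contractual patch SLAs (days from advisory publication), per severity.
PATCH_SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

def parse_sbom(sbom_json):
    """Return the set of package URLs declared in the SBOM components."""
    bom = json.loads(sbom_json)
    return {c["purl"] for c in bom.get("components", []) if "purl" in c}

def match_advisories(purls, advisories):
    """Exact purl match; a real pipeline would also evaluate affected version ranges."""
    return [a for a in advisories if a["purl"] in purls]

def sla_status(advisory, today):
    """Compute the contractual due date and whether remediation is overdue."""
    due = date.fromisoformat(advisory["published"]) + timedelta(
        days=PATCH_SLA_DAYS[advisory["severity"]])
    return {"id": advisory["id"], "purl": advisory["purl"],
            "due": due.isoformat(), "overdue": today > due}

def acceptance_gate(sbom_json, advisories, today_iso):
    """Delivery passes only if no matched advisory has breached its patch SLA."""
    today = date.fromisoformat(today_iso)
    findings = [sla_status(a, today)
                for a in match_advisories(parse_sbom(sbom_json), advisories)]
    return not any(f["overdue"] for f in findings), findings
```

The returned findings list is what would be attached to the delivery record and mirrored into the supplier risk register.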

Practical Do / Don’t

Do

  • Use standard templates for requirements and evidence requests.
  • Bind security SLAs (e.g., vuln triage/patch timelines) into contracts.
  • Request SBOMs and update them at every release.
  • Run joint incident drills with key suppliers and service partners.
  • Track supplier risks in the same register as internal risks.

Don’t

  • Rely solely on certificates—ask for evidence tied to your threats.
  • Accept deliveries without versioned artifacts and acceptance criteria.
  • Ignore backend/service dependencies that affect in-vehicle risk.
  • Leave key/credential handling ambiguous between parties.

Typical Outputs / Evidence

  • Responsibility matrices (RACI), interface specifications, and security clauses in contracts/SOWs.
  • Supplier assessment/audit records with corrective actions and re-test results.
  • Evidence packages: TARA excerpts, requirements coverage, test reports, SBOMs, update/signing procedures.
  • Operational coordination artifacts: PSIRT contacts, intake policy, incident timelines, advisories.
  • Key/credential custody records; secure provisioning and revocation procedures.

Disclaimer: This page summarizes supplier and external interface expectations under UNECE R155. For authoritative requirements, consult the regulation text and your approval authority’s guidance.