You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
methodology/ISO21434-Mapping.md is strong on Clause 15 (TARA) but thin on the lifecycle around it. Several Clause 9–12 work products still have no RDX home: cybersecurity concept (control allocation + rationale), cybersecurity validation/verification evidence (test cases, test results, coverage), and continuous risk maintenance (status over time, review cadence, validity, field feedback, incident/vulnerability linkage). This issue closes those gaps — orthogonal to #51 (cybersecurity requirements) and #61 (test coverage model), which it depends on.
Proposed change
cybersecurityConcept object on itemDefinition: controlAllocation[] (control → component(s) at a higher level than implementation), allocationRationale, concept-level securityClaimRefs.
continuousRiskMaintenance on riskValues[]: lastReviewedAt, nextReviewDueAt, reviewCadence (e.g., P3M), validityPeriod, fieldFeedbackRefs[], incidentRefs[], vulnerabilityRefs[], monitoringRefs[] (linking to Add monitoringAndDetection[] for MDR / detection engineering use cases #55monitoringAndDetection[] entries).
reviewHistory[] at document level: reviewedAt, reviewerPartyRef, outcome, notes.
methodology/ISO21434-Mapping.md rewrite: expand to cover Clauses 5–12 with concrete RDX object mappings, not just TARA.
References
AI peer review, section 7 ("ISO 21434 coverage is focused on TARA, but not the full lifecycle")
Motivation
methodology/ISO21434-Mapping.mdis strong on Clause 15 (TARA) but thin on the lifecycle around it. Several Clause 9–12 work products still have no RDX home: cybersecurity concept (control allocation + rationale), cybersecurity validation/verification evidence (test cases, test results, coverage), and continuous risk maintenance (status over time, review cadence, validity, field feedback, incident/vulnerability linkage). This issue closes those gaps — orthogonal to #51 (cybersecurity requirements) and #61 (test coverage model), which it depends on.Proposed change
cybersecurityConceptobject onitemDefinition:controlAllocation[](control → component(s) at a higher level than implementation),allocationRationale,concept-level securityClaimRefs.continuousRiskMaintenanceonriskValues[]:lastReviewedAt,nextReviewDueAt,reviewCadence(e.g.,P3M),validityPeriod,fieldFeedbackRefs[],incidentRefs[],vulnerabilityRefs[],monitoringRefs[](linking to Add monitoringAndDetection[] for MDR / detection engineering use cases #55monitoringAndDetection[]entries).reviewHistory[]at document level:reviewedAt,reviewerPartyRef,outcome,notes.methodology/ISO21434-Mapping.mdrewrite: expand to cover Clauses 5–12 with concrete RDX object mappings, not just TARA.References
Acceptance criteria
cybersecurityConcept,continuousRiskMaintenance,reviewHistory[]added in JSON Schema + XSDmethodology/ISO21434-Mapping.mdexpanded to cover Clauses 5–12REQUIREMENTS.mdSurfaced by external AI peer review; see chat transcript for full review text.