Skip to content

Add distributed cybersecurity activities and supplier responsibility model #58

Description

@JohnASRG

Motivation

ISO/SAE 21434 Clause 7 (distributed cybersecurity activities) and the OEM/Tier-1 reality of automotive supply chains require RDX to express who is responsible for which risk artifact, how responsibility transfers between supplier and integrator, and what the cybersecurity interface agreement (CIA / DIA) reference is. RDX today has no supplier responsibility model, which makes supplier↔OEM exchange ambiguous.

Proposed change

  1. responsibleParty object reusable on itemDefinition, controls, riskValues, attackPaths, cybersecurityRequirements:
    { partyId, partyName, role: "supplier"|"integrator"|"oem"|"operator"|"thirdParty",
      contactRef, responsibilityScope: "implementation"|"verification"|"monitoring"|"acceptance"|"shared",
      cybersecurityInterfaceAgreementRef }
    
  2. parties[] at top-level so identities can be reused — id, legalName, cscrmIdentifier (DUNS/LEI/internal), country, contact.
  3. cybersecurityInterfaceAgreements[]: id, parties[], scope summary, version, signed-on date, document reference (typically via linkedArtifacts[] Richer SBOM/HBOM/VEX linkage via a typed linkedArtifacts[] traceability layer #52).
  4. Risk-sharing model: riskValues[].sharedResponsibility[] array showing how a residual risk is split / transferred between parties (matters for R155 type approval and CRA manufacturer obligations).
  5. Example: examples/rdx-supplier-exchange-example.json showing supplier → OEM hand-off of a TARA chunk with explicit responsibility transfer.

References

Acceptance criteria

  • parties[], cybersecurityInterfaceAgreements[], and responsibleParty substructure added
  • riskValues[].sharedResponsibility[] added
  • Example demonstrates a supplier-to-OEM transfer with explicit CIA reference
  • methodology/ adds a "Distributed cybersecurity activities" page

Surfaced by external AI peer review; see chat transcript for full review text.

Metadata

Metadata

Assignees

No one assigned

    Labels

    ai-proposalProposed by the AI idea scout; needs human reviewenhancementNew feature or requestpeer-reviewSurfaced by external AI/peer review of the repopriority/P2Medium priority — regulatory & lifecycle

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions