You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
ISO/SAE 21434 Clause 7 (distributed cybersecurity activities) and the OEM/Tier-1 reality of automotive supply chains require RDX to express who is responsible for which risk artifact, how responsibility transfers between supplier and integrator, and what the cybersecurity interface agreement (CIA / DIA) reference is. RDX today has no supplier responsibility model, which makes supplier↔OEM exchange ambiguous.
Proposed change
responsibleParty object reusable on itemDefinition, controls, riskValues, attackPaths, cybersecurityRequirements:
Risk-sharing model: riskValues[].sharedResponsibility[] array showing how a residual risk is split / transferred between parties (matters for R155 type approval and CRA manufacturer obligations).
Example: examples/rdx-supplier-exchange-example.json showing supplier → OEM hand-off of a TARA chunk with explicit responsibility transfer.
Motivation
ISO/SAE 21434 Clause 7 (distributed cybersecurity activities) and the OEM/Tier-1 reality of automotive supply chains require RDX to express who is responsible for which risk artifact, how responsibility transfers between supplier and integrator, and what the cybersecurity interface agreement (CIA / DIA) reference is. RDX today has no supplier responsibility model, which makes supplier↔OEM exchange ambiguous.
Proposed change
responsiblePartyobject reusable onitemDefinition,controls,riskValues,attackPaths,cybersecurityRequirements:parties[]at top-level so identities can be reused —id,legalName,cscrmIdentifier(DUNS/LEI/internal),country,contact.cybersecurityInterfaceAgreements[]: id, parties[], scope summary, version, signed-on date, document reference (typically vialinkedArtifacts[]Richer SBOM/HBOM/VEX linkage via a typed linkedArtifacts[] traceability layer #52).riskValues[].sharedResponsibility[]array showing how a residual risk is split / transferred between parties (matters for R155 type approval and CRA manufacturer obligations).examples/rdx-supplier-exchange-example.jsonshowing supplier → OEM hand-off of a TARA chunk with explicit responsibility transfer.References
Acceptance criteria
parties[],cybersecurityInterfaceAgreements[], andresponsiblePartysubstructure addedriskValues[].sharedResponsibility[]addedmethodology/adds a "Distributed cybersecurity activities" pageSurfaced by external AI peer review; see chat transcript for full review text.