The topic of cybersecurity assessments is being pursued with full commitment. After the intacs™ working group “Cybersecuirty SPICE” developed a first PAM as an intacs™ add-on for existing SPICE models in 2020, a working group of the VDA has now published the yellow volume “Automotive SPICE for Cybersecurity 1st Edition February 2021” online based on this material. The feedback phase ends at the end of May 2021: https://vdaqmc.de/en/publications/yellow-prints/
The yellow volume consists of 2 parts: Part I contains the process reference and the assessment model for Cybersecurity Engineering. Part II contains the assessment guidelines for the process.
UNECE Regulation R155 requires the vehicle manufacturer to, among other things, identify and manage cybersecurity risks in the supply chain. To include cybersecurity-related processes within the approved scope of Automotive SPICE, additional processes have been defined in a Process Reference and Assessment Model for Cybersecurity Engineering (Cybersecurity PAM).
Certain aspects of ISO/IEC 21434 are not in the scope of Automotive SPICE for Cybersecurity because they are not performed in the context of a development project, but are part of the cybersecurity management system. These aspects, such as cybersecurity management, continuous cybersecurity activities, post-development phases, and decommissioning, are the subject of a cybersecurity management system audit.
An intacs™ working group has created a training scheme for the Cybersecurity SPICE extension and is now converting the seminar scheme into an intacs™ training material. We expect training to be offered starting in summer 2021. Some car manufacturers have announced that they will assess the model intensively as early as 2022.