Why This Mapping Matters
ISO/SAE 21434 defines the cybersecurity engineering lifecycle for road vehicles. UNECE R155 requires vehicle manufacturers to operate a certified Cyber Security Management System (CSMS), and ISO/SAE 21434 is the standard commonly used to demonstrate that the CSMS processes exist. Auditors need to trace each clause requirement to concrete evidence in your project. This mapping shows where that evidence lives within the TARA solution, using the clause numbering of the published ISO/SAE 21434:2021.
Coverage Summary
Detailed Clause Mapping
Clause 6 — Project Dependent Cybersecurity Management (Full Coverage)
| Requirement | Implementation |
|---|---|
| Cybersecurity plan (6.4.2) | CYBERSEC-PLAN document in the Risks space. Sections for activities, roles, responsibilities, methods, tools, and milestones. |
| Cybersecurity case / assurance argument (6.4.7) | Cybersecurity Case dashboard. Aggregates cybersecurity goals with CAL badges, TARA coverage with verdict distribution, requirements traceability, and residual risk summary. Concludes with case status (OPEN or READY FOR REVIEW). |
| Document approval (supporting evidence for the cybersecurity case) | riskSpecification document workflow: Draft > In Review > Approved > Published. Electronic signatures via the project_approver role. |
Clause 9 — Concept (Full Coverage)
| Requirement | Implementation |
|---|---|
| Item definition (9.3): item identification | systemElement work item type with an elementType hierarchy (system, subsystem, assembly, subassembly, component). |
| Item definition (9.3): interfaces and architecture | System element hierarchy in the SYSTEM-ELEMENTS document with parent link roles. |
| Item definition (9.3): assets (RED Assets) | redAssets document custom field on each TARA module. |
| Item definition (9.3): cybersecurity context and assumptions | cybersecurityContext and assumptions custom fields on riskSpecification documents. |
| Cybersecurity goals (9.4) | cybersecurityGoal work item type with cal (Cybersecurity Assurance Level), goalCiaxProperty, and goalRationale fields. Linked from TARA records via hasCybersecurityGoal. |
| Cybersecurity concept (9.5) | CYBERSEC-CONCEPT document deriving requirements from goals using the derivesRequirement link role. |
| Requirement allocation (9.5) | allocatedTo link role from requirements to system elements. classification = cybersecurity for filtering. |
Clause 10 — Product Development (Partial Coverage)
| Requirement | Implementation |
|---|---|
| Design specifications (10.4.1) | sysReq work items with cybersecurity classification. |
| Implementation | Out of scope: code-level implementation is beyond the TARA analysis domain. |
| Verification planning (10.4.2) | testCase work items linked to requirements via the verifies link role. |
| Verification evidence (10.4.2) | verification column in the Risksheet “5. Req & Verification” view traverses the link chain from risk controls through requirements to test cases. |
| CAL-based verification rigor (10.4.2) | The calDecorator checks that each cybersecurity goal's CAL is at least the minimum implied by its risk verdict, so that verification rigor matches risk severity. |
| Test execution (10.4.2) | testCase work items provide the planning structure only. Managing actual test execution requires additional Polarion test management configuration. |
Clause 10 addresses the full product development lifecycle: design, implementation, and integration and verification. The TARA solution covers the requirements and verification planning portions but does not extend to implementation or to detailed test execution management.
Clause 15 — Threat Analysis and Risk Assessment Methods (Full Coverage)
| Requirement | Implementation |
|---|---|
| Asset identification and damage scenarios (15.3) | systemElement hierarchy with cybersecurity context; damageScenario text field per TARA record. |
| Threat scenario identification (15.4) | threatScenario itemLink to the Threat Scenario Catalog. |
| Impact rating (15.5) | taraImpact enum: severe, major, moderate, negligible. |
| Attack path analysis (15.6) | threatPath text field per TARA record. |
| Attack feasibility rating (15.7) | 5-factor attack potential scoring (TIME, EXP, KNOW, WOO, EQP) with feasibilityFormula, using the ISO/SAE 21434 Annex G thresholds. |
| Risk value determination (15.8) | verdictFormula computing a verdict of 1 to 5 from the 4x4 impact-by-feasibility risk matrix. |
| Risk treatment decision (15.9) | treatmentChoice enum: reducing, avoiding, sharing, retaining. |
Annex G — Attack Feasibility Rating (Full Coverage)
The feasibilityFormula implements the attack potential-based approach from Annex G with five factors (elapsed time, specialist expertise, knowledge of the item, window of opportunity, equipment) and ISO-aligned score weights. See Attack Feasibility Scoring (EVITA).
Clauses Out of Scope
| Clause | Topic | Reason |
|---|---|---|
| Clause 5 | Organizational cybersecurity management | Organizational process, not product-level analysis |
| Clause 7 | Distributed cybersecurity activities | Supplier and customer interface agreements, beyond the TARA tool scope |
| Clause 8 | Continual cybersecurity activities | Ongoing monitoring and vulnerability management, not captured in a project-level TARA |
| Clause 11 | Cybersecurity validation | Vehicle-level validation of cybersecurity goals, beyond the TARA analysis domain |
| Clause 12 | Production | Manufacturing cybersecurity requirements |
| Clause 13 | Operations and maintenance | Post-production field activities |
| Clause 14 | End of cybersecurity support and decommissioning | Post-production field activities |
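The attack potential scoring and the 4x4 risk matrix referenced under Clause 15 and Annex G above, written out end to end as an added example. This is editor's code, not the TARA solution's feasibilityFormula or verdictFormula: the factor names TIME, EXP, KNOW, WOO, EQP follow the page, the per-level point values and the feasibility thresholds are the Annex G attack potential tables, while the risk matrix values, the verdict-to-minimum-CAL table, and the sample TARA record are constructed for the example because the page does not list them.

```python
"""Attack feasibility (ISO/SAE 21434 Annex G, attack potential-based approach)
and risk value determination (clause 15.8) as plain functions.

Added example for this page, not the TARA solution's own formulas. The Annex G
point values and thresholds are from the standard; RISK_MATRIX,
MIN_CAL_FOR_VERDICT and SAMPLE are constructed for illustration.
"""
from dataclasses import dataclass

# Annex G attack potential parameters: level -> points for each of the five factors.
FACTOR_POINTS = {
    "TIME": {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19},
    "EXP":  {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8},
    "KNOW": {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11},
    "WOO":  {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10},
    "EQP":  {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9},
}

IMPACTS = ("negligible", "moderate", "major", "severe")          # taraImpact enum values
FEASIBILITIES = ("very low", "low", "medium", "high")            # Annex G rating levels
TREATMENTS = ("reducing", "avoiding", "sharing", "retaining")    # treatmentChoice enum values

# Constructed 4x4 risk matrix: RISK_MATRIX[impact][index of feasibility] -> risk value 1..5.
# The standard's own matrix is informative; these values are an assumption for the example.
RISK_MATRIX = {
    "negligible": (1, 1, 1, 1),
    "moderate":   (1, 2, 2, 3),
    "major":      (1, 2, 3, 4),
    "severe":     (2, 3, 4, 5),
}

# Constructed: minimum CAL (1..4) a goal must carry for a given risk value.
MIN_CAL_FOR_VERDICT = {1: 1, 2: 1, 3: 2, 4: 3, 5: 4}


def attack_potential(levels: dict) -> int:
    """Sum the Annex G points for the five factor levels; missing or unknown levels raise."""
    missing = set(FACTOR_POINTS) - set(levels)
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    return sum(FACTOR_POINTS[f][levels[f]] for f in FACTOR_POINTS)


def attack_feasibility(potential: int) -> str:
    """Annex G thresholds: a higher attack potential means a lower feasibility rating."""
    if potential < 0:
        raise ValueError("attack potential cannot be negative")
    if potential <= 13:
        return "high"
    if potential <= 19:
        return "medium"
    if potential <= 24:
        return "low"
    return "very low"


def risk_value(impact: str, feasibility: str) -> int:
    """Look up the 1..5 risk value (the page's 'verdict') in the impact-by-feasibility matrix."""
    if impact not in IMPACTS or feasibility not in FEASIBILITIES:
        raise ValueError(f"unknown impact/feasibility: {impact!r}/{feasibility!r}")
    return RISK_MATRIX[impact][FEASIBILITIES.index(feasibility)]


@dataclass
class TaraRecord:
    damage_scenario: str
    impact: str
    factors: dict      # TIME/EXP/KNOW/WOO/EQP -> level label
    treatment: str     # one of TREATMENTS
    goal_cal: int      # CAL of the linked cybersecurity goal, 1..4


def evaluate(rec: TaraRecord) -> dict:
    """Run one TARA record through feasibility, risk value and the minimum-CAL check."""
    if rec.treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment: {rec.treatment!r}")
    ap = attack_potential(rec.factors)
    af = attack_feasibility(ap)
    rv = risk_value(rec.impact, af)
    return {
        "attack_potential": ap,
        "feasibility": af,
        "verdict": rv,
        "cal_ok": rec.goal_cal >= MIN_CAL_FOR_VERDICT[rv],
    }


# Constructed sample record: an ECU reflash over the diagnostic port that takes an
# expert about a week with restricted documentation and specialized equipment.
SAMPLE = TaraRecord(
    damage_scenario="Unauthorized ECU reflash via diagnostic port",
    impact="severe",
    factors={"TIME": "<=1 week", "EXP": "expert", "KNOW": "restricted",
             "WOO": "easy", "EQP": "specialized"},
    treatment="reducing",
    goal_cal=2,
)

if __name__ == "__main__":
    # -> {'attack_potential': 15, 'feasibility': 'medium', 'verdict': 4, 'cal_ok': False}
    print(evaluate(SAMPLE))
```

The sample scores 1 + 6 + 3 + 1 + 4 = 15 points, which falls in the 14 to 19 band and is therefore rated medium feasibility; combined with a severe impact the constructed matrix yields risk value 4, and a goal carrying CAL 2 fails the minimum-CAL check, which is the kind of mismatch the calDecorator column is meant to surface. Swapping the constructed tables for a project's own matrix and CAL policy is a one-line change each.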
UNECE R155 Alignment
The TARA solution supports UNECE R155 compliance by providing auditable evidence that:
- Threats have been systematically identified and assessed (the threat list in Annex 5, Part A)
- Risks are classified and treated, with mitigations traceable to the controls listed in Annex 5, Parts B and C
- Cybersecurity requirements are derived from the treatment decisions and verified
- The risk identification, assessment, treatment and verification processes required of a CSMS (R155 paragraph 7.2.2) are documented and reviewable