Purpose
Cybersecurity goals bridge the gap between risk assessment and security engineering. Each goal is linked from a TARA record via thehasCybersecurityGoal link role and drives the derivation of cybersecurity requirements, which in turn are verified by test cases. Goals are assigned when the treatment choice on a TARA record is Reducing or Avoiding.
Work Item Identity
| Property | Value |
|---|---|
| Type ID | cybersecurityGoal |
| Label | Cybersecurity Goal |
| Icon | type_requirement.gif |
| Tracker Prefix | TR |
| Form Layout | cybersecurityGoal-form-layout.xml |
Custom Fields
| Field ID | Name | Type | Description |
|---|---|---|---|
cal | CAL | enum:cybersecurityGoal-cal | Cybersecurity Assurance Level (CAL 1-4) per ISO/SAE 21434. Determines the rigor of security development and verification activities required for this goal. |
goalCiaxProperty | CIAx Property | enum:taraRecord-ciaxProperty | The CIAx security property this goal protects (Confidentiality, Integrity, Availability, Authenticity, Authorization, or Non-repudiation). Reuses the same enum as the TARA record ciaxProperty field. |
goalAsset | Asset | text/plain | Free-text identification of the asset this goal protects (e.g., “ECU firmware”, “CAN bus communication”). |
goalRationale | Rationale | text/html | Rich-text explanation of why this goal was defined and the threat or damage scenario it addresses. Provides audit trail for ISO/SAE 21434 compliance evidence. |
CAL Enum Values
ThecybersecurityGoal-cal enumeration defines four assurance tiers aligned with ISO/SAE 21434:
| Enum ID | Label | Decorator Color | Description |
|---|---|---|---|
cal1 | CAL 1 | Green (#4CAF50) | Minimal assurance rigor. Lowest process burden. |
cal2 | CAL 2 | Orange (#FF9800) | Moderate assurance rigor. Structured security controls required. |
cal3 | CAL 3 | Red (#f44336) | High assurance rigor. Formal security testing and verification required. |
cal4 | CAL 4 | Dark Red (#b71c1c) | Highest assurance rigor. Exhaustive validation and independent review required. Analogous to ASIL D in functional safety. |
CAL Validation Against Verdict
The RisksheetcalDecorator enforces minimum CAL based on the TARA record verdict:
| Verdict | Minimum CAL Required |
|---|---|
| 5 (Critical) | CAL 4 |
| 4 (High) | CAL 3 |
| 3 (Medium) | CAL 2 |
| 1-2 (Low/Negligible) | CAL 1 |
Link Roles
Outgoing Links
| Role ID | Forward Label | Target Type | Description |
|---|---|---|---|
| (none specific) | — | — | Cybersecurity goals do not have outgoing TARA-specific links. Standard Polarion links (parent, branched_from) are available. |
Incoming Links
| Role ID | Reverse Label | Source Type | Description |
|---|---|---|---|
hasCybersecurityGoal | is Cybersecurity Goal in | taraRecord | TARA records link to this goal when treatment is Reducing or Avoiding. |
derivesRequirement | has Derived | sysReq | Cybersecurity requirements derived from this goal. Completes the Goal Track: TARA Record -> Cybersecurity Goal -> Requirement -> Test Case. |
Traceability Chain
The cybersecurity goal sits at the center of the Goal Track:
Workflow
ThecybersecurityGoal type follows the general work item workflow:
| State | Color | Description |
|---|---|---|
draft | #3366FF | Initial state after creation. |
inReview | #FFFF99 | Submitted for peer review. |
pendingApproval | #FFFF33 | Review complete, awaiting formal sign-off. |
approved | #66FF66 | Formally approved. Baseline-ready. |
rejected | #FF3300 | Rejected during review. Requires rework. |
obsolete | — | No longer active. Retained for traceability. |
Risksheet Integration
In the TARA Risksheet, the cybersecurity goal appears in two columns:| Column ID | Header | Group | Description |
|---|---|---|---|
cybersecurityGoal | Cybersecurity Goal | Cybersecurity Goal (teal) | itemLink column using hasCybersecurityGoal role. Picker populated by cybersecurityGoalQuery factory (type:cybersecurityGoal). Decorated with goalHighlight (orange outline when treatment is Reducing/Avoiding but no goal is set). |
goalCal | CAL | Cybersecurity Goal (teal) | Bound to cybersecurityGoal.cal via bindings. Decorated with calDecorator for color-coded CAL badge and minimum CAL validation. |
Form Layout Notes
ThecybersecurityGoal-form-layout.xml layout exposes:
- Standard fields: Title, Description, Status, Priority
- Custom fields:
cal,goalCiaxProperty,goalAsset,goalRationale - Linked items section showing TARA records (via
hasCybersecurityGoal) and derived requirements (viaderivesRequirement)
Related Pages
- TARA Record (taraRecord) — the risk assessment record that links to this goal
- CIAx Security Properties — the shared CIAx property enum
- CAL Levels — detailed CAL enumeration reference
- Link Roles and Traceability Relationships — complete link role inventory
- Traceability Chain — how goals fit in the dual-track traceability model