Engineering scenario · Automotive Cybersecurity

Cybersecurity Interface Agreement workflow for a Tier-1 ECU supplier

Drafting and negotiating an ISO/SAE 21434 Clause 7 CIA for a Tier-1 supplying a connected ECU into an OEM programme — RASIC, scope, audit rights, and incident SLAs.

An illustrative engineering scenario — the type of cybersecurity engineering workflow Agnile supports.

Problem context

Cybersecurity activities in modern programmes are inherently distributed: TARA, vulnerability handling, incident response, and release decisions move between OEM and supplier. ISO/SAE 21434 Clause 7 requires a Cybersecurity Interface Agreement that makes the allocation explicit. Vague CIAs ("supplier shall ensure cybersecurity") are the single most common source of late-stage audit findings and incident-response confusion.

Engineering approach

  1. Map the cybersecurity activities to be allocated — TARA, V&V, vulnerability handling, incident response, supplier audit, release for post-development.
  2. Build the RASIC matrix per activity (Responsible / Accountable / Supports / Informed / Consulted) with named cybersecurity points of contact on each side.
  3. Define information-sharing rules: classification, channel, retention, and disposal — including a data-handling annex covering GDPR / India DPDP / Japan APPI / California CCPA.
  4. Specify incident-response service levels: acknowledgement, triage, containment, evidence preservation, customer-facing communication.
  5. Document audit rights and frequency; define end-of-cybersecurity-support and decommissioning expectations.
  6. Cascade the obligations into the Tier-2 supplier CIA so vulnerability and incident timelines flow to component level.
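A machine-checkable version of steps 2, 4 and 6, added here as an illustrative example (not Agnile or KAVACH code): it flags RASIC rows that lack exactly one Accountable party, a Responsible party, or a named point of contact, and checks that each Tier-2 incident timeline plus Tier-1's own handling margin fits inside the OEM service level. Parties, contact names and hour values are constructed assumptions.

```python
# Added example (not Agnile/KAVACH code): a machine-checkable model of a CIA's
# RASIC allocation and its incident-response SLA cascade to Tier-2. All parties,
# contacts and hour values are constructed assumptions for illustration.
from dataclasses import dataclass

ROLES = {"R", "A", "S", "I", "C"}  # Responsible / Accountable / Supports / Informed / Consulted

@dataclass
class Allocation:
    activity: str
    roles: dict      # party -> role letter
    contacts: dict   # party -> named cybersecurity point of contact

def rasic_findings(allocs):
    """Return findings for a RASIC matrix; an empty list means it is well-formed."""
    findings = []
    for a in allocs:
        bad = {r for r in a.roles.values() if r not in ROLES}
        if bad:
            findings.append(f"{a.activity}: unknown role(s) {sorted(bad)}")
        if list(a.roles.values()).count("A") != 1:
            findings.append(f"{a.activity}: must have exactly one Accountable party")
        if "R" not in a.roles.values():
            findings.append(f"{a.activity}: no Responsible party")
        for party, role in a.roles.items():
            if role in {"R", "A"} and not a.contacts.get(party):
                findings.append(f"{a.activity}: {party} is {role} but has no named contact")
    return findings

def cascade_findings(oem_sla_h, tier2_sla_h, tier1_margin_h):
    """Each Tier-2 deadline plus Tier-1's own handling margin must fit the OEM deadline."""
    findings = []
    for step, oem_hours in oem_sla_h.items():
        t2 = tier2_sla_h.get(step)
        if t2 is None:
            findings.append(f"{step}: not cascaded to Tier-2 CIA")
        elif t2 + tier1_margin_h > oem_hours:
            findings.append(f"{step}: Tier-2 {t2}h + margin {tier1_margin_h}h exceeds OEM {oem_hours}h")
    return findings

# Constructed sample CIA content (hypothetical parties, contacts and timelines)
ALLOCS = [
    Allocation("TARA", {"OEM": "A", "Tier1": "R", "Tier2": "S"}, {"OEM": "A. Ohm", "Tier1": "B. Volt"}),
    Allocation("Vulnerability handling", {"OEM": "I", "Tier1": "A", "Tier2": "R"}, {"Tier1": "B. Volt"}),
]
OEM_SLA_H = {"acknowledge": 24, "triage": 72, "containment": 240}
TIER2_SLA_H = {"acknowledge": 12, "triage": 48}
```

Running both checks over the sample surfaces the two classic drafting gaps: a Responsible party with no named contact, and an OEM timeline that was never cascaded into the Tier-2 agreement.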

Outputs / evidence

  • Negotiated CIA with RASIC matrix
  • Information-sharing protocol and data-handling annex
  • Incident-response SLA and escalation chain
  • Audit-rights schedule and review cadence
  • Tier-2 cascade requirements
  • Annual review trigger list (architecture change, regulation change, supplier change)

Standards touched

  • ISO/SAE 21434 Clause 7 (Distributed cybersecurity activities)
  • UNECE R155 (assurance arguments around supplier responsibilities)
  • ISO 26262 (DIA — paired or unified contract pattern)

Where KAVACH helps

KAVACH stores the supplier-allocated cybersecurity activities alongside the TARA work products they touch, so when the OEM team performs an audit or an incident-response drill the linked obligations and evidence surface in one place.

Next step

Discuss this scenario for your programme

If a similar workflow fits your architecture, scope, or standards, we can scope an engagement against your specifics.