Analyze relevant requirements to define evaluation criteria for supplier's capabilities.

Note 1: The definition of evaluation criteria may consider:

- Functional and non-functional requirements
- Technical evaluation regarding cybersecurity capabilities of the supplier, including cybersecurity concepts and methods (threat analysis and risk assessment, attack models, vulnerability analysis, etc.)
- The capability of the supplier's organization concerning cybersecurity (e.g., cybersecurity best practices from the development, applicable post-development activities (e.g. production, operation and decommissioning), governance, quality, and information security)
- Continuous operation, including cybersecurity
- Supplier capability and performance evidence in terms of cybersecurity obtained by supplier monitoring in the previous projects
## BP2: Evaluate potential suppliers. (O2)

Collect information about the supplier's capabilities and evaluate it against the established evaluation criteria. Short-list the preferred suppliers and document the results.
Note 2: The evaluation of potential suppliers may be supported by:

- Summaries of previous Automotive SPICE® for Cybersecurity assessments
- Evidence of the organizational cybersecurity management system (e.g., organizational audit results if available)
- Evidence of an information security management system
- Evidence of the organization's quality management system appropriate/capable of supporting cybersecurity engineering
- Experience from previous acquisitions
## BP3: Prepare and issue a request for quotation. (O3, O4)

Identify supplier candidates based on the evaluation. Prepare and issue a request for quotation including a corrective action plan for identified deviations.
## BP4: Negotiate and award the commitment/agreement. (O4)

Establish a commitment/agreement based on the evaluation of the request for quotation responses, covering the relevant requirements, and the agreed corrective actions.

Note 3: Distributed cybersecurity activities may be specified within a cybersecurity interface agreement considering all relevant aspects (e.g., contacts, tailoring, responsibilities, information sharing, milestones, timing).

Note 4: In case of deliverables without any support (e.g., free and open-source software), an interface agreement is not required.
# OUTPUT INFORMATION ITEMS
## 02-01 Commitment/agreement (O4)

- Signed off by all parties involved in the commitment/agreement
- Establishes what the commitment is for
- Establishes the resources required to fulfill the commitment, such as:
  - time
  - people
  - budget
  - equipment
  - facilities

Used by these processes:

- ACQ.2 Supplier Request and Selection
## 14-02 Corrective action (O3, O4)

- Identifies the initial problem
- Identifies the ownership for completion of defined action
- Defines a solution (series of actions to fix problem)
- Identifies the open date and target closure date
- Contains a status indicator
- Indicates follow up audit actions

Used by these processes:

- ACQ.2 Supplier Request and Selection
- MAN.7 Cybersecurity Risk Management
## 02-50 Interface agreement (O4)

Interface agreement should include definitions regarding:

- customer and supplier stakeholders and contacts
- tailoring agreements
- customer/supplier responsibilities (e.g. roles, RASIC chart) for distributed activities, including required actions in development and post-development
- share of information/work products in case of issues (e.g. vulnerabilities, findings, risks)
- agreed customer/supplier milestones
- duration of supplier's support and maintenance

Used by these processes:

- ACQ.2 Supplier Request and Selection
## 12-01 Request for quotation (O3)

- Reference to the requirements specification
- Cybersecurity responsibilities of the supplier
- The scope of work regarding cybersecurity, including the cybersecurity goals or the set of relevant cybersecurity requirements and their attributes
- Action plan for identified deviations and risks
- Identifies desired characteristics, such as:
  - system architecture, configuration requirements or the requirements for service (consultants, maintenance, etc.)
  - quality criteria or requirements
  - project schedule requirements
  - expected delivery/service dates
  - cost/price expectations
  - regulatory standards/requirements
- Identifies submission constraints:
  - date for resubmission of the response
  - requirements with regard to the format of response

Used by these processes:

- ACQ.2 Supplier Request and Selection
## 08-55 Risk treatment (O4)

- Identifies:
  - the risk to be mitigated, avoided, retained or transferred (shared)
  - the activities to mitigate, avoid, retain or transfer (share) the risk
- Method and instrument (checklist, tool) used for evaluation
- Requirements used for the evaluation
- Assumptions and limitations
- Identifies the context and scope information required (e.g. date of evaluation, parties involved)
- Fulfillment of evaluation requirements

Used by these processes:

- ACQ.2 Supplier Request and Selection
## 18-50 Supplier evaluation criteria (O1, O2)

- Expectations for conformity, to be fulfilled by suppliers
- Links from the expectations to national/international/domain-specific standards/laws/regulations
- Requirements' conformity evidence to be provided by the potential suppliers or assessed by the acquiring organization
- Agreed exceptions to the requirements