Overview
The Compliance pillar provides structured regulatory compliance assessment, evidence management, and audit reporting for the ThreatZ platform. It enables automotive cybersecurity teams to assess their posture against ISO/SAE 21434:2021 and UNECE R155/R156, track work product completion, detect compliance violations in real time, and generate audit-ready reports with gap analysis and recommendations.
Supported Standards
| Standard | Scope | Coverage |
|---|---|---|
| ISO/SAE 21434:2021 | Cybersecurity engineering for road vehicles | 15 clauses, full requirement mapping |
| UNECE R155 | Cybersecurity and CSMS | Vehicle category-specific, Annex 5 threats |
| UNECE R156 | Software update management | Referenced framework |
| ISO 26262 | Functional safety | Framework standard reference |
| SAE J3061 | Cybersecurity guidebook | Framework standard reference |
| China GB 44495 | Vehicle cybersecurity (Clauses 7–8) | Professional+ tier |
Compliance Structure
The compliance framework is organized hierarchically:
Standard
→ Clause (e.g., Clause 9: Concept Phase)
→ Section (e.g., 9.3: TARA)
→ Record (e.g., RQ-09-04: Identify damage scenarios)
• Answer (met / not met)
• Notes (evidence description)
• Work Products (WP links)
Requirement ID formats:
- RQ-XX-YY: Requirement (mandatory)
- RC-XX-YY: Recommendation (advisory)
- PM-XX-YY: Practice (guidance)
ISO 21434 Clause Coverage
| Clause | Title | Focus Area |
|---|---|---|
| 5 | Organizational Cybersecurity Management | Policy, competence, tools, audits |
| 6 | Project-Dependent Cybersecurity Management | Cybersecurity plan, case, assessment |
| 7 | Distributed Cybersecurity Activities | Interface agreements with suppliers |
| 8 | Continual Cybersecurity Activities | Monitoring, vulnerability management |
| 9 | Concept Phase | Item definition, TARA, goals, claims |
| 10 | Product Development | Specifications, design, integration, verification |
| 11 | Cybersecurity Validation | Validation report |
| 12 | Production | Production control plan |
| 13 | Operations & Maintenance | Incident response plan |
| 14 | End of Cybersecurity Support | Decommissioning procedures |
| 15 | TARA Methods | Threat analysis, risk assessment methodology |
Work Product Tracking
44 work products mapped across all clauses:
| ID Range | Category | Examples |
|---|---|---|
| WP-05-01 to WP-05-05 | Organizational Management | Cybersecurity policy, competence management, audit reports |
| WP-06-01 to WP-06-04 | Project Management | Cybersecurity plan, cybersecurity case, assessment report |
| WP-07-01 | Distributed Activities | Cybersecurity interface agreement |
| WP-08-01 to WP-08-06 | Continual Activities | Sources, triggers, events, vulnerabilities, analysis, evidence |
| WP-09-01 to WP-09-07 | Concept Phase | Item definition, TARA, goals, claims, verification reports |
| WP-10-01 to WP-10-07 | Product Development | Specifications, requirements, documentation, verification |
| WP-11-01 | Validation | Validation report |
| WP-12-01 | Production | Production control plan |
| WP-13-01 | Operations | Incident response plan |
| WP-14-01 | End of Support | End of support procedures |
| WP-15-01 to WP-15-08 | TARA | Damage scenarios, assets, threats, impact, attack paths, feasibility, risk values, treatment |
Compliance Scoring
Scores are calculated bottom-up:
- Record level: Binary (met / not met)
- Section level: Average of record answers within the section
- Clause level: Average of section percentages within the clause
- Overall level: Average across all clauses
Status Interpretation
| Score | Status | Meaning |
|---|---|---|
| 90–100% | Ready | Full compliance, audit-ready |
| 70–89% | Almost Ready | Minor gaps remaining |
| 50–69% | In Progress | Significant work needed |
| < 50% | Early Stage | Major gaps across clauses |
Compliance Statuses
- COMPLIANT (80%+)
- PARTIAL (50–79%)
- NON_COMPLIANT (< 50%)
- NOT_ASSESSED
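The bottom-up scoring and both status mappings above, as an added worked example (not ThreatZ code): record answers are averaged per section, sections per clause, clauses overall, and the resulting percentage is read against the Status Interpretation thresholds and the Compliance Statuses thresholds. The sample answers are constructed, and the rule that an unassessed record in an otherwise assessed section counts as not met is an assumption the page does not state.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import List, Optional

@dataclass
class Record:
    req_id: str
    met: Optional[bool]   # True = met, False = not met, None = not assessed

@dataclass
class Section:
    number: str
    records: List[Record] = field(default_factory=list)

@dataclass
class Clause:
    number: int
    sections: List[Section] = field(default_factory=list)

def section_score(sec: Section) -> Optional[float]:
    """Section level: percentage of records answered 'met'. A section with no
    assessed record is None; an unassessed record inside an assessed section
    counts as not met (conservative assumption, not stated on the page)."""
    if all(r.met is None for r in sec.records):
        return None
    return mean(100.0 if r.met else 0.0 for r in sec.records)

def _avg(scores: List[Optional[float]]) -> Optional[float]:
    known = [s for s in scores if s is not None]   # skip NOT_ASSESSED children
    return mean(known) if known else None

def clause_score(cl: Clause) -> Optional[float]:
    """Clause level: average of section percentages within the clause."""
    return _avg([section_score(s) for s in cl.sections])

def overall_score(clauses: List[Clause]) -> Optional[float]:
    """Overall level: average across all clauses."""
    return _avg([clause_score(c) for c in clauses])

def readiness(score: Optional[float]) -> str:
    """Status Interpretation table: 90 / 70 / 50 thresholds."""
    if score is None: return "Not Assessed"
    return ("Ready" if score >= 90 else "Almost Ready" if score >= 70
            else "In Progress" if score >= 50 else "Early Stage")

def compliance_status(score: Optional[float]) -> str:
    """Compliance Statuses: 80 / 50 thresholds, NOT_ASSESSED when nothing answered."""
    if score is None: return "NOT_ASSESSED"
    return "COMPLIANT" if score >= 80 else "PARTIAL" if score >= 50 else "NON_COMPLIANT"

def sample_clauses() -> List[Clause]:
    """Constructed answers for two clauses (IDs follow the RQ-XX-YY format)."""
    return [Clause(9, [Section("9.3", [Record("RQ-09-04", True), Record("RQ-09-05", False),
                                       Record("RQ-09-06", True)]),
                       Section("9.4", [Record("RQ-09-08", True)])]),
            Clause(15, [Section("15.1", [Record("RQ-15-01", True), Record("RQ-15-02", None)]),
                        Section("15.2", [Record("RQ-15-03", None)])])]
```

Note that the two tables can disagree for the same number: clause 9 in the sample scores about 83%, which is "Almost Ready" by readiness but COMPLIANT by compliance status.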
Violation Detection
The platform continuously evaluates compliance requirements as project entities change. Violations are detected for:
- Threat Modeling requirements (RQ-15-01 through RQ-15-15): Missing assets, damage scenarios, threat scenarios, attack paths
- Risk Assessment requirements (RQ-09-04 through RQ-09-10): Incomplete risk calculations, missing feasibility ratings
- Risk Treatment requirements (RQ-09-08 through RQ-09-10): Missing goals, claims, or control implementations
Each violation includes the failing requirement ID, the entity type and ID causing the violation (Asset, Damage Scenario, Threat, Attack Path, Risk, Goal, Claim), a descriptive message, and a fix suggestion. Violations are grouped by Compliance Model (Threat Modeling, Risk Assessment, Risk Treatment) for targeted review.
Report Generation
ISO 21434 Report
- Overall compliance status (Compliant / Partial / Non-Compliant)
- Overall coverage percentage
- Clause-by-clause coverage breakdown
- Test summary (total runs, penetration tests, fuzz tests, conformance tests)
- Findings summary by severity (Critical, High, Medium, Low)
- Gap analysis with severity and recommendations
- Evidence package (artifact count, size, types)
UNECE R155 Report
- All ISO 21434 report fields, plus:
- Vehicle type information (category, manufacturer, model)
- Category coverage by threat category
- Threat coverage (addressed / partially addressed / not addressed)
Gap Types
| Type | Description |
|---|---|
| Missing Test | No test case covers this requirement |
| Insufficient Coverage | Test coverage below threshold |
| Missing Evidence | No evidence artifacts linked |
| Missing Mitigation | No controls or goals address this risk |
| Failed Test | Test execution failed for this requirement |
Evidence Management
Evidence is collected and linked through multiple mechanisms:
- Claim evidence media: Files attached directly to claims
- Test artifacts: Penetration test reports, fuzz reports, scan reports, PCAP files, conformance reports, coverage reports
- Compliance record notes: Free-text evidence descriptions per requirement
- Work product deliverables: Documents and reports linked to work product IDs
Integration with Other Pillars
| Direction | Pillar | Data Flow |
|---|---|---|
| Inbound | TARA | Assets, threats, risks, goals, claims, controls provide evidence for Clauses 9 and 15 |
| Inbound | Testing | Test results and coverage update compliance scores automatically |
| Inbound | SBOM | Vulnerability status and component inventory feed compliance posture |
| Inbound | Design | Architecture documentation serves as evidence for system-level work products |
| Inbound | Operations | Incident response logs provide evidence for Clause 13 work products |
| Outbound | All pillars | Compliance violations flag gaps that need engineering action |
Compliance Models
Three compliance models map requirements to specific engineering areas:
| Model | Requirements | Purpose |
|---|---|---|
| Threat Modeling | RQ-15-01 to RQ-15-15 | Validates threat analysis completeness |
| Risk Assessment | RQ-09-04 to RQ-09-10 | Validates risk scoring and feasibility |
| Risk Treatment | RQ-09-08 to RQ-09-10 | Validates mitigation completeness |
These models enable targeted violation checking — when an asset is modified, only Threat Modeling requirements are re-evaluated; when a risk score changes, only Risk Assessment requirements are checked.
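The targeted violation checking described here and under Violation Detection above, as an added example that is not ThreatZ code: each compliance model owns a check function, a changed entity type selects exactly one model to re-run, and each violation carries the requirement ID, entity type and ID, message, and fix suggestion. The project data is constructed, the requirement IDs fall in the page's ranges but which ID backs which check is an illustrative assumption, and only the Asset and Risk entries of the entity-to-model table come from the page.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Violation:
    requirement: str   # failing requirement ID
    entity_type: str   # entity causing the violation
    entity_id: str
    message: str
    fix: str           # fix suggestion

# Constructed sample project; all ids and contents are made up.
SAMPLE = {
    "assets": [{"id": "A-1"}, {"id": "A-2"}],
    "damage_scenarios": [{"id": "DS-1", "asset": "A-1"}],
    "threats": [{"id": "T-1"}, {"id": "T-2"}],
    "attack_paths": [{"id": "AP-1", "threat": "T-1"}],
    "risks": [{"id": "R-1", "feasibility": None}, {"id": "R-2", "feasibility": "High"}],
    "goals": [{"id": "G-1", "risk": "R-2"}],
}

def check_threat_modeling(p) -> List[Violation]:   # RQ-15-xx: assumed ID per check
    out = [Violation("RQ-15-01", "Asset", a["id"], "asset has no damage scenario",
                     "add a damage scenario for this asset") for a in p["assets"]
           if not any(d["asset"] == a["id"] for d in p["damage_scenarios"])]
    out += [Violation("RQ-15-06", "Threat", t["id"], "threat scenario has no attack path",
                      "model at least one attack path") for t in p["threats"]
            if not any(ap["threat"] == t["id"] for ap in p["attack_paths"])]
    return out

def check_risk_assessment(p) -> List[Violation]:   # RQ-09-04..10: assumed ID
    return [Violation("RQ-09-06", "Risk", r["id"], "missing feasibility rating",
                      "rate attack feasibility") for r in p["risks"] if r["feasibility"] is None]

def check_risk_treatment(p) -> List[Violation]:    # RQ-09-08..10: assumed ID
    return [Violation("RQ-09-08", "Risk", r["id"], "no goal addresses this risk",
                      "define a cybersecurity goal or claim") for r in p["risks"]
            if not any(g["risk"] == r["id"] for g in p["goals"])]

MODELS: Dict[str, Callable] = {"Threat Modeling": check_threat_modeling,
                               "Risk Assessment": check_risk_assessment,
                               "Risk Treatment": check_risk_treatment}

# Changed entity type -> model to re-evaluate (Asset and Risk from the page, rest assumed).
ENTITY_MODEL = {"Asset": "Threat Modeling", "Damage Scenario": "Threat Modeling",
                "Threat": "Threat Modeling", "Attack Path": "Threat Modeling",
                "Risk": "Risk Assessment", "Goal": "Risk Treatment", "Claim": "Risk Treatment"}

def evaluate_on_change(project, changed_type: str) -> Dict[str, List[Violation]]:
    """Re-run only the model the changed entity belongs to; result grouped by model."""
    model = ENTITY_MODEL[changed_type]
    return {model: MODELS[model](project)}
```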