Standards
Aligned to the regulations your team is already chasing.
Every artifact in TARA Workbench traces back to a clause. CSMS evidence packs export ready for type approval. Audit trails survive procurement.
ISO/SAE 21434Covered §8 → §10
Road vehicles — Cybersecurity engineering
End-to-end coverage of concept, product development, and cybersecurity validation. Every work product maps to a clause and is audit-traceable.
- TARA covers §8 (Concept) → §10 (Validation)
- Work products auto-linked to source artifacts
- Snapshotted decisions for the §6 governance trail
UNECE R155In force since 2024-07-22
Cybersecurity Management System for vehicles
Annex 5 threat categories pre-mapped. CSMS evidence packs assembled clause by clause, ready for the type-approval auditor.
- Annex 5 categories applied at threat-tree authoring time
- Type-approval evidence pack generator
- Post-production CSMS audit trail
UNECE R156In force since 2024-07-22
Software Update Management System
Software-update governance built in. Version traceability, OTA campaign manifest, post-production change auditing — without leaving the workbench.
- Update campaign manifest exporter
- Version traceability across ECUs
- Post-production change audit
Clause map
How TARA Workbench artifacts trace to ISO/SAE 21434.
A short slice of the full mapping. The complete table covers §6 → §15 — download the PDF for the auditor.
| Clause | Workbench artifact | Status |
|---|---|---|
| §8 — Concept | TOE definition with CIA tags + asset graph | Covered |
| §8.4 — Damage scenarios | Damage scenarios linked to assets, scored S/F/O/P | Covered |
| §8.5 — Threat scenarios | Threat scenarios cross-referenced to R155 Annex 5 | Covered |
| §8.6 — Attack feasibility | Attack tree feasibility scoring with mitigation overlays | Covered |
| §8.7 — Impact rating | Risk matrix with treatment decisions | Covered |
| §9 — Product development | Security goals + concepts derived from treated risk | Covered |
| §10 — Cybersecurity validation | Phase-gated reviews (CSPR/CSDR/CSCR/CSSR/CSAR) | Covered |
| §15 — Distributed activities | Supply-chain interface evidence pack | Partial |
| §7 — Information sharing | Threat intel feed import (ISACs, vendor advisories) | Planned |
Also designed against
ISO 26262 (functional safety)ASPICETISAXISO 27001NIST SP 800-30SAE J3061
Need clause-level coverage for your auditor?
We'll come on the call with the mapping pulled up and your TARA already loaded.