As highlighted in my previous blog post, entitled Addressing the latest and greatest in Automotive Product Security: Arm’s journey toward ISO/SAE 21434, Arm has been on a continuous path toward meeting ISO/SAE 21434.
As vehicles become more complex, new threats arise, and the regulatory landscape changes, the Automotive supply chain must ensure that vehicles and components are developed, integrated, maintained and decommissioned based on strong security practices.
This involves assessing individual products for their cybersecurity and having a Cybersecurity Management System (CSMS) in place that covers processes such as secure product development, cybersecurity management, monitoring, vulnerability management and incident response.
These are all aspects addressed by ISO/SAE 21434, which has been increasingly applied by the Automotive supply chain in response to the UNECE WP.29 R155 regulation. UNECE R155 requires Automotive OEMs to show proof of the implementation of a CSMS in order to commercialize their vehicles in UNECE-regulated markets. Failure to comply results in market access restrictions. In fact, many popular vehicle models have recently been discontinued due to challenges complying with the regulation.
Although ISO/SAE 21434 is a legal requirement exclusively for Automotive OEMs, the standard requires them to assess the cybersecurity capabilities of their suppliers. In turn, OEM suppliers are required to evaluate the capabilities of their own suppliers, and so on. Cybersecurity capability evaluation is typically conducted by assessing the supplier’s ability to comply with the ISO/SAE 21434 standard as an organization, and by assessing how the supplier applies its compliant CSMS to its products.
Serving various industries where security is a concern, Arm has had a strong Product Security foundation in place since before ISO/SAE 21434 was published in 2021. This allowed Arm to build on its existing systematic Product Security approach and expand it to address security requirements specific to the Automotive industry.
In 2024, Arm’s CSMS for HW IP was audited, and in January 2025 Arm received its first ISO/SAE 21434 Certification from exida, with Maturity Level 3 (ML 3). Although maturity levels are defined by the IEC 62443 standard for industrial applications, ISO/SAE 21434 auditors use this classification to indicate the maturity of a CSMS.
ML 3 means that the organization not only has the processes required by ISO/SAE 21434 in place, but also applies these processes in a repeatable and consistent manner. You can find out more about Maturity Levels by reading this exida blog post.
ISO/SAE 21434 covers not only periodic organizational CSMS audits, but also the assessment of individual products to judge their cybersecurity. This includes the analysis of evidence demonstrating that the CSMS has been applied, and that reasonable actions to manage identified cybersecurity risks have been taken where needed.
The Arm Neoverse V3AE CPU marks a milestone for Arm as the first IP to be successfully assessed against ISO/SAE 21434. The product was assessed by exida based on the ISO/SAE 21434 requirements for Components out-of-Context (CooC), and its certificate is publicly available here.
In addition to the certificate, with Neoverse V3AE and all future ISO/SAE 21434-assessed IP, partners receive a set of supporting security documentation, including:
Security Summary Report (SSR): The SSR communicates the assumptions made about intended use and context, the security objectives met and not met by the design, and the residual risks and suggested remediations that the integrator must consider. This document helps integrators address requirements from ISO/SAE 21434 Clause 6 regarding the integration of Components Out-of-Context.
Security Interface Report (SIR): The SIR replaces the Cybersecurity Interface Agreement described in Clause 7 of ISO/SAE 21434, and provides a unilateral allocation of security responsibilities between Arm and IP integrators. The SIR also covers other aspects of Clause 7, including information about Arm’s Security Development Lifecycle (SDL), cybersecurity monitoring, vulnerability management, incident response and end-of-life processes.
A list of the work products required by ISO/SAE 21434, their applicability, a mapping to the evidence produced by Arm and their availability to partners is also communicated through the SIR.
The collateral described above, together with Arm’s proven organizational cybersecurity capability, enables the secure integration of Arm IP and accelerates partners’ journeys toward ISO/SAE 21434.
Visit the Arm Automotive Cybersecurity page for more information about Automotive Security in Arm and Arm’s latest automotive initiatives.