UN-R155 & UN-R156
UN Regulation No. 155 (cybersecurity) requires vehicle manufacturers to operate a cybersecurity management system (CSMS), and UN Regulation No. 156 (software updates) a software update management system (SUMS). Both are assessed on documented, traceable evidence; TRF packages provide that evidence in a form regulators and auditors can follow from threat to mitigation to test.
Key requirements and TRF evidence
| Regulation clause | Requirement | TRF artifacts |
|---|---|---|
| R155 Annex 5 | Threat analysis and risk assessment (TARA) | `threat`, `vulnerability`, `risk_assessment` artifacts with STRIDE/CVSS fields |
| R155 Annex 5 § 2.1.3 | Cybersecurity concept and mitigations | `control` artifacts linked to `threat` artifacts via `mitigates` |
| R155 Annex 5 § 2.1.4 | Monitoring and detection capabilities | `monitoring_plan`, `incident_report` artifacts plus runtime monitor logs |
| R156 Annex 1 | Software update policies and records | `ota_campaign`, `update_policy`, `deployment_report` artifacts |
| R156 Annex 4 | Re-verification after update | `test` and coverage reports linked to the `ota_campaign` |
Evidence flow
```text
threat        --> control            (mitigates)
vulnerability --> control            (addresses)
ota_campaign  --> test               (verified_by)
ota_campaign  --> deployment_report
```
Use confidence scores to highlight mitigations awaiting confirmation testing.
Fleet update tracking
- Represent each update campaign as an `ota_campaign` artifact (target fleet size, deployment progress, rollback plans).
- Attach validation reports, penetration test results, and regulator notifications.
- Use `tw coverage --from ota_campaign --to test` to confirm that regression suites ran after every update.
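The two checks this page relies on, the evidence-flow links above and the `ota_campaign` to `test` coverage query, are both graph traversals over the package. The following added example (not the `tw` tool's code, and not the TWPack schema) shows that logic over a constructed evidence graph: artifacts are dicts with `id` and `type`, links are dicts with `from`, `to`, `rel` and an optional per-link `confidence`; these field names, the `reported_by` relation and the 0.8 confidence threshold are assumptions for illustration. It reports campaigns with no `verified_by` test, threats whose mitigations still await confirmation testing, and links that point at artifacts missing from the package.

```python
"""Coverage checks over a TRF-style evidence graph.

Illustrative code, not the tw tool's own implementation. Field names
("id", "type", "from", "to", "rel", "confidence") are assumptions.
"""

# Constructed sample package contents (not real project data).
ARTIFACTS = [
    {"id": "T-1", "type": "threat"},
    {"id": "T-2", "type": "threat"},
    {"id": "V-1", "type": "vulnerability"},
    {"id": "C-1", "type": "control"},
    {"id": "C-2", "type": "control"},
    {"id": "OTA-1", "type": "ota_campaign"},
    {"id": "OTA-2", "type": "ota_campaign"},
    {"id": "TEST-1", "type": "test"},
    {"id": "DEP-1", "type": "deployment_report"},
]

LINKS = [
    {"from": "T-1", "to": "C-1", "rel": "mitigates", "confidence": 0.95},
    # C-2 exists on paper but its effectiveness has not been confirmed yet.
    {"from": "T-2", "to": "C-2", "rel": "mitigates", "confidence": 0.40},
    {"from": "V-1", "to": "C-1", "rel": "addresses", "confidence": 0.90},
    {"from": "OTA-1", "to": "TEST-1", "rel": "verified_by", "confidence": 1.0},
    {"from": "OTA-1", "to": "DEP-1", "rel": "reported_by"},  # assumed relation name
    # OTA-2 was deployed but has no verified_by link: a re-verification gap.
    {"from": "OTA-2", "to": "DEP-1", "rel": "reported_by"},
    # T-3 is referenced but never declared: broken traceability.
    {"from": "T-3", "to": "C-1", "rel": "mitigates", "confidence": 0.90},
]


def index_types(artifacts):
    """Map artifact id -> artifact type."""
    return {a["id"]: a["type"] for a in artifacts}


def coverage(artifacts, links, from_type, to_type, rel):
    """Equivalent of `tw coverage --from <from_type> --to <to_type>`:
    for every artifact of from_type, is there at least one `rel` link
    to an artifact of to_type? Returns {source_id: bool}."""
    types = index_types(artifacts)
    covered = {a["id"]: False for a in artifacts if a["type"] == from_type}
    for link in links:
        if link["rel"] != rel:
            continue
        if types.get(link["from"]) == from_type and types.get(link["to"]) == to_type:
            covered[link["from"]] = True
    return covered


def gaps(artifacts, links, from_type, to_type, rel):
    """Sorted ids of from_type artifacts with no qualifying link."""
    return sorted(i for i, ok in coverage(artifacts, links, from_type, to_type, rel).items() if not ok)


def unconfirmed(artifacts, links, from_type="threat", rel="mitigates", threshold=0.8):
    """Sources whose best `rel` link scores below the threshold: mitigations
    recorded but still awaiting confirmation testing (threshold is assumed)."""
    types = index_types(artifacts)
    best = {}
    for link in links:
        if link["rel"] == rel and types.get(link["from"]) == from_type:
            best[link["from"]] = max(best.get(link["from"], 0.0), link.get("confidence", 0.0))
    return sorted(src for src, score in best.items() if score < threshold)


def dangling_links(artifacts, links):
    """Links whose endpoints are not declared artifacts; these silently
    drop out of coverage queries, so surface them explicitly."""
    ids = {a["id"] for a in artifacts}
    return [l for l in links if l["from"] not in ids or l["to"] not in ids]


def audit(artifacts, links):
    """Summary an auditor would want before signing off on a package."""
    return {
        "campaigns_without_test": gaps(artifacts, links, "ota_campaign", "test", "verified_by"),
        "threats_without_control": gaps(artifacts, links, "threat", "control", "mitigates"),
        "vulns_without_control": gaps(artifacts, links, "vulnerability", "control", "addresses"),
        "unconfirmed_mitigations": unconfirmed(artifacts, links),
        "dangling_links": [(l["from"], l["to"]) for l in dangling_links(artifacts, links)],
    }


if __name__ == "__main__":
    for key, value in audit(ARTIFACTS, LINKS).items():
        print(f"{key}: {value}")
```

Run as a script it prints the audit summary; the same functions can be pointed at artifacts and links exported from a real package once the field names are mapped to the actual schema. Note that an unknown endpoint does not count as coverage, so a typo in an artifact id looks like a gap rather than a pass.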
Compliance dashboards
```shell
tw export out/csms.twpack --format unr155 --output reports/csms-summary.html
tw export out/sums.twpack --format unr156 --output reports/sums-summary.html
```
Share HTML summaries with compliance, while retaining the TWPack as the audit source of truth.
Integration tips
- Synchronize vulnerability data from CVE feeds or internal tools via `--links-from` and custom scripts.
- Record incident response exercises as artifacts to show continuous CSMS operation.
- Sign packages and store certificates to demonstrate provenance of cybersecurity documentation.
For broader automotive compliance context, combine these packages with ISO 26262 safety evidence and Automotive SPICE process data.