Standards and Policies Collaborations

The Automotive Industry Action Group (AIAG) is a nonprofit organization comprised of original equipment manufacturers (OEMs), suppliers, service providers, government entities, and individuals in academia who work collaboratively to improve quality and reduce costs and complexity in the automotive supply chain. AIAG membership includes leading global manufacturers, parts suppliers, and service providers.

The Automotive Information Sharing and Analysis Center (Auto-ISAC) is an industry-driven community that shares and analyzes intelligence about emerging cyber security risks to vehicles and collectively enhances vehicle cyber security capabilities across the global automotive industry, including light- and heavy-duty vehicle OEMs, suppliers, and the commercial vehicle sector. Auto-ISAC defines best practices that are well adopted among OEMs.

Automotive Open System Architecture (AUTOSAR) is a worldwide development partnership of vehicle manufacturers, suppliers, service providers, and companies from the automotive electronics, semiconductor, and software industries. AUTOSAR standards are used heavily in safety-critical automotive and aircraft applications.

The AUTOSAR Classic Platform defines a standard architecture and API that ensures interoperability across vendor components. It distinguishes on the highest abstraction level between three software layers that run on a microcontroller: application, runtime environment, and basic software. The AUTOSAR Classic Platform Working Groups develop and maintain the Classic Platform.

The AUTOSAR Adaptive Platform for high-performance computing engine control units (ECUs) implements the AUTOSAR runtime for adaptive applications (ARA). The two types of interfaces include services and APIs. The AUTOSAR Adaptive Platform Working Groups develop and maintain the Adaptive Platform.

AUTOSAR works closely with ISO/IEC JTC 1/SC 22/WG 14,  the ISO C standards committee working group, and ISO/IEC JTC 1/SC 22/WG 21, the ISO C++ standards committee working group.

AUTOSAR and MISRA  announced that their industry standard for best practice in C++ will be integrated into one publication.

The Center for Internet Security (CIS) is a community-driven nonprofit responsible for CIS Controls and CIS Benchmarks, globally recognized best practices for securing information technology (IT) systems and data.

CIS Benchmarks are consensus-developed, secure configuration guidelines for hardening of the cloud, operating systems, phone devices, applications, and middleware. Developed by cyber security professionals and subject matter experts, CIS Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia. The CIS Benchmarks community develops and updates secure configuration guidelines for technology families.

CIS WorkBench is a virtual place to network and collaborate with cyber security professionals from around the world. Activities include helping to draft configuration recommendations for the CIS Benchmarks, submitting tickets, and discussing best practices to secure a wide range of technologies.

The Consortium for Information and Software Quality (CISQ) is an industry leadership group that develops international standards to automate the measurement of software size and structural quality from the source code. CISQ standards enable organizations that develop or acquire software-intensive systems to measure the operational risk software poses to the business, as well as estimate the cost of ownership.

CISQ was co-founded by:

• Object Management Group (OMG), an international, open membership, not-for-profit technology standards consortium. OMG standards are driven by vendors, end users, academic institutions, and government agencies. OMG task forces develop enterprise integration standards for a wide range of technologies and industries.
• Software Engineering Institute (SEI) at Carnegie Mellon University (CMU), a Federally Funded Research and Development Center (FFRDC) sponsored by the U.S. Department of Defense (DOD). FFRDC is a nonprofit, public/private partnership that conducts research for the U.S. government. SEI works with partners throughout the U.S. government, the private sector, and academia. The SEI Computer Emergency Response Team (CERT) Division partners with government, industry, law enforcement, and academia to improve the security and resilience of computer systems and networks. CERT studies problems that have widespread cyber security implications and develops advanced methods and tools to counter large-scale, sophisticated cyber threats.

CISQ members and sponsors include software engineering, security, and quality management professionals and senior leadership responsible for major mission-critical systems from global enterprises, system integrators, service providers, software technology vendors, and public sector institutions. The CISQ roadmap includes the development of new standards, certification programs, and deployment activities to advance the state of practice in software engineering. CISQ sponsors participate in and influence standards development, including the identification of CISQ projects.

The CISQ governing board sets the program direction, including the roadmap for standards development and publication of technical guidance. CISQ projects include the following:

• The Automated Source Code Data Protection Measure by a CISQ working group is based on a collection of relevant CWEs that support enterprise and supply chain needs to protect data, confidential information, IP, and privacy.
• The Tool-to-Tool Software Bill of Materials Exchange, a joint working group of CISQ, the OMG, and the Software Package Data Exchange (SPDX), develops a standard that defines a software Bill of Materials (BOM or SBOM) and other items needing BOMs.
• The Architecture and Flow Measures for Modernization and DevOps Pipelines working group develops international standards for a new generation of software measures targeted at DevOps and modernization.
• “The Cost of Poor Software Quality in the U.S.: A 2020 Report” quantifies the impact of poor software quality on the U.S. economy referencing publicly available source material.

The study groups of the International Telecommunication Union (ITU) Telecommunication Standardization Sector (ITU-T) assemble experts from around the world to develop international standards known as ITU-T recommendations that act as defining elements in the global infrastructure of information and communication technologies (ICTs).

ITU-T SG 17 adopted the Cybersecurity Information Exchange (CYBEX) framework initiative that imports best-of-breed standards for platforms developed by government agencies and industry to enhance cyber security and infrastructure protection. The ITU-T CYBEX X.1500 standard series includes:

• ITU-T X.1520 based on the Common Vulnerabilities and Exposures (CVE) list, which includes records for publicly known vulnerabilities used in numerous global cyber security products and services such as the U.S. National Vulnerability Database (NVD)
• ITU-T X.1524 based on the Common Weakness Enumeration (CWE) list, which is a community-developed list of software and hardware weakness types that serves as a common language, measuring stick for security tools, and baseline for weakness identification, mitigation, and prevention efforts
• ITU-T X.1544 based on the Common Attack Pattern Enumeration and Classification (CAPEC) list, which is a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities

CVE, CWE, and CAPEC are sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI), which is operated by MITRE.

CVE numbering authorities (CNAs)  are global organizations authorized to assign CVE IDs to vulnerabilities that affect products within their distinct, agreed-upon scope for inclusion in first-time public announcements of new vulnerabilities. These CVE IDs are provided to researchers, vulnerability disclosers, and IT vendors.

The CVE board is comprised of numerous cyber security–related organizations and provides critical input regarding the data sources, product coverage, coverage goals, operating structure, and strategic direction of the CVE list.

CWE/CAPEC board members include technical implementers, subject matter experts, and advocates who provide critical input regarding domain coverage, coverage goals, operating structure, and strategic direction for the CWE and CAPEC lists.

The International Electrotechnical Commission (IEC) is an international standards organization that prepares and publishes international standards for all electrical, electronic, and related technologies.

IEC develops many standards through joint technical committees including:

• ISA99 committee       
  
• ISO/IEC technical committees and working groups for programming languages
• ISO/IEC technical committee and working group for IT, cyber security, and privacy protection
• ISO/IEC technical committee for software and systems engineering

The Institute of Electrical and Electronics Engineers (IEEE) is a technical professional organization dedicated to advancing technology for the benefit of humanity.

The IEEE Standards Association (IEEE SA) is a consensus-building organization that nurtures, develops, and advances global technologies through IEEE by bringing together a broad range of individuals and organizations to facilitate standards development and standards-related collaboration.

The IEEE SA corporate program facilitates the exploration of new standards opportunities at IEEE, supporting the development of projects around the full life cycle of standards. Its international presence allows for a broad-based focus on new work areas and programs.

The IEEE technical committee on electric and autonomous vehicles (TC-EAV) under the IEEE Reliability Society (RS) brings researchers and practitioners together for interdisciplinary collaborations among academia, industry, and government agencies, including both private and public sectors in areas such as software engineering, communications and networking, computer visions, artificial intelligence and machine learning, cyber-physical systems, testing, validation, and formal verification.

The International Committee for Information Technology Standards (INCITS) is the U.S. forum dedicated to creating technology standards for the next generation of innovation. INCITS members combine their expertise to create the building blocks for globally transformative technologies, from cloud computing to communications, from transportation to healthcare.

INCITS serves as the U.S. Technical Advisory Group (TAG) for ISO/IEC Joint Technical Committee 1. A U.S. TAG is a committee accredited by the American National Standards Institute (ANSI) to participate in ISO/IEC technical activities. ANSI-accredited U.S. TAGs include the range of U.S. parties interested in and affected by specific ISO/IEC standards.

The International Society of Automation (ISA) is a professional nonprofit association that develops widely used global standards, certifies industry professionals, provides education and training, publishes books and technical articles, hosts conferences and exhibits, and provides networking and career development programs for its global members and customers.

The ISA99 committee brings together global industrial cyber security experts to develop ISA standards on industrial automation and control systems security. It draws on the input and knowledge of global industrial automation and control systems (IACS) security experts to develop consensus standards that are applicable to all industry sectors and critical infrastructure.

The ISA99 committee develops a series of standards adopted by the IEC including the ISA/IEC 62443 series of standards, which provide a flexible framework to address and mitigate current and future security vulnerabilities in IACS.

The International Standards Organization (ISO) is an independent, nongovernmental, international organization of national standards bodies. Through its members, it brings together experts to share knowledge and develop voluntary, consensus-based, market-relevant international standards that support innovation and provide solutions to global challenges. ISO standards are developed by ISO technical committees.

ISO/IEC technical committees for programming languages

The ISO/IEC Joint Technical Committee 1 (JTC 1) Subcommittee 22 (SC 22) is the international standardization subcommittee for programming languages, their environments, and system software interfaces. SC 22 is also known as the portability subcommittee. JTC 1/SC 22 has working groups (WGs) for various programming languages including:

• ISO/IEC JTC 1/SC 22/WG 14, the ISO C standards committee working group
• ISO/IEC JTC 1/SC 22/WG 21, the ISO C++ standards committee (ISOCPP) working group organized into a three-stage pipeline consisting of several subgroups or study groups, such as SG 16 for topics related to Unicode text processing in C++, that develops standards like ISO/IEC 14882 C++ programming languages
• ISO/IEC JTC 1/SC 22/WG 23, the ISO programming language vulnerabilities standards committee working group that develops TR 24772 for various programming languages

ISO/IEC technical committee for IT, cyber security, and privacy protection

INCITS serves as the U.S. TAG to ISO/IEC JTC 1/SC 27 for information security, cyber security, and privacy protection. ISO/IEC JTC 1/SC 27/WG 3 security evaluation, testing and specification  codevelops standards for the protection of information and ICT including:

• ISO/IEC 27036 information security for supplier relationships standard for IT and security techniques, a multipart supply chain standard that offers guidance on the evaluation and treatment of information risks involved in the acquisition of goods and services from suppliers
• ISO/IEC 29147 vulnerability standard for information technology and security techniques, which provides requirements and recommendations to vendors on the disclosure of vulnerabilities in products and services

ISO/IEC technical committee for software and systems engineering

ISO/IEC JTC 1/SC 7 for software and systems engineering develops standards for processes, supporting tools, and supporting technologies for the engineering of software products and systems including ISO/IEC/IEEE 15026 systems and software assurance, which defines assurance-related terms and establishes an organized set of concepts and relationships to form a basis for shared understanding across user communities for assurance.

ISO technical committee for E/E components and general system aspects

ISO/TC 22/SC 32 for electrical and electronic (E/E) components and general system aspects develops standards for E/E components and cross-sectional specifications for E/E systems and components including:

• ISO 26262 functional safety standard for road vehicles, a multipart standard for safety-related systems that include one or more E/E systems and are installed in series production passenger cars
• ISO/CD 24089 software update engineering standard for road vehicles, which specifies requirements for cyber security risk management regarding engineering for concept, development, production, operation, maintenance, and decommissioning for road vehicle E/E systems, including their components and interfaces
• ISO/SAE 21434 cyber security engineering standard for road vehicles, which builds upon SAE J3061 and provides a similar framework for the entire life cycle of road vehicles

The Information Technology Industry Council (ITI or ITI-C) is a global advocate for technology. ITI promotes public policies and industry standards that advance competition and innovation worldwide. ITI members include the world's leading innovation companies.