Customer Proposal Summary
Product and cybersecurity architecture understanding package generated from Markdown-derived requirements.
Executive Takeaway
The customer proposal summary is ready for review, not approval. It consolidates supplier positions, customer actions, and unresolved responsibility decisions so the customer can respond without losing evidence traceability.
- Rows with clarification or partial acceptance require customer decisions before baseline agreement.
- Security capability dependencies show where ECU-side implementation depends on customer-owned policy, PKI, backend, or approval authority.
Total Requirements1076customer-facing rows
Proposal Ready1076supplier proposal present
Accepted by Supplier283clear scope
Accepted with Assumption389customer confirmation needed
Partially Accepted275shared responsibility
Rejected by Supplier0supplier rationale
Clarification Needed7customer answer needed
Open Points9decision topics
High Estimation Impact250planning drivers
Cybersecurity Concept Impact101security concept
Customer Feedback Received0matched rows
Agreement Baseline StatusNot establishedNo customer feedback has been ingested.
Supplier Position Summary
| Supplier Position | Count | Meaning | Customer Action Needed |
|---|---|---|---|
| Accept with Assumption | 389 | Implement under stated assumption. | Confirm or correct assumption. |
| Accept | 283 | Supplier will implement. | Confirm responsibility and method. |
| Partially Accept | 275 | ECU part only; customer part remains open. | Confirm responsibility split. |
| Informational Only | 113 | Context only. | Confirm if binding. |
| Needs Internal Review | 9 | Supplier review remains open. | No customer action yet. |
| Needs Customer Clarification | 7 | Blocked pending customer answer. | Answer linked open point. |
Open Point Customer Answers
| Open Point ID | Topic | Required Customer Answer | Impact | Related Requirements |
|---|---|---|---|---|
| OP-001 | ECU designation, variant and item definition for TARA | Confirm the exact ECU designation/variant and the agreed item definition and boundary used for the risk analysis (TARA). | TARA scope and effort stay open; downstream assets, goals and design may rework. | REQ-AUTO-00634;REQ-AUTO-00873;REQ-AUTO-00876 |
| OP-002 | Diagnostic security role model and service authorization | Confirm the diagnostic role model, the authorized services per role, and which party owns the diagnostic authorization policy. | Security-access design and verification scope cannot be frozen; risk of an unprotected diagnostic service. | REQ-AUTO-00282;REQ-AUTO-00299;REQ-AUTO-00310;REQ-AUTO-00333;REQ-AUTO-00334;REQ-AUTO-00350;REQ-AUTO-00366;REQ-AUTO-00377;REQ-AUTO-00411;REQ-AUTO-00412;REQ-AUTO-00413;REQ-AUTO-00442;REQ-AUTO-00450;REQ_UDS-0001;REQ_UDS-0047;REQ_UDS-0051;REQ_UDS-0338;REQ_UDS-0060;REQ_UDS-0063;REQ_UDS-0065;REQ_UDS-0067;REQ_UDS-0068;REQ_UDS-0071;REQ-AUTO-00578;REQ_UDS-0075;REQ_UDS-0076;REQ_UDS-0250;REQ_UDS-0082;REQ_UDS-0083;REQ_UDS-0089;REQ_UDS-0108;REQ_UDS-0109;REQ_UDS-0111;REQ_UDS-0112;REQ_UDS-0128;REQ_UDS-0158;REQ_UDS-0160;REQ_UDS-0170;REQ_UDS-0171;REQ_UDS-0172;REQ-AUTO-00733;REQ_UDS-0183;REQ_UDS-0185;REQ_UDS-0186;REQ_UDS-0187;REQ_UDS-0188;REQ_UDS-0190;REQ_UDS-0194;REQ_UDS-0202;REQ_UDS-0212;REQ_UDS-0223;REQ_UDS-0225;REQ_UDS-0227;REQ_UDS-0229;REQ_UDS-0230;REQ-AUTO-00789;REQ-AUTO-00804;REQ-AUTO-00806;REQ-AUTO-00808;REQ-AUTO-00810;REQ-AUTO-00814;REQ-AUTO-00817;REQ-AUTO-00820;REQ-AUTO-00821;REQ-AUTO-00832;REQ-AUTO-00833;REQ-AUTO-00834;REQ-AUTO-00835;REQ-AUTO-00837;REQ-AUTO-00889;REQ-AUTO-00890;REQ-AUTO-00892;REQ-AUTO-00910;REQ-AUTO-00962;REQ-AUTO-00964;REQ-AUTO-00967;REQ-AUTO-00973;REQ-AUTO-00994;REQ-AUTO-00995 |
| OP-003 | Key and certificate ownership, provisioning and lifecycle | Confirm ownership and provisioning flow for keys/certificates (generation, injection, storage, renewal, revocation) between OEM and supplier. | ECU secure-storage and provisioning design is blocked; production-line and PKI dependencies stay open. | REQ_SEC_0016;REQ-AUTO-00818;REQ-AUTO-00893;REQ-AUTO-00895;REQ-AUTO-00900;REQ-AUTO-00901;REQ-AUTO-00906;REQ-AUTO-00907;REQ-AUTO-00908;REQ-AUTO-00935;REQ-AUTO-00937;REQ-AUTO-00938;REQ-AUTO-00939;REQ-AUTO-00940;REQ-AUTO-00942;REQ-AUTO-00950;REQ-AUTO-00951;REQ-AUTO-00953;REQ-AUTO-00960;REQ-AUTO-00982 |
| OP-004 | Secure software update / backend campaign responsibility | Confirm the update chain ownership (backend/campaign vs. ECU programming) and the authenticity/integrity scheme to be applied. | Update-control scope and evidence ownership stay open; risk of an unprotected update path. | REQ-AUTO-00078;REQ-AUTO-00306;REQ-AUTO-00313;REQ-AUTO-00317;REQ-AUTO-00329;REQ-AUTO-00330;REQ-AUTO-00348;REQ-AUTO-00367;REQ-AUTO-00373;REQ-AUTO-00375;REQ-AUTO-00429;REQ-AUTO-00440;REQ-AUTO-00448;REQ-AUTO-00561;REQ-AUTO-00636;REQ-AUTO-00922;REQ-AUTO-00924;REQ-AUTO-00925;REQ-AUTO-00930;REQ-AUTO-00931 |
| OP-005 | Secure on-board communication (SecOC/SDT) signal allocation | Confirm which signals/PDUs require SecOC/SDT, the freshness scheme, and the key distribution for protected communication. | Protected-signal design, key needs and runtime budget stay open; risk of unprotected critical signals. | REQ-AUTO-00997;REQ-AUTO-01000;REQ-AUTO-01002;REQ-AUTO-01003;REQ-AUTO-01006;REQ-AUTO-01007;REQ-AUTO-01012;REQ-AUTO-01014;REQ-AUTO-01016;REQ-AUTO-01017;REQ-AUTO-01022;REQ-AUTO-01023;REQ-AUTO-01034;REQ-AUTO-01035;REQ-AUTO-01036;REQ-AUTO-01037;REQ-AUTO-01038;REQ-AUTO-01041;REQ-AUTO-01042;REQ-AUTO-01051;REQ-AUTO-01052;REQ-AUTO-01053;REQ-AUTO-01054;REQ-AUTO-01057;REQ-AUTO-01058;REQ-AUTO-01059;REQ-AUTO-01060;REQ-AUTO-01061;REQ-AUTO-01062;REQ-AUTO-01063;REQ-AUTO-01064;REQ-AUTO-01065;REQ-AUTO-01066;REQ-AUTO-01067;REQ-AUTO-01068;REQ-AUTO-01075;REQ-AUTO-01076 |
| OP-006 | Incident response and vulnerability management ownership | Confirm the split of monitoring, triage, vulnerability handling and field response between OEM PSIRT and supplier. | Lifecycle effort and field-response capability stay unbounded; risk of an R155 compliance gap. | REQ_SEC_0034 |
| OP-008 | Production, development and debug-interface hardening | Confirm production/debug hardening expectations (debug lock, secure end-of-line, developer-access policy). | Hardware fusing and EOL process design stay open; risk of an exposed debug/production interface. | REQ_SEC_0026;REQ-AUTO-00321 |
| OP-009 | Cybersecurity work products, DIA and responsibility split | Confirm the DIA / responsibility (RASIC/CIA) split for each cybersecurity work product before supplier scope is fixed. | Without an agreed DIA the supplier risks owning customer work products or leaving cybersecurity gaps in the case. | REQ-AUTO-00691 |
| OP-011 | Document-specific scope and responsibility confirmation | Scope and responsibility for each listed requirement. | Supplier position, estimation, and affected design allocation remain conditional for the listed requirements. | REQ-AUTO-00006;REQ-AUTO-00146;REQ-AUTO-00488;REQ-AUTO-00866 |
Security Capability Dependencies
| Security Capability | Related Requirements | Supplier Proposal Summary | Customer Dependency |
|---|---|---|---|
| Authentication | REQ_SEC_0008, REQ-AUTO-00333, REQ-AUTO-00334, REQ-AUTO-00832, REQ-AUTO-00892, REQ-AUTO-00895, REQ-AUTO-00907, REQ-AUTO-00933 (30 total) | Implement mapped ECU-side controls and provide verification evidence. | Confirm responsibility and method. |
| Diagnostic security | req-6.20, REQ-AUTO-00282, REQ-AUTO-00290, REQ-AUTO-00299, REQ-AUTO-00310, REQ-AUTO-00315, REQ-AUTO-00318, REQ-AUTO-00350 (30 total) | Implement mapped ECU-side controls and provide verification evidence. | Confirm responsibility and method. |
| Cybersecurity requirement handling | REQ-AUTO-00001, REQ_SEC_0001, REQ_SEC_0003, REQ_SEC_0022, REQ-AUTO-00009, REQ_SEC_0023, REQ-AUTO-00011, REQ_SEC_0024 (17 total) | Implement mapped ECU-side controls and provide verification evidence. | Confirm responsibility and method. |
| Key management | REQ_SEC_0016, REQ_SEC_0019, REQ_UDS-0068, REQ_UDS-0070, REQ_UDS-0092, REQ-AUTO-00875, REQ-AUTO-00991, REQ-AUTO-01014 (13 total) | Implement mapped ECU-side controls and provide verification evidence. | Confirm responsibility and method. |
| Certificate handling | REQ-AUTO-00818, REQ-AUTO-00821, REQ-AUTO-00839, REQ-AUTO-00951, REQ-AUTO-00953 | Implement mapped ECU-side controls and provide verification evidence. | Confirm responsibility and method. |
| Vulnerability management | REQ_SEC_0002, REQ-AUTO-00051 | Implement mapped ECU-side controls and provide verification evidence. | Confirm responsibility and method. |
| Secure communication | REQ-AUTO-00455, REQ-AUTO-01058 | Implement mapped ECU-side controls and provide verification evidence. | Confirm responsibility and method. |
| Incident response | REQ_SEC_0045 | Implement mapped ECU-side controls and provide verification evidence. | Confirm responsibility and method. |
| Logging and audit trail | REQ_SEC_0051 | Implement mapped ECU-side controls and provide verification evidence. | Confirm responsibility and method. |
Delivery Files
| File | Purpose |
|---|---|
| customer_requirement_proposal_package.csv | Full customer-facing proposal package |
| customer_feedback_template.csv | Customer response template |
| customer_feedback_instructions.md | Allowed decision values and return instructions |