Purpose of This Document
This document from the National Highway Traffic Safety Administration (NHTSA) updates the agency’s non-binding and voluntary guidance to the automotive industry for improving motor vehicle cybersecurity. NHTSA encourages vehicle and equipment manufacturers to review this guidance to determine whether and, if so, how to apply this guidance to their unique systems.
Vehicles are cyber-physical systems[1] and cybersecurity vulnerabilities could impact safety. NHTSA has made vehicle cybersecurity an organizational priority, and it is important for automotive industry suppliers and manufacturers to do so as well. This includes proactively adopting and using available guidance, such as this document, as well as existing standards and best practices. Prioritizing vehicle cybersecurity also means establishing internal processes and strategies to ensure systems will be safe under expected real-world conditions, including in the presence of potential vehicle cybersecurity threats. The automotive cybersecurity environment is dynamic and is expected to change continually and quickly.[2]
NHTSA believes the voluntary best practices described in this document provide a solid foundation for developing a risk-based approach to cybersecurity challenges, and describe important processes that can be maintained, refreshed and updated effectively over time to serve the needs of the automotive industry.
This document is intended to cover cybersecurity issues for all motor vehicles[3] and motor vehicle equipment (including software)[4] and is therefore applicable to all individuals and organizations designing and manufacturing vehicle electronic systems and software. These entities include, but are not limited to, small- and large-volume motor vehicle and motor vehicle equipment designers, suppliers, manufacturers, modifiers, and alterers.
While the cybersecurity recommendations in this document have broad applicability, their implementation would be expected to vary across automotive entities of different sizes and tiers. Importantly, all individuals and organizations involved in the design, manufacturing, assembly and maintenance of a motor vehicle have a critical role to play with respect to vehicle cybersecurity. The security of a system is measured by its weakest link. Organizations within the automotive supply chain should set clear cybersecurity expectations for their suppliers that are consistent with the best practices outlined in this document and support their own verified implementation.