
OEMs require ISO 21434 evidence and an SBOM from every Tier 1. No tier is exempt.
Suppliers who cannot produce compliant evidence are excluded from OEM RFPs before the commercial conversation starts. X-DLM™ makes that evidence automatic.
The cybersecurity qualification bar for automotive suppliers is rising faster than most have prepared for.
- Share of automotive cyberattacks that exploit software system vulnerabilities; the majority originate in ECU components from Tier 1 and Tier 2 suppliers that have not governed their open-source dependencies. Source: Upstream 2024.
- Number of countries requiring UN R155 type approval; every Tier 1 supplier whose ECU software is in a vehicle sold in any of those markets falls within the OEM's CSMS evidence scope.
- Reduction in audit preparation time when ISO 21434 TARA and SBOM evidence is maintained continuously in Polarion rather than assembled before each OEM qualification review. Source: X-DLM™ benchmarks.
- Risk for Tier 1 suppliers who cannot demonstrate ISO 21434-aligned processes: OEMs increasingly require cybersecurity interface agreements and SBOM data as conditions of supplier selection, before the RFP commercial round.
Sources: Upstream 2024. UNECE R155 Annex 5. Auto-ISAC SBOM Report. X-DLM™ customer benchmarks.
Cybersecurity qualification is becoming a supplier selection criterion, not an afterthought.
- 01
ISO 21434 TARA evidence — the OEM's primary qualification requirement
OEMs require Tier 1 suppliers to demonstrate ISO 21434-aligned Threat Analysis and Risk Assessment processes as part of cybersecurity interface agreements. Polarion provides the TARA workflow, traceability, and evidence documentation that OEM qualification audits review. X-DLM™ links Black Duck vulnerability intelligence directly to TARA assets — so the TARA stays current with new CVEs automatically.
- 02
ECU SBOM for Tier 1 delivery — what OEMs actually ask for
OEMs increasingly require Tier 1 suppliers to provide machine-readable SBOMs covering every component in ECU software deliverables — for integration into the vehicle-level SBOM and CSMS documentation. Black Duck generates SPDX and CycloneDX SBOMs from ECU firmware binaries, AUTOSAR components, and embedded Linux stacks — covering what the supplier declared and what was actually shipped.
- 03
Cybersecurity Interface Agreements — documentation on demand
UN R155 requires OEMs to establish and maintain cybersecurity interface agreements with suppliers covering cybersecurity roles, responsibilities, and evidence exchange. X-DLM™ maintains the Polarion governance records — TARA outputs, vulnerability response history, SBOM versions, and security requirement traceability — that form the documented basis of those agreements.
- 04
Cascade compliance to Tier 2 and Tier 3 suppliers
Tier 1 suppliers are cascading OEM cybersecurity requirements to their own supplier base. X-DLM™ supports supplier portal SBOM exchange and Tier 2 vulnerability inquiry management — giving Tier 1 procurement teams the same supply chain evidence cascade capability that OEMs are requiring from them.
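Items 01 and 02 above describe two checks an OEM reviewer actually performs on a Tier 1 delivery: does the shipped ECU firmware match the SBOM the supplier declared, and which TARA assets need re-evaluation when a component that shipped picks up a new advisory. The following is an added illustration, not X-DLM™, Black Duck or Polarion code. It reconciles two constructed, minimal CycloneDX-shaped documents (declared vs. scanned) and maps a constructed advisory feed onto a hypothetical TARA asset map; every component version, advisory id and asset name is made up for the example.

```python
"""Reconcile a supplier's declared ECU SBOM against a scan of the shipped
firmware, then flag the TARA assets whose components carry open advisories.

All data below is constructed for illustration: the SBOMs are minimal
CycloneDX-shaped JSON, the advisory ids are placeholders (not real CVEs) and
the TARA asset map describes a hypothetical ECU.
"""
import json

# Constructed: what the supplier declared in its delivered CycloneDX SBOM.
DECLARED_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "zlib", "version": "1.2.13",
         "purl": "pkg:generic/zlib@1.2.13"},
        {"type": "library", "name": "mbedtls", "version": "3.4.0",
         "purl": "pkg:generic/mbedtls@3.4.0"},
        {"type": "library", "name": "freertos-kernel", "version": "10.6.1",
         "purl": "pkg:generic/freertos-kernel@10.6.1"},
    ],
})

# Constructed: what a binary scan of the shipped firmware image reported.
SHIPPED_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "purl": "pkg:generic/zlib@1.2.11"},
        {"type": "library", "name": "mbedtls", "version": "3.4.0",
         "purl": "pkg:generic/mbedtls@3.4.0"},
        {"type": "library", "name": "lwip", "version": "2.1.3",
         "purl": "pkg:generic/lwip@2.1.3"},
    ],
})

# Constructed advisory feed keyed by purl; ids are placeholders, not real CVEs.
ADVISORIES = {
    "pkg:generic/zlib@1.2.11": ["ADVISORY-EXAMPLE-1"],
    "pkg:generic/lwip@2.1.3": ["ADVISORY-EXAMPLE-2"],
}

# Hypothetical TARA asset map: asset -> components the asset relies on.
TARA_ASSETS = {
    "OTA update verification": ["mbedtls", "zlib"],
    "Diagnostic CAN gateway": ["lwip", "freertos-kernel"],
    "Secure boot chain": ["mbedtls"],
}


def components_by_name(sbom_json):
    """Index a CycloneDX document's components as name -> (version, purl)."""
    doc = json.loads(sbom_json)
    return {c["name"]: (c["version"], c["purl"]) for c in doc.get("components", [])}


def reconcile(declared_json, shipped_json):
    """Compare declared vs. shipped and return the three discrepancy classes:
    components that shipped undeclared, declared components that did not ship,
    and components present in both but at different versions."""
    declared = components_by_name(declared_json)
    shipped = components_by_name(shipped_json)
    undeclared = sorted(set(shipped) - set(declared))
    missing = sorted(set(declared) - set(shipped))
    version_drift = {
        name: {"declared": declared[name][0], "shipped": shipped[name][0]}
        for name in declared.keys() & shipped.keys()
        if declared[name][0] != shipped[name][0]
    }
    return {"undeclared": undeclared, "missing": missing, "version_drift": version_drift}


def tara_assets_to_review(shipped_json, advisories, asset_map):
    """Match advisories against what actually shipped (not what was declared)
    and return the TARA assets that need re-assessment, with the purls that
    triggered the review."""
    shipped = components_by_name(shipped_json)
    affected = {name: purl for name, (_, purl) in shipped.items() if purl in advisories}
    review = {}
    for asset, names in asset_map.items():
        hits = sorted(affected[n] for n in names if n in affected)
        if hits:
            review[asset] = hits
    return review


if __name__ == "__main__":
    print(json.dumps(reconcile(DECLARED_SBOM, SHIPPED_SBOM), indent=2))
    print(json.dumps(tara_assets_to_review(SHIPPED_SBOM, ADVISORIES, TARA_ASSETS), indent=2))
```

The point of running the advisory match against the scanned SBOM rather than the declared one is that in this constructed case the declared zlib version would have matched no advisory at all; only the version that actually shipped does. That is the gap between "what the supplier declared" and "what was actually shipped" that item 02 refers to.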
See how Siemens Polarion and Black Duck become one governed software risk workflow.
X-DLM™ turns Black Duck software supply chain intelligence into Siemens Polarion work items, requirements links, approvals, escalation paths, and continuously maintained evidence.
Brand authority buyers recognize
Backed by Siemens lifecycle governance and Black Duck AppSec intelligence.
Siemens Polarion ALM
Polarion provides the lifecycle system of record for requirements, tests, approvals, traceability, workflow automation, audit evidence, and regulated software delivery.
Black Duck Software Composition Analysis
Black Duck identifies open source and third-party components across source, binaries, containers, firmware, snippets, AI-generated code, and C/C++ environments without package managers.
Automotive cybersecurity obligations cascade from OEM to every Tier in the supply chain.
UN R155 holds the OEM responsible for CSMS evidence across the entire vehicle — but Tier 1 suppliers must provide cybersecurity interface agreements, TARA evidence, and SBOM data to support that obligation. ISO/SAE 21434 governs the engineering process at every tier. A Tier 2 supplier without ISO 21434-aligned processes is a risk that lands in the OEM's type approval file.
Qualify as a cybersecurity-capable automotive supplier.
ISO 21434 TARA evidence. ECU SBOM delivery. Cybersecurity interface agreement documentation.
See how X-DLM™ integrates Black Duck and Siemens Polarion to produce the ISO/SAE 21434-aligned TARA evidence, ECU SBOM data, vulnerability response records, and cybersecurity interface agreement documentation that automotive OEMs require from Tier 1 and Tier 2 suppliers.