ISO SAE 21434-2021: Compilation of Requirements, Recommendations and Permissions (RQ, RC, PM)

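This article lists in detail the requirements, recommendations and permissions in cybersecurity management, including defining a cybersecurity policy, establishing rules and processes, allocating resources, and building communication channels.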


This article compiles the RQ, RC and PM items from every phase of 21434 in one place, for easy study and reference.

“RQ” for a requirement, “RC” for a recommendation, “PM” for a permission.

| No. | ID | Standard text |
|---|---|---|
| 1 | RQ-05-01 | The organization shall define a cybersecurity policy that includes: a) acknowledgement of road vehicle cybersecurity risks; and b) the executive management’s commitment to manage the corresponding cybersecurity risks. |
| 2 | RQ-05-02 | The organization shall establish and maintain rules and processes to: a) enable the implementation of the requirements of this document; and b) support the execution of the corresponding activities. |
| 3 | RQ-05-03 | The organization shall assign and communicate the responsibilities and corresponding organizational authority to achieve and maintain cybersecurity. |
| 4 | RQ-05-04 | The organization shall provide the resources to address cybersecurity. |
| 5 | RQ-05-05 | The organization shall identify disciplines related to, or interacting with, cybersecurity and establish and maintain communication channels between those disciplines in order to: a) determine if and how cybersecurity will be integrated into existing processes; and b) coordinate the exchange of relevant information. |
| 6 | RQ-05-06 | The organization shall foster and maintain a strong cybersecurity culture. |
| 7 | RQ-05-07 | The organization shall ensure that persons to which cybersecurity roles and responsibilities are assigned have the competences and awareness to fulfil these. |
| 8 | RQ-05-08 | The organization shall institute and maintain a continuous improvement process. |
| 9 | RQ-05-09 | The organization shall define the circumstances under which information sharing related to cybersecurity is required, permitted, or prohibited, internal or external to the organization. |
| 10 | RC-05-10 | The organization should align its information security management of the shared data with other parties in accordance with [RQ-05-09]. |
| 11 | RQ-05-11 | The organization shall institute and maintain a quality management system in accordance with International Standards, or equivalent, to support cybersecurity engineering, addressing: a) change management; b) documentation management; c) configuration management; and d) requirements management. |
| 12 | RQ-05-12 | The configuration information required for maintaining cybersecurity of a product in the field shall remain available until the end of cybersecurity support for the product, in order to enable remedial actions. |
| 13 | RC-05-13 | A cybersecurity management system for the production processes should be established in order to support the activities of Clause 12. |
| 14 | RQ-05-14 | Tools that can influence the cybersecurity of an item or component shall be managed. |
| 15 | RC-05-15 | An appropriate environment to support remedial actions for cybersecurity incidents (see 13.3) should be reproducible until the end of cybersecurity support for the product. |
| 16 | RC-05-16 | Work products should be managed in accordance with an information security management system. |
| 17 | RQ-05-17 | A cybersecurity audit shall be performed independently to judge whether the organizational processes achieve the objectives of this document. |
| 18 | RQ-06-01 | The responsibilities regarding the project’s cybersecurity activities shall be assigned and communicated in accordance with [RQ-05-03]. |
| 19 | RQ-06-02 | In order to decide cybersecurity activities needed for the item or component, the item or component shall be analysed to determine: a) whether the item or component is cybersecurity relevant; b) if the item or component is cybersecurity relevant, whether the item or component is a new development or a reuse; and c) whether tailoring in accordance with 6.4.3 is applied. |
| 20 | RQ-06-03 | The cybersecurity plan shall include the: a) objective of an activity; b) dependencies on other activities or information; c) personnel responsible for performing an activity; d) required resources for performing an activity; e) starting point or end point, and the expected duration of an activity; and f) identification of the work products to be produced. |
| 21 | RQ-06-04 | The responsibilities for developing and maintaining the cybersecurity plan, and for tracking the progress of the cybersecurity activities against the cybersecurity plan shall be assigned in accordance with [RQ-05-03] and [RQ-05-04]. |
| 22 | RQ-06-05 | The cybersecurity plan shall either be: a) referenced in the project plan for the development; or b) included in the project plan, such that the cybersecurity activities are distinguishable. |
| 23 | RQ-06-06 | The cybersecurity plan shall specify the activities that are required for cybersecurity during the concept and product development phases in accordance with the relevant requirements of Clauses 9, 10, 11 and 15. |
| 24 | RQ-06-07 | The cybersecurity plan shall be updated when a change or a refinement of the activities to be performed is identified. |
| 25 | PM-06-08 | For threat scenarios of risk value 1 that are determined from an analysis in accordance with 15.8, conformity with 9.5, Clause 10 and Clause 11 may be omitted. |
| 26 | RQ-06-09 | The work products identified in the cybersecurity plan shall be updated and maintained for accuracy until and at the release for post-development. |
| 27 | RQ-06-10 | If cybersecurity activities are distributed, customer and supplier shall each define a cybersecurity plan regarding their respective cybersecurity activities and interfaces in accordance with Clause 7. |
| 28 | RQ-06-11 | The cybersecurity plan shall be subject to configuration management and documentation management, in accordance with 5.4.4. |
| 29 | RQ-06-12 | The work products identified in the cybersecurity plan shall be subject to configuration management, change management, requirements management, and documentation management, in accordance with 5.4.4. |
| 30 | PM-06-13 | A cybersecurity activity may be tailored. |
| 31 | RQ-06-14 | If a cybersecurity activity is tailored, then a rationale why the tailoring is adequate and sufficient to achieve the relevant objectives of this document shall be provided and reviewed. |
| 32 | RQ-06-15 | A reuse analysis shall be carried out if an item or component has been developed and: a) modifications are planned; b) is planned to be reused in another operational environment; or c) is planned to be reused without modification and there are relevant changes to the information concerning the item or component. |
| 33 | RQ-06-16 | A reuse analysis of an item or component shall: a) identify the modifications to the item or component and the modifications of its operational environment; b) analyse the cybersecurity implications of the modifications, including the effects on the validity of cybersecurity claims and previously made assumptions; c) identify the affected or missing work products; and d) specify the cybersecurity activities necessary to conform with this document in the cybersecurity plan (see 6.4.2). |
| 34 | RQ-06-17 | A reuse analysis of a component shall evaluate whether: a) the component is able to fulfil the allocated cybersecurity requirements from the item or component, in which it is to be integrated; and b) the existing documentation is sufficient to support the integration into an item, or into another component. |
| 35 | RQ-06-18 | Assumptions on the intended use and context, including the external interfaces, for a component developed out-of-context shall be documented in the corresponding work products. |
| 36 | RQ-06-19 | For the development of a component out-of-context, the cybersecurity requirements shall be based on the assumptions of [RQ-06-18]. |
| 37 | RQ-06-20 | For the integration of a component developed out-of-context, the cybersecurity claims and assumptions of [RQ-06-18] shall be validated. |
| 38 | RQ-06-21 | When integrating an off-the-shelf component, the cybersecurity-relevant documentation shall be gathered and analysed to determine whether: a) allocated cybersecurity requirements can be fulfilled; b) the component is suitable for the specific application context of the intended use; and c) existing documentation is sufficient to support the cybersecurity activities. |
| 39 | RQ-06-22 | If the existing documentation is insufficient to support the integration of the off-the-shelf component, then the cybersecurity activities to conform with this document shall be identified and performed. |
| 40 | RQ-06-23 | A cybersecurity case shall be created to provide the argument for the cybersecurity of the item or component, supported by work products. |
| 41 | RQ-06-24 | A decision whether to perform a cybersecurity assessment for an item or component shall be made supported by a rationale applying a risk-based approach. |
| 42 | RQ-06-25 | The rationale of [RQ-06-24] shall be reviewed independently. |
| 43 | RQ-06-26 | The cybersecurity assessment shall judge the cybersecurity of the item or component. |
| 44 | RQ-06-27 | A person responsible to plan and perform independently a cybersecurity assessment shall be appointed in accordance with [RQ-06-01]. |
| 45 | RQ-06-28 | A person who carries out a cybersecurity assessment shall have: a) access to the relevant information and tools; and b) the cooperation of the personnel performing the cybersecurity activities. |
| 46 | PM-06-29 | A cybersecurity assessment may be based on a judgement of whether the objectives of this document are achieved. |
| 47 | RQ-06-30 | The scope of a cybersecurity assessment shall include: a) the cybersecurity plan and all work products identified in the cybersecurity plan; b) the treatment of the cybersecurity risks; c) the appropriateness and effectiveness of implemented cybersecurity controls and cybersecurity activities performed for the project; and d) the rationales, if provided, that demonstrate the achievement of the objectives of this document. |
| 48 | RQ-06-31 | A cybersecurity assessment report shall include a recommendation for acceptance, conditional acceptance, or rejection of the cybersecurity of the item or component. |
| 49 | RQ-06-32 | If a recommendation for conditional acceptance in accordance with [RQ-06-31] is made, then the cybersecurity assessment report shall include the conditions for acceptance. |
| 50 | RQ-06-33 | The following work products shall be available prior to the release for post-development: a) the cybersecurity case [WP-06-02]; b) if applicable, the cybersecurity assessment report [WP-06-03]; and c) the cybersecurity requirements for post-development [WP-10-02]. |
| 51 | RQ-06-34 | The following conditions shall be fulfilled for the release for post-development of the item or component: a) the argument for cybersecurity provided by the cybersecurity case is convincing; b) the cybersecurity case is confirmed by the cybersecurity assessment, if applicable; and c) the cybersecurity requirements for the post-development phases are accepted. |
| 52 | RQ-07-01 | The capability of a candidate supplier to develop and, if applicable, perform post-development activities in accordance with this document shall be evaluated. |
| 53 | RC-07-02 | To support a customer’s evaluation of supplier capability, a supplier should provide a record of cybersecurity capability. |
| 54 | RQ-07-03 | A request for quotation from a customer to a candidate supplier shall include: a) a formal request to conform to this document; b) the expectation that cybersecurity responsibilities will be taken on by the supplier in accordance with 7.4.3; and c) the cybersecurity goals and/or set of cybersecurity requirements relevant to the item or component for which the supplier is quoting. |
| 55 | RQ-07-04 | A customer and a supplier shall specify the distributed cybersecurity activities in a cybersecurity interface agreement including: a) appointment of customer’s and supplier’s points of contact regarding cybersecurity; b) identification of cybersecurity activities that are to be performed by customer and supplier, respectively; c) if applicable, a joint tailoring of cybersecurity activities in accordance with 6.4.3; d) the information and the work products to be shared; e) milestones regarding the distributed cybersecurity activities; and f) definition of the end of cybersecurity support for the item or component. |
| 56 | RC-07-05 | The cybersecurity interface agreement should be mutually agreed upon between customer and supplier prior to the start of the distributed cybersecurity activities. |
| 57 | RQ-07-06 | If there is an identified vulnerability to be managed in accordance with [RQ-08-07], the customer and supplier shall agree on actions and responsibility for those actions. |
| 58 | RQ-07-07 | If requirements are unclear, not feasible, or conflict with other cybersecurity requirements or requirements from other disciplines, then customer and supplier shall each notify the other so that appropriate decisions and actions can be taken. |
| 59 | RC-07-08 | Responsibilities should be specified in a responsibility assignment matrix. (Note in the Chinese translation: a RASIC table can be used, see Annex C.) |
| 60 | RQ-08-01 | Sources shall be selected for collection of cybersecurity information. |
| 61 | RQ-08-02 | Triggers shall be defined and maintained for the triage of cybersecurity information. (Note in the Chinese translation: triggers can include keywords, references to configuration information, and the names of components or suppliers.) |
| 62 | RQ-08-03 | Cybersecurity information shall be collected and triaged to determine if the cybersecurity information becomes one or more cybersecurity events. |
| 63 | RQ-08-04 | A cybersecurity event shall be evaluated to identify weaknesses in an item and/or component. |
| 64 | RQ-08-05 | Weaknesses shall be analysed to identify vulnerabilities. |
| 65 | RQ-08-06 | A rationale shall be provided for a weakness that is not identified as a vulnerability. |
| 66 | RQ-08-07 | Vulnerabilities shall be managed such that for each vulnerability: a) the corresponding cybersecurity risks are assessed and treated in accordance with 15.9 such that no unreasonable risks remain; or b) the vulnerability is eliminated by applying an available remediation independent of a TARA. |
| 67 | RQ-08-08 | If a risk treatment decision in accordance with 15.9 necessitates cybersecurity incident response, then 13.3 shall be applied. |
| 68 | RQ-09-01 | The following information on the item shall be identified: a) item boundary; b) item functions; and c) preliminary architecture. |
| 69 | RQ-09-02 | Information about the operational environment of the item relevant to cybersecurity shall be described. |
| 70 | RQ-09-03 | An analysis based on the item definition shall be performed that involves: a) asset identification in accordance with 15.3; b) threat scenario identification in accordance with 15.4; c) impact rating in accordance with 15.5; d) attack path analysis in accordance with 15.6; e) attack feasibility rating in accordance with 15.7; and f) risk value determination in accordance with 15.8. |
| 71 | RQ-09-04 | Based on the results of [RQ-09-03], risk treatment options shall be determined for each threat scenario in accordance with 15.9. |
| 72 | RQ-09-05 | If the risk treatment decision for a threat scenario includes reducing the risk, then one or more corresponding cybersecurity goals shall be specified. |
| 73 | RQ-09-06 | If the risk treatment decision for a threat scenario includes: a) sharing the risk; or b) retaining the risk due to one or more assumptions used during the analysis of [RQ-09-03], then one or more corresponding cybersecurity claims shall be specified. |
| 74 | RQ-09-07 | A verification shall be performed to confirm: a) correctness and completeness of the result of [RQ-09-03] with respect to the item definition; b) completeness, correctness and consistency of the risk treatment decisions of [RQ-09-04] with respect to the results of [RQ-09-03]; c) completeness, correctness and consistency of the cybersecurity goals of [RQ-09-05] and of the cybersecurity claims of [RQ-09-06] with respect to the risk treatment decisions of [RQ-09-04]; and d) consistency of all cybersecurity goals of [RQ-09-05] and cybersecurity claims of [RQ-09-06] of the item. |
| 75 | RQ-09-08 | Technical and/or operational cybersecurity controls and their interactions to achieve the cybersecurity goals shall be described, taking into account: a) dependencies between the functions of the item; and/or b) cybersecurity claims. |
| 76 | RQ-09-09 | Cybersecurity requirements of the item and requirements on the operational environment shall be defined for the cybersecurity goals in accordance with the description of [RQ-09-08]. |
| 77 | RQ-09-10 | The cybersecurity requirements shall be allocated to the item, and if applicable to one or more of its components. |
| 78 | RQ-09-11 | The results of [RQ-09-08], [RQ-09-09] and [RQ-09-10] shall be verified to confirm: a) completeness, correctness, and consistency with respect to cybersecurity goals; and b) consistency with respect to cybersecurity claims. |
| 79 | RQ-10-01 | Cybersecurity specifications shall be defined based on: a) cybersecurity specifications from higher levels of architectural abstraction; b) cybersecurity controls selected for implementation, if applicable; and c) existing architectural design, if applicable. |
| 80 | RQ-10-02 | The defined cybersecurity requirements shall be allocated to components of the architectural design. |
| 81 | RQ-10-03 | Procedures to ensure cybersecurity after the development of the component shall be specified, if applicable. |
| 82 | RQ-10-04 | If design, modelling or programming notations or languages are used for the cybersecurity specifications or their implementation, the following shall be considered when selecting such a notation or language: a) an unambiguous and comprehensible definition in both syntax and semantics; b) support for achievement of modularity, abstraction and encapsulation; c) support for the use of structured constructs; d) support for the use of secure design and implementation techniques; e) ability to integrate already existing components; and f) resilience of the language against vulnerabilities due to its improper use. |
| 83 | RQ-10-05 | Criteria (see [RQ-10-04]) for suitable design, modelling or programming languages for cybersecurity that are not addressed by the language itself shall be covered by design, modelling and coding guidelines, or by the development environment. |
| 84 | RC-10-06 | Established and trusted design and implementation principles should be applied to avoid or minimize the introduction of weaknesses. |
| 85 | RQ-10-07 | The architectural design defined in [RQ-10-01] shall be analysed to identify weaknesses. |
| 86 | RQ-10-08 | The defined cybersecurity specifications shall be verified to ensure completeness, correctness, and consistency with the cybersecurity specifications from higher levels of architectural abstraction. |
| 87 | RQ-10-09 | Integration and verification activities shall verify that the implementation and integration of components fulfil the defined cybersecurity specifications. |
| 88 | RQ-10-10 | The integration and verification activities of [RQ-10-09] shall be specified considering: a) the defined cybersecurity specifications; b) configurations intended for series production, if applicable; c) sufficient capability to support the functionality specified in the defined cybersecurity specifications; and d) conformity with the modelling, design and coding guidelines of [RQ-10-05], if applicable. |
| 89 | RQ-10-11 | If verification by testing is adopted, test coverage shall be evaluated using defined test coverage metrics to determine sufficiency of the test activities. |
| 90 | RC-10-12 | Testing should be performed in order to confirm that unidentified weaknesses and vulnerabilities remaining in the component are minimized. |
| 91 | RQ-10-13 | If testing in accordance with [RC-10-12] is not performed, then a rationale shall be provided. |
| 92 | RQ-11-01 | Validation activities at the vehicle level for the item considering the configurations for series production shall confirm: a) adequacy of the cybersecurity goals with respect to the threat scenarios and corresponding risk; b) achievement of the cybersecurity goals of the item; c) validity of the cybersecurity claims; and d) validity of the requirements on the operational environment, if applicable. |
| 93 | RQ-11-02 | A rationale for the selection of validation activities shall be provided. |
| 94 | RQ-12-01 | A production control plan shall be created that applies the cybersecurity requirements for post-development. |
| 95 | RQ-12-02 | The production control plan shall include: a) sequence of steps that apply the cybersecurity requirements for post-development; b) production tools and equipment; c) cybersecurity controls to prevent unauthorized alteration during production; and d) methods to confirm that the cybersecurity requirements for post-development are met. |
| 96 | RQ-12-03 | The production control plan shall be implemented. |
| 97 | RQ-13-01 | For each cybersecurity incident, a cybersecurity incident response plan shall be created that includes: a) remedial actions; b) a communication plan; c) assigned responsibilities for the remedial actions; d) a procedure for recording new cybersecurity information relevant to the cybersecurity incident; e) a method for determining progress; f) criteria for closure of the cybersecurity incident response; and g) actions for the closure. |
| 98 | RQ-13-02 | The cybersecurity incident response plan shall be implemented. |
| 99 | RQ-13-03 | Updates and update-related capabilities within the vehicle shall be developed in accordance with this document. |
| 100 | RQ-14-01 | A procedure shall be created to communicate to customers when an organization decides to end cybersecurity support for an item or component. |
| 101 | RQ-14-02 | The cybersecurity requirements for post-development with regard to decommissioning shall be made available. |
| 102 | RQ-15-01 | Damage scenarios shall be identified. |
| 103 | RQ-15-02 | Assets with cybersecurity properties whose compromise leads to a damage scenario shall be identified. |
| 104 | RQ-15-03 | Threat scenarios shall be identified and include: targeted asset; compromised cybersecurity property of the asset; and cause of compromise of the cybersecurity property. |
| 105 | RQ-15-04 | The damage scenarios shall be assessed against potential adverse consequences for road users in the impact categories of safety, financial, operational, and privacy (S, F, O, P) respectively. |
| 106 | RQ-15-05 | The impact rating of a damage scenario shall be determined for each impact category to be one of the following: severe; major; moderate; or negligible. |
| 107 | RQ-15-06 | Safety related impact ratings shall be derived from ISO 26262-3:2018, 6.4.3. |
| 108 | PM-15-07 | If a damage scenario results in an impact rating and an argument can be made that every impact of another impact category is considered less critical, then further analysis for that other impact category may be omitted. |
| 109 | RQ-15-08 | The threat scenarios shall be analysed to identify attack paths. |
| 110 | RQ-15-09 | An attack path shall be associated with the threat scenarios that can be realized by the attack path. |
| 111 | RQ-15-10 | For each attack path, the attack feasibility rating shall be determined as described in Table 1. |
| 112 | RC-15-11 | The attack feasibility rating method should be defined based on one of the following approaches: a) attack potential-based approach; b) CVSS-based approach; or c) attack vector-based approach. |
| 113 | RC-15-12 | If an attack potential-based approach is used, the attack feasibility rating should be determined based on core factors including: a) elapsed time; b) specialist expertise; c) knowledge of the item or component; d) window of opportunity; and e) equipment. |
| 114 | RC-15-13 | If a CVSS-based approach is used, the attack feasibility rating should be determined based on the exploitability metrics of the base metric group, including: a) attack vector; b) attack complexity; c) privileges required; and d) user interaction. |
| 115 | RC-15-14 | If an attack vector-based approach is used, the attack feasibility rating should be determined based on evaluating the predominant attack vector (cf. CVSS [24] 2.1.1) of the attack path. |
| 116 | RQ-15-15 | For each threat scenario the risk value shall be determined from the impact of the associated damage scenarios and the attack feasibility of the associated attack paths. |
| 117 | RQ-15-16 | The risk value of a threat scenario shall be a value between (and including) 1 and 5, where a value of 1 represents minimal risk. |
| 118 | RQ-15-17 | For each threat scenario, considering its risk values, one or more of the following risk treatment option(s) shall be determined: a) avoiding the risk; b) reducing the risk; c) sharing the risk; d) retaining the risk. |