4.2.11 Industry best practices
[G.22] Best practices for secure software development should be followed, for example as outlined in NIST publications [32][33] and ISO/SAE 21434 [34].
Due to the dynamic and continuously evolving nature of cybersecurity, it is important for the members of the automotive industry to stay abreast of the available cybersecurity guidance, best practices, design principles, and standards based on or published by SAE International, ISO, Auto-ISAC, NHTSA, the Cybersecurity and Infrastructure Security Agency (CISA), NIST, industry associations, and other recognized standards-setting bodies, as appropriate. Further,
[G.23] Manufacturers should actively participate in automotive industry-specific best practices
and standards development activities through recognized standards development
organizations and the Auto-ISAC.
[G.24] As future risks emerge, industry should collaborate to expediently develop mitigation measures and best practices to address the new risks.
4.3 Information Sharing
In late 2014, in alignment with Executive Order 13691, "Promoting Private Sector Cybersecurity Information Sharing" (EO 13691) [35], NHTSA began encouraging the industry [36] to create the Auto-ISAC [37].
The automotive industry established the Auto-ISAC in late 2015 and it became fully
operational on January 19, 2016. The Auto-ISAC is authorized by EO 13691 to facilitate industry’s
cybersecurity-related information sharing among its members. Government entities, including NHTSA,
are not members of the Auto-ISAC. NHTSA does not participate in or access the information sharing
that takes place within Auto-ISAC.
As of early 2022, Auto-ISAC membership includes 64 organizations. NHTSA recommends:
[G.25] Members of the extended automotive industry (including, but not limited to, vehicle
manufacturers, automotive equipment suppliers, software developers, communication
Footnotes

[32] Black P., Badger M., Guttman B., Fong E., NISTIR 8151, Dramatically Reducing Software Vulnerabilities: Report to the White House Office of Science and Technology Policy.

[33] Dodson D., Souppaya M., Scarfone K., Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework.

[34] ISO/SAE 21434 clause 10 discusses software development practices.

[35] Executive Order 13691, Promoting Private Sector Cybersecurity Information Sharing, encourages the development and formation of Information Sharing and Analysis Centers.

[36] NHTSA Report to Congress: "Electronic Systems Performance in Passenger Motor Vehicles," December 2015, available at: https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/electronic-systems-performance-in-motor20vehicles.pdf.

[37] McCarthy C., Harnett K., Carter A., & Hatipoglu C., Assessment of the Information Sharing and Analysis Center Model (2014), available at: https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/812076-assessinfosharingmodel.pdf.