eclipse-score · sunildevda · Jan 29, 2026 · Jan 30, 2026 · Feb 12, 2026 · masc2023
@@ -21,5 +21,6 @@ Module Documents
 
    manual/index.rst
    safety_mgt/index.rst
+   security_mgt/index.rst
    verification/module_verification_report.rst
    release/release_note.rst
@@ -19,3 +19,4 @@ Manuals
    :titlesonly:
 
    safety_manual
+   security_manual
@@ -12,18 +12,26 @@
    # SPDX-License-Identifier: Apache-2.0
    # *******************************************************************************
 
-Security Manual Template
-=========================
+Security Manual
+===============
 
-.. gd_temp:: Security Manual Template
-   :id: gd_temp__security_manual
-   :status: valid
-   :complies:
+.. note:: Document header
 
-   Will be moved to Folder Templates (tbd https://github.com/eclipse-score/process_description/issues/109)
-   For the content see here: need:`doc__module_name_security_manual`
-   Will also adapted to the latest Safety ManualTemplate
+.. document:: [Your Module Name] Security Manual
+   :id: doc__module_name_security_manual
+   :status: draft
+   :safety: ASIL_B
+   :security: YES
+   :realizes: wp__module_security_manual
+   :tags: template
 
+.. attention::
+    The above directive must be updated according to your Module.
+
+    - Modify ``Your Module Name`` to be your Module Name
+    - Modify ``id`` to be your Module Name in upper snake case preceded by ``doc__`` and succeeded by ``_security_manual``
+    - Adjust ``status`` to be ``valid``
+    - Adjust ``security`` and ``tags`` according to your needs
 
 Introduction/Scope
 ------------------
@@ -39,7 +47,9 @@ Assumptions of Use
 
 Assumptions on the Environment
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-| Generally the assumption of the Project platform OoC is that it is integrated in a secure system, i.e. the POSIX OS it runs on is qualified and also the HW related failures are taken into account by the system integrator, if not otherwise stated in the module's security concept.
+| The platform and its components are developed as Out of Context (OoC) with assumptions on the environment.
+  It is assumed that the platform/components are integrated in a secure system, i.e. qualified POSIX OS.
+  Also the HW related failures are taken into account by the system integrator, if not otherwise stated in the module's security concept.
 | <List here all the OS calls the Project platform expects to be secure.>
 
 List of AoUs expected from the environment the platform / module runs on:
@@ -58,12 +68,12 @@ List of AoUs expected from the environment the platform / module runs on:
 
 Assumptions on the User
 ^^^^^^^^^^^^^^^^^^^^^^^
-| As there is no assumption on which specific OS and HW is used, the integration testing of the stakeholder and feature requirements is expected to be performed by the user of the platform EooC. Tests covering all stakeholder and feature requirements performed on a reference platform (tbd link to reference platform specification), reviewed and passed are included in the platform EooC security package.
+| As there is no assumption on which specific OS and HW is used, the integration testing of the stakeholder and feature requirements is expected to be performed by the user of the platform OoC. Tests covering all stakeholder and feature requirements performed on a reference platform (tbd link to reference platform specification), reviewed and passed are included in the platform OoC security package.
 | Additionally the components of the platform may have additional specific assumptions how they are used. These are part of every module documentation: <link to add>. Assumptions from components to their users can be fulfilled in two ways:
 | 1. There are assumption which need to be fulfilled by all SW components, e.g. "every user of an IPC mechanism needs to make sure that he provides correct data (e.g. including appropriate security (access) control)" - in this case the AoU is marked as "platform".
-| 2. There are assumption which can be fulfilled by a security control realized by some other Project platform component and are therefore not relevant for an user who uses the whole platform. But those are relevant if you chose to use the module EooC stand-alone - in this case the AoU is marked as "module". An example would be the "JSON read" which requires "The user shall provide a string as input which is not corrupted due to HW or QM SW errors." - which is covered when using together with safe <Project> platform persistency feature.
+| 2. There are assumption which can be fulfilled by a security control realized by some other Project platform component and are therefore not relevant for an user who uses the whole platform. But those are relevant if you chose to use the module OcC stand-alone - in this case the AoU is marked as "module". An example would be the "JSON read" which requires "The user shall provide a string as input which is not corrupted due to HW or QM SW errors." - which is covered when using together with safe <Project> platform persistency feature.
 
-List of AoUs on the user of the platform features or the module of this security manual:
+List of AoUs on the user of the platform features or the module of this Security Manual:
 
 .. needtable::
    :style: table
@@ -83,7 +93,7 @@ Security concept of the OoC
 
 Security Weaknesses, Vulnerabilities
 ------------------------------------
-| Weaknesses, Vulnerabilities (bugs in security relevant SW, detected by testing or by users, which could not be fixed) known before release are documented in the platform/module release notes <add link to release note>.
+| Weaknesses, vulnerabilities (bugs in security relevant SW, detected by testing or by users, which could not be fixed) known before release are documented in the platform/module release notes <add link to release note>.
 
 References
 ----------

@@ -12,8 +12,8 @@
    # SPDX-License-Identifier: Apache-2.0
    # *******************************************************************************
 
-Module Safety Plan
-******************
+Safety Plan
+***********
 
 .. note:: Document header
 

@@ -0,0 +1,23 @@
+..
+   # *******************************************************************************
+   # Copyright (c) 2025 Contributors to the Eclipse Foundation
+   #
+   # See the NOTICE file(s) distributed with this work for additional
+   # information regarding copyright ownership.
+   #
+   # This program and the accompanying materials are made available under the
+   # terms of the Apache License Version 2.0 which is available at
+   # https://www.apache.org/licenses/LICENSE-2.0
+   #
+   # SPDX-License-Identifier: Apache-2.0
+   # *******************************************************************************
+
+Security Management
+###################
+
+.. toctree::
+   :titlesonly:
+
+   module_security_plan
+   module_security_plan_fdr
+   module_security_package_fdr
@@ -12,17 +12,31 @@
    # SPDX-License-Identifier: Apache-2.0
    # *******************************************************************************
 
-Security Package Formal Review Checklist
-========================================
+Security Package Formal Review Report
+=====================================
+
+.. note:: Document header
+
+.. document:: [Your Module Name] Security Package Formal Review
+   :id: doc__module_name_security_package_fdr
+   :status: draft
+   :safety: ASIL_B
+   :security: YES
+   :realizes: wp__fdr_reports
+   :tags: template
+
+.. attention::
+    The above directive must be updated according to your Module.
+
+    - Modify ``Your Module Name`` to be your Module Name
+    - Modify ``id`` to be your Module Name in upper snake case preceded by ``doc_`` and succeeded by ``safety_package_fdr``
+    - Adjust ``status`` to be ``valid``
+    - Adjust ``safety`` and ``tags`` according to your needs
 
-.. gd_chklst:: Security Package Formal Review Checklist
-   :id: gd_chklst__security_package
-   :status: valid
-   :complies: std_req__isosae21434__prj_management_6471, std_req__isosae21434__prj_management_6491, std_req__isosae21434__prj_management_6492
 
 **1. Purpose**
 
-The purpose of this review checklist is to report status of the formal review for the security package.
+The purpose of this review checklist is to report status of the formal review for the Security Package.
 
 **2. Checklist**
 
@@ -32,17 +46,17 @@ See also :ref:`review_concept` for further information about reviews in general
         :header-rows: 1
 
         * - Id
-          - Security package activity
+          - Security Package activity
           - Compliant to ISO SAE 21434?
           - Comment
 
         * - 1
-          - Is a security package provided which matches the security plan (i.e. all planned work products referenced)?
+          - Is a Security Package provided which matches the Security Plan (i.e. all planned work products referenced)?
           - [YES | NO ]
           - <Rationale for result>
 
         * - 2
-          - Is the argument how security is achieved, provided in the security package, plausible and sufficient?
+          - Is the argument how security is achieved, provided in the Security Package, plausible and sufficient?
           - NO
           - The argument is intentionally not provided by the Project.
 
@@ -52,9 +66,9 @@ See also :ref:`review_concept` for further information about reviews in general
           - <Rationale for result>
 
         * - 4
-          - Are the referenced work products in released state, including the process security audit?
+          - Are the referenced work products in released state, including the Process Security Audit?
           - NO
-          - Security audit is currently not planned, tailored out.
+          - Security Audit is currently not planned, tailored out.
 
         * - 5
           - If security related deviations from the process or security concept are documented, are these argued understandably?

@@ -12,26 +12,34 @@
    # SPDX-License-Identifier: Apache-2.0
    # *******************************************************************************
 
-Module Security Plan Template
-=============================
+Security Plan
+=============
 
-.. gd_temp:: Module Security Plan Template
-   :id: gd_temp__module_security_plan
-   :status: valid
-   :complies:
+.. note:: Document header
 
-   Will be moved to Folder Templates (tbd https://github.com/eclipse-score/process_description/issues/109)
-   For the content see here: need:`doc__module_name_security_plan`
-   Will also adapted to the latest Safety Plan Template
+.. document:: [Your Module Name] Security Plan
+   :id: doc__module_name_security_plan
+   :status: draft
+   :safety: ASIL_B
+   :security: YES
+   :realizes: wp__module_security_plan
+   :tags: template
 
+.. attention::
+    The above directive must be updated according to your Module.
+
+    - Modify ``Your Module Name`` to be your Module Name
+    - Modify ``id`` to be your Module Name in upper snake case preceded by ``doc_`` and succeeded by ``security_plan``
+    - Adjust ``status`` to be ``valid``
+    - Adjust ``safety`` and ``tags`` according to your needs
 
 
    | **1. Security Management Context**
    | This Security Plan adds to the :ref:`process_security_management` all the module development relevant work products needed for ISO SAE 21434 conformity.
    |
    | **2. Security Management Scope**
    | This Security Plan's scope is a SW module of the SW platform <link to module documentation in platform/modules/<modulename>/index.rst>.
-   | The module consists of one or more SW components and will be qualified as a EooC.
+   | The module consists of one or more SW components and will be qualified as a OoC.
    |
    | **3. Security Management Roles**
 
@@ -74,21 +82,21 @@ Module Security Plan Template
           - <Link to WP>
           - <automated>
 
-        * - :need:`wp__fdr_reports` (module Security Plan)
+        * - :need:`wp__fdr_reports` (Module Security Plan)
           - :need:`gd_chklst__security_plan`
           - <automated>
           - <Link to issue>
           - <Link to WP>
           - <automated>
 
-        * - :need:`wp__fdr_reports` (module Security Package)
+        * - :need:`wp__fdr_reports` (Module Security Package)
           - :need:`Security Package Formal Review Checklist <gd_chklst__security_package>`
           - <automated>
           - <Link to issue>
           - <Link to WP>
           - <automated>
 
-        * - :need:`wp__fdr_reports` (module's Security Analyses)
+        * - :need:`wp__fdr_reports` (Module's Security Analyses)
           - Security Analysis FDR tbd
           - <automated>
           - <Link to issue>
@@ -110,7 +118,7 @@ Module Security Plan Template
           - <automated>
 
         * - :need:`wp__module_security_manual`
-          - :need:`gd_temp__security_manual`
+          - :need:`gd_temp__module_security_manual`
           - <automated>
           - <Link to issue>
           - <Link to WP>

@@ -12,17 +12,31 @@
    # SPDX-License-Identifier: Apache-2.0
    # *******************************************************************************
 
-Security Plan Review Checklist
-==============================
+Security Plan Formal Review Report
+==================================
 
-.. gd_chklst:: Security Plan Review Checklist
-   :id: gd_chklst__security_plan
-   :status: valid
-   :complies: std_req__isosae21434__prj_management_6411, std_req__isosae21434__prj_management_6421, std_req__isosae21434__prj_management_6422, std_req__isosae21434__prj_management_6423, std_req__isosae21434__prj_management_6424, std_req__isosae21434__prj_management_6425, std_req__isosae21434__prj_management_6426, std_req__isosae21434__prj_management_6427, std_req__isosae21434__prj_management_6428, std_req__isosae21434__prj_management_6429, std_req__isosae21434__prj_management_64210, std_req__isosae21434__prj_management_64211, std_req__isosae21434__prj_management_6431, std_req__isosae21434__prj_management_6432, std_req__isosae21434__prj_management_6441, std_req__isosae21434__prj_management_6442, std_req__isosae21434__prj_management_6443, std_req__isosae21434__prj_management_6451, std_req__isosae21434__prj_management_6452, std_req__isosae21434__prj_management_6453, std_req__isosae21434__prj_management_6461, std_req__isosae21434__prj_management_6462
+.. note:: Document header
+
+.. document:: [Your Module Name] Security Plan Formal Review
+   :id: doc__module_name_security_plan_fdr
+   :status: draft
+   :safety: ASIL_B
+   :security: YES
+   :realizes: wp__fdr_reports
+   :tags: template
+
+.. attention::
+    The above directive must be updated according to your Module.
+
+    - Modify ``Your Module Name`` to be your Module Name
+    - Modify ``id`` to be your Module Name in upper snake case preceded by ``doc_`` and succeeded by ``_security_plan_fdr``
+    - Adjust ``status`` to be ``valid``
+    - Adjust ``safety`` and ``tags`` according to your needs
 
 **1. Purpose**
 
-The purpose of this security plan review checklist is to report status of the review for the security plan.
+The purpose of this review checklist is to provide a guidence for reviewing the Security Plans for each module.
+Each Module Security Plan shall have one checklist filled.
 
 **2. Checklist**
 
@@ -32,12 +46,12 @@ See also :ref:`review_concept` for further information about reviews in general
         :header-rows: 1
 
         * - Id
-          - Security plan activity
+          - Security Plan activity
           - Compliant to ISO SAE 21434?
           - Comment
 
         * - 1
-          - Is the rationale for the security work products tailoring included?
+          - Is the rationale for the Security Work Products tailoring included?
           - [YES | NO ]
           - <Rationale for result>
 
@@ -47,47 +61,47 @@ See also :ref:`review_concept` for further information about reviews in general
           - <Rationale for result>
 
         * - 3
-          - Does the security plan define all needed activities for security management (incl. Review and Security Audit)?
+          - Does the Security Plan define all needed activities for security management (including review and security audit)?
           - [YES | NO ]
           - <Rationale for result>
 
         * - 4
-          - Does the security plan define all needed activities for SW development, integration and verification?
+          - Does the Security Plan define all needed activities for SW development, integration and verification?
           - [YES | NO ]
           - <Rationale for result>
 
         * - 5
-          - Does the security plan define all needed activities for security analysis?
+          - Does the Security Plan define all needed activities for security analysis?
           - [YES | NO ]
           - <Rationale for result>
 
         * - 6
-          - Does the security plan define all needed activities for supporting processes (incl. tool mgt)?
+          - Does the Security Plan define all needed activities for supporting processes (incl. tool mgt)?
           - [YES | NO ]
           - <Rationale for result>
 
         * - 7
-          - Does the security plan document a responsible for all activities?
+          - Does the Security Plan document a responsible for all activities?
           - [YES | NO ]
           - <Rationale for result>
 
         * - 8
-          - If Off-the-shelf (e.g. existing OSS) software components is used, is it planned to be analysed?
+          - If OSS software components is used, is it planned to be qualified?
           - [YES | NO ]
           - <Rationale for result>
 
         * - 9
-          - Is a security manager and a project lead appointed for the project?
+          - Is a Security Manager and a Project Lead appointed for the project?
           - [YES | NO ]
           - <Rationale for result>
 
         * - 10
-          - Is security plan sufficiently linked to the project plan?
+          - Is Security Plan sufficiently linked to the Project Plan?
           - [YES | NO ]
           - <Rationale for result>
 
         * - 11
-          - Is security plan updated iteratively to show the progress?
+          - Is Security Plan updated iteratively to show the progress?
           - [YES | NO ]
           - <Rationale for result>
 
@@ -97,14 +111,14 @@ See also :ref:`review_concept` for further information about reviews in general
           - <Rationale for result>
 
         * - 13
-          - Does the security plan define all needed activities for SBOM generation?
+          - Does the Security Plan define all needed activities for SBOM generation?
           - [YES | NO ]
           - <Rationale for result>
 
         * - 14
-          - Does the security plan define regular vulnerability scans for the generated SBOM?
+          - Does the Security Plan define regular vulnerability scans for the generated SBOM?
           - [YES | NO ]
           - <Rationale for result>
 
 .. note::
-    Off-the-shelf means existing software which may used w/o modification, e.g. existing OSS
+    Off-the-shelf means existing software which may used without modification, e.g. existing OSS
Original file line number	Diff line number	Diff line change
Expand Up		@@ -19,3 +19,4 @@ Manuals
		:titlesonly:

		safety_manual
		security_manual