Security Credential Management System

The vendor required to provide security credential management system (SCMS) for requirements:
- Security and credentials management system functional requirements
•    SCMS shall provide pseudonym, identity, and application certificates as needed to support device certificate needs.
•    SCMS shall determine if a device’s certificates should be revoked based on misbehavior reports it receives.
•    The SCMS shall generate and maintain a certificate revocation list (CRL) as specified in IEEE 1609.2 to identify and revoke misbehaving or compromised devices.
•    SCMS certificates shall contain an operational organization identifier
•    SCMS certificates shall contain service specific permissions (SSP), based on vehicle type
- Security and credentials management system interface requirements
•    SCMS shall provide application certificates to authorized roadside unit (RSUs)
•    SCMS shall provide application certificates to the mobile edge processor (MEP).
•    SCMS shall provide pseudonym certificates to authorized OBUs
•    SCMS shall provide identity certificates to authorized on-board unit (OBUs).
•    SCMS shall provide identity certificates to authorized mobile devices.
•    SCMS shall receive misbehavior reports from all devices.
•    SCMS shall distribute a CRL to all devices.
•    SCMS shall include a gateway appliance\service that enables a secure proxy for routing RSU requests to the SCMS. 
•    This should be a transport layer security (TLS), or similar, secure connection to the SCMS system.
- Security and credentials management system security requirements
•    All SCMS communications with v2x devices shall be conducted over secure, encrypted, end-to-end connections compliant with IEEE 1609.2 security standards.
•    The SCMS shall support a minimum of 128-bit security strength for cryptographic operations, including certificate signing and validation, in accordance with national institute of standards and technology (NIST) and IEEE 1609.2 guidelines.
•    Access to the SCMS shall be controlled using role-based access control, ensuring users can access only the functions necessary for their role.
•    SCMS user accounts shall be authenticated using a unique username and a strong password meeting NIST SP 800-63b guidelines (minimum length, complexity, and password history requirements).
•    Firewalls shall support internet protocol version 6 (ipv6) tunneling over internet protocol version 4 (ipv4) where applicable to maintain secure connectivity between devices and SCMS infrastructure.

- Pre-Proposal Conference Date: December 16, 2025
- Questions/Inquires Deadline: December 25, 2025