NEWS & REPORTS

Connected vehicles rule submitted to White House

Jan 4, 2025 | Industry News

Mark Schremmer

The U.S. Department of Commerce is hitting the accelerator on a rulemaking to address security risks involving connected vehicles.

Less than two months after the comment period ended for a proposal to prohibit transactions involving connected vehicle technology by China or other “foreign adversaries,” the Department of Commerce has already drafted a final rule.

The department’s Bureau of Industry and Security submitted a final rule to be reviewed by the White House Office of Management and Budget on Dec. 17, 2024. The quick turnaround appears to be an attempt to get a final rule published before a new administration takes control later this month. The gap between a proposal and final rule often can be a year or more.

However, the White House still needs to approve the final rule before it can be published in the Federal Register and take effect. As of the morning of Thursday, Jan. 2, that had not happened.

The expedited rulemaking process also could be attributed to the importance of the issue. The agency said the proposal, which was unveiled in September 2024, is aimed at addressing “undue or unacceptable” risks to national security.

“Today’s vehicles contain a myriad of connected components that provide greater convenience for consumers and increase road safety for both drivers and pedestrians,” the agency wrote. “However, the incorporation of progressively more complex hardware and software systems that facilitate these features has also increased the attack surfaces through which malign actors may exploit vulnerabilities to gain access to a vehicle.”

The proposal would prohibit transactions involving Vehicle Connectivity System hardware and covered software designed, developed, manufactured or supplied by persons owned by, controlled by or subject to the jurisdiction or direction of the People’s Republic of China, the Hong Kong Special Administrative Region or the Russian Federation.

The agency proposed regulations that would:

  • Prohibit Vehicle Connectivity System hardware importers from knowingly importing into the United States certain hardware for connected vehicles
  • Prohibit connected vehicle manufacturers from knowingly importing into the United States completed connected vehicles incorporating certain software
  • Prohibit connected vehicle manufacturers from knowingly selling within the United States completed connected vehicles that incorporate covered software
  • Prohibit connected vehicle manufacturers who are owned by, controlled by or subject to the jurisdiction of China or Russia from knowingly selling in the United States completed vehicles that incorporate covered hardware or software

The proposal received about 100 comments.

The Owner-Operator Independent Drivers Association, which is supportive of the rulemaking, used its comments to ask for more oversight of autonomous vehicles.

“OOIDA has raised safety and cybersecurity concerns regarding the development of autonomous vehicles as the technology has been deployed in recent years,” the Association wrote in formal comments. “We believe this Department of Commerce proposal can help implement necessary federal oversight for autonomous vehicle safety and protect private personal and vehicle information.”

OOIDA also called out the lack of transparency regarding autonomous vehicles and the link between some of these companies and foreign countries. For instance, a former TuSimple executive was accused of failing to disclose his relationship with a Chinese autonomous hydrogen-powered truck company.

It is unknown how much time it will take for the connected vehicle final rule to clear the White House. Additionally, it is unknown if the agency’s submitted final rule has changed since the initial proposal.

“This rule marks a critical step forward in protecting America’s technology supply chains from foreign threats and ensures that connected vehicle technologies are secure from the potential exploitation of entities linked to the PRC and Russia,” said Under Secretary of Commerce for Industry and Security Alan F. Estevez. “The Department of Commerce will continue to take a proactive approach to address this national security risk before Chinese and Russian suppliers proliferate within the U.S. automotive ecosystem. Our goal is always to safeguard our national security.”

“Our regulatory focus remains steadfast on enhancing the security of our nation’s critical technologies,” said Elizabeth Cannon, Executive Director of OICTS. “Without this proposed rule, we would be leaving an open door for foreign adversaries looking to compromise one of our most important assets, our cars. BIS is committed to safeguarding our technology supply chains from foreign adversary manipulation.”

Today’s proposed rule would prohibit the import and sale of vehicles with certain VCS or ADS hardware or software with a nexus to the PRC or Russia. The VCS is the set of systems that allow the vehicle to communicate externally, including telematics control units, Bluetooth, cellular, satellite, and Wi-Fi modules. The ADS includes the components that collectively allow a highly autonomous vehicle to operate without a driver behind the wheel.

The rule would also prohibit manufacturers with a nexus to the PRC or Russia from selling connected vehicles that incorporate VCS hardware or software or ADS software in the United States, even if the vehicle was made in the United States.

The prohibitions on software would take effect for Model Year 2027 and the prohibitions on hardware would take effect for Model Year 2030, or January 1, 2029 for units without a model year.

The proposed rule is implemented under BIS’s ICTS authorities, as provided for under Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain.” EO 13873 allows the Department of Commerce to issue regulations that establish criteria by which particular technologies may be included in EO 13873’s prohibitions when transactions involving those technologies (1) pose an undue or unacceptable risk of sabotage to or subversion of ICTS in the United States; (2) pose an undue risk of catastrophic effects on the security or resiliency of U.S. critical infrastructure or the digital economy of the United States; or (3) otherwise pose an unacceptable risk to the national security of the United States or the security and safety of U.S. persons.

This NPRM incorporates public feedback submitted in response to an Advance Notice of Proposed Rulemaking (ANPRM) on connected vehicles published by BIS on March 1, 2024. BIS is seeking additional public comment on today’s proposed rule from all interested parties.

Additional Information:

The text of the proposed rule is available here. BIS invites public comments, which are due 30 days after publication. Stakeholders are encouraged to submit their feedback by the deadline to ensure that the final provisions reflect broad industry and public input. You may submit comments for the rule by identified docket number BIS-2024-0005 or RIN 0694-AJ56. All comments must be submitted through the Federal eRulemaking Portal (https://www.regulations.gov) or emailed directly to connectedvehicles@bis.doc.gov with “RIN 0694-AJ56” included in the subject line.

About the Author

NEWS & REPORTS

FMCSA expands crash preventability review criteria

FMCSA has adopted its proposed changes to its Crash Preventability Determination Program (CPDP), adding four new eligible crash types and broadening the definition of existing crash types to include indirect consequences of actions of other motorists. The new and...

Register for Q&A webinar on SMS changes

Understanding Future Changes to FMCSA's Safety Measurement System – Part 1 Join the Federal Motor Carrier Safety Administration (FMCSA) for a webinar series to learn more about upcoming changes to the Safety Measurement System (SMS) methodology used to prioritize...

CATEGORIES