Rule 2025-00592

Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published
January 16, 2025
Effective
March 17, 2025

Issuing agencies

Commerce Department; Industry and Security Bureau

Abstract

This final rule, published by the Department of Commerce's (Department) Bureau of Industry and Security (BIS), sets forth regulations and procedures to address undue or unacceptable risks to national security and U.S. persons posed by classes of transactions involving information and communications technology and services (ICTS) that are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of certain foreign adversaries and that are integral to connected vehicles as defined herein.

Full Text

<html>
<head>
<title>Federal Register, Volume 90 Issue 10 (Thursday, January 16, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 10 (Thursday, January 16, 2025)]
[Rules and Regulations]
[Pages 5360-5424]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-00592]




[[Page 5360]]



DEPARTMENT OF COMMERCE

Bureau of Industry and Security

15 CFR Part 791

[Docket No. 250107-0005]
RIN 0694-AJ56


Securing the Information and Communications Technology and 
Services Supply Chain: Connected Vehicles

AGENCY: Bureau of Industry and Security, Department of Commerce.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule, published by the Department of Commerce's 
(Department) Bureau of Industry and Security (BIS), sets forth 
regulations and procedures to address undue or unacceptable risks to 
national security and U.S. persons posed by classes of transactions 
involving information and communications technology and services (ICTS) 
that are designed, developed, manufactured, or supplied by persons 
owned by, controlled by, or subject to the jurisdiction or direction of 
certain foreign adversaries and that are integral to connected vehicles 
as defined herein.

DATES: This final rule goes into effect on March 17, 2025.

FOR FURTHER INFORMATION CONTACT: Marc Coldiron, U.S. Department of 
Commerce, telephone: (202) 482-3678. For media inquiries: Office of 
Congressional and Public Affairs, Bureau of Industry and Security, U.S. 
Department of Commerce: [email protected].

SUPPLEMENTARY INFORMATION: 

I. Background

    In this final rule, BIS prohibits transactions involving Vehicle 
Connectivity System (VCS) hardware and covered software designed, 
developed, manufactured, or supplied by persons owned by, controlled 
by, or subject to the jurisdiction or direction of the People's 
Republic of China, including the Hong Kong Special Administrative 
Region and the Macau Special Administrative Region, (PRC); or the 
Russian Federation (Russia). It follows an advance notice of proposed 
rulemaking (ANPRM), 89 FR 15066 (March 1, 2024), and a notice of 
proposed rulemaking (NPRM), 89 FR 79088 (September 26, 2024). In the 
ANPRM, BIS sought public comment to inform a rulemaking that would 
address the undue or unacceptable risks, as identified in Executive 
Order (E.O.) 13873, ``Securing the Information and Communications 
Technology and Services Supply Chain,'' 84 FR 22689 (May 17, 2019), 
posed by a class of transactions that involve ICTS designed, developed, 
manufactured, or supplied by persons owned by, controlled by, or 
subject to the jurisdiction or direction of a foreign adversary and 
integral to connected vehicles. The NPRM proposed a rule to address the 
undue or unacceptable risks identified in the ANPRM and solicited 
public comment. BIS has considered the comments received during both 
rounds of public comment, and is making revisions, from the proposed 
rule, that address significant portions of that feedback.
    In E.O. 13873, the President delegated to the Secretary of Commerce 
(Secretary), to the extent necessary to implement the Order, the 
authority granted under the International Emergency Economic Powers Act 
(IEEPA) (50 U.S.C. 1701, et seq.), ``to deal with any unusual and 
extraordinary'' foreign threat to the United States' national security, 
foreign policy, or economy, if the President declares a national 
emergency with respect to such threat. 50 U.S.C. 1701(a). In E.O. 
13873, the President declared a national emergency with respect to the 
``unusual and extraordinary'' foreign threat posed to the ICTS supply 
chain and has, in accordance with the National Emergencies Act (NEA), 
extended the declaration of this national emergency in each year since 
E.O. 13873's publication. See Continuation of the National Emergency 
With Respect to Securing the Information and Communications Technology 
and Services Supply Chain, 85 FR 29321 (May 14, 2020); Continuation of 
the National Emergency With Respect to Securing the Information and 
Communications Technology and Services Supply Chain, 86 FR 26339 (May 
13, 2021); Continuation of the National Emergency With Respect to 
Securing the Information and Communications Technology and Services 
Supply Chain, 87 FR 29645 (May 13, 2022); Continuation of the National 
Emergency With Respect to Securing the Information and Communications 
Technology and Services Supply Chain, 88 FR 30635 (May 11, 2023); 
Continuation of the National Emergency With Respect to Securing the 
Information and Communications Technology and Services Supply Chain, 89 
FR 40353 (May 9, 2024).
    Specifically, the President identified the ``unrestricted 
acquisition or use in the United States of ICTS designed, developed, 
manufactured, or supplied by persons owned by, controlled by, or 
subject to the jurisdiction or direction of foreign adversaries'' as 
``an unusual and extraordinary'' foreign threat to the national 
security, foreign policy, and economy of the United States that 
``exists both in the case of individual acquisitions or uses of such 
technology or services, and when acquisitions or uses of such 
technologies are considered as a class.'' See E.O. 13873, and 50 U.S.C. 
1701(a)-(b).
    Once the President declares a national emergency, IEEPA empowers 
the President to, among other acts, investigate, regulate, prevent, or 
prohibit, any ``acquisition, holding, withholding, use, transfer, 
withdrawal, transportation, importation or exportation of, or dealing 
in, or exercising any right, power, or privilege with respect to, or 
transactions involving, any property in which any foreign country or a 
national thereof has any interest by any person, or with respect to any 
property, subject to the jurisdiction of the United States.'' 50 U.S.C. 
1702(a)(1)(B).
    To address the identified risks to national security from ICTS 
transactions, the President in E.O. 13873 imposed a prohibition on 
transactions that the Secretary, in consultation with relevant agency 
heads, has determined involve foreign adversary ICTS and pose certain 
risks to U.S. national security, including U.S. technology and critical 
infrastructure, or the security and safety of U.S. persons. 
Specifically, to fall within the scope of the prohibition, the 
Secretary must determine that a transaction: (1) ``involves [ICTS] 
designed, developed, manufactured, or supplied, by persons owned by, 
controlled by, or subject to the jurisdiction or direction of a foreign 
adversary,'' defined in E.O. 13873 as ``any foreign government or 
foreign non-government person engaged in a long-term pattern or serious 
instances of conduct significantly adverse to the national security of 
the United States or security and safety of United States persons,'' 
which, pursuant to E.O. 13873's implementing regulations at 15 CFR 
791.4 are the PRC, Republic of Cuba (Cuba), Islamic Republic of Iran 
(Iran), Democratic People's Republic of Korea (North Korea), Russia, 
and Venezuelan politician Nicolás Maduro (Maduro Regime); and 
(2):
    A. ``Poses an undue risk of sabotage to or subversion of the 
design, integrity, manufacturing, production, distribution, 
installation, operation, or maintenance of information and 
communications technology or services in the United States;''
    B. ``Poses an undue risk of catastrophic effects on the security or

[[Page 5361]]

resiliency of United States critical infrastructure or the digital 
economy of the United States;'' or
    C. ``Otherwise poses an unacceptable risk to the national security 
of the United States or the security and safety of United States 
persons.''
    Factors A through C are collectively referred to as ``undue or 
unacceptable risks.'' In addition, section 1(b) of E.O. 13873 grants 
the Secretary the authority to design or negotiate mitigation measures 
to allow an otherwise prohibited transaction.
    The President also delegated to the Secretary the ability to 
promulgate regulations that, among other things, establish when 
transactions involving particular technologies may be categorically 
prohibited. E.O. 13873 section 2(a)-(b); see also 3 U.S.C. 301-02. 
Specifically, the Secretary may issue regulations establishing 
criteria, consistent with section 1 of E.O. 13873, by which particular 
technologies or market participants may be categorically included in or 
categorically excluded from prohibitions established pursuant to E.O. 
13873.

II. Introduction

    Today's vehicles contain a myriad of connected components that 
provide greater convenience for consumers and increase road safety for 
both drivers and pedestrians, such as Wi-Fi, Bluetooth, cellular, and 
satellite connectivity. However, the incorporation of progressively 
more complex hardware and software systems that facilitate these 
features has also increased the attack surfaces through which malign 
actors and foreign adversaries may exploit vulnerabilities to gain 
access to a vehicle. As BIS outlined in its March 1, 2024, ANPRM and 
its September 26, 2024, NPRM, certain ICTS integral to connected 
vehicles present an undue or unacceptable risk to U.S. national 
security when those systems are designed, developed, manufactured, or 
supplied by persons owned by, controlled by, or subject to the 
jurisdiction or direction of a foreign adversary.
    In the Securing the Information and Communications Technology and 
Services Supply Chain interim final rule, 86 FR 4909 (Jan. 19, 2021), 
the Secretary determined that certain foreign governments or foreign 
non-government persons--the PRC, Cuba, Iran, North Korea, Russia, and 
the Maduro Regime--constitute foreign adversaries for purposes of E.O. 
13873 and regulations promulgated pursuant to E.O. 13873. See 15 CFR 
791.4 (to the extent that the list of foreign adversaries identified in 
15 CFR 791.4 is updated to add or remove governments or non-government 
persons, this final rule intends to reflect the most up-to-date 
designations of foreign adversaries). Additionally, section 2(b) of 
E.O. 13873 provides that the Secretary may issue rules that identify 
particular technologies or countries with respect to transactions 
involving ICTS that warrant particular scrutiny. For the purposes of 
this final rule regarding transactions involving ICTS integral to 
connected vehicles, BIS is focusing its regulatory efforts on ICTS that 
are designed, developed, manufactured, or supplied by persons owned by, 
controlled by, or subject to the jurisdiction or direction of the PRC 
or Russia. BIS has identified that, for the purposes of addressing the 
national security risks posed by connected vehicles, these two foreign 
adversaries pose particular undue and unacceptable risks to U.S. 
national security because of these adversaries' legal, political, and 
regulatory regimes, combined with their current and anticipated growth 
and involvement in the connected vehicles sector.
    As discussed below, the PRC and Russia are able to leverage 
domestic legislation and regulatory regimes to compel companies subject 
to their jurisdiction, including carmakers and their suppliers, to 
cooperate with security and intelligence services. Such control over 
companies and their products and services means that their equipment is 
easily exploitable by PRC and Russian authorities. The privileged 
access that the PRC and Russia may gain to connected vehicles through 
their components, including software and hardware, could enable those 
foreign adversaries to (1) exfiltrate sensitive data collected by 
connected vehicles and (2) allow remote access and manipulation of 
connected vehicles driven by U.S. persons. Pursuant to E.O. 13873, BIS 
has determined that certain classes of transactions that can facilitate 
the exfiltration of data and remote manipulation of connected vehicles 
by the PRC and Russia pose undue or unacceptable risks to U.S. national 
security and to the safety and security of U.S. persons. These risks, 
moreover, present an urgent national security risk to the safety and 
security of technology used in the United States and to U.S. persons.
    The PRC has pre-positioned malware on U.S. information technology 
and critical infrastructure networks. The PRC has also set objectives 
for the completion of the People's Liberation Army's (PLA) 
modernization and other military and technology goals by 2027, which--
in light of the PLA's military-civil fusion strategy and the growing 
prevalence of PRC dual-use technologies in U.S. commercial supply 
chains, including in the auto industry--presents additional risks to 
U.S. national security. Mounting evidence of threats such as these to 
U.S. critical infrastructure, data security, and broader national 
security necessitates this urgent action by the U.S. government to 
address the risk of foreign adversary supply chains in the connected 
vehicles sector.

a. Overview of the Advance Notice of Proposed Rulemaking (ANPRM)

    BIS issued an ANPRM, 89 FR 15066 (Mar. 1, 2024), seeking public 
comment to inform a rulemaking that would address the undue or 
unacceptable risks posed by a class of transactions that involve ICTS 
designed, developed, manufactured, or supplied by persons owned by, 
controlled by, or subject to the jurisdiction or direction of a foreign 
adversary and integral to connected vehicles. In the ANPRM, BIS posed 
35 questions to the public for comment and feedback. The questions 
related to potential definitions used in the rulemaking, the degree of 
foreign adversary involvement in the connected vehicle supply chain, 
which systems should be the focus of a potential rulemaking, and what 
the economic impacts of a potential rulemaking might be, among other 
questions. BIS identified six systems as the potential focus for a 
future rule: (1) vehicle operating systems (OS), (2) telematics 
systems, (3) advanced driver assistance systems (ADAS), (4) automated 
driving systems (ADS), (5) satellite or cellular telecommunications 
systems, and (6) battery management systems (BMS). BIS received 57 
comment submissions in response to the ANPRM from a variety of parties, 
including original equipment manufacturers (OEMs), component suppliers, 
two foreign governments, nonprofit organizations, and individual 
respondents. Five comments contained Confidential Business Information 
(CBI), and one comment was retracted at the request of the commenter. 
The comments generally urged BIS to narrow the scope of a future 
regulation and to limit the systems to be regulated to only those 
posing significant national security risks. Commenters also urged BIS 
to provide industry stakeholders with sufficient lead time to comply. 
BIS considered each comment in developing the NPRM outlined in the next 
section.

b. Overview of the Notice of Proposed Rulemaking (NPRM)

    BIS then issued an NPRM, 89 FR 79088 (Sept. 26, 2024), that 
identified a smaller subset of systems in connected

[[Page 5362]]

vehicles that pose the most significant undue or unacceptable risk to 
national security when designed, developed, manufactured, or supplied 
by persons owned by, controlled by, or subject to the jurisdiction or 
direction of the PRC or Russia. Below is a summary of the proposed 
rule.
Regulated Systems
    The proposed rule identified (1) VCS, which is composed of the 
hardware and software that enable a connected vehicle to communicate 
off-board above 450 MHz, and (2) ADS, as subject to regulation by BIS. 
This determination was based, in part, on public comments requesting 
BIS narrow the scope of the rule, as a regulation that impacted all six 
of the listed automotive systems would be overbroad. The ANPRM listed 
ADS, operating systems, telematic systems, automated driving assistance 
systems, satellite and communication systems, and battery management 
systems as potential automotive systems that could be regulated in the 
subsequent proposed rule. Public comment as well as BIS's analysis 
suggested that automotive telematics functions were one of the primary 
means for a foreign adversary to exploit automotive data and actuation 
systems. BIS also determined, based on public comment as well as 
internal analysis, that the term ``telematics'' generally refers to 
systems that operate on cellular band protocols. As BIS intended to 
regulate multiple automotive connectivity systems, not just automotive 
cellular systems, BIS chose to use the broader term of ``VCS'' to 
encompass cellular, Wi-Fi, Bluetooth, and potentially satellite 
communications. The NPRM proposed to regulate both the hardware and 
software in VCS and solely the software in ADS.
Prohibited Transactions
    The NPRM proposed to (1) prohibit VCS hardware importers from 
knowingly importing into the United States certain hardware for VCS; 
(2) prohibit connected vehicle manufacturers from knowingly importing 
into the United States completed connected vehicles incorporating 
covered software, which was defined in the NPRM as certain software 
that supports the function of VCS or ADS; and (3) prohibit connected 
vehicle manufacturers from knowingly selling within the United States 
completed connected vehicles that incorporate software that supports 
the function of VCS or ADS. These prohibitions included in the NPRM 
applied when such VCS hardware or covered software was designed, 
developed, manufactured, or supplied by persons owned by, controlled 
by, or subject to the jurisdiction or direction of the PRC or Russia. 
The NPRM also proposed to (4) prohibit connected vehicle manufacturers 
who are owned by, controlled by, or subject to the jurisdiction or 
direction of the PRC or Russia from knowingly selling in the United 
States completed connected vehicles that incorporate VCS hardware or 
covered software, even when that hardware or software did not have a 
nexus to the PRC or Russia.
Declarations of Conformity
    The NPRM proposed that VCS hardware importers and connected vehicle 
manufacturers would submit to BIS, once per calendar year or model 
year, Declarations of Conformity attesting that they had not engaged in 
prohibited transactions involving VCS hardware or covered software. The 
NPRM would have mandated that VCS hardware importers and connected 
vehicle manufacturers submit a substantial amount of information with 
their Declarations of Conformity, including a hardware bill of 
materials (HBOM) or software bill of materials (SBOM), and a list of 
external endpoints to which the VCS hardware connected. In the final 
rule, BIS has changed the Declarations of Conformity requirement to 
clarify the certification, narrow the information required to be 
submitted, and add recordkeeping requirements.
Authorizations
    The NPRM enumerated general authorizations under which a regulated 
entity would be permitted to engage in an otherwise prohibited 
transaction without need to notify BIS. Under the NPRM, general 
authorizations would have been available to small business VCS hardware 
importers and connected vehicle manufacturers. Specifically, general 
authorizations applied if (1) the connected vehicle manufacturer or VCS 
hardware importer produced fewer than 1,000 connected vehicles or VCS 
hardware units; (2) the completed connected vehicle was used on public 
roadways for fewer than 30 calendar days in a year; (3) the completed 
connected vehicle or VCS hardware was used solely for purposes of 
display, testing, or research; or (4) the completed connected vehicle 
was imported solely for repair, alteration, or competition off public 
roads and would have been exported within one year of import. In the 
final rule, BIS has revised the general authorizations provision so 
that the above-mentioned general authorizations are not provided in the 
rule text itself. Instead, BIS will issue general authorizations 
through its website and the Federal Register.
    The NPRM also provided a process for specific authorizations. 
Following an application to and approval from BIS, a specific 
authorization granted VCS hardware importers and connected vehicle 
manufacturers the ability to engage in otherwise prohibited 
transactions not eligible for a general authorization, subject to 
certain conditions imposed by BIS.
Exemptions
    The NPRM permitted VCS hardware importers to engage in otherwise 
prohibited transactions involving VCS hardware and exempted them from 
certain requirements so long as: (1) for VCS hardware not associated 
with a model year, the import of the VCS hardware had taken place prior 
to January 1, 2029; or (2) the VCS hardware unit was associated with a 
vehicle model year prior to 2030 or the VCS hardware was integrated 
into a connected vehicle (completed or incomplete) with a model year 
prior to 2030. In the NPRM, connected vehicle manufacturers were 
permitted to engage in otherwise prohibited transactions involving 
covered software and exempt from certain requirements so long as the 
completed connected vehicle that was imported, or sold within the 
United States, was of a model year prior to 2027. Lastly, connected 
vehicle manufacturers that are owned by, controlled by, or subject to 
the jurisdiction or direction of the PRC or Russia were permitted to 
sell completed connected vehicles with a model year prior to 2027 that 
incorporated VCS hardware or covered software. The final rule includes 
new exemptions for parts that are imported for the purpose of warranty 
or repair of a completed connected vehicle with a model year prior to 
2030.
Advisory Opinions, Is-Informed Notices, and Appeals
    The NPRM provided an advisory opinion mechanism by which regulated 
entities could seek guidance from BIS as to whether specific 
prospective transactions were subject to the proposed rule's 
prohibitions. The mechanism included in the NPRM applied to actual, as 
opposed to hypothetical, transactions in which all parties are 
identified. Additionally, the NPRM permitted BIS to issue certain ``Is-
Informed'' notices to VCS hardware importers and connected vehicle 
manufacturers to inform them that a specific authorization was required 
for an activity. The NPRM also included an

[[Page 5363]]

appeal process by which any person whose application for a specific 
authorization was denied, whose specific authorization was suspended or 
revoked, or who received a written notification of ineligibility for a 
general authorization could appeal that decision to the Under Secretary 
for Industry and Security (Under Secretary). In the final rule, BIS has 
added a 60-day timeline for BIS to respond to advisory opinion requests 
and clarified procedural requirements of submitting an appeal request.
Recordkeeping and Reporting
    The NPRM proposed that regulated entities keep a ``full and 
accurate record'' for a period of 10 years after each transaction for 
which a Declaration of Conformity, general authorization, or specific 
authorization was required, regardless of whether the transaction was 
effected pursuant to such an authorization. In the NPRM, VCS hardware 
importers and connected vehicle manufacturers were required to furnish 
``complete information'' relevant to any transaction involving the 
import of VCS hardware or covered software, irrespective of any 
authorization granted by BIS.
Violations
    The NPRM additionally outlined the framework by which BIS 
determined a violation took place, the procedure by which BIS notified 
an affected party of such a violation (including the party's right to 
respond or to settle), the specific penalties BIS was permitted to 
impose on violators, and the administrative collection of those 
penalties.

c. Overview of Final Rule

    The final rule benefits from the responses received during the 
public comment periods for the ANPRM and the NPRM and incorporates 
significant portions of that feedback. For example, BIS considered 
public feedback to define the scope of connected vehicles, identify 
ICTS integral to connected vehicles, and better understand the effects 
of any potential prohibition. As stated in the NPRM, determining the 
scope of the prohibitions required a balancing of the need to address 
the undue or unacceptable risk posed by foreign adversary involvement 
in the connected vehicles supply chain with the impact on the public 
and industry. For a detailed discussion of how the final rule has 
changed from the NPRM, refer to Section V: Discussion of the Final Rule 
and Section VI: Revisions from the Proposed Rule and Response to 
Comments.

III. Comments on the Notice of Proposed Rulemaking

    BIS received 101 comments on the NPRM.\1\ Many commenters agreed 
with BIS's risk assessment of foreign adversary connected vehicle 
technology as described in Section IV of the NPRM and supported the 
decision to address these risks through supply chain regulation. 
Commenters' concerns with the NPRM centered on the broad scope of the 
regulation and the potentially onerous and disruptive nature of the 
compliance process, particularly the submission of Declarations of 
Conformity. Some commenters disagreed with the NPRM's inclusion of the 
commercial vehicle market, arguing that definitions proposed in the 
NPRM did not as easily apply to this sector compared to the passenger 
vehicle market. Commenters also warned that the wide scope of the NPRM 
across the connected vehicle market may have significant economic 
impact and that the current implementation timeline could not easily be 
met by industry.
---------------------------------------------------------------------------

    \1\ This includes four written submissions received after the 
close of the public comment period, all of which were considered and 
posted on <a href="http://regulations.gov">regulations.gov</a>.
---------------------------------------------------------------------------

    Commenters requested that BIS implement alternative methods of 
compliance, such as a self-certification model; provide greater detail 
on the HBOM and SBOM submission requirements; and describe how BIS 
intends to protect any submitted data. Commenters also voiced 
apprehension over any requirement to share proprietary information with 
customers and the government. For a more thorough discussion of the 
comment submissions and BIS's responses, please see Section IV: Risks 
Associated with Vehicle Connectivity Systems and Automated Driving 
Systems When Designed, Developed, Manufactured, or Supplied by Persons 
Owned by, Controlled by, or Subject to the Jurisdiction or Direction of 
the PRC and Russia and Section V: Discussion of the Final Rule.

IV. Risks Associated With Vehicle Connectivity Systems and Automated 
Driving Systems When Designed, Developed, Manufactured, or Supplied by 
Persons Owned by, Controlled by, or Subject to the Jurisdiction or 
Direction of the PRC and Russia

    BIS received multiple comments related to the risks stemming from 
VCS and ADS when designed, developed, manufactured, or supplied by 
persons owned by, controlled by, or subject to the jurisdiction or 
direction of the PRC or Russia. Commenters agreed with the risks posed 
by PRC and Russian involvement in the connected vehicle supply chain as 
laid out in the NPRM, and BIS reiterates those same risks in this 
section. For instance, one commenter acknowledged that allowing 
adversarial suppliers into the automotive supply chain poses direct 
threats to data integrity, consumer safety, and national security. In 
contrast, another commenter critiqued the proposed rule as overly broad 
and characterized the threats as hypothetical in nature, underscoring 
that PRC and Russian companies are incentivized to avoid exploiting 
vulnerabilities in connected vehicles in order to avoid conflict. BIS 
recognizes that many of the risks laid out in the NPRM and final rule 
are forward-looking, and this rulemaking is an attempt to proactively 
address these risks before PRC and Russian actors are able to leverage 
them to harm U.S. national security. Moreover, while BIS agrees that 
action by the PRC or Russia to leverage vulnerabilities in VCS or ADS 
could feasibly cause undesired conflict, the strategic benefit of 
exploiting vulnerabilities may outweigh other types of harm it causes 
and thus is unlikely to preclude such an action altogether from the 
perspective of the PRC and Russia. Another commenter highlighted that 
the rule does not apply retroactively to address any of the data 
already collected by connected vehicle manufacturers that may have 
already been legitimately transferred to the PRC or other foreign 
adversaries and may be informing foreign intelligence analysis. BIS 
recognizes that some connected vehicle and component manufacturers may 
already transfer vehicle data abroad, a point that is reiterated later 
in this final rule. However, BIS believes that retroactive application 
of this rule would not reduce or alleviate any of the harm that has 
already occurred as a result of foreign intelligence organizations 
gaining access to that data. Following consideration of the comments 
received on the NPRM, and further consideration of the risks and 
vulnerabilities associated with various ICTS components that are 
critical to the operation of connected vehicles, BIS has decided to 
retain the proposed rule's focus on two integral ICTS systems--VCS and 
ADS--when designed, developed, manufactured, or supplied by persons 
owned by, controlled by, or subject to the jurisdiction or direction of 
two foreign adversaries--the PRC and Russia. Below, BIS provides its 
findings of the undue and unacceptable risks associated with these 
particular systems, and these particular foreign

[[Page 5364]]

adversaries, following this latest round of public comments.

a. Vulnerabilities Associated With Vehicle Connectivity Systems and 
Automated Driving Systems

1. Vehicle Connectivity Systems
    The term VCS encompasses hardware and software systems--such as the 
telematics control units (TCU), cellular modems and antennas, and other 
automotive components--that integrate various radio frequency (RF) 
communication technologies and enable connected vehicles to access 
external data sources, facilitate vehicle-to-vehicle communication, and 
provide enhanced services to users through seamless connectivity 
options. For example, the TCU, the core automotive VCS component, acts 
as the primary interface between the internal vehicle network and 
external communication channels. It collects data from onboard sensors 
and subsystems such as Global Positioning System (GPS) receivers, 
accelerometers, gyroscopes, the battery management system (BMS), and 
other Electronic Control Units via wired networks like Controller Area 
Network (CAN) bus, Local Interconnect Network (LIN), FlexRay, 
Automotive Ethernet and K-Line, as well as wireless protocols such as 
Bluetooth and Wi-Fi. Some systems use cameras and microphones to 
facilitate facial recognition of drivers or to respond to voice 
commands of drivers. Once gathered, the TCU converts this internal data 
into radio frequency signals suitable for transmission over the chosen 
wireless protocol. In other words, as the vast array of sensors on a 
connected vehicle collect information about a driver's location, speed, 
voice patterns, battery state of charge, or other vehicle diagnostic 
and operational information, the TCU converts that data into a format 
that can be transmitted to systems outside the vehicle and then enables 
that transmission. Sensing systems, such as radar, audio, video, or 
Light Detection and Ranging (LiDAR) hardware and software, are not VCS. 
Based on a number of comments to the proposed rule, BIS recognizes a 
national security risk posed by LiDAR, but it concludes that focusing 
this regulation on VCS hardware and software systems, which ultimately 
enable the external communication of end-point sensors, is an 
appropriate scope at this time. For a more thorough discussion on the 
exclusion of PRC or Russian LiDAR from this rule, please see Section VI 
below.
    While the increased degree of vehicle connectivity offers benefits 
to both consumers and manufacturers, it also increases risks to 
consumers and manufacturers due to the number of access points into the 
internal connected vehicle network. Each access point may present 
multiple new software vulnerabilities for adversaries to exploit. See 
Cabell Hodge, Konrad Hauk, Shivam Gupta, and Jess Bennett, Vehicle 
Cybersecurity Threats and Mitigation Approaches, National Renewable 
Energy Laboratory, at 4-5 (Aug. 2019), <a href="https://www.nrel.gov/docs/fy19osti/74247.pdf">https://www.nrel.gov/docs/fy19osti/74247.pdf</a>. Such compromise of VCS software could occur at 
various points of the software development lifecycle where software 
functionality can be accessed and altered, including tool development, 
source code repositories, open-source dependencies, software updates, 
and shipment interdiction. For instance, Upstream's 2024 Global 
Automotive Cybersecurity Report documented a case in which security 
researchers installed malicious software on the VCS by performing a 
simulated jailbreak of an OEM's VCS using voltage fault injection 
against the chipmaker's processor. This malicious software 
unlocked features to manipulate the vehicle, such as acceleration and 
heated seats. Upstream, 2024 Global Automotive Cybersecurity Report, at 
62 (Feb. 2024), <a href="https://upstream.auto/reports/global-automotive-cybersecurity-report">https://upstream.auto/reports/global-automotive-cybersecurity-report</a>. The software also provided access to private user 
data and enabled decryption of encrypted Non-Volatile Memory Express 
(NVMe) storage, manipulation of the car's identity, and extraction of 
the vehicle-unique credential used for authenticating and authorizing 
the OEM's internal service network. See id. By compromising software or 
its dependencies, malign actors may surveil, disrupt, damage, or 
otherwise exploit the data or systems of those who use the software. 
See National Counterintelligence and Security Center, Software Supply 
Chain Attacks, (Mar. 2021), <a href="https://www.dni.gov/files/NCSC/documents/supplychain/Software_Supply_Chain_Attacks.pdf">https://www.dni.gov/files/NCSC/documents/supplychain/Software_Supply_Chain_Attacks.pdf</a>.
    The threat of such a cyber operation by malicious actors can grow 
significantly when firmware or hardware components are intentionally 
designed with vulnerabilities. Access to the hardware supply chain for 
VCS provides an avenue for threat actors to manipulate or insert, with 
malicious intent, hardware, or firmware modules into telematics 
hardware components such as modems, Systems on Chip (SoC), Printed 
Circuit Boards (PCB), Central Processing Units, and antennae. 
Manipulating or modifying hardware and associated firmware in the 
supply chain could also allow foreign adversaries to insert a backdoor, 
granting them control over the VCS. See Cybersecurity & Infrastructure 
Security Agency, Defending Against Software Supply Chain Attacks, at 6 
(Apr. 2021), <a href="https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508.pdf">https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508.pdf</a>; National 
Counterintelligence and Security Center, Software Supply Chain Attacks, 
(Apr. 2023), <a href="https://www.dni.gov/files/NCSC/documents/supplychain/Software_Supply_Chain_Attacks.pdf">https://www.dni.gov/files/NCSC/documents/supplychain/Software_Supply_Chain_Attacks.pdf</a>. For instance, cellular and satellite 
telecommunications transceivers are pivotal connectivity components in 
the VCS, utilizing radio frequency (RF) energy to facilitate the 
transmission and reception of data between a vehicle and the external 
world. If these transceivers are designed, developed, manufactured, or 
supplied by persons owned by, controlled by, or subject to the 
jurisdiction or direction of the PRC or Russia, such actors would have 
the means and capability to introduce vulnerabilities that could be 
exploited to intercept and/or compromise the information exchanged 
between the connected vehicle and the external world.
2. Automated Driving Systems
    The complexity of ADS software, the large foundation of data 
sources, and the driving responsibilities inherent to ADS render it a 
valuable target for exploitation. An ADS encompasses the upper end of 
the spectrum of autonomy levels that dictate the vehicle's 
independence, and the extent of driver intervention required. The 
primary standard setting organization for automotive autonomy is the 
global mobility standard-setting body SAE International. SAE 
International sets standards that affect many aspects of automotive 
production and maintenance, often in concert with the International 
Organization for Standardization (ISO). SAE International's Taxonomy and 
Definitions for Terms Related to Driving Automation Systems for On-Road 
Motor Vehicles (SAE J3016) is the current industry norm for evaluating 
standard levels of vehicle autonomy. SAE J3016 autonomy levels range 
from Level 0 (no automation) where the driver controls all aspects of 
driving, to Level 5 (full automation) where the vehicle can operate 
independently under all conditions without human intervention. Levels 1 
and 2 offer driver assistance: a Level 1 system controls either 
steering or acceleration and braking, and a Level 2 system controls 
both, with the driver still responsible for supervising the system. 
Levels 3 through 5 (which generally comprise ADS)

[[Page 5365]]

progressively increase the system's responsibility for driving tasks. 
Level 4 requires the ability to complete all driving functions on a 
sustained basis within defined operational design domains (ODDs), while 
Level 5 requires the ability to complete all driving functions 
unconditionally. As the autonomy level increases, the reliability and 
safety of the ADS become increasingly reliant on the system's 
operational performance, safety protocols, and cybersecurity measures. 
See SAE J3016_202104, Taxonomy and Definitions for Terms Related to 
Driving Automation Systems for On-Road Motor Vehicles, SAE 
International, at 31-32 (Apr. 2021), <a href="https://www.sae.org/standards/content/j3016_202104/">https://www.sae.org/standards/content/j3016_202104/</a>.
    An ADS must be able to execute Dynamic Driving Tasks (DDTs) within 
specific ODDs. DDTs include critical tasks such as steering, braking, 
acceleration, and Object and Event Detection, Classification and 
Response (OEDCR). OEDCR enables an ADS to perceive and respond to 
surrounding objects and events, a responsibility that shifts 
progressively from the driver to the ADS itself as the degree of 
vehicle autonomy increases. See id. at 17; Edward Griffor, David 
Wollman, and Christopher Greer, Automated Driving System Safety 
Measures Part 1: Operating Envelope Specification, NIST Special 
Publication 1900-301, at 2 (2021), <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1900-301.pdf">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1900-301.pdf</a>.
    An ADS relies on a large foundation of connected information 
sources for decisions and outputs which, in turn, could create inherent 
vulnerabilities. For example, a user of a vehicle, or even an OEM 
purchaser of ADS likely does not know the sum total of what data the 
ADS was trained on, or how, specifically, the ADS makes its decisions. 
In a modern ADS there are no individual lines of code that dictate how 
the system responds to a specific scenario. Rather, leading ADS are 
controlled by complex software that can include a neural network whose 
behavior is learned from training data and prior decisions and that 
selects an action in a driving setting in real time. Because of this 
opacity, neither the operator nor the integrator can fully verify how 
the system will react, leaving it inherently vulnerable to the 
injection of poisoned training data or to failures triggered by 
specific scenarios. As a result, the complex software systems that drive 
decisions for an ADS are valuable targets for malicious actors to 
exploit. Software-based threats to connected vehicles equipped with an 
ADS include manipulation of sensors to create phantom objects; 
manipulation of ADS software to detect, capture, and retain information 
about specific geographic areas or other sensitive data; or other 
manipulation of sensor fusion processing software that could lead to 
faulty and dangerous vehicle decision making, to include unauthorized 
control over the connected vehicle. See National Counterintelligence 
and Security Center, Autonomous Automotive Vehicle Supply Chain Risk, 
(2022), <a href="https://www.dni.gov/files/NCSC/documents/supplychain/autonomous-vehicles-placemat-2022-D9A54B50-.pdf">https://www.dni.gov/files/NCSC/documents/supplychain/autonomous-vehicles-placemat-2022-D9A54B50-.pdf</a>.
    A compromised ADS creates opportunities for data exfiltration and 
unauthorized vehicle manipulation due to the direct access it has to 
the Internal Vehicle Network (IVN). The IVN controls the communication 
framework within a connected vehicle, overseeing the electronic control 
units (ECUs) responsible for engine control, traction control, door 
locks, climate control, battery management, powertrain, airbags, 
cameras, and radar functionalities. These ECUs communicate over 
in-vehicle networking protocols such as CAN bus, LIN, and Automotive 
Ethernet. See Anastasios Giannaros, et al. Autonomous Vehicles: 
Sophisticated Attacks, Safety Issues, Challenges, Open Topics, 
Blockchain and Future Directions, Journal of Cybersecurity and Privacy 
3.3, at 508-513, (2023). Because the ADS interacts with ECUs through 
the IVN, a compromised ADS has the capability to execute functions that 
affect nearly all of a connected vehicle's software and hardware 
components. For example, an update to an ADS could alter the outputs 
the ADS sends to a Body Control Unit, causing it to erroneously and 
dangerously open a vehicle's door while the vehicle is in motion. 
Moreover, because 
many connected vehicles maintain their own networks and actively scan 
their operating environment for other proximate networks, an ADS can 
also potentially be used to impact the IVN of other vehicles or 
transportation infrastructure networks through vehicle-to-vehicle 
communication. This could lead to disablement or compromise of other 
vehicles or of transportation infrastructure, affecting the movement of 
goods and the physical safety of drivers. See National 
Counterintelligence and Security Center, Autonomous Automotive Vehicle 
Supply Chain Risk (Apr. 2022), <a href="https://www.dni.gov/files/NCSC/documents/supplychain/autonomous-vehicles-placemat-2022-D9A54B50-.pdf">https://www.dni.gov/files/NCSC/documents/supplychain/autonomous-vehicles-placemat-2022-D9A54B50-.pdf</a>; 
Patrick Wagner, Nikolai Puch, and David Emeis, Cybersecurity risk 
analysis of an automated driving system, Fraunhofer Institute AISEC 
(Oct. 2023), <a href="https://publica.fraunhofer.de/entities/publication/4d66e81e-3570-4c49-9f8c-8c9967a34ca6/details">https://publica.fraunhofer.de/entities/publication/4d66e81e-3570-4c49-9f8c-8c9967a34ca6/details</a>.
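Both the TCU description earlier in this section (the TCU gathering CAN-bus data and bridging it to external RF links) and the IVN discussion in the preceding paragraph (a compromised ADS driving a Body Control Unit to open a door while the vehicle is moving) come down to the same engineering question: which frames may cross a trust boundary, and under what vehicle state. The Python block below is an added example written for this page; it is not code from the rule, from BIS, or from any OEM. It parses CAN frames in the candump log format, applies a default-deny egress allowlist at the TCU so that only designated CAN IDs may leave the vehicle, and applies a plausibility check at the gateway that refuses a door-open command unless the last reported speed is near zero. The CAN IDs, signal encodings and log lines are constructed for illustration and correspond to no real vehicle.

```python
"""Added example, not part of the rule text: a minimal in-vehicle gateway
policy.  It parses CAN frames in candump log format, enforces a TCU
egress allowlist (only listed CAN IDs may leave the vehicle over RF), and
rejects a body-control command that is implausible for the vehicle's
state (opening a door while moving).  The CAN IDs, signal layouts and
log lines are constructed for illustration and match no real OEM."""
import re
from dataclasses import dataclass

# Hypothetical CAN IDs and encodings (assumptions, not a real OEM matrix).
ID_VEHICLE_SPEED = 0x1A0   # bytes 0-1: speed in 0.01 km/h, big-endian
ID_GPS_POSITION = 0x3B2    # telematics payload exported to the backend
ID_DOOR_CONTROL = 0x2F0    # byte 0: 0x01 = lock, 0x02 = unlock/open
ID_BMS_STATUS = 0x4C1      # byte 0: state of charge in percent

# Only these IDs may be forwarded by the TCU to an external network;
# everything else stays on the IVN (default deny).
TCU_EGRESS_ALLOWLIST = frozenset({ID_GPS_POSITION, ID_BMS_STATUS})
MAX_SPEED_FOR_DOOR_OPEN_KMH = 5.0

# candump -L style line: "(timestamp) interface ID#HEXDATA"
_LINE = re.compile(
    r"^\((?P<ts>\d+(?:\.\d+)?)\)\s+(?P<iface>\w+)\s+"
    r"(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>(?:[0-9A-Fa-f]{2})*)$"
)


@dataclass(frozen=True)
class CanFrame:
    ts: float
    iface: str
    can_id: int
    data: bytes


def parse_candump(lines):
    """Parse candump log lines; reject anything malformed rather than guess."""
    frames = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"malformed candump line: {line!r}")
        data = bytes.fromhex(m.group("data"))
        if len(data) > 8:  # classic CAN payload limit; CAN FD allows 64
            raise ValueError(f"payload too long: {line!r}")
        frames.append(CanFrame(float(m.group("ts")), m.group("iface"),
                               int(m.group("id"), 16), data))
    return frames


def tcu_egress_filter(frames, allowlist=TCU_EGRESS_ALLOWLIST):
    """Split frames into those the TCU may transmit off-vehicle and those it must not."""
    forwarded = [f for f in frames if f.can_id in allowlist]
    dropped = [f for f in frames if f.can_id not in allowlist]
    return forwarded, dropped


def decode_speed_kmh(frame):
    """Decode the hypothetical speed signal (0.01 km/h resolution, big-endian)."""
    return int.from_bytes(frame.data[:2], "big") / 100.0


def gateway_check_body_commands(frames):
    """Replay frames in order, tracking the last reported speed, and reject a
    door-open command unless the vehicle is known to be (nearly) stopped."""
    speed = None  # unknown until a speed frame has been seen: fail closed
    accepted, rejected = [], []
    for f in frames:
        if f.can_id == ID_VEHICLE_SPEED and len(f.data) >= 2:
            speed = decode_speed_kmh(f)
        elif f.can_id == ID_DOOR_CONTROL:
            cmd = f.data[0] if f.data else None
            if cmd == 0x02 and (speed is None or speed > MAX_SPEED_FOR_DOOR_OPEN_KMH):
                rejected.append((f, f"door open refused, speed={speed}"))
            else:
                accepted.append(f)
    return accepted, rejected


# Constructed sample capture (not a real vehicle trace).
SAMPLE_LOG = """\
(1700000000.000) can0 1A0#0000
(1700000000.010) can0 3B2#1122334455667788
(1700000000.020) can0 2F0#02
(1700000000.030) can0 1A0#1770
(1700000000.040) can0 2F0#02
(1700000000.050) can0 4C1#55
(1700000000.060) can0 2F0#01
"""


def run_demo():
    """Run both policies over the sample capture and return a summary."""
    frames = parse_candump(SAMPLE_LOG.splitlines())
    forwarded, dropped = tcu_egress_filter(frames)
    accepted, rejected = gateway_check_body_commands(frames)
    return {
        "frames": len(frames),
        "exported_ids": [f.can_id for f in forwarded],
        "dropped": len(dropped),
        "door_cmds_accepted": len(accepted),
        "door_cmds_rejected": [(f.ts, why) for f, why in rejected],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In the sample capture the first door-open command arrives while the reported speed is 0 km/h and is accepted; the second arrives after a 60 km/h speed frame and is refused; the raw speed and door frames never appear in the TCU's export set because the allowlist names only the GPS and BMS IDs. Two design points matter for a real gateway: the speed state starts as unknown and the check fails closed, and the parser rejects malformed lines instead of coercing them, since a forwarding element that "helpfully" normalizes bad input is itself an access point of the kind the rule describes.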
    Given the significant processing power and complex decision-making 
capability of an ADS, the risks arising from ADS designed, developed, 
manufactured, or supplied by persons owned by, controlled by, or 
subject to the jurisdiction or direction of a foreign adversary extend 
beyond the IVN itself and include risks to the fidelity and integrity 
of data that flows to downstream or adjacent transportation 
infrastructure. Foreign adversaries can corrupt ADS data by exploiting 
existing vulnerabilities in ADS connectivity environments. See 
subsection IV.b. As such, direct access to an ADS afforded to a 
malicious actor or foreign adversary through the design, development, 
manufacture, or supply of ADS software has the potential to cause 
severe adverse consequences to U.S. national security and U.S. persons.

b. Threats Associated With the PRC and Russia

    Several commenters agreed that PRC laws compel compliance with 
government requests, thereby making some companies subject to the 
direction of the PRC government. One commenter provided additional 
detail about the linkages between prominent Chinese companies, the PRC 
military, and the global automotive industry. Two commenters noted that 
current investments by Chinese companies in Mexico may allow effective 
``backdoor'' access to the American auto market. One commenter 
specifically pointed to the risks posed by Chinese-developed buses with 
connectivity features as posing a particular threat to U.S. national 
security. While commercial vehicles such as buses are not in the scope 
of this final rule, BIS intends to propose a new rule specifically 
tailored to the commercial vehicle sector in order to address 
substantial national security risks. Another commenter agreed with the 
Department's actions, specifically as it related to addressing the 
large amounts of data collected by connected vehicles already being 
transmitted to the PRC, regardless of the vehicle's physical location. 
In response to commenters' agreement with the nature of PRC and Russian 
legal and regulatory landscapes, BIS is reiterating its legal and risk 
analyses in this final rule. Moreover, BIS thanks commenters for 
providing additional information that clarifies the linkages between 
the PRC state, military, and the broader economy. In light of concerns 
raised by

[[Page 5366]]

commenters regarding PRC companies' investments in Mexico, BIS 
reiterates that PRC investments in Mexico's auto sector risk creating 
additional potential nexus points between PRC connected vehicle 
suppliers and U.S. automakers and consumers. Similarly, BIS agrees with 
commenters' concerns that the PRC-linked entities already collect large 
amounts of data, including from vehicles which are currently located in 
the United States. These concerns directly underscore the importance 
and necessity of this rulemaking.
    The design, development, manufacture, or supply of certain VCS and 
ADS components by persons owned by, controlled by, or subject to the 
jurisdiction or direction of the PRC or Russia poses undue or 
unacceptable risks to national security and U.S. persons. As discussed 
further, the PRC and Russia have adopted political, legal, and 
regulatory regimes that enable their governments to exercise direct and 
indirect ownership, control, or influence over entities in the 
connected vehicle supply chain. In addition, unlike other foreign 
adversaries, the PRC and Russia have certain current and anticipated 
industrial capabilities and expertise that uniquely position them 
within the global automotive market to pose an outsized risk, 
particularly when paired with the vulnerabilities present within 
certain connected vehicle systems.
1. PRC
    The PRC's role in the U.S. connected vehicle supply chain presents 
undue and unacceptable risks. The PRC has a large and growing 
automotive sector that has become increasingly integrated into the ICTS 
supply chains of global automakers, providing the PRC automotive sector 
with potential increased access to the U.S. automotive market. Further, 
the PRC's automotive sector has historical and ongoing links to the PRC 
military and is influenced by pervasive government intervention, 
including through legal and regulatory structures that increase 
government oversight of and control over PRC-based companies and their 
foreign subsidiaries. See Du Xiaoying and Wang Siyi, Dongfeng plays 
pivotal role in supporting China's military, China Daily (Sept. 25, 
2015), <a href="https://www.chinadaily.com.cn/cndy/2015-09/25/content_21976945.htm">https://www.chinadaily.com.cn/cndy/2015-09/25/content_21976945.htm</a>; Matthew Funaiole, et al., China Accelerates 
Construction of `Ro-Ro' Vessels, with Potential Military Implications, 
Center for Strategic and International Studies (Oct. 11, 2023), <a href="https://chinapower.csis.org/analysis/china-construct-ro-ro-vessels-military-implications/">https://chinapower.csis.org/analysis/china-construct-ro-ro-vessels-military-implications/</a> (describing the involvement of Chinese automakers in the 
production of ``ro-ro'' vessels and the dual-use applications of ro-ro 
vessels, including clear evidence that the PRC military intends to 
utilize ro-ros to support military operations). Moreover, the PRC 
possesses advanced cyber espionage capacities that it exercises through 
both state and non-state cyber actors, exacerbating such risks. See 
Simon Handler, The 5x5-China's cyber operations, The Atlantic Council 
(Jan. 2023), <a href="https://www.atlanticcouncil.org/content-series/the-5x5/the-5x5-chinas-cyber-operations/">https://www.atlanticcouncil.org/content-series/the-5x5/the-5x5-chinas-cyber-operations/</a>.
    First, the size and scale of state control in the PRC auto sector 
poses outsized risks, increasing the vectors by which the national 
security threats associated with connected vehicles can enter the 
United States. The PRC automotive sector has played an important role 
in its domestic industrial policy since 1986, when the sector was first 
named a ``pillar industry'' in the Seventh Five-Year Plan. The 
Fourteenth Five-Year Plan, the latest strategic framework for the PRC, 
continues to prioritize the technological innovation and sustainable 
development of the automobile market, including new energy vehicles and 
connected vehicle software and hardware systems, as key priorities. See 
Ben Murphy, Outline of the People's Republic of China 14th Five-Year 
Plan for National Economic and Social Development and Long-Range 
Objectives for 2035, Center for Security and Emerging Technology, at 
22-23 (May 2021), <a href="https://cset.georgetown.edu/wp-content/uploads/t0284_14th_Five_Year_Plan_EN.pdf">https://cset.georgetown.edu/wp-content/uploads/t0284_14th_Five_Year_Plan_EN.pdf</a>. For many years, the state has pursued 
policies and practices to further its industrial policy objectives in 
the automotive sector, including mandatory joint venture requirements, 
foreign equity restrictions, massive subsidies, and other financial 
support measures. The PRC automotive sector's growth is also led in 
part by several prominent state-owned firms, some of which began as 
military equipment suppliers (e.g., Dongfeng, Sichuan Auto Works, 
Shanxi Auto Works). See Mattias Holweg, Jianxi Luo, and Nick Oliver, 
The past, present and future of China's automotive industry: a value 
chain perspective, International Journal of Technological Learning, 
Innovation and Development 2, at 14 (Feb. 2009), <a href="https://www.pure.ed.ac.uk/ws/portalfiles/portal/7765689/Oliver.pdf">https://www.pure.ed.ac.uk/ws/portalfiles/portal/7765689/Oliver.pdf</a>. In recent 
years, this growth and development has led to a massive surge in 
domestic vehicle production, with Chinese vehicle production increasing 
by 1.5 times over the 15-year span between 2008 and 2023. Indeed, in 
2023, the PRC alone was responsible for nearly 33 percent of global 
passenger vehicle production. See VDA, Global passenger vehicle 
production in 2023, by country [Graph], (Retrieved July 23, 2024), 
<a href="https://www.statista.com/statistics/277055/global-market-share-of-regions-on-auto-production/">https://www.statista.com/statistics/277055/global-market-share-of-regions-on-auto-production/</a>; OICA & Statista, China's share in global 
vehicle production from 2008 to 2021 [Graph], (Mar. 17, 2022), <a href="https://www.statista.com/statistics/233942/chinas-share-of-global-production-capacity-of-the-automobile-industry/">https://www.statista.com/statistics/233942/chinas-share-of-global-production-capacity-of-the-automobile-industry/</a>.
    Amid this significant growth in the PRC's domestic auto industry, 
Chinese automakers, both state-owned and private firms, have leveraged 
their significant state-backed support, including subsidies, to fuel a 
global expansion that has seen Chinese automakers establishing foreign 
operations in countries like South Africa, the Netherlands, Thailand, 
Japan, and Brazil, among others, increasing the risks stemming from PRC 
auto manufacturing in third countries. See Daisuke Wakabayashi and 
Claire Fu, China E.V. Makers Rush In and Upend a Country's Entire Auto 
Market, The New York Times (Jul. 30, 2024), <a href="https://www.nytimes.com/2024/07/30/business/chinese-electric-vehicles-thailand.html">https://www.nytimes.com/2024/07/30/business/chinese-electric-vehicles-thailand.html</a>; Daniel 
Leussink, BYD's Global expansion push runs into stiff Japan test, 
Reuters (Sept. 4, 2024), <a href="https://www.reuters.com/business/autos-transportation/byds-global-expansion-push-runs-into-stiff-japan-test-2024-09-05/">https://www.reuters.com/business/autos-transportation/byds-global-expansion-push-runs-into-stiff-japan-test-2024-09-05/</a>; China's BYD starts construction on manufacturing complex 
in Brazil, Reuters (Mar. 5, 2024), <a href="https://www.reuters.com/business/autos-transportation/chinas-byd-starts-construction-manufacturing-complex-brazil-2024-03-06/">https://www.reuters.com/business/autos-transportation/chinas-byd-starts-construction-manufacturing-complex-brazil-2024-03-06/</a>.
    The global expansion of the PRC auto sector's operations in foreign 
markets and recent foreign investment announcements indicate that 
Chinese automakers could attempt to enter the U.S. market via exports 
from third-party countries. Exports from third-party countries of 
vehicles with Chinese ICTS would expand the scope of the risk that 
Chinese ICTS poses to U.S. national security. See Paul Wiseman, 
Prospect of low-priced Chinese EVs reaching US from Mexico poses threat 
to automakers, The Associated Press (June 27, 2024), <a href="https://www.ap.org/news-highlights/spotlights/2024/prospect-of-low-priced-chinese-evs-reaching-us-from-mexico-poses-threat-to-automakers/">https://www.ap.org/news-highlights/spotlights/2024/prospect-of-low-priced-chinese-evs-reaching-us-from-mexico-poses-threat-to-automakers/</a>; Daina 
Beth Solomon, Chinese automaker BYD looking for Mexico plant location,

[[Page 5367]]

executive says, Reuters (Feb. 28, 2024), <a href="https://www.reuters.com/business/autos-transportation/chinese-carmaker-byd-launches-low-cost-dolphin-mini-ev-mexico-2024-02-28/">https://www.reuters.com/business/autos-transportation/chinese-carmaker-byd-launches-low-cost-dolphin-mini-ev-mexico-2024-02-28/</a>. Some PRC-based companies have 
announced plans to establish manufacturing facilities in Mexico, which 
could enable them to receive favorable trade terms contained in the 
U.S.-Mexico-Canada Agreement (USMCA). See id. Therefore, the PRC's 
growing presence within the global auto sector, particularly via 
operations in third-party countries, is expected to expand the number 
of potential nexus points between PRC connected vehicle suppliers and 
U.S. automakers and consumers, further undermining U.S. national 
security.
    Second, the military linkage between the PRC government and the 
automotive sector continues to the current day with the PRC's military-
civil fusion strategy, which seeks to, among other goals, exploit 
investment and innovation within the PRC's private sector to achieve 
military modernization goals. The military-civil fusion strategy 
prioritizes specific information and communication technologies and 
services that are integral to connected vehicle supply chains (e.g., 
telecommunications, artificial intelligence). See Ben Murphy, 
Translation for Outline of the People's Republic of China 14th Five-
Year Plan for National Economic and Social Development and Long-Range 
Objectives for 2035, Center for Security and Emerging Technology, at 11 
and 36 (May 2021), <a href="https://cset.georgetown.edu/wp-content/uploads/t0284_14th_Five_Year_Plan_EN.pdf">https://cset.georgetown.edu/wp-content/uploads/t0284_14th_Five_Year_Plan_EN.pdf</a>. Strategies to achieve these goals 
include mandating collaboration between PRC-based companies and the 
military and establishing public and private firms as vectors to 
facilitate technology transfer, industrial espionage, and intellectual 
property (IP) theft that would be advantageous for the PRC military. 
See Office of the Dir. of Nat'l Intelligence, Annual Threat Assessment 
of the U.S. Intelligence Community, at 6-10 (Feb. 6, 2023), <a href="https://www.odni.gov/files/ODNI/documents/assessments/ATA-2023-Unclassified-Report.pdf">https://www.odni.gov/files/ODNI/documents/assessments/ATA-2023-Unclassified-Report.pdf</a>.
    Third, even beyond military-civil fusion, the role of the PRC 
government in the auto sector has only grown as government intervention 
in the market increases. For example, the PRC intervenes in the auto 
market through direct ownership of prominent industry participants, the 
purchasing of so-called ``golden shares'' to gain significant levels of 
influence within otherwise private firms, embedding Chinese Communist 
Party (CCP) representatives within corporate boards and management, and 
the forceful application, or threat, of the PRC's expansive security 
laws, including its digital era legal structure. See Lingling Wei, 
China's New Way to Control Its Biggest Companies: Golden Shares, Wall 
Street Journal (Mar. 2023), <a href="https://www.wsj.com/articles/xi-jinpings-subtle-strategy-to-control-chinas-biggest-companies-ad001a63">https://www.wsj.com/articles/xi-jinpings-subtle-strategy-to-control-chinas-biggest-companies-ad001a63</a>. Laws 
promulgated in recent years provide the PRC government increased 
oversight and control over PRC-based companies and their foreign 
subsidiaries, providing a lever for influence over corporate operations 
that further exacerbates the threat that the PRC poses to U.S. national 
security. These laws require PRC-based companies, wherever located, to 
comply with certain access and information requests upon demand from 
the PRC and therefore could be used by the PRC to obtain business or 
other data from PRC-based companies involved in the connected vehicle 
supply chain. Companies operating under these laws frequently highlight 
the lack of transparency, consistency, clarity, and predictability of 
the enforcement of these laws, publicly stating that PRC laws relating 
to cybersecurity, data storage, or cryptography are not subject to the 
same degree of judicial accountability as they might be in other 
jurisdictions. In particular, BIS notes the PRC may utilize a suite of 
national security laws (e.g., Counter-Espionage Law of the People's 
Republic of China [promulgated by the Standing Committee of the 
National People's Congress, Nov. 1, 2014, amended Apr. 26, 2023, 
effective July 1, 2023]; National Security Law of the People's Republic 
of China [promulgated by the Standing Committee of the National 
People's Congress, July 1, 2015, effective July 1, 2015]; National 
Intelligence Law of the People's Republic of China [promulgated by the 
Standing Committee of the National People's Congress, June 27, 2017, 
effective June 28, 2017, amended Apr. 27, 2018]; Anti-Terrorism Law of 
the People's Republic of China [promulgated by the Standing Committee 
of the National People's Congress, Dec. 27, 2015, effective Jan. 1, 
2016, amended Apr. 27, 2018]) to compel companies, including those in 
the connected vehicle supply chain, to support national security 
efforts--which are more broadly defined in the PRC than in the United 
States--or military agents upon request. The PRC pursues its broad 
national security and geopolitical objectives through the creation of 
backdoors and security vulnerabilities in products sold abroad, and, in 
many cases, the PRC prohibits companies from disclosing that such a 
request was made. See U.S. Department of Homeland Security, Data 
Security Business Advisory: Risks and Considerations for Businesses 
Using Data Services and Equipment from Firms Linked to the People's 
Republic of China, (Dec. 2022), <a href="https://www.dhs.gov/sites/default/files/publications/20_1222_data-security-business-advisory.pdf">https://www.dhs.gov/sites/default/files/publications/20_1222_data-security-business-advisory.pdf</a>; 
Ministry of Civil Affairs of the People's Republic of China, National 
Security Law of the People's Republic of China, Arts. 25 and 77, 
promulgated by the 12th National People's Congress on July 1, 2015, 
<a href="https://www.mca.gov.cn/zt/n2643/n2647/c1662004999979993333/content.html">https://www.mca.gov.cn/zt/n2643/n2647/c1662004999979993333/content.html</a>. Additionally, PRC authorities have established a 
regulatory system that effectively allows them to stockpile cyber 
vulnerabilities. Entities subject to these regulations, including 
automotive systems manufacturers, are required to report 
vulnerabilities upon discovery to PRC authorities before patching them. 
See Cyberspace Administration of China, Provisions on the Management of 
Security Vulnerabilities of Network Products, (July 2021), <a href="https://www.cac.gov.cn/2021-07/13/c_1627761607640342.htm">https://www.cac.gov.cn/2021-07/13/c_1627761607640342.htm</a>. This requirement 
drastically increases the ability of the PRC government and PRC-backed 
cyber actors to take action against the United States using connected 
hardware and its associated software by creating an accessible library 
of known and potentially unpatched vulnerabilities.

[[Page 5368]]

    Fourth, the PRC has demonstrated a high level of competency in 
cyber malfeasance. For instance, PRC state-sponsored cyber group Volt 
Typhoon has proven capable of infiltrating the IT networks of critical 
U.S. infrastructure using sophisticated tactics, techniques, and 
procedures such as ``living off the land'' (abusing built-in system 
administration tools rather than custom malware, which evades 
signature-based detection) to pre-position themselves across U.S. 
critical infrastructure and military assets to 
carry out advanced reconnaissance in IT systems. At a later point, once 
advanced reconnaissance is conducted, they are then capable of 
launching cyberattacks to impede U.S. decision making, induce social 
panic, and interfere with the deployment of U.S. military forces. See 
Cybersecurity & Infrastructure Security Agency, PRC State-Sponsored 
Actors Compromise and Maintain Persistent Access to U.S. Critical 
Infrastructure, at 1-5 (Feb. 2024), <a href="https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf">https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf</a>. A 2022 Annual Report to Congress by the U.S.-China Economic 
and Security Review Commission found that the PRC's ability and 
willingness to ``weaponize'' its own industries, particularly its 
cybersecurity industry, grants the country an asymmetric advantage over 
the United States. This argument is supported by public reporting 
detailing the methods by which known government-affiliated cyber threat 
groups utilize private firms to carry out their attacks. See U.S.-China 
Economic and Security Review Commission, 2022 Annual Report to 
Congress, at 11 and 14-15 (Nov. 2022), <a href="https://www.uscc.gov/sites/default/files/2022-11/2022_Annual_Report_to_Congress.pdf">https://www.uscc.gov/sites/default/files/2022-11/2022_Annual_Report_to_Congress.pdf</a>; Christian 
Shepherd, et al., Leaked files from Chinese firms show vast 
international hacking efforts, The Washington Post (Feb. 22, 2024), 
<a href="https://www.washingtonpost.com/world/2024/02/21/china-hacking-leak-documents-isoon/">https://www.washingtonpost.com/world/2024/02/21/china-hacking-leak-documents-isoon/</a>. Additionally, a 2012 report from the United States 
House Permanent Select Committee on Intelligence examining the 
national security risks posed by the PRC-based companies Huawei and ZTE 
specifically argued that there are numerous opportunities for PRC-based 
threat actors to insert malicious hardware or software components into 
ICTS products throughout the product development stage. See House 
Permanent Select Committee on Intelligence, Investigative Report on the U.S. 
National Security Issues Posed by Chinese Telecommunications Companies 
Huawei and ZTE, at 3 (Oct. 2012), <a href="https://intelligence.house.gov/sites/intelligence.house.gov/files/documents/huawei-zte%20investigative%20report%20(final).pdf">https://intelligence.house.gov/sites/intelligence.house.gov/files/documents/huawei-zte%20investigative%20report%20(final).pdf</a>. This risk is further 
demonstrated by an analysis of designed-in vulnerabilities published in 
the Georgetown Security Studies Review, which outlines five years of 
persistent insertion of malicious code by PRC-based threat actors. See 
Ryan Neauhard, Flawed by Design: Electronics with Pre-Installed 
Malware, Georgetown Security Studies Review, at 2 (May 23, 2018), 
<a href="https://georgetownsecuritystudiesreview.org/2018/05/23/flawed-by-design-electronics-with-pre-installed-malware/">https://georgetownsecuritystudiesreview.org/2018/05/23/flawed-by-design-electronics-with-pre-installed-malware/</a>. Given the 
above, the PRC's access to the U.S. connected vehicle supply chain 
through its growing automotive sector, military-civil fusion and other 
corporate governance policies and legal institutions, paired with its 
development of mature cyber espionage capabilities, present a 
significant risk that the PRC could alter the systems in or obtain and 
manipulate data about market participants who use connected vehicle 
ICTS designed, developed, manufactured, or supplied by persons owned 
by, controlled by, or subject to the jurisdiction or direction of the 
PRC.
2. Russia
    The Russian state has prioritized the growth of its automotive 
manufacturing industry, instituted a legal and regulatory framework to 
compel company data sharing with the state, and maintained a long 
history of malicious cyber operations against the United States. Under 
these circumstances, there is an increasing likelihood that Russia 
emerges as a supplier of connected vehicles technologies for the U.S. 
market, providing the Russian government a means of exploiting U.S. 
connected vehicles. Incorporating Russian hardware or software into the 
U.S. connected vehicle supply chain, therefore, poses undue and 
unacceptable risks to U.S. persons and critical infrastructure.
    First, while Russia has historically been less active in the global 
automotive sector than the PRC, the Russian government has recently 
sought to revitalize its domestic auto manufacturing industry following 
the exodus of foreign automakers after the imposition of significant 
additional sanctions in 2022 in response to the conflict in Ukraine. In 
2024 alone, the Russian auto market is projected to experience a 15 
percent increase in passenger vehicle sales, marking a notable uptick 
since the Russian market crashed in 2022 following the imposition of 
sanctions, and some Russian auto manufacturers have continued 
introducing new models even amid broader economic headwinds. See 
Russia's 2024 car sales forecast raised to 1.45 mln units, AEB says, 
Reuters (July 3, 2024), <a href="https://www.reuters.com/business/autos-transportation/russias-2024-car-sales-forecast-raised-145-mln-units-aeb-says-2024-07-03">https://www.reuters.com/business/autos-transportation/russias-2024-car-sales-forecast-raised-145-mln-units-aeb-says-2024-07-03</a>. Russia's domestic auto sector has begun to show 
signs of resilience, with at least one automaker releasing a new, 
primarily domestically developed model since the imposition of Western 
sanctions, even as other domestically sold models are manufactured in 
the PRC but undergo final assembly in Russia. See Gleb Stolyarov and 
Alexander Marrow, Focus: Made in Russia? Chinese cars drive a revival 
of Russia's auto factories, Reuters (July 20, 2023), <a href="https://www.reuters.com/business/autos-transportation/made-russia-chinese-cars-drive-revival-russias-auto-factories-2023-07-20/">https://www.reuters.com/business/autos-transportation/made-russia-chinese-cars-drive-revival-russias-auto-factories-2023-07-20/</a>. In Russia, the 
revitalization of the domestic economy, particularly the domestic auto 
sector, has become a key focus of the Russian government since the 
imposition of sanctions in recent years. The Russian government has 
released several plans that prioritize the development of its domestic 
automotive market with a particular focus on research and development 
of new technology, including autonomous vehicles and V2X (``Vehicle to 
Everything'') vehicle connectivity systems. See Russian Federation, 
Order of the Government of the Russian Federation of December 28, 2022 
No. 4261-r On Approval of the Strategy for the Development of the 
Automotive Industry of the Russian Federation until 2035 (Jan. 4, 
2023), <a href="https://www.garant.ru/products/ipo/prime/doc/405963861/#1000">https://www.garant.ru/products/ipo/prime/doc/405963861/#1000</a>; 
Russian Federation, Order of the Government of the Russian Federation 
of August 23, 2021 No. 2290-r On Approval of the Concept for the 
Development of Electric Vehicle Production and the Transport Strategy 
of 2030 (2023), <a href="http://static.government.ru/media/files/bW9wGZ2rDs3BkeZHf7ZsaxnlbJzQbJJt.pdf">http://static.government.ru/media/files/bW9wGZ2rDs3BkeZHf7ZsaxnlbJzQbJJt.pdf</a>. The development of these 
interlocking national transportation and automotive industry strategies 
involves stakeholders from domestic automakers, technology sectors, and 
the Russian government, illustrating a coordinated effort across the 
Russian state and its domestic automotive industry. In order to extend 
the reach of the state into the Russian auto industry, in February 
2024, Russia established a state-owned corporation named Rosavto that 
will act as liaison between government and industry.

[[Page 5369]]

Rosavto will develop production plans for vehicles and automotive spare 
parts, oversee the development of new models and technologies, and 
manage order distribution, legislative initiatives, and workforce 
training. See Eugene Gerden, New State Corporation to Oversee Russian 
Auto Industry, Wards Auto (Feb. 2024), <a href="https://www.wardsauto.com/regulatory/new-state-corporation-to-oversee-russian-auto-industry">https://www.wardsauto.com/regulatory/new-state-corporation-to-oversee-russian-auto-industry</a>. 
Further, Russia has demonstrated resilience against Western sanctions 
and export control regimes while also continuing to grow its electric 
vehicle market. See Carnegie Endowment, Why Russia Has Been So 
Resilient to Western Export Controls, (Mar. 2024), <a href="https://carnegieendowment.org/research/2024/03/why-russia-has-been-so-resilient-to-western-export-controls?lang=en">https://carnegieendowment.org/research/2024/03/why-russia-has-been-so-resilient-to-western-export-controls?lang=en</a>. According to market 
reporting, the Russian electric vehicle market has had a robust 
performance, with double digit growth in output and sales, largely 
driven by a surge in the sector's exports. See Russia Automotive Market 
Report--Analysing EVE Trends and Car Sales Volume Data, Global Monitor 
(retrieved Nov. 2024), <a href="https://www.globalmonitor.us/product/russia-automotive-market">https://www.globalmonitor.us/product/russia-automotive-market</a>. Projections suggested that with the support of the 
government, the electric vehicle subsector is poised for further 
growth. See id. Concerted efforts by the Russian government to develop 
the domestic Russian automotive industry, a growing electric vehicle 
market, and resilience to Western sanctions and export control regimes 
increase the likelihood that Russia-linked connected vehicle 
technology, such as VCS hardware or covered software, will enter the 
U.S. connected vehicle supply chain, which, as described below, 
presents an undue or unacceptable risk to U.S. national security. Given 
these factors, BIS is taking proactive measures to mitigate any risk 
posed by Russia's influence over the U.S. connected vehicle supply 
chain and to prevent Russia from gaining increasing influence over the 
U.S. connected vehicle supply chain in the future.
    Second, like the PRC, the Russian government employs a suite of 
laws that enable it to compel domestic companies with overseas 
operations to provide data gleaned through foreign ventures or to 
surrender similar operational assets to the Russian state. These laws 
(e.g., Federal Law No. 40-FZ ``On the Federal Security Service,'' 
Federal Law No. 144-FZ ``On Operational-Investigative Activity,'' and 
the 2014 amendments to Federal Law No. 97-FZ) allow the 
Russian government direct control over Russian corporations' activities 
and facilities, including data or customer information, and mandate 
that companies assist with counterintelligence actions as requested by 
the state, including the Federal Security Service of the Russian 
Federation (FSB). The FSB can, in some cases, mandate that companies 
allow the FSB to install equipment on their infrastructure or collect 
data. Firms that are required to facilitate this surveillance or 
intrusion activity can also be required to actively obfuscate such 
requests and must provide the state with any information essential to 
the decryption of any communications captured. Together, these laws 
enable the Russian state to collect and exploit sensitive data on or 
about U.S. persons via Russian businesses and, should Russian companies 
become more prominent in the connected vehicle supply chain, create a 
pathway through which the Russian government could secure wide-ranging 
access to the vast amounts of data collected and processed by connected 
vehicles in the United States. See Internet Governance Project, Report of Peter 
B. Maggs, (Dec. 2017), <a href="https://www.internetgovernance.org/wp-content/uploads/12-7-Exhibit-AR-Part-6-Maggs-report.pdf">https://www.internetgovernance.org/wp-content/uploads/12-7-Exhibit-AR-Part-6-Maggs-report.pdf</a>. Public reports have 
consistently raised concerns about Russian government laws concerning 
data collection, citing a lack of appropriate safeguards to prevent 
misuse, including judicial or public oversight. More broadly, reports 
have repeatedly documented the uneven application of the rule of law, 
lack of judicial accountability, recurrent violations of judicial 
proceedings, and challenges with judicial independence. See Justin 
Sherman, Russia is weaponizing its data laws against foreign 
organizations, Brookings (Sept. 2022), <a href="https://www.brookings.edu/articles/russia-is-weaponizing-its-data-laws-against-foreign-organizations/">https://www.brookings.edu/articles/russia-is-weaponizing-its-data-laws-against-foreign-organizations/</a>; Evegeni Moyakine and A. Tabachnik, Struggling to strike 
the right balance between interests at stake: The `Yarovaya,' `Fake 
news,' and `Disrespect' laws as examples of ill-conceived legislation 
in the age of modern technology, Computer Law & Security Review, at 40 
(Apr. 2021), <a href="https://www.sciencedirect.com/science/article/pii/S0267364920301175">https://www.sciencedirect.com/science/article/pii/S0267364920301175</a>.
    Third, apart from the risks presented by Russian government access 
to data as codified in Russia's legal framework, the country has a 
longstanding pattern of utilizing cyber operations to gain illicit 
access to systems that advance the strategic ends of Russian 
authorities. For example, in December 2020, the company SolarWinds 
announced it was the target of a two-year-long cyber operation 
perpetrated by Russian hackers in the Russian Foreign Intelligence 
Service (SVR). See U.S. Securities and Exchange Commission, SEC 
Charges SolarWinds and Chief Information Security Officer with Fraud, 
Internal Control Failures, (Oct. 2023), <a href="https://www.sec.gov/newsroom/press-releases/2023-227">https://www.sec.gov/newsroom/press-releases/2023-227</a>. The perpetrators of the SolarWinds supply 
chain attack first obtained covert access to SolarWinds' own systems, 
inserted malicious code into a legitimate product update, and let the 
vendor's signed update channel deliver that malware to the platform's 
users, so the vendor's valid code signature alone did not expose it. The 
attack ultimately impacted more than 18,000 users, including more than 
100 companies and nine U.S. Government agencies. This attack credibly 
demonstrates how Russian actors can infiltrate global enterprise 
systems via software updates and exemplifies how they could similarly 
leverage software as a means to exploit connected vehicles in the 
United States. Additionally, a 2023 Cybersecurity Advisory suggests 
that exploitation of information technology firms and their software 
will be a persistent tactic leveraged by the Russian government to 
collect intelligence. See Joint Cybersecurity Advisory, Russian 
Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE 
Globally, at 3 (Dec. 2023), <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a">https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a</a>. BIS has further identified 
Kaspersky Lab as an example of the risks imposed by Russia's ability to 
leverage software companies to allow Russia the ability to collect and 
weaponize the personal information of Americans. See Bureau of Industry 
and Security, Final Determination: Case No. ICTS-2021-002, Kaspersky 
Lab, Inc. (June 2024), <a href="https://www.federalregister.gov/documents/2024/06/24/2024-13532/final-determination-case-no-icts-2021-002-kaspersky-lab-inc">https://www.federalregister.gov/documents/2024/06/24/2024-13532/final-determination-case-no-icts-2021-002-kaspersky-lab-inc</a>.
    These political, legal, and regulatory frameworks, combined with 
the demonstrated capabilities of Russia to exploit ICTS supply chains 
through malicious cyber activity, exacerbate BIS's concern that the 
threats posed by Russia could be directed at the U.S. connected vehicle 
supply chain, including integral systems such as VCS and ADS. The 
persistent connectivity and software-driven capabilities of VCS and 
ADS, combined with the vast amounts of data that traverse these 
systems, make them valuable and likely targets for the Russian 
government to compromise.

[[Page 5370]]

c. Consequences

    Taken together, VCS and ADS designed, developed, manufactured, or 
supplied by persons under the ownership, control, jurisdiction, or 
direction of the PRC or Russia manifest undue and unacceptable risks to 
United States national security and to the safety and security of U.S. 
persons in several ways. If left unaddressed, the interaction of 
threats and vulnerabilities could result in the exfiltration of 
sensitive U.S. persons' data to foreign adversaries or the remote or 
automated manipulation of connected vehicles by the PRC and Russia, 
among other concerns.
    First, the integration of compromised VCS or ADS into a completed 
vehicle could undermine the reliability of a connected vehicle or its 
underlying control systems. Compromised components in VCS or ADS could 
result in increased frequency and severity of connected vehicle 
malfunctions that could, in turn, detrimentally impact U.S. national 
security, including the resiliency of U.S. critical infrastructure, or 
the safety of U.S. persons.
    Given the persistent connectivity of VCS and ADS and the essential 
functions that they serve in the operation of connected vehicles, these 
systems, if compromised and co-opted by an adversary, could serve as 
the nodes through which a foreign actor could probe or breach broader 
ICTS systems within the United States. Remote malicious cyber 
activities--which rely on network connectivity (e.g., Wi-Fi, Bluetooth, 
3/4/5G networks)--have increased significantly in recent years and 
consistently outnumber malicious cyber activities carried out through 
physical access to devices since at least 2010, accounting for 95 
percent of all malicious cyber activities in 2023. See Upstream, 
Upstream's 2024 Global Automotive Cybersecurity Report (2024), <a href="https://upstream.auto/reports/global-automotive-cybersecurity-report/">https://upstream.auto/reports/global-automotive-cybersecurity-report/</a>. 
Considering the increasingly sophisticated methodologies employed by 
foreign adversaries to gain access to critical U.S. cyber 
infrastructure, compromised VCS and ADS, with their inherent 
connectivity, would easily present another attack surface for foreign 
adversaries to exploit. As detailed in the previous analysis of 
vulnerabilities inherent in VCS, adversaries with access to VCS, such 
as telematics systems, could inject malicious code into a vehicle's 
operational systems. Additionally, such malware could be developed in 
such a way as to exploit vehicle connectivity to propagate itself 
across multiple systems as the vehicle travels and connects to those 
discrete systems. In this way, not only would the ICTS integral to 
connected vehicles be compromised, but vehicle systems could be 
exploited to spread malware with the intent of harming all ICTS systems 
to which a vehicle connects. See Anastasios Giannaros, et al., 
Autonomous Vehicles: Sophisticated Attacks, Safety Issues, Challenges, 
Open Topics, Blockchain and Future Directions, Journal of Cybersecurity 
and Privacy 3.3, at 505 (2023).
    Second, as discussed, both VCS and ADS have significant control 
over and access to critical vehicle functions, including steering, 
braking, speed control, ignition, and almost all other mechanical 
functions of the vehicle. Such extensive control over vehicle 
operations could enable a foreign adversary to use a compromised VCS or 
ADS component to hamper vehicle functions or even to manipulate a 
connected vehicle for malicious purposes. As VCS and ADS control or 
link to integral vehicle functions, a foreign adversary could even 
exploit compromised VCS or ADS components to impair or disable a 
connected vehicle while in transit. Disabled, impaired, or otherwise 
improperly functioning vehicles could result in grave damage or 
impediment to critical infrastructure within the United States or could 
result in physical harm to U.S. persons. A disabled, impaired, or 
erratically functioning connected vehicle, or potentially multiple 
connected vehicles all experiencing problems simultaneously, could 
cause traffic patterns that would effectively block critical 
transportation arteries. This scenario could also cause collisions, 
ultimately damaging transportation features (e.g., roadways, bridges, 
tunnels), energy, telecommunications, and similar infrastructure 
situated near transportation systems. The potential consequences of 
widespread connected vehicle impairment could be particularly acute if 
the targets were fleet vehicles operating in support of infrastructure 
vital to transportation, energy, water, waste, telecommunications, and 
other essential services.
    The risks to the resiliency of critical U.S. infrastructure posed 
by connected vehicle components designed, developed, manufactured, or 
supplied by persons that are owned by, controlled by, or subject to the 
jurisdiction or direction of the PRC or Russia are further compounded 
by the potential for VCS and ADS to collect data on infrastructure. 
Advances in VCS and ADS necessitate increasingly cutting-edge sensor 
suites incorporating radar, LiDAR, camera, sonar, and computer vision 
to gather information on the surrounding environment for both onboard 
computing and remote cloud computing to process data in informing 
vehicle operating decisions. See Anastasios Giannaros, et al., 
Autonomous Vehicles: Sophisticated Attacks, Safety Issues, Challenges, 
Open Topics, Blockchain and Future Directions, Journal of Cybersecurity 
and Privacy 3.3, at 515 (2023); Luis Hernandez, et al., Applications of 
Cloud Computing in Intelligent Vehicles, Journal of Artificial 
Intelligence and Machine Learning in Management, at 12-13 (2022). This 
vast wealth of data, collected over time by multiple vehicles, likely 
contains valuable information such as location data about critical U.S. 
infrastructure. For example, data gathered from GPS or global 
navigation satellite systems (GNSS) in a connected vehicle could be 
cross-referenced and collated with a multitude of other data to produce 
information about the location, function, and operational trends of 
various transportation, energy, or other critical infrastructure. See 
Cybersecurity & Infrastructure Security Agency, Autonomous Ground 
Vehicle Security Guide: Transportation Sector, at 1 (2021), <a href="https://www.cisa.gov/sites/default/files/publications/Autonomous%2520Ground%2520Vehicles%2520Security%2520Guide.pdf">https://www.cisa.gov/sites/default/files/publications/Autonomous%2520Ground%2520Vehicles%2520Security%2520Guide.pdf</a>; 
Cybersecurity & Infrastructure Security Agency, Cybersecurity and 
Physical Security Convergence, at 1 (2020), <a href="https://www.cisa.gov/sites/default/files/publications/Cybersecurity%2520and%2520Physical%2520Security%2520Convergence_508_01.05.2021.pdf">https://www.cisa.gov/sites/default/files/publications/Cybersecurity%2520and%2520Physical%2520Security%2520Convergence_508_01.05.2021.pdf</a>. A foreign adversary could extract such critical 
infrastructure data using its control over designers, developers, 
manufacturers, or suppliers of VCS and ADS components subject to the 
foreign adversary's ownership, control, jurisdiction, or direction, 
thereby increasing the risk and precision of attacks on such critical 
infrastructure.
    Finally, given the volume of information collected by vehicles to 
support VCS and ADS operation, exploitation of these systems could 
enable an adversary to cull a tremendous amount of data on vehicle 
movement across the United States. This information could potentially 
include data generated on or from fleet vehicles used by emergency 
response, law enforcement, or the military. This data, and particularly 
all metadata and

[[Page 5371]]

derived data that can be drawn from the raw data, can provide 
considerable insight into fleet size, composition, and capabilities, as 
well as information on organizational response times and response 
procedures. Such information would prove valuable to an adversary 
seeking to disrupt U.S. emergency response operations. Any potential 
risks to U.S. national security arising from disrupting emergency 
response activities are further compounded by the potential for an 
adversary to exploit access to VCS and ADS, and the persistent 
connectivity those systems require, for malign operations, including 
exploits that trigger improper engine shutdown, brake activation, or 
electrical system deactivation. Any of these actions would have serious 
consequences for U.S. persons' health and safety. VCS and ADS, if 
corrupted by the producer at the direction of a foreign adversary, 
could improperly access driver mobile devices to collect, exfiltrate, 
and exploit personally identifiable information (PII) or even protected 
health information (PHI). It is also possible that a foreign adversary 
could use covert access to VCS and ADS to provide false or misleading 
operational information to a driver, causing degraded and dangerous 
vehicle operation conditions. Such tactics could be used either 
indiscriminately to sow panic and cause disruption, or to intentionally 
target specific drivers. Additionally, and as noted by the Office of 
the Director of National Intelligence in the 2024 National 
Counterintelligence Strategy, foreign adversaries, like the PRC and 
Russia, view this kind of PII and PHI as particularly valuable as it 
provides them ``not only economic and R&D benefits, but also useful 
[counterintelligence] information, as hostile intelligence services can 
use vulnerabilities gleaned from such data to target and blackmail 
individuals.'' See The Director of Nat'l Intelligence, 2024 National 
Counterintelligence Strategy (Aug. 2024), <a href="https://www.dni.gov/files/NCSC/documents/features/NCSC_CI_Strategy-pages-20240730.pdf">https://www.dni.gov/files/NCSC/documents/features/NCSC_CI_Strategy-pages-20240730.pdf</a>.
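    The two preceding paragraphs describe raw GNSS fixes being turned into 
``derived data'' about infrastructure sites, fleet size, and response 
times. The Python below is an added illustration written for this page, 
not text or code from the rule or from any vendor it discusses. It runs 
over a constructed telemetry log (three hypothetical units with 
fictitious coordinates; no real vehicles or sites are represented), 
collapses each track into dwell points, merges dwells shared across 
vehicles into candidate depots or serviced facilities (the distinct 
vehicle count is a lower bound on fleet size), and measures the gaps 
between consecutive stops as a response-time proxy. The 150 m, 200 m, and 
20-minute thresholds are illustrative assumptions.

```python
"""Added example (not from the rule): raw vehicle GNSS fixes to "derived data"."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import math

# Constructed telemetry: (vehicle_id, ISO-8601 timestamp, latitude, longitude).
# Three hypothetical fleet units; fictitious coordinates near a "depot" and "site B".
SAMPLE_TELEMETRY = [
    ("unit-1", "2024-05-01T08:00:00", 38.9000, -77.0300),
    ("unit-1", "2024-05-01T08:30:00", 38.9001, -77.0299),
    ("unit-1", "2024-05-01T09:00:00", 38.9200, -77.0100),
    ("unit-1", "2024-05-01T09:20:00", 38.9202, -77.0101),
    ("unit-1", "2024-05-01T09:40:00", 38.9199, -77.0099),
    ("unit-1", "2024-05-01T10:15:00", 38.9000, -77.0300),
    ("unit-1", "2024-05-01T10:40:00", 38.9002, -77.0301),
    ("unit-2", "2024-05-01T08:05:00", 38.9001, -77.0302),
    ("unit-2", "2024-05-01T08:35:00", 38.9002, -77.0300),
    ("unit-2", "2024-05-01T09:05:00", 38.8800, -77.0500),  # lone en-route fix
    ("unit-2", "2024-05-01T09:40:00", 38.9000, -77.0301),
    ("unit-2", "2024-05-01T10:05:00", 38.9001, -77.0299),
    ("unit-3", "2024-05-01T09:00:00", 38.9201, -77.0100),
    ("unit-3", "2024-05-01T09:50:00", 38.9203, -77.0100),
]


@dataclass
class Dwell:
    vehicle: str
    lat: float
    lon: float
    start: datetime
    end: datetime


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6_371_000.0 * math.asin(math.sqrt(a))


def dwell_points(records, radius_m=150.0, min_dwell=timedelta(minutes=20)):
    """Collapse each vehicle's track into stops: runs of consecutive fixes within
    radius_m of the run's first fix lasting at least min_dwell (assumed thresholds)."""
    by_vehicle = {}
    for vid, ts, lat, lon in records:
        by_vehicle.setdefault(vid, []).append((datetime.fromisoformat(ts), lat, lon))
    dwells = []

    def close(vid, run):  # emit the run as a Dwell (centroid + time span) if long enough
        if run[-1][0] - run[0][0] >= min_dwell:
            dwells.append(Dwell(vid, sum(p[1] for p in run) / len(run),
                                sum(p[2] for p in run) / len(run), run[0][0], run[-1][0]))

    for vid, fixes in by_vehicle.items():
        fixes.sort()
        run = [fixes[0]]
        for fix in fixes[1:]:
            if haversine_m(run[0][1], run[0][2], fix[1], fix[2]) <= radius_m:
                run.append(fix)
            else:
                close(vid, run)
                run = [fix]
        close(vid, run)
    return dwells


def shared_sites(dwells, radius_m=200.0, min_vehicles=2):
    """Merge dwell centroids within radius_m of each other; keep sites seen by at
    least min_vehicles units (likely depots; the unit count lower-bounds fleet size)."""
    sites = []
    for d in dwells:
        for s in sites:
            if haversine_m(s["lat"], s["lon"], d.lat, d.lon) <= radius_m:
                s["vehicles"].add(d.vehicle)
                s["visits"] += 1
                break
        else:
            sites.append({"lat": d.lat, "lon": d.lon, "vehicles": {d.vehicle}, "visits": 1})
    result = [dict(s, vehicles=sorted(s["vehicles"])) for s in sites
              if len(s["vehicles"]) >= min_vehicles]
    result.sort(key=lambda s: (-len(s["vehicles"]), -s["visits"]))
    return result


def transit_minutes(dwells):
    """Gaps between a unit's consecutive stops: a proxy for response time."""
    per_vehicle = {}
    for d in dwells:
        per_vehicle.setdefault(d.vehicle, []).append(d)
    gaps = []
    for stops in per_vehicle.values():
        stops.sort(key=lambda d: d.start)
        gaps += [(n.start - p.end).total_seconds() / 60 for p, n in zip(stops, stops[1:])]
    return sorted(gaps)


if __name__ == "__main__":
    stops = dwell_points(SAMPLE_TELEMETRY)
    print(shared_sites(stops), transit_minutes(stops))
```

On this constructed log the merge step recovers two sites visited by two 
units each, the depot accounting for four of the six stops, and the 
transit gaps of 30, 35, and 65 minutes are the kind of timing 
information the paragraphs above describe; the point for a defender is 
that none of it requires the raw fixes to leave the vehicle in bulk, 
since centroids and timestamps alone suffice.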
    Even when such systems are not subject to compromise, companies 
owned by, controlled by, or subject to the jurisdiction or direction of 
a foreign adversary, if occupying certain positions within the supply 
chain, may lawfully gain access to their users' personal 
data. For example, one prominent Chinese auto manufacturer with 
operations in the United States publicly states in its U.S. privacy 
policy that the personal data it may collect (e.g., identifiers, 
customer records information, internet or other electronic network 
activity information, geolocation information, professional or 
employment-related information) is only stored in the United States in 
principle, but goes on to note that personal data may be transferred to 
its headquarters in China for processing and storage. While the 
incorporation in the U.S. supply chain of VCS hardware and covered 
software designed, developed, manufactured, or supplied by persons 
owned by, controlled by, or subject to the jurisdiction or direction of 
the PRC or Russia poses one type of risk, transactions involving VCS 
hardware and covered software pose a separate risk when the connected 
vehicle manufacturer is, itself, owned by, controlled by, or subject to 
the jurisdiction or direction of the PRC or Russia, even when the 
connected vehicle manufacturer is located in the United States. 
Connected vehicle manufacturers have privileged and direct access to 
all systems in the vehicle, including the VCS hardware and covered 
software. Not only are VCS hardware and covered software built to the 
connected vehicle manufacturers' specifications, but prior to the sale 
of a completed connected vehicle, connected vehicle manufacturers are 
able to exercise significant levels of control over that VCS hardware 
and covered software with little to no external oversight. Based on the 
foregoing, BIS 
assesses that ICTS transactions involving VCS hardware or covered 
software designed, developed, manufactured, or supplied by persons 
owned or controlled by, or subject to the jurisdiction or direction of 
the PRC or Russia--including transactions to supply the VCS hardware or 
covered software into the United States market as part of the sale of 
the completed connected vehicle--present undue or unacceptable risks to 
the national security of the United States within the meaning of E.O. 
13873.

V. Discussion of the Final Rule

    This final rule prohibits--absent a general or specific 
authorization otherwise--(1) VCS hardware importers from knowingly 
importing into the United States certain hardware for VCS (section 
791.302, ``Prohibited VCS hardware transactions''), (2) connected 
vehicle manufacturers from knowingly importing into the United States 
completed connected vehicles incorporating covered software, and (3) 
connected vehicle manufacturers from knowingly selling within the 
United States completed connected vehicles that incorporate covered 
software (section 791.303, ``Prohibited covered software 
transactions''). These prohibitions apply to transactions when such VCS 
hardware or covered software is designed, developed, manufactured, or 
supplied by persons owned by, controlled by, or subject to the 
jurisdiction or direction of the PRC or Russia. The rule also (4) 
prohibits connected vehicle manufacturers who are persons owned by, 
controlled by, or subject to the jurisdiction or direction of the PRC 
or Russia from knowingly selling in the United States completed 
connected vehicles that incorporate VCS hardware or covered software 
(section 791.304, ``Related prohibited transactions''), regardless of 
whether such VCS hardware or covered software is designed, developed, 
manufactured, or supplied by persons owned by, controlled by, or 
subject to the jurisdiction or direction of the PRC or Russia 
(collectively, ``prohibited transactions'').
    This rule primarily impacts market participants who could be 
considered VCS hardware importers or connected vehicle manufacturers, 
such as OEMs and importers of completed connected vehicles, as well as 
tier one and tier two suppliers of VCS hardware. For these entities, 
three compliance mechanisms--Declarations of Conformity, general 
authorizations, and specific authorizations--are available, depending 
on whether the VCS hardware importer or connected vehicle manufacturer 
wishes to engage in an otherwise prohibited transaction. Importantly, 
because VCS hardware importers and connected vehicle manufacturers 
frequently offer many different types of products, any one of the three 
mechanisms may not be available for their entire business. Rather, 
depending on the product, VCS hardware importers and connected vehicle 
manufacturers could be required to use a combination of these three 
mechanisms to meet their obligations under the rule.
    First, Declarations of Conformity are required to be submitted to 
BIS by VCS hardware importers and connected vehicle manufacturers prior 
to importing VCS hardware or importing or selling completed connected 
vehicles that incorporate covered software, certifying that the VCS 
hardware or covered software was not designed, developed, manufactured, 
or supplied by persons owned by, controlled by, or subject to the 
jurisdiction or direction of the PRC or Russia (section 791.305, 
``Declaration of Conformity''). The Declarations of Conformity require 
VCS hardware importers and connected vehicle manufacturers to certify 
to BIS, once a year or whenever material

[[Page 5372]]

changes occur, that they are not engaging in prohibited transactions 
and provide certain information on the import of VCS hardware and/or 
the import or sale of completed connected vehicles as relevant.
    Second, a general authorization could be available for VCS hardware 
importers and/or connected vehicle manufacturers seeking to engage in 
an otherwise prohibited transaction, depending on the circumstances 
(section 791.306, ``General authorizations''). General authorizations 
are available only in a narrow set of circumstances in which the 
conditions of the otherwise prohibited transaction appropriately 
mitigate the level of risk associated with the particular type of 
transaction. In determining whether to issue a general authorization, 
BIS may consider any information or material BIS deems relevant and 
appropriate, classified or unclassified, from any Federal department or 
agency, or from any other source. BIS will publish general 
authorizations issued pursuant to this subpart on its website (<a href="https://www.bis.gov/OICTS">https://www.bis.gov/OICTS</a>) and will also publish them in the Federal Register. 
Those availing themselves of a general authorization are required to 
continuously monitor their use of the VCS hardware or completed 
connected vehicles covered by the general authorization to ensure the 
authorization still applies. If a change renders the transaction 
ineligible for a general authorization, such as a change in the 
vehicle's use, the VCS hardware importer or connected vehicle 
manufacturer is required to apply for a specific authorization and 
cease engaging in such transaction unless and until a specific 
authorization is granted.
    Lastly, a specific authorization may be granted to VCS hardware 
importers and connected vehicle manufacturers who wish to engage in a 
prohibited transaction, but do not otherwise qualify for a general 
authorization from BIS (section 791.307, ``Specific authorizations''). 
Such VCS hardware importers and connected vehicle manufacturers are 
required to pause engaging in these transactions before they may 
proceed with the prohibited transaction under a specific authorization. 
A specific authorization will only be available in circumstances where 
BIS determines, based on the information submitted by the applicant as 
well as any information or material BIS deems relevant and appropriate, 
classified or unclassified, from any Federal department or agency, or 
from any other source, that the otherwise prohibited transaction does 
not present an undue or unacceptable risk to U.S. national security. 
However, as a condition of approving the specific authorization, BIS 
might impose certain requirements and mitigation measures upon the VCS 
hardware importers and connected vehicles manufacturers seeking to 
proceed with the prohibited transaction.
    VCS hardware importers and connected vehicle manufacturers can 
appeal any of the following BIS decisions to the Under Secretary: the 
determination that a VCS hardware importer or connected vehicle 
manufacturer is ineligible for a general authorization, the denial of 
an application for a specific authorization, or the suspension or 
revocation of a previously granted specific authorization (section 
791.309, ``Appeals''). Further, the regulation establishes a method for 
VCS hardware importers and connected vehicle manufacturers to seek 
guidance on prospective transactions that may be prohibited through a 
BIS advisory opinion (section 791.310, ``Advisory opinions''). BIS may 
also publish guidance on its website informing VCS hardware importers 
and connected vehicle manufacturers that certain activities could 
constitute a prohibited transaction.
    In issuing this rule, BIS recognizes that Section 203(b) of IEEPA--
i.e., the ``Berman Amendment''--limits the scope of the authority to 
regulate or prohibit transactions relating to ``information'' or 
``informational materials.'' In relevant part, the Berman Amendment 
states that the ``authority granted to the President by this section 
does not include the authority to regulate or prohibit, directly or 
indirectly . . . . the importation from any country, or the exportation 
to any country, whether commercial or otherwise, regardless of format 
or medium of transmission, of any information or informational 
materials, including but not limited to, publications, films, posters, 
phonograph records, photographs, microfilms, microfiche, tapes, compact 
disks, CD ROMs, artworks, and newswire feeds.'' 50 U.S.C. 1702(b)(3). 
Consistent with the statute's text and purpose, as demonstrated by 
legislative history and context as well as judicial interpretations, 
BIS interprets the phrase ``information or informational materials'' to 
be limited to expressive material, consistent with the purpose of 50 
U.S.C. 1702(b)(3) to protect materials involving the free exchange of 
ideas from regulation under IEEPA and with IEEPA's broader purpose to 
limit material support to adversaries. A broader interpretation of the 
term would enable adversaries and countries of concern to use non-
expressive data to undermine our national security.
    In the NPRM, BIS explained this regulation is consistent with the 
Berman Amendment. BIS sought comment on this issue, including whether 
and how to address the term ``information or informational materials'' 
in the final rule. One commenter claimed that the prohibitions included 
in the rule could extend beyond IEEPA's intended purpose and result in 
litigation risk for BIS. Therefore, according to the commenter, BIS 
should clarify what types of information sharing will be allowed in 
light of the IEEPA limitations included in the Berman Amendment. One 
commenter requested clarification on what types of information sharing 
will be allowed under the rule, including documentation of technology 
designs. Another commenter asked about ``the information/materials--
including technology design documentation--that will be permitted or 
required when the Berman Amendment applies.'' In response, BIS notes 
that this rule does not add any restrictions on the sharing of 
technology designs, technical documentation, or similar information, 
nor does it remove any restrictions that may exist under any other 
regulation (e.g., export controls). Additionally, while this rule 
requires regulated parties to maintain documentation relevant to their 
compliance with this rule, it does not prescribe any specific 
requirements as to what that documentation must consist of. BIS did not 
receive any comments requesting that specific provisions relating to 
information or informational materials be added to the rule.
    This final rule is consistent with the Berman Amendment. Its 
purpose is to regulate transactions involving certain hardware and 
software based on functional capabilities that can be exploited by 
foreign adversaries, not to restrict the import or export of expressive 
speech and communicative works and mediums that may be carrying such 
expressive content. As discussed in Section IV, VCS hardware and 
covered software process and transmit data such as geolocation 
information or systems diagnostics reports, which are used to monitor 
and control the vehicle's safe operation, and that a foreign adversary 
could manipulate in ways that could impair or disable the vehicle's 
function, leading to dangerous outcomes that pose a harm to U.S. 
national security. Similarly, the functional data collected by covered 
software--such as high-definition mapping data of infrastructure and

[[Page 5373]]

roadways--would pose serious risks to that critical infrastructure if 
collected and exploited by a foreign adversary. This final rule 
``balances IEEPA's competing purposes'' in ``restricting material 
support for hostile regimes while encouraging the robust interchange of 
information.'' United States v. Amirnazmi, 645 F.3d 564, 587 (3d Cir. 
2011). Thus, BIS has determined that the prohibitions in this rule are 
consistent with the Berman Amendment. To the extent that any parties 
believe that a transaction governed by this rule qualifies as 
``information or informational materials'' that is exempt under 50 
U.S.C. 1702(b)(3), they can seek clarification using the administrative 
processes for seeking an advisory opinion.

VI. Revisions From the Proposed Rule and Response to Comments

    Each section of the final rule is discussed below, including BIS's 
consideration of comments received in response to the NPRM.

a. Definitions

    BIS received a variety of comments regarding the definitions listed 
in the NPRM. In the following sections, BIS summarizes and responds to 
those comments, outlines the definitions for this final rule, and for 
some definitions, provides additional interpretation to assist readers 
in understanding the final definition (see section 791.301, 
``Definitions''). BIS notes that multiple commenters requested BIS 
include definitions for terms that are already defined within 15 CFR 
791.1, such as U.S. person. In response, BIS emphasizes that 
definitions contained in 15 CFR 791.1 apply to this subpart, except 
where the same term is defined differently in this rule.

1. Automated Driving System

    In the NPRM, BIS proposed Automated Driving System (ADS) to mean 
hardware and software that, collectively, are capable of performing the 
entire dynamic driving task for a completed connected vehicle on a 
sustained basis, regardless of whether it is limited to a specific ODD. 
After considering commenters' feedback, BIS has chosen to retain this 
definition in the final rule.
    Many commenters requested clarity on the definition of ADS, 
particularly urging BIS to explicitly reference SAE International's 
J3016 standard in the definition. Commenters also recommended that BIS 
explicitly exclude Levels 1 and 2 of the SAE J3016 standard or plainly 
state that the regulation does not capture ADAS in the definition. 
Similarly, BIS received feedback to incorporate language that excludes 
hardware and software that are not capable of performing the entire 
dynamic driving task and to provide examples of these exclusions, such 
as steering, braking, acceleration, and speed.
    BIS declines to include a reference to the current version of SAE 
J3016 at this time and believes that the current definition adequately 
covers only those systems that would fall into SAE categorization Level 
3 and above. However, this does not preclude BIS from amending this 
rule in the future to make explicit reference to the current version 
(April 2021) or any future version of J3016. BIS emphasizes that in 
enforcing this rule, it will only consider Automated Driving Systems 
that meet the full definition of this rule to be in scope, and BIS 
believes that the details regarding the specifics of Levels 3, 4, and 5 
systems contained within J3016 are useful guidance for connected 
vehicle manufacturers to determine if their products fall within scope. 
Following the effective date of this rule, entities that seek 
clarification on whether a specific piece of software is subject to the 
prohibitions of this rule may submit a request for an advisory opinion 
from BIS. Further, in response to commenters requesting that BIS 
explicitly state that ADAS is out of scope, BIS believes this to be 
unnecessary as the definition aligns with SAE J3016, which 
differentiates between ADAS and ADS.
    Comments contained various positions on the specific exclusion or 
inclusion of LiDAR and other sensing systems within the prohibitions. 
Several commenters advised BIS to identify examples of specific 
components that are outside the scope of the prohibitions, such as 
radar and camera technology. Others advocated for the inclusion of ADS 
sensor technology in the prohibitions and explained that BIS should 
explicitly scope the prohibitions to include cameras, radar, LiDAR, 
Time of Flight internal sensors, ultrasonic sensors, and microphones. 
Commenters pointed out that LiDAR is proliferating across critical 
infrastructure industries and heavily sourced by foreign adversaries, 
further urging that LiDAR, in particular, should fall in scope of the 
prohibitions, including LiDAR hardware, software for sensor control, 
and perception software.
    BIS maintains its position from the NPRM that this rulemaking will 
address only ADS software and not the multiple hardware systems that 
support or directly enable ADS operation. BIS agrees that proliferation 
of LiDAR and other sensing technologies from entities with a foreign 
adversary nexus throughout multiple critical infrastructure sectors may 
pose a threat to national security. However, within the limited scope 
of the automotive sector, and with this initial rulemaking, BIS 
assesses that a prohibition that focuses specifically on transactions 
that provide ADS software is appropriate at this time to mitigate the 
national security risks that they present while limiting the supply 
chain and economic impact. As stated in the NPRM, BIS proposed to 
regulate ADS software rather than the hardware components of ADAS and 
ADS so as to reduce unnecessary economic impacts and supply disruption. 
The hardware that enables ADAS and ADS varies widely between different 
OEMs. ADAS and ADS hardware encompasses a wide variety of different 
sensors, distributed electronic control units (ECUs), centralized 
computing units, actuators, and signaling units, among others. These 
sensors and internal vehicle networking hardware rarely have 
independent connectivity. A rule that coherently and feasibly addresses 
these varied supply chains would have disproportionate economic and 
supply chain impacts relative to the reduction of national security 
risks. Further, focusing on the ADS software supply chain appropriately 
mitigates the national security risks that they present while limiting 
the supply chain and economic impact. Commenters should also refer to 
the discussion below on covered software for greater detail on BIS's 
decision to omit LiDAR from this rule. BIS's decision not to focus on 
sensing technologies in this rule does not preclude BIS from addressing 
them in a subsequent rulemaking.
    Commenters recommended providing definitions for terms within the 
ADS definition, such as ``operational design domain.'' BIS declines to 
specify a definition for operational design domain as it believes this 
to be an industry standard term in the autonomous vehicle sector that 
refers to operating conditions under which an ADS or feature thereof is 
specifically designed to function. Additionally, BIS hopes to provide 
industry with additional flexibility to interpret these terms within 
the contexts of their own technologies, reducing the compliance burden 
of the rule. However, BIS emphasizes that the related definitions in 
J3016 are useful guidance for industry and interested entities.
    One commenter also advised removing ``for a completed connected 
vehicle'' from the definition of ADS and adding an ``ADS-equipped 
vehicle'' to

[[Page 5374]]

the definition to avoid industry confusion because not all connected 
vehicles will have ADS. BIS maintains that the ADS-related prohibitions 
of the rule affect only completed connected vehicles that are equipped 
with ADS by the nature of how the covered software prohibition is 
crafted, and therefore narrowing the definition of ADS to remove ``for 
a completed connected vehicle'' is not necessary.
    Commenters noted that the ADS definition includes hardware, while 
the prohibited transactions do not include ADS hardware. The ADS 
definition captures the whole of ADS, including hardware, while the 
regulation prohibits only ADS software and does not prohibit ADS 
hardware. Commenters advised removing ``hardware'' from the definition 
of ADS or providing language that clarifies that the definition of ADS 
generally describes what an ADS is, but not necessarily what aspects of 
the system are regulated by this rule. After consideration, BIS 
declines this suggestion. In the interest of maintaining a harmonized 
definition that is consistent with other Federal regulations and with 
industry standards such as NHTSA's Second Amended Standing General 
Order 2021-01 and SAE J3016, BIS maintains that inclusion of 
``hardware'' in the definition of ADS is appropriate, even though this 
does not mean that the hardware of an ADS is regulated. The 
structure of the covered software definition and the covered software 
prohibitions are the only instances of a use of the ADS definition and 
make clear that ADS hardware is not prohibited when designed, 
developed, manufactured, or supplied by entities owned by, controlled 
by, or subject to the jurisdiction or direction of the PRC.
    One commenter requested that BIS clarify that ADS software that 
carries out only a single function, such as parking, be excluded from 
the definition of ADS. While BIS generally believes that systems that 
are not capable of executing the entire dynamic driving task (as 
required by the definition of ADS) are not covered by this regulation, 
BIS declines to amend the definition in this rule as such a 
determination would be highly fact specific. BIS emphasizes that 
persons seeking greater clarity may, upon the effective date of this 
rule, seek an advisory opinion from BIS regarding a specific 
transaction involving ADS software.

2. Completed Connected Vehicle

    In the NPRM, BIS proposed to define completed connected vehicle as 
follows: ``a connected vehicle that requires no further manufacturing 
operations to perform its intended function. For the purposes of this 
subpart, the integration of an ADS into a connected vehicle constitutes 
a manufacturing operation for a completed connected vehicle.'' BIS 
chose to retain this definition of completed connected vehicle in the 
final rule based on comments, further research, and other changes to 
the regulation.
    Some commenters, particularly from the commercial vehicle sector, 
argued that the proposed rule did not provide a clear definition of 
completed vehicle within the context of the commercial market. As 
discussed in the following section addressing the definition of 
connected vehicle, BIS recognizes the substantial compliance concerns 
associated with the complex commercial vehicle sector and has 
determined that the commercial vehicle sector will not be covered by 
this rulemaking. Recognizing there are substantial national security 
concerns in the commercial vehicle market, BIS intends to issue a new 
proposed rule specifically tailored to this sector.
    One commenter urged BIS to substitute a new definition for ``ADS-
equipped connected vehicle'' instead of ``completed connected vehicle'' 
in order to avoid implying that all connected vehicles contain ADS 
software. BIS recognizes that not all connected vehicles are ADS-
equipped. However, BIS declines this suggestion because the 
prohibitions resulting from the regulation pertain to completed 
connected vehicles, as defined by the regulation, and BIS does not want 
to engender confusion or suggest that the prohibitions pertain only to 
products equipped with ADS. Therefore, BIS chooses not to integrate 
this recommendation into the final rule.

3. Connected Vehicle

    In the NPRM, BIS proposed connected vehicle to mean a vehicle 
driven or drawn by mechanical power and manufactured primarily for use 
on public streets, roads, and highways, that integrates onboard 
networked hardware with automotive software systems to communicate via 
dedicated short-range communication, cellular telecommunications 
connectivity, satellite communication, or other wireless spectrum 
connectivity with any other network or device. Vehicles operated only 
on a rail line are not included in this definition. BIS modified its 
definition in the final rule based on comments from the public.
    A few commenters requested clarifications or refinements for BIS's 
definition of a ``connected vehicle.'' Some commenters highlighted that 
other regulatory bodies, such as National Highway Traffic Safety 
Administration (NHTSA) and the Environmental Protection Agency (EPA), 
often implement separate rulemaking efforts for light/passenger 
vehicles and heavy/commercial vehicles. BIS has opted to exclude 
commercial vehicles from the final rule. As discussed elsewhere, BIS 
emphasizes that the national security risks associated with PRC or 
Russian VCS and ADS in commercial vehicles are grave, and BIS's 
decision to exclude commercial vehicles from this rulemaking in no way 
implies that these risks are lesser than in the passenger vehicle 
market. Rather, BIS intends to propose a separate regulation tailored 
to the commercial sector in the coming months.
    Specifically, BIS has amended the definition of ``connected 
vehicle,'' for the purposes of this rule, to exclude vehicles with a 
gross vehicle weight rating (GVWR) of over 10,000 pounds, which 
generally aligns with the weight delineation included in definitions 
used by other government agencies (including the Federal Motor Carrier 
Safety Administration) and by industry to delineate between passenger 
and commercial vehicles.
    One commenter also requested that BIS clarify that recreational 
vehicles (RVs) are not included in the definition of a ``connected 
vehicle.'' BIS declines to amend the definition as it believes RVs will 
largely be excluded from the regulation. First, as amended, RVs 
weighing over 10,000 pounds will not be captured by this rule and will 
instead be subject to an intended future rule covering commercial 
vehicles. Second, as the commenter noted, BIS intends to issue a 
general authorization pertaining to vehicles used on public roads for 
fewer than 30 days a year, which could capture additional RVs that 
weigh under 10,001 pounds, if manufacturers are able to verify their 
RVs are eligible. Manufacturers availing themselves of any future 
general authorization need not notify BIS of its use nor apply for the 
authorization, contrary to the comment's suggestion. In the future, BIS 
may consider whether a general authorization that specifically 
addresses RVs would be appropriate.
    One commenter requested that BIS explicitly exclude agricultural 
equipment, construction equipment, and mining equipment from the 
definition of ``connected vehicle.'' BIS does not believe this 
modification necessary as it believes the existing definition of 
``connected vehicle,'' which mandates that the vehicle must be 
manufactured ``primarily for use on

[[Page 5375]]

public streets, roads, and highways,'' and under 10,001 pounds, 
sufficiently excludes these vehicles from the provisions of the rule. 
Another commenter urged BIS to clarify that the rule does not apply to 
entities importing VCS hardware intended for integration into vehicles 
that are not covered by this rule. BIS believes that modifications to 
the definition of VCS and VCS hardware address this comment.
    Commenters urged BIS to amend the definition of ``connected 
vehicle'' to clarify that Personal Delivery Devices (PDDs) and bicycles 
are not captured by the rule. BIS does not believe this modification is 
necessary, as it believes that neither PDDs nor bicycles meet the 
definition of a connected vehicle. PDDs and bicycles primarily operate in 
shoulders of roads, bike lanes, and sidewalks, which BIS does not 
believe meets the definition of ``manufactured primarily for use on 
public streets, roads, and highways.'' The exclusion of these devices 
from this regulation is further in line with Federal and State-level 
interpretations that have also excluded PDDs from the definition of 
motor vehicle and related policies.
    Commenters asked that BIS clarify whether a ``connected vehicle'' 
includes a motorcycle. One commenter offered the definition of 
motorcycle from 40 CFR 205.151: ``[A]ny motor vehicle, other than a 
tractor, that: (i) [h]as two or three wheels; (ii) [h]as a curb mass 
less than or equal to 680 kg (1499 lb); and (iii) [i]s capable, with an 
80 kg (176 lb) driver, of achieving a maximum speed of at least 24 km/h 
(15 mph) over a level paved surface.'' BIS understands and acknowledges 
that this definition of motorcycle fits into its definition of 
``connected vehicle'' in this rule, meaning that motorcycles are 
subject to this regulation, and BIS believes that an additional 
definition is unnecessary to improve ease of administration of this 
rule. Further, BIS notes that vehicles such as electric scooters and e-
bicycles are not ``manufactured primarily for use on public streets, 
roads, and highways,'' given that in most jurisdictions such vehicles 
cannot be ridden legally on public highways and many roads. Therefore, 
BIS assesses that the definitions provided are scoped appropriately.
    One commenter asked BIS to clarify that the regulation does not 
apply to VCS hardware importers and connected vehicle manufacturers 
that import covered hardware intended for assembly into vehicles that 
are not covered by the definition of connected vehicle. In response, 
BIS confirms that transactions involving covered software and VCS 
hardware that are not integrated into a connected vehicle are not 
subject to this regulation. VCS hardware importers and connected 
vehicle manufacturers executing covered software and VCS hardware 
transactions that are intended to be incorporated into a connected 
vehicle, as defined in the final rule, are subject to this regulation.
    BIS has chosen to define ``connected vehicle'' to mean a vehicle 
driven or drawn by mechanical power and manufactured primarily for use 
on public streets, roads, and highways, that integrates onboard 
networked hardware with automotive software systems to communicate via 
dedicated short-range communication, cellular telecommunications 
connectivity, satellite communication, or other wireless spectrum 
connectivity with any other network or device. Vehicles operated only 
on a rail line are not included in this definition. For the purposes of 
this subpart, a connected vehicle with a gross vehicle weight rating of 
more than 4,536 kilograms or 10,000 pounds is not included in this 
definition.
    The primary change from the definition in the proposed rule is the 
inclusion of a weight constraint. This final rule has been narrowed to 
address vehicles under 10,001 pounds (which largely apply to the 
passenger vehicle market). BIS intends to supplement this rulemaking 
with an additional rule to address vehicles over 10,000 pounds (which 
largely applies to the commercial vehicle market), given the national 
security risks.

4. Connected Vehicle Manufacturer

    In the NPRM, BIS proposed ``connected vehicle manufacturer'' to 
mean a U.S. person (1) manufacturing or assembling completed connected 
vehicles in the United States; and/or (2) importing completed connected 
vehicles for sale in the United States. Based on feedback from 
commenters, BIS has amended its definition of ``connected vehicle 
manufacturer'' in the final rule.
    Commenters advised BIS to be more specific about who is responsible 
for reporting to BIS under this regulation. Commenters recommended that 
BIS clarify that contracting with another party to manufacture or 
assemble a completed connected vehicle that integrates one's own ADS or 
VCS for one's own business is out of scope of the regulation. BIS 
declines to do so. Through modifications to the connected vehicle 
manufacturer definition, BIS specifies that a person whose sole 
manufacturing or assembly operation is integrating ADS into an 
otherwise completed connected vehicle qualifies as a ``connected 
vehicle manufacturer.'' BIS also included changes 
to the definition of sale to ensure that these contracting operations 
are within scope of the regulation. As discussed further below relating 
to the modifications to the definition of sale, BIS has determined that 
contracting operations could, but may not necessarily, be a sale under 
the terms of this rule.
    Commenters encouraged BIS to consider whether a person owned by, 
controlled by, or subject to the jurisdiction or direction of the PRC 
or Russia, whose sole manufacturing or assembly operation is 
integrating ADS into an otherwise completed connected vehicle, should 
be subject to the prohibitions in the rule and need to obtain a 
specific authorization before importing or selling that completed 
connected vehicle in the United States. BIS determined that such 
integration of ADS software into a completed connected vehicle by a 
person owned by, controlled by, or subject to the jurisdiction or 
direction of the PRC or Russia is an extension of the national security 
risk relating to covered software and is intended to be restricted. In 
response, BIS clarifies that ADS integration into an otherwise 
completed connected vehicle is subject to this regulation and has 
updated the definition of connected vehicle manufacturer in the final 
rule to reflect this.
    Commenters also encouraged BIS to make third-party manufacturers or 
assemblers operating on behalf of a U.S. entity, regardless of the 
origin of the ADS or VCS, exempt from this regulation. BIS rejects this 
request and has updated the regulation to clarify that third-party 
manufacturers who are persons owned by, controlled by, or subject to 
the jurisdiction or direction of the PRC or Russia are subject to this 
rule. Third-party manufacturers are an integral aspect of a connected 
vehicle manufacturer's overall manufacturing operations; therefore, if 
such third parties were persons owned by, controlled by, or subject to 
the jurisdiction or direction of the PRC or Russia, this would continue 
to perpetuate the national security risks that this rule is seeking to 
address.
    In the final rule, BIS has chosen to define a connected vehicle 
manufacturer to mean a U.S. person who:
    (1) Manufactures or assembles completed connected vehicles in the 
United States for sale in the United States;
    (2) Imports connected vehicles for sale in the United States; and/or

[[Page 5376]]

    (3) Integrates ADS software on a completed connected vehicle for 
sale in the United States.
    A connected vehicle manufacturer may also be a VCS hardware 
importer, as defined herein, if VCS hardware has already been installed 
in a connected vehicle when the connected vehicle manufacturer imports 
it.
    This modified definition clarifies BIS's intention to capture 
entities who purchase otherwise completed (and compliant) connected 
vehicles from a third party and then integrate their proprietary ADS on 
the vehicle to enable autonomous driving. For example, a U.S. person 
who purchases completed connected vehicles from a U.S. connected 
vehicle manufacturer (even if those vehicles do not contain PRC or 
Russian VCS hardware or ADS software) and then integrates its own ADS 
software on the vehicles would be performing a manufacturing operation 
and would be explicitly captured as a connected vehicle manufacturer 
under this amended definition. If that U.S. person is an entity owned 
by, controlled by, or subject to the jurisdiction or direction of the 
PRC or Russia, it would require a specific authorization to sell those 
vehicles in the United States, which includes transferring those 
vehicles for commercial operations. The modified definition also 
clarifies that the first paragraph of the definition, which relates to 
persons who manufacture or assemble completed connected vehicles in the 
United States, applies only if the vehicles are intended for sale in 
the United States (not for export and sale abroad).

5. Covered Software

    In the NPRM, BIS proposed to define covered software as ``the 
software-based components, in which there is a foreign interest, 
executed by the primary processing unit of the respective systems that 
are part of an item that supports the function of Vehicle Connectivity 
Systems or Automated Driving Systems at the vehicle level. Covered 
software does not include firmware, which is characterized as software 
specifically programmed for a hardware device with a primary purpose of 
controlling, configuring, and communicating with that hardware device. 
Covered software also does not include open-source software that can be 
freely used, modified, and distributed by anyone, with both access to 
the source code and the ability to contribute to the software's 
development and improvement unless that open-source software has been 
modified for proprietary purposes and not redistributed or shared.'' 
Based on comments, BIS changed its definition of covered software to 
better align with industry practices.
    Commenters commonly sought more guidance on the layers of software 
regulated under the rule. Commenters requested examples regarding how 
covered software applies to the software stack for VCS and ADS. Common 
feedback urged BIS to define software-based components that fall in and 
out of scope of the regulation, such as application, firmware, 
middleware, and system software. Commenters also encouraged BIS to 
provide a definition of these layers of software, particularly 
emphasizing that a definition was needed for firmware. Commenters 
advocated for the exclusion of embedded software (e.g., middleware and 
system software) because the application software more directly 
facilitates external communications, and the embedded software is not 
divisible or distinguishable from hardware. Commenters also suggested 
that regulating embedded software would introduce more complex supply 
chain bottlenecks and prevent many companies from meeting the covered 
software prohibition within a year's time.
    In response to these comments, BIS has added specificity to the 
covered software definition to explicitly include application, 
middleware, and system software, while continuing to exclude firmware. 
BIS has also included a description of firmware. BIS declined to 
generally exclude embedded software from the definition, because doing 
so would exclude certain software that could pose a national security 
risk. Rather, BIS has chosen to classify software along 
``application,'' ``system,'' ``middleware,'' and ``firmware'' 
categories. To determine whether particular embedded software is 
excluded from the definition, parties should consider whether the 
embedded software leverages specific code executed by the primary 
processing unit or units of the system. This requirement may exclude 
embedded software systems that are executed on ancillary surface 
modules or processors, depending on the specific architecture of the 
VCS.
    Two commenters recommended that BIS limit covered software to only 
the application layer. BIS rejects this feedback. BIS intends covered 
software to include application software, operating system software and 
a library of established functions which are generally referred to as 
``middleware.'' BIS chose to include operating system and middleware 
function software in the definition of ``covered software'' because if 
either the operating system or middleware functions are compromised, 
the resulting application would not execute securely. So long as the 
software in question is application, operating system, or middleware 
executed by the primary processing unit of the subject system, it would 
likely be covered software unless otherwise excluded.
    One commenter requested that BIS define the term ``primary 
processing unit'' in the ``covered software'' definition. BIS declines 
to incorporate an explicit definition in the regulatory text because a 
definition is unnecessary; unlike other specialized terms defined in 
the final rule, ``primary processing unit'' is a widely understood 
term. To provide additional interpretive guidance on the 
term, BIS intends the term ``primary processing unit'' to encompass the 
central or graphics computing unit of a system responsible for running 
both the application(s) and the associated operating system that 
directly enable VCS or ADS on the vehicle. Commenters supported the 
exclusion of open-source software from the rule and requested BIS align 
the definition of open-source software with the definitions from the 
National Defense Authorization Act (NDAA) of 2019, CISA 2023 Open-Source 
Software Security Roadmap, and the Open Source Initiative. Commenters 
also wanted BIS to clarify if open-source software modified by Russian 
or Chinese entities falls under scope of the regulation. BIS accepts 
the recommendation of multiple commenters to align the definition of 
open-source software with that of the 2019 NDAA. Further, BIS added 
certain clarifying clauses to the 2019 NDAA definition to address 
advances in artificial intelligence and the evolution of the use of the 
term ``open-source'' in artificial intelligence applications by 
including ``in its entirety'' to the definition. However, BIS declines 
to limit the open-source software exclusion by the geographical 
location of specific administrators or contributors to open-source 
projects or libraries. BIS is not well placed to arbitrate the validity 
of individual open-source contributors and rather relies on the 
inherent structure and transparency of open-source software to identify 
potential security compromises by malicious actors. BIS excludes open-
source software from covered software and characterizes it as software 
for which the human-readable source code is available in its entirety 
for use, study, re-use, modification, enhancement, and redistribution 
by the users of such software unless that open-source

[[Page 5377]]

software has been modified for proprietary purposes and not 
redistributed or shared.
    In addition to BIS being more specific about the definition of 
covered software, commenters requested that BIS explicitly scope out 
different software components. Some commenters recommended modifying 
the definition to cover only component software of ADS and VCS. These 
commenters argued that tying the covered software to the hardware helps 
narrow the scope and removes the ambiguity of the term ``item that 
supports,'' which they argued was ambiguous because it is generally 
understood as part of a system. To this end, commenters advised BIS to 
define ``covered software'' as ``software, in which there is a foreign 
interest, executed by the primary processing unit of the Vehicle 
Connectivity System or Automated Driving System item that directly 
enables the Vehicle Connectivity System or Automated Driving System 
function,'' or similarly. Commenters argued that marrying the 
definitions of VCS and ADS to the definition of covered software 
provides clarity to connected vehicle developers and other automotive 
industry actors while retaining BIS's stated goal of targeting ``two 
integral ICTS systems,'' of VCS and ADS, and no other vehicle equipment 
or technologies. Commenters also said this change removes the language 
``an item that supports the function of VCS,'' which is confusing to 
industry.
    In response to these comments, BIS clarified the definitions of 
``covered software'' and ``VCS hardware'' to include items that 
``directly enable'' the function of those systems as opposed to 
``supports'' those systems. BIS defined the term ``item'' in conformity 
with SAE International's 21434 ``Road Vehicles--Cybersecurity 
Engineering'' standard of September 2021, as a term that would be 
commonly understood by industry. The SAE 21434 standard promotes the 
delineation of item definitions for different automotive systems and 
for assessing the cybersecurity of those systems. BIS therefore 
considered the SAE 21434 terms and practices in drafting its 
definitions so that connected vehicle manufacturers can consult 
existing compliance mechanisms to determine the item definition of 
different systems and assess what is included within the item 
definition of a VCS. BIS also retained ``covered software'' and ``VCS 
hardware'' as separate terms and separate prohibitions due to other 
structural and legal considerations.
    Commenters also wanted to better understand the granularity of the 
ADS software prohibition, seeking clarity as to whether final software 
is considered ``designed'' or ``developed'' by a person owned by, 
controlled by, or subject to the jurisdiction or direction of the PRC 
when a software module from the PRC is part of the larger ADS suite. If 
only one software subcomponent of an ADS software suite is designed, 
developed, manufactured, or supplied by a PRC or Russian entity, then 
the entire ADS software suite would be considered designed, developed, 
manufactured, or supplied by a foreign adversary entity. BIS modified 
the covered software definition to make clear that it applies to 
software components of application, middleware, and system software. 
BIS acknowledges the burden of determining the provenance of software 
subcomponents for legacy code bases and therefore added an exclusion 
for code that was designed, developed, manufactured, or supplied before 
one year from the effective date of the rule.
    One commenter requested clarity about VCS software architecture, 
specifically regarding whether the regulation's scope includes upstream 
communication transfer, downstream communications transfer, and 
communications processing. This commenter thought that upstream 
communications were within scope of the proposed rule, while the 
downstream communication transfer and communication processing were out 
of scope. Some commenters requested specific opinions about specific 
automotive in-vehicle network architectures. Because of the variety and 
diversity of automotive network designs, BIS sought to provide 
definitions that could be applied across the industry and declines to 
specifically opine on specific architectures. However, BIS intends to 
work with industry to answer specific questions during the 
implementation of the rule and through the issuance of advisory 
opinions.
    Commenters commonly sought clarity on the degree and type of remedy 
necessary for the software to no longer be deemed covered software and 
therefore not subject to the prohibitions and compliance requirements 
in this rule. To this end, commenters recommended that BIS consider 
integrating accepted international regulatory standards to drive its 
guidance. For example, commenters suggested that BIS adopt the ISO/SAE 
21434 Road Vehicles--Cybersecurity Engineering Threat Analysis and Risk 
Assessment (TARA) to assess the cybersecurity risks in automotive 
products. Commenters flagged that this standard provides a methodology 
for the software developer to identify critical assets and privacy 
concerns and allows for the greatest specificity to address the 
critical asset(s), such as the specific lines of source code or module 
at issue, rather than broadly including all software packages. BIS 
appreciates this recommendation and acknowledges that it previously 
considered such a framework. BIS ultimately declines to consider 
compliance with SAE 21434 as a standalone security control sufficient 
for mitigating the national security risks identified in this rule. BIS 
determined that a combination of security controls could successfully 
mitigate the national security risk relating to connected vehicles and 
intends to use a multi-layered approach when issuing a specific 
authorization. BIS anticipates that requiring security controls such 
as conformity with cybersecurity standards, audits conducted by third 
parties or BIS, enhanced reporting requirements, and controls on 
corporate governance may be effective ways to manage risk. 
However, BIS will consider compliance with cybersecurity standards like 
SAE 21434, R155, and NHTSA Cybersecurity Best Practices when evaluating 
applications for specific authorizations.
    Many commenters requested that BIS exclude legacy code from the 
definition to minimize supply chain disruption and ensure warranties 
can be fulfilled. BIS acknowledges comments regarding the mature code 
bases that have been built, audited, and refined over time and the 
significant burden that determining the specific developers that 
contributed to those libraries over time would create. Based on the 
comments, BIS incorporated a specific exclusion within the covered 
software definition for legacy code. This addition to the covered 
software definition will exclude all source code that is designed, 
developed, manufactured, or supplied before a date that is one year 
from the effective date of the rule. This ``legacy'' code exclusion 
will protect products that have already gone to market. Furthermore, 
excluding legacy code designed, developed, manufactured, or supplied 
prior to March 17, 2026 will provide regulated entities time to 
transfer intellectual property rights, as well as responsibility for 
development and maintenance of code, into their organizations in 
order to come into compliance with the covered software prohibition. 
BIS believes that this appropriately balances addressing the national 
security risks posed by software that is actively maintained in the PRC 
and Russia while lowering

[[Page 5378]]

potential burdens and disruptions to the market.
    Commenters also warned that the regulation does not clearly 
articulate if ADS added to a completed connected vehicle falls in scope 
of the prohibition. Commenters advised limiting the scope of the 
regulation by adding language at the end of the covered software 
definition to ensure that the addition of ADS software that itself is 
not designed, developed, manufactured, or supplied by PRC or Russian 
entities to a connected vehicle is not a manufacturing operation for 
the purposes of this rule. BIS declines to adopt this recommendation. 
BIS explicitly included the sentence, ``For the purposes of this 
subpart, the integration of an Automated Driving System into a 
connected vehicle constitutes a manufacturing operation for a completed 
connected vehicle,'' to make clear that the addition of ADS to a 
completed connected vehicle falls within scope of this rule as it is a 
manufacturing operation for a completed connected vehicle. If the 
addition of covered ADS software to a completed connected vehicle 
involves software in which there is no foreign interest, then the 
integrating entity would not be required to submit a Declaration of 
Conformity. However, if there is a foreign interest in that covered 
software transaction, then it would require a Declaration of 
Conformity, or in the case the software is covered by the prohibitions 
of this rule, a specific authorization. BIS assesses that the addition 
of covered ADS software to a completed connected vehicle by an 
aftermarket vendor poses the same national security threat as the 
addition of covered ADS software at the initial point of manufacture. 
BIS believes such a modification or integration of ADS software could 
introduce the same underlying risk that the connected vehicle can be 
manipulated, to include unauthorized access to vehicle data.
    Commenters also inquired if electronic logging devices (ELDs), 
insurance-related vehicle tracking devices, and after-market safety 
technologies are in the scope of covered software. BIS recommends that 
commenters review the technical specifications of these devices against 
the updated definition of covered software to confirm if they are 
executed by the primary processing unit or units of an item that 
directly enables the function of VCS or ADS at the vehicle level to 
determine if said devices fall within the scope of the definition of 
covered software. BIS believes the definitions for covered software and 
VCS hardware should provide clarity; however, a person may submit a 
request for an advisory opinion regarding transactions involving 
specific technologies, along with technical information related to 
these technologies, so BIS may provide an opinion specific to the 
technology presented. BIS understands ``after-market safety 
technologies'' to be a broad term that can encompass a range of 
technologies. Such technologies would likely be covered as they relate 
to ADS software directly; however, uses outside of this scope would 
likely require BIS to receive additional information within a request 
for an advisory opinion. While the use of these technologies in the 
commercial vehicle market is out of scope of this regulation, under 
certain circumstances these technologies may be subject to this 
regulation (e.g., if they are used in vehicles weighing less than 
10,001 pounds).
    Commenters wanted BIS to define ``integrated or attached hardware 
or software'' to clarify whether software or hardware attached by a 
Bluetooth device or USB to a vehicle would be subject to the rule, or 
if the rule includes only integrated technologies. Per its definitions, 
this final rule is not limited to integrated technologies.
    Commenters advised BIS to reconsider the zero percent threshold for 
software containing code from prohibited foreign entities, such as a de 
minimis threshold. BIS chose not to adopt a de minimis threshold 
approach due to the risk of circumvention that it would create. For 
example, entities could add additional code to make their percentage of 
prohibited content appear to fall below the minimum threshold. This 
suggestion would not adequately mitigate the risks identified. 
Additionally, seeking to create an implementable de minimis standard of 
code, wherein code could be analyzed by various metrics such as per 
bit, per line, per execution command, per library, etc., would be 
extremely complex, and the associated difficulty of assessing whether 
content is de minimis or not would be inefficient and ineffective. 
Furthermore, BIS added a significant exclusion in the ``covered 
software'' definition by excluding all code that had been designed, 
developed, or supplied prior to one year from the effective date of 
this rule. This legacy code exclusion, paired with the infeasibility and 
ineffectiveness of a de minimis threshold led BIS to reject this 
suggestion.
    A commenter urged BIS to require companies to implement 
cybersecurity requirements for edge cloud architecture and to establish 
domestic or allied sourcing requirements for ADS cloud infrastructure, 
as well as continuous monitoring of ADS cloud and edge systems. BIS 
addresses its considerations for cybersecurity requirements in its 
discussion of Declarations of Conformity, as well as other places in 
this text. Cloud architecture and infrastructure are out of scope of 
this current regulation. However, BIS understands the concern and may 
consider this area for future rulemaking.
    Commenters recommended that BIS consider narrowing the covered 
software definition, or the annual reporting requirement, to exclude 
covered software produced by companies based in trusted or allied 
nations. Commenters suggested that this change would both streamline 
connected vehicle manufacturers' reporting obligations and reduce the 
burden on BIS in reviewing vast quantities of submitted information and 
allow BIS to focus its resources and efforts on overseeing the use of 
software-based components in completed connected vehicles that may 
present actual or heightened risks to U.S. security. One commenter was 
particularly concerned that not narrowing the foreign interest scope 
meant that all technology must be sourced from a U.S. vendor, limiting 
global supply chains to using only U.S. software. BIS addresses these 
concerns in more depth in its discussion of Declarations of Conformity. 
At a high level and as explained in more depth below, BIS will not 
exclude non-foreign adversary nations from the scope of covered 
software, because BIS assesses that it is necessary to address the 
threats posed by interconnected but opaque supply chains writ large, as 
opposed to finished products imported from non-foreign adversary 
nations.
    Commenters urged BIS to establish a process that would allow an OEM 
to fully own software purchased from a prohibited supplier so that the 
purchased software would not be considered prohibited. BIS is willing 
to discuss such an approach through an advisory opinion request to 
determine whether such a software purchase may adequately mitigate the 
identified risk if the transaction is not otherwise excluded by the 
modified definition of covered software.
    In this final rule, BIS has chosen to define covered software to 
mean the software-based components, including application, middleware, 
and system software, in which there is a foreign interest, executed by 
the primary processing unit or units of an item that directly enables 
the function of VCS or ADS at the vehicle level. Covered software does 
not include firmware,

[[Page 5379]]

which is characterized as software specifically programmed for a 
hardware device with a primary purpose of directly controlling, 
configuring, and communicating with that hardware device. Covered 
software also does not include open-source software, which is 
characterized as software for which the human-readable source code is 
available in its entirety for use, study, re-use, modification, 
enhancement, and redistribution by the users of such software, unless 
that open-source software has been modified for proprietary purposes 
and not redistributed or shared. Covered software also does not include 
software subcomponents that were designed, developed, manufactured, or 
supplied prior to March 17, 2026, as long as those software 
subcomponents are not maintained, augmented, or otherwise altered by an 
entity owned by, controlled by, or subject to the jurisdiction or 
direction of a foreign adversary after March 17, 2026.
    With this definition of covered software, BIS focused on both the 
functional characteristics of the software that it intends to regulate 
as well as the common industry terminology used to refer to that 
software. For example, BIS acknowledges that there is not a bright line 
between application-level software, middleware (e.g., device drivers, 
database management functions), and firmware. However, by combining 
both industry terminology and a functional definition in its definition 
of covered software, BIS seeks to provide two levels of clarity. In 
making a reasonable, good-faith determination of whether a software 
subcomponent falls within the covered software definition, entities 
should refer to the architecture of the product to assess whether the 
software component would be generally considered ``application'' level 
software based on industry practice using established methodologies 
like AUTOSAR software component definitions or ISO 26262 guidelines. 
When there is uncertainty, entities should consider whether the primary 
processor (e.g., a central processing unit, a graphics processing unit) 
processes the executables, or whether the software is executed by a 
peripheral microcontroller. If the primary processor does not execute 
the software, and the software would not be classified as application 
software by an industry standard like AUTOSAR, it is unlikely the 
software would qualify as application software for the purpose of this 
definition.
    BIS has also provided examples to clarify what constitutes 
application, middleware, and systems software below. If regulated 
parties have questions about what constitutes covered software in 
specific cases, they may request an advisory opinion.
    Example 1: A U.S. person licenses automotive software from a vendor 
who is a foreign person that is owned by, controlled by, or subject to 
the jurisdiction or direction of the PRC or Russia. The automotive 
software the U.S. person licenses includes a message processing 
application that receives a digital message from a peripheral radio 
device, processes that message, and uses the information within that 
message to issue a digital control command to a related electronic 
control unit. This software would be considered application software. 
Because the licensed software includes application software designed, 
developed, manufactured, or supplied by an entity owned by, controlled 
by or subject to the jurisdiction of a foreign adversary, the licensed 
software would be prohibited, unless it qualifies for a general or 
specific authorization granted by BIS.
    Example 2: A U.S. person licenses automotive software from a vendor 
who is a foreign person that is owned by, controlled by, or subject to 
the jurisdiction or direction of the PRC or Russia. The automotive 
software the U.S. person licenses includes a software device driver 
intended for use in the operating system for applications to activate 
and utilize specific VCS hardware. This driver would be considered 
middleware. Because the licensed software includes middleware designed, 
developed, manufactured, or supplied by an entity owned by, controlled 
by or subject to the jurisdiction of a foreign adversary, the licensed 
software would be prohibited, unless it qualifies for a general or 
specific authorization granted by BIS.
    Example 3: A U.S. person licenses automotive software from a vendor 
who is a foreign person that is owned by, controlled by, or subject to 
the jurisdiction or direction of the PRC or Russia. The automotive 
software the U.S. person licenses includes a software component in the 
operating system that coordinates communications between distributed 
applications and between applications and an internal reference 
database. This software component would be considered middleware. 
Because the licensed software includes middleware designed, developed, 
manufactured, or supplied by an entity owned by, controlled by or 
subject to the jurisdiction of a foreign adversary, the licensed 
software would be prohibited, unless it qualifies for a general or 
specific authorization granted by BIS.
    Example 4: A U.S. person licenses automotive system software from a 
vendor who is a foreign person that is owned by, controlled by, or 
subject to the jurisdiction or direction of the PRC or Russia. The 
automotive system software the U.S. person licenses is a proprietary 
real time operating system that manages system resources as well as 
task scheduling, prioritization, and synchronization for an automotive 
system. This software component would be operating system software. 
Because the licensed software includes operating system software 
designed, developed, manufactured, or supplied by an entity owned by, 
controlled by or subject to the jurisdiction of a foreign adversary, 
the licensed software would be prohibited, unless it qualifies for a 
general or specific authorization granted by BIS.
    Example 5: A U.S. person purchases a V850 CAN controller from a 
vendor who is a foreign person. The V850 CAN controller includes a 
software subcomponent that is embedded into the controller's non-
volatile memory and directly enables the transmission and receipt of 
analog electric signals by interacting with the VCS hardware system's 
application software. This software component would be considered 
firmware. Assuming no other facts, this purchase does not involve 
covered software and would not be affected by the covered software 
prohibition (but may be affected by the VCS hardware prohibition, 
depending on other facts and circumstances of the transaction).
    BIS determined that it was necessary to exclude firmware because 
firmware is often shipped with and designed in coordination with the 
provision of automotive hardware subcomponents. Therefore, while there 
are similar national security and cybersecurity risks at the firmware 
level, BIS determined that a firmware prohibition would be tantamount 
to a hardware prohibition. Finally, BIS made slight modifications to 
the open-source software definition from the 2019 National Defense 
Authorization Act when crafting the ``covered software'' definition. 
These minor modifications are to make clear that large language models 
or neural networks that may bill themselves as ``open source'' but do 
not openly share their source code or training data in their entirety 
do not meet the commonly held definition of open-source software. 
Furthermore, the clause appended to the end of the definition is 
redundant but meant to emphasize that if an open-source product is 
modified outside the

[[Page 5380]]

limits of the open-source license and not shared, the resulting product 
is definitionally not open source. However, modification would not 
include integration into an existing code base by engaging with an 
open-source product's application programming interface, permissible 
customization within the terms of the open-source license, or selection 
of modular sections of the open-source product while excluding others.
    In light of comments the agency received, BIS emphasizes that 
regulated entities are not absolved of conducting due diligence on 
open-source software when that open-source software has been modified 
outside the scope of its license. Additionally, BIS declines to 
introduce a static list of approved or excluded open-source software 
libraries and tools into the text of the rule, as these libraries and 
tools are dynamic by nature. BIS will maintain and update compliance 
information on its website and will also be available to work with 
regulated entities through advisory opinions or compliance education 
and outreach programs.
    BIS included the term ``item'' within its definition of covered 
software because industry standards define ``item'' as a scoping 
boundary when analyzing specific automotive systems for cybersecurity 
and functional safety requirements to ensure that assessments are 
targeted and comprehensive. For example, ISO 21434's threat analysis 
and risk assessment methodology for assessing cybersecurity relies on 
``item definition'' boundaries. Entities seeking additional guidance on 
the term ``item'' in this context may find it helpful to refer to its 
use in ISO 21434 and ISO 26262, and its use by automotive cybersecurity 
and safety professionals when making a reasonable determination whether 
a component is part of a covered software system item. Comments about 
this term are further explained in the ``item'' subsection of this 
Definitions section. BIS has incorporated specific language to ensure 
that legacy parts are not subject to the covered software prohibitions 
of this regulation. This ``legacy'' code exclusion in covered software 
protects products that have already gone to market. By incorporating a 
one-year timeline, BIS allows regulated entities time to transfer 
intellectual property rights as well as responsibility for development 
and maintenance of code within their organizations to come into 
compliance with the covered software prohibition.
6. Declarant
    In this final rule, BIS includes a new definition for ``declarant'' 
to mean the U.S. person submitting a Declaration of Conformity to BIS. 
BIS has included ``declarant'' in the final rule text to provide more 
clarity in the regulation since the term is used throughout.
7. FCC ID Number
    In the NPRM, BIS proposed defining the term ``FCC ID Number'' to 
mean the unique alphanumeric code identifying a product subject to 
certification by the Federal Communications Commission composed of a: 
(1) grantee code; and (2) product code. Commenters provided no feedback 
about this particular definition. BIS retains its definition in the 
final rule.
    While commenters did not provide feedback on the definition of 
``FCC ID Number,'' they provided input in how the regulation 
incorporates them. Commenters pointed out that not all VCS hardware 
items have FCC ID Numbers. Taking this point into consideration, BIS 
will only require an FCC ID Number if known by the submitting party. This 
change is reflected in 791.305 of the regulation text, which discusses 
Declarations of Conformity.
8. Foreign Interest
    In the NPRM, BIS proposed to define ``foreign interest'' to mean 
any interest in property of any nature whatsoever, whether direct or 
indirect, by a non-U.S. person. Many commenters encouraged BIS to 
narrow its definition of foreign interest or otherwise provide greater 
clarity. After consideration of these comments, BIS retains this 
definition of foreign interest in the final rule.
    Several commenters, for example, requested that BIS clarify this 
definition to mean a legally cognizable interest in property. BIS 
declines to limit this definition to a legally cognizable interest 
because ``legally cognizable'' may be overly narrow for purposes of 
this regulation. Moreover, BIS's approach retains consistency with 
other IEEPA-based programs, which similarly use a broad definition of 
``foreign interest.'' Some commenters suggested that requiring a 
legally cognizable interest would address the scenario in which the 
only foreign interest in software is the fact that foreign persons 
worked on the development of the software. In response, BIS notes that 
a foreign interest must be an interest in property, and the sole fact a 
foreign individual worked on a software development team would not meet 
this requirement unless additional factors (such as ongoing financial 
or beneficial interests or contractual rights) are present.
    Multiple commenters encouraged BIS to carve out allied persons from 
the definition of foreign interest, defined as citizens of, residents 
of, or corporations incorporated in nations in ``Country Group A'' of 
BIS's own Export Administration Regulations. BIS declines to amend the 
definition of foreign interest to exclude certain allied nations or to 
grant preferential status for entities in allied nations as this would 
inadequately mitigate the national security risk this rule seeks to 
address. The mere fact that a connected vehicle manufacturer is 
headquartered in, incorporated in, or otherwise organized under the 
laws of a non-foreign adversary country does not imply that the 
manufacturer has appropriate practices in place to address the risks 
identified by this rule. For example, a connected vehicle manufacturer 
located in a non-foreign adversary country may actually be controlled 
by a PRC or Russian entity, or the manufacturer sources design and 
development of its ADS software or VCS hardware from an entity located 
in or controlled by the PRC or Russia. However, the fact that a 
transaction has a foreign interest does not mean that the transaction 
is prohibited. Rather, the presence of a non-PRC and non-Russian 
foreign interest in a transaction without the requisite foreign 
adversary nexus would require the connected vehicle manufacturer or VCS 
hardware importer to submit a declaration of conformity, a requirement 
that BIS has substantially streamlined in this rule to facilitate 
compliance and reduce the burden on regulated entities. BIS is 
separately working to identify if any security standards or best 
practices exist, or may be developed, that will sufficiently mitigate 
this national security risk and allow companies, wherever located, to 
engage in transactions without need to notify BIS through a Declaration 
of Conformity.
    One commenter also urged BIS to ensure that software developed in 
the PRC or Russia by wholly owned subsidiaries of U.S. companies would 
not be considered to contain a foreign interest. BIS declines to create 
an exemption for software developed by wholly owned subsidiaries of 
U.S. businesses from the definition of foreign interest. As articulated 
in this rule, entities operating in the PRC or Russia are subject to 
the jurisdiction and control of the PRC or Russian governments, even if 
wholly owned by a U.S. or allied entity. These types of entities, 
despite their ownership, are

[[Page 5381]]

subject to the regulations and laws of the PRC or Russia that could 
obligate them to comply with information or access requests resulting 
in undue or unacceptable risks, as discussed in Section IV of this 
rule.
    One commenter stated that BIS's broad definition of foreign 
interest would mean that a publicly traded company with some foreign 
shareholders would be required to submit a Declaration of Conformity 
even if the company's covered software itself contained no foreign 
interest. In response to this comment, BIS has introduced an exemption 
for the submission of Declarations of Conformity for those transactions 
where the only foreign interest in the product arises from a foreign 
entity's equity ownership in a U.S. person. This exemption is narrowly 
tailored intentionally to minimize the compliance burden. BIS continues 
to understand equity ownership to be a form of foreign interest. 
However, BIS recognizes that attaching a static percentage foreign 
interest threshold would be particularly challenging for regulated 
entities and their compliance teams in practice. For example, 
shareholders change daily, and while there are some reporting 
requirements for principal shareholders according to Regulation D of 
the Securities Exchange Act of 1934, setting a percentage threshold 
based on equity ownership alone would mean there could be no reporting 
obligation for a transaction one day and a foreign interest requiring a 
Declaration of Conformity the next. To avoid this outcome, BIS 
clarifies through this exemption that Declarations of Conformity are 
not required for transactions where the only foreign interest arises 
from foreign equity ownership of one of the U.S.-based parties to a 
transaction. If the foreign equity ownership is paired with another 
foreign interest (e.g., degree of control over the U.S. entity or 
licensing of intellectual property), a Declaration of Conformity would 
be required. To provide further clarity regarding transactions 
involving foreign interest as a result of public shareholder ownership, 
BIS offers the following examples.
    Example 6: Company A develops VCS. Company A is incorporated in the 
United States and is publicly traded on the New York Stock Exchange. No 
foreign entity owns more than 5% of Company A's common stock. Assuming 
no other facts, because no foreign entity shareholder of Company A's 
common stock can materially affect Company A's operations and corporate 
management, there is not a foreign interest in Company A's VCS. As 
such, the sale of completed connected vehicles incorporating Company 
A's VCS does not require a Declaration of Conformity.
    Example 7: Same facts as previous example, except Company A is 
headquartered in a foreign jurisdiction. The import of completed 
connected vehicles incorporating Company A's VCS software from a 
foreign jurisdiction would require a Declaration of Conformity because 
the import gives rise to a foreign interest independent of equity 
ownership.
    Example 8: Company A develops VCS software, is incorporated in the 
United States, and is publicly traded on the NASDAQ Stock Exchange. 
Company A states that one of its shareholders is a foreign person 
holding 60% of Company A's outstanding shares and is not a person owned 
by, controlled by, or subject to the jurisdiction or direction of a 
foreign adversary. Assuming no other facts, because a foreign entity is 
a shareholder whose holding is such that the foreign entity can 
materially affect Company A's operations and corporate management, 
there is a foreign interest in Company A's VCS software other than 
equity ownership. As such, the sale of completed connected vehicles 
incorporating VCS software developed by Company A requires submission 
of a Declaration of Conformity.
    Example 9: Company A is incorporated in the United States and is 
publicly traded on a U.S. stock exchange. In aggregate, foreign 
shareholders hold 28 percent of Company A's outstanding shares. These 
shareholders have an informal agreement to act in concert with respect 
to voting decisions for Company A. The collective 28 percent would 
allow such foreign shareholders to block resolutions and important 
decisions regarding Company A's management. The foreign shareholders 
have an interest in Company A's VCS software independent of their 
equity ownership by virtue of their control over the company. As such, 
the sale of completed connected vehicles incorporating VCS software 
developed by Company A requires submission of a Declaration of 
Conformity.
    Example 10: Company A, a U.S. person completed connected vehicle 
manufacturer, purchases ADS software from Company B. Company B is a 
U.S. person publicly traded company that designs, develops, and 
manufactures its ADS software solely in the United States. A foreign 
entity holds 15% of Company B's outstanding public shares. The foreign 
investor has no board seat and exerts no management or control over 
Company B. Assuming no other facts, Company A is exempt from the 
requirement to file a Declaration of Conformity.
    Another commenter requested that BIS clarify that foreign IP 
claims, which may not be recognized under U.S. law, do not constitute a 
foreign interest. BIS declines to insert language that would require an 
extensive inquiry into the legal status of IP claims in multiple 
jurisdictions in order to determine whether a foreign interest is 
present. BIS notes that there may be situations, such as where a 
foreign IP claim is frivolous, in which the foreign IP claim would not 
constitute a valid interest. The commenter suggests revising the 
definition of foreign interest to add that it does not include ``legal 
claims or other allegations, or rights that might be afforded by law 
even when all other rights have been assigned to another party, such as 
employee-inventor remuneration obligations and moral rights in works of 
authorship.'' BIS believes that many such claims would fall outside of 
the scope of foreign interest. For example, rights that cannot legally 
be transferred might not meet the definition of ``property.'' BIS does 
not believe it necessary to amend the definition to specify this point 
or to provide an exhaustive list of claims that are not included under 
the definition of foreign interest. If regulated parties have a 
question about whether a foreign IP interest constitutes a foreign 
interest in specific cases, they may request an advisory opinion from 
BIS.
    Multiple commenters also requested that BIS amend the provisions on 
the import of VCS hardware to clarify that a Declaration of Conformity 
is required only when the VCS hardware itself contains a foreign 
interest. Others suggested that BIS remove the foreign interest 
requirement from the definition of covered software. BIS declines to 
make these changes. As discussed in the NPRM, IEEPA requires a foreign 
interest in the property that BIS seeks to regulate. BIS has included a 
foreign interest requirement in the definition of covered software 
because some prohibited covered software transactions are sales that 
occur within the United States. By requiring a foreign interest in the 
definition of covered software, BIS ensures that this rule only 
captures those sales covered by IEEPA. By contrast, this rule prohibits 
imports (not sales within the United States) of VCS hardware. BIS 
assesses that items crossing into the United States from a foreign 
jurisdiction will necessarily contain a foreign interest by nature of 
the transaction, and therefore does not find it necessary to include a 
foreign interest requirement in the definition.

[[Page 5382]]

Additionally, the final rule does not require a Declaration of 
Conformity to be submitted if the only foreign interest related to 
covered software resides in open-source or legacy code.
    After considering all comments, BIS has retained the definition of 
foreign interest, when used with respect to property, to mean any 
interest in property, of any nature whatsoever, whether direct or 
indirect, by a non-U.S. person. Under this definition, a foreign 
interest can include, but is not limited to, an interest through 
ownership of the item itself, intellectual property present in the 
item, a contractual right to use, update, or otherwise impact the 
property, (e.g., ongoing maintenance commitments, any license agreement 
related to the use of intellectual property), profit-sharing or fee 
arrangement linked to the property, as well as any other cognizable 
interest. This definition is consistent with the definition of 
``interest'' used in the context of OFAC sanctions, which are, in 
relevant part, also established pursuant to the statutory requirements 
of IEEPA. See 31 CFR Chapter V, and, e.g., 31 CFR 510.313, 535.312.
    With respect to VCS hardware that is designed, developed, 
manufactured, or supplied by a person owned by, controlled by, or 
subject to the jurisdiction or direction of the PRC or Russia, this 
rule regulates the importation of VCS hardware, making VCS hardware 
importers responsible for compliance.
    With respect to covered software, based on feedback from connected 
vehicle manufacturers, automotive suppliers, and other stakeholders, 
BIS continues to understand that typically, ADS and VCS software are 
designed or developed to a connected vehicle manufacturer's 
specification. ADS and VCS software is frequently designed, developed, 
or supplied by foreign persons, and those persons frequently retain an 
interest in the underlying software, even after it has been integrated 
into the connected vehicle. For example, foreign software developers 
may earn profits from use of their software, retain data access and 
sharing rights to the software, have obligations to maintain and update 
the software, or participate in other ongoing contractual arrangements. 
Such arrangements are among the types of interests that BIS identifies 
as giving rise to an obligation to submit a Declaration of Conformity 
or, if the software designer, developer, or supplier is a person owned 
by, controlled by, or subject to the jurisdiction or direction of a 
foreign adversary, an obligation to qualify for a general authorization 
or seek a specific authorization under this final rule. BIS therefore 
will regulate covered software by regulating the importation or sale of 
completed connected vehicles, making connected vehicle manufacturers 
responsible for compliance.
    Finally, in addition to the general regulations related to VCS 
hardware and covered software described above, with respect to 
connected vehicle manufacturers who are owned by, controlled by, or 
subject to the jurisdiction or direction of the PRC or Russia, this 
rule additionally regulates VCS hardware and covered software by 
regulating the sale of completed connected vehicles that incorporate 
VCS hardware or covered software. In this circumstance, BIS understands 
from extensive engagement with connected vehicle manufacturers and 
automotive suppliers that persons who own, control, or direct the 
operations of the connected vehicle manufacturer would maintain an 
interest in the vehicle transactions that the connected vehicle 
manufacturer carries out. For example, this could include, but is not 
limited to, profit sharing agreements between a parent company and its 
U.S. subsidiary; data sharing agreements; intellectual property rights 
transfers from the U.S. subsidiary to the parent company; cooperation 
in technological development between the parent and U.S. subsidiary; 
arrangements by which the parent company directly or indirectly 
appoints the leadership of the U.S. subsidiary; the ability of the 
parent company to direct some or all corporate decision making by the 
U.S. subsidiary; and parent company influence over procurement by the 
U.S. subsidiary. BIS understands many if not all of these arrangements 
to be standard for the automotive industry. Additionally, because the 
PRC and Russian legal regimes discussed in Section IV of this rule 
could compel a PRC or Russia-based parent company of a connected 
vehicle manufacturer to provide those governments with information on 
or access to the operations of the U.S.-based connected vehicle 
manufacturer, BIS understands that the foreign parent company typically 
retains a legal right to access the data collected by the U.S. 
subsidiary, representing a foreign interest in that U.S. subsidiary and 
its connected vehicle sales.
    BIS provides the following examples to assist in interpreting 
whether a foreign interest is present.
    Example 11: Company A is headquartered in a foreign jurisdiction 
and is the owner of the code, algorithms, and other design elements in 
a software development kit (SDK) that is used to develop software used 
in certain payment systems. Company A provides its SDK to Company B, a 
U.S. person, who uses it to develop software that is installed in 
connected vehicles in the United States to provide secure communication 
and payment with transportation infrastructure. Even though Company A 
has no legal property interest in the software itself, it has an 
indirect beneficial interest in the use of such software because 
updates to the software will need to be made using Company A's SDK. 
Thus, the software Company B develops with Company A's SDK retains a 
continuing foreign interest.
    Example 12: Company A is a wholly owned U.S.-based subsidiary of 
Company B, a multinational holding corporation incorporated in the 
British Virgin Islands. Company A imports products for sale in the 
United States, which generate revenue. Based on Company B's corporate 
structure and governance of its subsidiary holding companies including 
Company A, Company B dictates how Company A's revenue and profits are 
allocated across Company B's holdings. Because Company B, a foreign 
person, benefits from each of Company A's domestic transactions and 
because Company B directs the allocation of revenue generated by those 
transactions, there is a foreign interest in Company A's domestic 
United States transactions.
    Example 13: Company A is a U.S. based connected vehicle 
manufacturer. Company B is a parts manufacturer headquartered in a 
foreign jurisdiction. Company B manufactures systems on chip (SoC) 
based on customer specifications that are specifically used in VCS. 
Company A and Company B have entered into a multi-year agreement 
whereby, among other conditions, Company B will be the exclusive 
supplier, with rights of first refusal, for replacements and any 
maintenance and services repairs of SoCs to Company A for the term of 
the agreement. Because Company B is a foreign entity and because 
Company A may use no other parts supplier for its VCS SoCs during the 
term of the agreement, the SoCs that Company B provides to Company A 
under the agreement retain a continuing foreign interest once those 
SoCs enter the United States.
    Example 14: Company A is a U.S. based connected vehicle 
manufacturer. Company B is a U.S. subsidiary of a foreign software 
company, Company C. Company B sells ADS software licenses on behalf of 
its foreign parent Company C, who holds the intellectual property 
rights to the software. Company B

[[Page 5383]]

licenses Company C's ADS software to Company A for system integration 
and further commercialization within the limits of its licensing 
agreement. Company C, a foreign entity, will have a continued interest 
in Company A's use of its software after commercialization.
9. Hardware Bill of Materials
    In the NPRM, BIS defined Hardware Bill of Materials (HBOM) to mean 
a comprehensive list of parts, assemblies, documents, drawings, and 
components required to create a physical product, including information 
identifying the manufacturer, related firmware, technical information, 
and descriptive information. Public comment provided feedback that led 
BIS to change the final rule definition of HBOM. Commenters provided a 
variety of opinions on the HBOM requirements of this regulation. 
Several commenters expressed opposition to the inclusion of HBOMs in 
Declaration of Conformity submissions on the grounds that they contain 
highly confidential business information and intellectual property, 
citing security issues related to storage and transmission. Several 
commenters noted that the HBOM requirement is overly broad and 
suggested that they only include ``electronic components that execute 
software.'' Several commenters recommended that BIS provide a 
``specific'' resource as an example of an HBOM, such as the HBOM 
Framework for Supply Chain Risk Management. Commenters also suggested 
that BIS remove references to documents and drawings within the HBOM 
definition to exclude protected intellectual property from compliance 
submissions. Other commenters requested that BIS provide an HBOM sample 
model.
    After considering the issues raised in these comments, BIS will no 
longer require the submission of HBOMs as part of Declarations of 
Conformity. However, BIS will require entities to maintain primary 
business records related to their certification that due diligence was 
conducted in analyzing their VCS hardware supply chains, which could 
include HBOMs. These primary business records must be made available to 
BIS upon request. BIS has also included a section in the rule dedicated 
to the submission of CBI, which would cover the submission of HBOMs. 
BIS will continue to work with industry partners to identify best 
practices in HBOM development, including templates and advisory 
documents.
    To better align HBOM criteria with industry practices, BIS has 
modified its definition of HBOM. Specifically, BIS has removed 
documents, drawings, technical information, and descriptive information 
from the HBOM definition because these elements do not strictly fall 
under the scope of a bill of materials. This change also addresses 
industry concerns about the potential exposure of intellectual property 
and CBI. Additionally, BIS has replaced the term ``comprehensive list'' 
with ``formal record'' since ``record'' is a more general term and 
``comprehensive'' is difficult to define precisely.
    BIS has chosen to define ``Hardware Bill of Materials (HBOM)'' as a 
formal record of the supply chain relationships of parts, assemblies, 
and components required to create a physical product, including 
information identifying the manufacturer, and related firmware.
10. Import
    In the NPRM, BIS proposed to define the term ``import'' to mean, 
with respect to any article, the entry of such article into the United 
States Customs Territory. It does not include admission of an article 
from outside the United States into a foreign-trade zone for storage 
pending further assembly in the foreign-trade zone or shipment to a 
foreign country. BIS did not receive comment on its definition of 
``import'' or how the term is used in the regulation text. Therefore, 
BIS retains the NPRM definition of ``import'' in the final rule. For 
clarity, BIS has added a sentence clarifying that the same definition 
applies to related terms such as ``importing'' and ``imported.''
    While BIS did not receive any comment on the proposed meaning of 
``import,'' one commenter requested that BIS clarify that for the 
purposes of the regulation, ``article'' means VCS hardware and covered 
software as defined in this regulation. BIS is confirming for the 
purposes of this rule that ``article'' is referring to VCS hardware and 
covered software.
11. Item
    In the NPRM, BIS proposed to define ``item'' to mean a component or 
set of components with a specific function at the vehicle level. A 
system may also be considered an item if it implements a function. BIS 
received a few comments on how this term is used within its regulation 
text but based on further research chooses to retain this definition of 
``item'' for the final rule. Some commenters urged BIS to replace the 
term item with ``system,'' both in the context of VCS hardware and 
covered software to clarify that the terms refer to overall systems. 
BIS declines this suggestion and maintains the use of the term item. 
This term is used both in ISO 26262 and ISO/SAE 21434 to delineate 
system boundaries. BIS further believes the use of the term item in 
both covered software and VCS will allow regulated entities to 
harmonize compliance with this rule with existing cybersecurity and 
functional safety work as dictated by ISO/SAE 21434 and ISO 26262.
12. Knowingly
    In the NPRM, BIS proposed to define ``knowingly'' to mean ``having 
knowledge of a circumstance (the term may be a variant, such as `know,' 
`reason to know,' or `reason to believe'), to include not only positive 
knowledge that the circumstance exists or is substantially certain to 
occur, but also an awareness of a high probability of its existence or 
future occurrence. Such awareness is inferred from evidence of the 
conscious disregard of facts known to a person and is also inferred 
from a person's willful avoidance of facts.'' BIS received no comments 
requesting changes to this definition and retains this definition for 
the final rule.
    BIS did receive some public comments relating to due diligence and 
Declaration of Conformity requirements, which are relevant to the 
context in which the definition of ``knowingly'' would be applied. 
Commenters suggested that BIS consider implementing a whitelist of 
vendors that do not require additional due diligence. According to 
commenters, a whitelist would provide more clarity on the compliance 
requirement for regulated entities. One commenter also stated that a 
whitelist would preclude the need for Declarations of Conformity. BIS 
declines to create a whitelist at this time. Due to the complexity of 
connected vehicle supply chains and the multitude of factors involved 
in each unique transaction undertaken by manufacturers, BIS believes 
the creation of a whitelist would insufficiently address the national 
security risks present in the connected vehicle supply chain. However, 
BIS maintains the flexibility to grant general authorizations for 
certain types of transactions subject to the prohibitions at a future 
date.
    Several commenters also requested clarity on how far into a supply 
chain importers are required to maintain visibility. BIS encourages 
entities to reference the definitions of VCS hardware and covered 
software when determining the depth of supply chain due diligence 
necessary to certify that the VCS hardware or covered software was not 
designed, developed, manufactured, or supplied by persons owned by, 
controlled by, or subject to the jurisdiction or direction of the PRC

[[Page 5384]]

or Russia. Based on the definitions provided in this rule, importers 
would need to conduct due diligence on supply chain components if these 
components directly enable the function of and are directly connected to 
the VCS systems or are part of an item that directly enables the 
function of the VCS. Component parts that do not contribute to the 
communication function of VCS hardware are not considered VCS hardware 
per the above, and so would not have due diligence requirements.
    One commenter suggested that suppliers should be prohibited from 
importing or selling covered software or VCS hardware linked to the PRC 
or Russia if they have knowledge that it will be integrated in 
connected vehicles built for the U.S. market. BIS declines to place the 
onus of this prohibition on suppliers of VCS hardware and covered 
software rather than on VCS hardware importers and connected vehicle 
manufacturers due to the numerous suppliers of the myriad components 
involved in the VCS hardware and covered software supply chain from 
which BIS would need to accept specific authorization applications in 
such circumstances. Instead, through requiring specific authorization 
applications and Declarations of Conformity from VCS hardware importers 
and connected vehicle manufacturers, BIS has implemented a more 
targeted approach, which BIS believes will still create the necessary 
changes to VCS hardware and covered software supply chains in the 
interest of national security. However, VCS hardware importers and 
connected vehicle manufacturers may rely on statements and 
documentation from suppliers in support of specific authorization 
applications and Declarations of Conformity so long as all necessary 
due diligence is documented and made available to BIS (section 791.313, 
``Reports to be furnished on demand'').
    Another commenter asked for clarity that a ``regulated entity can 
wholly and reasonably rely on statements of its tier 1 suppliers that a 
supplied part or piece of equipment does not contain a restricted 
component or subcomponent.'' As stated above, BIS clarifies that VCS 
hardware importers and connected vehicle manufacturers may rely on 
statements and documentation from suppliers in any Declarations of 
Conformity or specific authorization application. For example, in 
certifying that regulated entities have conducted due diligence in 
their covered software and VCS hardware supply chains, entities must 
also certify that they maintain documentation specifying their due 
diligence efforts and that they have made arrangements with suppliers 
to furnish any necessary documentation upon request by BIS (section 
791.312, ``Recordkeeping''). In making these certifications to BIS, 
entities may rely on statements from suppliers that a component is not 
designed, developed, manufactured, or supplied by persons owned by, 
controlled by, or subject to the jurisdiction or direction of the PRC 
or Russia.
13. Model Year
    In the NPRM, BIS proposed to define ``model year'' to mean the year 
used to designate a discrete vehicle model, irrespective of the 
calendar year in which the vehicle was actually produced, provided that 
the production period does not exceed 24 months. While many commenters 
raised issues with the specific model years selected by BIS as the 
implementation dates for this regulation, none addressed BIS's 
definition of the term. BIS has addressed concerns over implementation 
dates further below, under ``Exemptions.'' BIS retains the NPRM 
definition of ``model year'' in the final rule.
    Several commenters raised the concept of vehicle generations and 
highlighted that connected vehicle manufacturers do not conduct a major 
refresh of vehicle technologies every year. Rather, vehicle generation 
refreshes may only take place every four to six years. As discussed 
further below, BIS understands that the implementation dates for the 
rule may fall mid-generation for many connected vehicle manufacturers. 
In this situation, BIS would consider issuing a time-bound specific 
authorization in cases where connected vehicle manufacturers are able 
to demonstrate that they are moving into compliance with the rule for 
the next vehicle generation refresh. BIS may also contemplate allowing 
a phased-in implementation of the prohibitions, as advocated for by 
some commenters, in a specific authorization for manufacturers mid-
generation during the implementation period. Please see the specific 
authorizations section to learn more about how a phased approach can 
occur under this regulation.
14. Person Owned by, Controlled by, or Subject to the Jurisdiction or 
Direction of a Foreign Adversary
    In the NPRM, BIS proposed to define ``person owned by, controlled 
by, or subject to the jurisdiction or direction of a foreign 
adversary'' to mean:

    (1) Any person, wherever located, who acts as an agent, 
representative, or employee, or any person who acts in any other 
capacity at the order, request, or under the direction or control, 
of a foreign adversary or of a person whose activities are directly 
or indirectly supervised, directed, controlled, financed, or 
subsidized in whole or in majority part by a foreign adversary;
    (2) Any person, wherever located, who is a citizen or resident 
of a foreign adversary or a country controlled by a foreign 
adversary, and is not a United States citizen or permanent resident 
of the United States;
    (3) Any corporation, partnership, association, or other 
organization with a principal place of business in, headquartered 
in, incorporated in, or otherwise organized under the laws of a 
foreign adversary or a country controlled by a foreign adversary; or
    (4) Any corporation, partnership, association, or other 
organization, wherever organized or doing business, that is owned or 
controlled by a foreign adversary, to include circumstances in which 
any person identified in paragraphs (a) through (c) possesses the 
power, direct or indirect, whether or not exercised, through the 
ownership of a majority or a dominant minority of the total 
outstanding voting interest in an entity, board representation, 
proxy voting, a special share, contractual arrangements, formal or 
informal arrangements to act in concert, or other means, to 
determine, direct, or decide important matters affecting an entity.

    BIS has retained this definition in its final rule. However, it has 
provided further examples below of how to apply this definition.
    Example 15: Company A, incorporated in the United States, is a 
wholly owned subsidiary of Company B. Company B is a state-owned 
enterprise of the PRC or Russia. Because Company B is a state-owned 
enterprise, Company A would be considered ``owned by'' the PRC or 
Russia.
    Example 16: Company A is a joint venture between Company B and 
Company C where Company C owns a majority share of Company A. Company B 
is a corporation incorporated in a third-party jurisdiction. Company C 
is a state-owned enterprise of the PRC or Russia. Company A would be 
considered ``owned by'' the PRC or Russia.
    Example 17: Company A is majority owned in aggregate by multiple 
state-owned enterprises and state-owned investment funds of the PRC or 
Russia. Company A would be considered ``owned by'' the PRC or Russia.
    Example 18: Company A, incorporated in the United States, is a 
subsidiary of Company B. Company B is a private company incorporated in 
the PRC or Russia with its principal place of business in the PRC or 
Russia. Because Company B is subject to the jurisdiction of the PRC or 
Russia,

[[Page 5385]]

Company B's subsidiary, Company A, is controlled by an entity subject 
to the jurisdiction of the PRC or Russia and would be considered 
``controlled by'' and ``subject to the direction of'' the PRC or 
Russia.
    Example 19: Company A is a multinational company where a majority 
of the voting power is held by Company B, a PRC or Russian government 
investment fund. Company A would be ``controlled by'' and ``subject to 
the direction of'' the PRC or Russia.
    Example 20: Company A is a holding company organized in a tax-
advantaged jurisdiction. Company A is publicly listed on a stock 
exchange and its corporate voting structure is characterized by Class A 
and Class B shares, Class B shares having 10 times the voting power of 
Class A shares. If the aggregate voting power of shareholders subject 
to the jurisdiction of the PRC or Russia holding either Class A or 
Class B shares constitutes a majority or a dominant minority of total 
voting power, then Company A would be ``controlled by'' and ``subject 
to the direction of'' the PRC or Russia.
    Example 21: Company A, a company that is organized under the laws 
of the PRC or Russia, owns a minority interest in Company B, a U.S. 
business. Based on special voting powers vested in that minority 
interest, Company A maintains certain veto rights that determine 
important matters affecting Company B, including the right to veto the 
dismissal of senior executives of Company B. Company B would be 
considered ``controlled by'' and ``subject to the direction of'' 
Company A, and therefore ``controlled by'' and ``subject to the 
direction'' of the PRC or Russia.
    Example 22: Company A is an entity incorporated in a third country 
and Company B is an entity incorporated in the PRC or Russia. Company A 
and Company B create a new joint venture, Company C, to design, 
develop, and manufacture a new product. Company A and Company B own 
minority shares of the joint venture while Company D, a holding company 
wholly owned by a PRC citizen, owns the largest minority share. If 
aggregate voting power of Company B and Company D constitutes majority 
or dominant minority voting share, Company C would be ``controlled by'' 
and ``subject to the direction of'' the PRC or Russia.
    Example 23: Company A has eight members on its board of directors. 
Company A is characterized by a shareholder and corporate governance 
structure that requires a 75 percent supermajority for any significant 
business decision. Three of the members of the board are citizens of, 
and therefore subject to the jurisdiction of, the PRC or Russia. 
Because these three members make up 37.5 percent of the voting power of 
the board, they can block any supermajority and therefore determine, 
direct, or decide important matters affecting Company A. Company A 
would be ``controlled by'' or ``subject to the direction of'' the PRC 
or Russia.
    Example 24: The PRC or Russian government, through an investment 
fund, acquires a 1 percent special management share in Company A. This 
share grants the PRC or Russian government the right to appoint a 
director to the board of Company A and veto certain key business 
decisions, such as major strategic changes or mergers. This share 
allows the government to influence Company A's operations and strategy. 
Company A would be ``controlled by'' the PRC or Russia.
    Example 25: Company A maintains its principal place of business in 
the PRC or Russia. Company A would be ``subject to the jurisdiction'' 
of the PRC or Russia.
    Example 26: Company A is a publicly listed U.S. corporate entity. 
Company A has a wholly owned subsidiary, Company B, that is organized 
under the laws of the PRC or Russia and manufactures goods in the PRC 
or Russia. Because Company B is organized under the laws of the PRC or 
Russia, Company B would be subject to the jurisdiction of the PRC or 
Russia. However, Company A is not subject to the jurisdiction of the 
PRC or Russia.
    Example 27: Company A is privately held and incorporated in the 
United States. One member of Company A's board of directors, Person X, 
a former chairman of the board of a large PRC corporation, has known 
ties to the government of the PRC, owns a large minority share of 
Company A, and has previously made significant investments in other 
companies founded by Company A's chief executive officer. Person X also 
facilitated a large minority investment in Company A by the large PRC 
corporation where they were previously chairman of the board. Person 
X's professional background indicates that they are directly or 
indirectly supervised, directed, controlled, financed, or subsidized by 
the PRC government. The combination of Person X's close ties to Company 
A's CEO, Person X's ownership interest and ability to direct 
investment from large, highly regulated PRC corporate entities, and 
Person X's close ties to the PRC government indicate that Company A 
would be ``subject to the direction'' of the PRC.
    Example 28: Company A is an automobile company based in a 
jurisdiction that is not the PRC or Russia. Company A maintains a 
supervisory committee established by the company's articles of 
association that is responsible for supervising the management of the 
company and is not part of the board of directors. Each member of the 
committee exercises significant managerial authority over the nature, 
scope, and attributes of the company's business. An independent member 
of this committee has known ties to the government of the PRC and 
previously served as board director for a PRC state-owned enterprise. 
Since Company A's supervisory committee contains a member who can 
affect important matters of the company and who has ties to the PRC 
government, Company A is subject to the direction of the PRC.
    For additional clarity in determining what is and what is not 
designed, developed, manufactured, or supplied by the entities 
described above, BIS offers the following examples.
    Example 29: Company A is a U.S. person. Company B is headquartered 
in the PRC and is a fabless semiconductor design company that produces 
systems on chips for vehicle telematics systems. Through a joint 
development agreement, Company A collaborates with Company

[…truncated; see source link]