Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles, 79088-79123 [2024-21903]
79088
Federal Register / Vol. 89, No. 187 / Thursday, September 26, 2024 / Proposed Rules
DEPARTMENT OF COMMERCE
Bureau of Industry and Security
15 CFR Part 791
[Docket No. 240919–0245]
RIN 0694–AJ56
Securing the Information and
Communications Technology and
Services Supply Chain: Connected
Vehicles
AGENCY: Bureau of Industry and
Security, Department of Commerce.
ACTION: Notice of proposed rulemaking.
SUMMARY: In this notice of proposed
rulemaking (NPRM), the Department of
Commerce’s (Department) Bureau of
Industry and Security (BIS) proposes a
rule to address undue or unacceptable
risks to national security and U.S.
persons posed by classes of transactions
involving information and
communications technology and
services (ICTS) that are designed,
developed, manufactured, or supplied
by persons owned by, controlled by, or
subject to the jurisdiction or direction of
certain foreign adversaries, and which
are integral to connected vehicles, as
defined herein. BIS is soliciting
comment on this proposed rule, which
builds on the advance notice of
proposed rulemaking (ANPRM) issued
by BIS on March 1, 2024.
DATES: Comments to this proposed rule
must be received on or before October
28, 2024.
ADDRESSES: All comments must be
submitted by one of the following
methods:
• By the Federal eRulemaking Portal:
https://www.regulations.gov at docket
number BIS–2024–0005.
• By email directly to:
connectedvehicles@bis.doc.gov. Include
‘‘RIN 0694–AJ56’’ in the subject line.
• Instructions: Comments sent by any
other method, to any other address or
individual, or received after the end of
the comment period, may not be
considered. For those seeking to submit
confidential business information (CBI),
please clearly mark such submissions as
CBI and submit by email, as instructed
above. Each CBI submission must also
contain a summary of the CBI, clearly
marked as public, in sufficient detail to
permit a reasonable understanding of
the substance of the information for
public consumption. Such summary
information will be posted on
regulations.gov. Comments that contain
profanity, vulgarity, threats, or other
inappropriate language or content will
not be considered.
• The Regulatory Impact Analysis is
available at https://www.regulations.gov
at docket number BIS–2024–0005.
FOR FURTHER INFORMATION CONTACT:
Marc Coldiron, U.S. Department of
Commerce, telephone: (202) 482–3678.
For media inquiries: Jessica Stallone,
Office of Congressional and Public
Affairs, Bureau of Industry and Security,
U.S. Department of Commerce: OCPA@bis.doc.gov.
SUPPLEMENTARY INFORMATION:
I. Background
In this notice, BIS solicits comment
on a proposed rule to prohibit
transactions involving Vehicle
Connectivity System (VCS) hardware
and covered software designed,
developed, manufactured, or supplied
by persons owned by, controlled by, or
subject to the jurisdiction or direction of
the People’s Republic of China,
including the Hong Kong Special
Administrative Region (PRC), or the
Russian Federation (Russia). It follows
an advance notice of proposed
rulemaking (ANPRM), 89 FR 15066
(Mar. 1, 2024), in which BIS sought
public comment to inform a rulemaking
that would address the undue or
unacceptable risks, as identified in
Executive Order (E.O.) 13873, ‘‘Securing
the Information and Communications
Technology and Services Supply
Chain,’’ 84 FR 22689 (May 17, 2019),
posed by a class of transactions that
involve information and
communications technology and
services (ICTS) designed, developed,
manufactured, or supplied by persons
owned by, controlled by, or subject to
the jurisdiction or direction of a foreign
adversary and integral to Connected
Vehicles.
In E.O. 13873, the President delegated
to the Secretary of Commerce
(Secretary), to the extent necessary to
implement the order, the authority
granted under the International
Emergency Economic Powers Act
(IEEPA) (50 U.S.C. 1701, et seq.), ‘‘to
deal with any unusual and
extraordinary’’ foreign threat to the
United States’ national security, foreign
policy, or economy, if the President
declares a national emergency with
respect to such threat. 50 U.S.C. 1701(a).
In E.O. 13873, the President declared a
national emergency with respect to the
‘‘unusual and extraordinary’’ foreign
threat posed to the ICTS supply chain
and has, in accordance with the
National Emergencies Act (NEA),
extended the declaration of this national
emergency in each year since E.O.
13873’s publication. See Continuation
of the National Emergency With Respect
to Securing the Information and
Communications Technology and
Services Supply Chain, 85 FR 29321
(May 14, 2020); Continuation of the
National Emergency With Respect to
Securing the Information and
Communications Technology and
Services Supply Chain, 86 FR 26339
(May 13, 2021); Continuation of the
National Emergency With Respect to
Securing the Information and
Communications Technology and
Services Supply Chain, 87 FR 29645
(May 13, 2022); Continuation of the
National Emergency With Respect to
Securing the Information and
Communications Technology and
Services Supply Chain, 88 FR 30635
(May 11, 2023); Continuation of the
National Emergency With Respect to
Securing the Information and
Communications Technology and
Services Supply Chain, 89 FR 40353
(May 9, 2024).
Specifically, the President identified
the ‘‘unrestricted acquisition or use in
the United States of ICTS designed,
developed, manufactured, or supplied
by persons owned by, controlled by, or
subject to the jurisdiction or direction of
foreign adversaries’’ as ‘‘an unusual and
extraordinary’’ foreign threat to the
national security, foreign policy, and
economy of the United States that
‘‘exists both in the case of individual
acquisitions or uses of such technology
or services, and when acquisitions or
uses of such technologies are considered
as a class.’’ See E.O. 13873, and 50
U.S.C. 1701(a)–(b).
Once the President declares a national
emergency, IEEPA empowers the
President to, among other acts,
investigate, regulate, prevent, or
prohibit, any ‘‘acquisition, holding,
withholding, use, transfer, withdrawal,
transportation, importation or
exportation of, or dealing in, or
exercising any right, power, or privilege
with respect to, or transactions
involving, any property in which any
foreign country or a national thereof has
any interest by any person, or with
respect to any property, subject to the
jurisdiction of the United States.’’ 50
U.S.C. 1702(a)(1)(B).
To address the identified risks to
national security from ICTS
transactions, the President in E.O. 13873
imposed a prohibition on transactions
determined by the Secretary, in
consultation with relevant agency
heads, to involve foreign adversary ICTS
and to pose certain risks to U.S. national
security, technology, or critical
infrastructure. Specifically, to fall
within the scope of the prohibition, the
Secretary must determine that a
transaction: (1) ‘‘involves [ICTS]
designed, developed, manufactured, or
supplied, by persons owned by,
controlled by, or subject to the
jurisdiction or direction of a foreign
adversary,’’ defined in E.O. 13873 as
‘‘any foreign government or foreign non-government person engaged in a long-term pattern or serious instances of
conduct significantly adverse to the
national security of the United States or
security and safety of United States
persons;’’ and (2):
A. ‘‘Poses an undue risk of sabotage
to or subversion of the design, integrity,
manufacturing, production, distribution,
installation, operation, or maintenance
of information and communications
technology or services in the United
States;’’
B. ‘‘Poses an undue risk of
catastrophic effects on the security or
resiliency of United States critical
infrastructure or the digital economy of
the United States;’’ or
C. ‘‘Otherwise poses an unacceptable
risk to the national security of the
United States or the security and safety
of United States persons.’’
These factors are collectively referred
to as ‘‘undue or unacceptable risks.’’
Further, E.O. 13873 grants the Secretary
the authority to design or negotiate
mitigation measures that would allow
an otherwise prohibited transaction to
proceed. E.O. 13873 section 1(b).
The President also delegated to the
Secretary the ability to promulgate
regulations that, among other things,
establish when transactions involving
particular technologies may be
categorically prohibited. E.O. 13873
section 2(a)–(b); see also 3 U.S.C. 301–
02. Specifically, the Secretary may issue
rules establishing criteria, consistent
with section 1 of E.O. 13873, by which
particular technologies or market
participants may be categorically
included in or categorically excluded
from prohibitions established pursuant
to E.O. 13873.
II. Introduction
Today’s vehicles contain a myriad of
connected components that provide
greater convenience for consumers and
increase road safety for both drivers and
pedestrians, such as Wi-Fi, Bluetooth,
cellular, and satellite connectivity.
However, the incorporation of
progressively more complex hardware
and software systems that facilitate
these features has also increased the
attack surfaces through which malign
actors may exploit vulnerabilities to
gain access to a vehicle. As BIS outlined
in its March 1, 2024, ANPRM, certain
ICTS integral to Connected Vehicles
could present an undue or unacceptable
risk to U.S. national security when those
systems are designed, developed,
manufactured, or supplied by persons
owned by, controlled by, or subject to
the jurisdiction or direction of a foreign
adversary.
In the Securing the Information and
Communications Technology and
Services Supply Chain interim final
rule, 86 FR 4909 (January 19, 2021), the
Secretary determined that certain
foreign governments or foreign non-government persons, including the PRC,
Republic of Cuba, Islamic Republic of
Iran, Democratic People’s Republic of
Korea, Russia, and Venezuelan
politician Nicolás Maduro constitute
foreign adversaries for purposes of E.O.
13873 and rules promulgated pursuant
to E.O. 13873. See 15 CFR 791.4 (to the
extent that the list of foreign adversaries
identified in 15 CFR 791.4 is updated to
add or remove governments or non-government persons, this proposed rule
intends to reflect the most up-to-date
designations of foreign adversaries).
Additionally, E.O. 13873 provides that
the Secretary may issue rules that
identify particular technologies or
countries with respect to which
transactions involving ICTS warrant
particular scrutiny. E.O. 13873 section 2(b). For
the purposes of this proposed rule
regarding transactions involving ICTS
integral to Connected Vehicles, BIS is
focusing its regulatory efforts on ICTS
that are designed, developed,
manufactured, or supplied by persons
owned by, controlled by, or subject to
the jurisdiction or direction of the PRC
or Russia. BIS has identified that, for the
purposes of addressing the national
security risks posed by Connected
Vehicles, these two foreign adversaries
pose particular risks to U.S. national
security because of their legal, political,
and regulatory regimes, combined with
their current and anticipated growth
and involvement in the automotive
sector, to include Connected Vehicles.
However, BIS specifically seeks public
comment on whether the other
identified foreign adversaries pose
similar risks to U.S. national security in
the connected vehicle supply chain.
The PRC and Russia are able to
leverage domestic legislation and
regulatory regimes to compel companies
subject to their jurisdiction, including
carmakers and their suppliers, to
cooperate with security and intelligence
services. Such control over companies
and their products and services means
that equipment is easily exploitable by
PRC and Russian authorities. The
privileged access that the PRC and
Russia may gain to Connected Vehicles
through their components, including
software, could enable those foreign
adversaries to exfiltrate sensitive data
collected by connected vehicles and,
potentially, allow remote access and
manipulation of connected vehicles
driven by U.S. persons. Pursuant to E.O.
13873, BIS has determined that certain
classes of transactions that facilitate the
exfiltration of data and remote
manipulation of connected vehicles
pose undue or unacceptable risks to
U.S. national security and the safety and
security of U.S. persons.
a. Overview of Proposed Rule
To address these identified undue or
unacceptable risks, BIS is proposing
regulations that would, absent a General
or Specific Authorization, (1) prohibit
VCS Hardware Importers from
knowingly importing into the United
States certain hardware for VCS (‘‘VCS
Hardware,’’ as further defined below);
(2) prohibit connected vehicle
manufacturers from knowingly
importing into the United States
completed connected vehicles
incorporating certain software that
supports the function of VCS or ADS
(VCS and ADS software are collectively
referred to herein as ‘‘covered software,’’
as further defined below); (3) prohibit
connected vehicle Manufacturers from
knowingly Selling within the United
States completed connected vehicles
that incorporate covered software; and
(4) prohibit connected vehicle
manufacturers who are owned by,
controlled by, or subject to the
jurisdiction or direction of the PRC or
Russia from knowingly selling in the
United States completed connected
vehicles that incorporate VCS hardware
or covered software. The prohibitions
would apply when such VCS hardware
or covered software is designed,
developed, manufactured, or supplied
by persons owned by, controlled by, or
subject to the jurisdiction or direction of
the PRC or Russia.
If, following consideration of
comments received on this proposed
rule, BIS issues a final rule to adopt the
proposal, that final rule would take
effect 60 days after publication in the
Federal Register. However, VCS
Hardware Importers would be permitted
to engage in otherwise Prohibited
Transactions involving VCS Hardware
and exempt from certain requirements
so long as: (1) for VCS Hardware not
associated with a Model Year, the
import of the VCS Hardware takes place
prior to January 1, 2029; or (2) the VCS
Hardware unit is associated with a
vehicle Model Year prior to 2030 or the
VCS Hardware is integrated into a
connected vehicle (completed or
incomplete) with a Model Year prior to
2030. Connected vehicle manufacturers
would be permitted to engage in
otherwise prohibited transactions
involving covered software and exempt
from certain requirements, so long as
the completed connected vehicle that is
imported, or sold within the United
States, is of a model year prior to 2027.
Connected vehicle manufacturers that
are owned by, controlled by, or subject
to the jurisdiction or direction of the
PRC or Russia would be permitted to
sell completed connected vehicles with
a model year prior to 2027 that
incorporate VCS hardware or covered
software.
BIS is also proposing to implement
several mechanisms to facilitate
compliance with these prohibitions: (1)
Declarations of Conformity submitted to
BIS by VCS hardware importers and
connected vehicle manufacturers to
confirm that they are not engaging in
prohibited transactions involving VCS
hardware or covered software, as
defined herein; (2) Advisory opinions to
allow VCS hardware importers and
connected vehicle manufacturers to seek
guidance from BIS on whether a
prospective transaction may be
prohibited; (3) General authorizations to
allow certain VCS hardware importers
and connected vehicle manufacturers to
engage in otherwise prohibited
transactions without the need to notify
BIS prior to the prohibited activity if
they qualify under stated conditions; (4)
Specific authorizations which,
following an application to and
approval by BIS, grant VCS hardware
importers and connected vehicle
manufacturers the ability to engage in
otherwise prohibited transactions,
including because the associated undue
or unacceptable risks have been, or can
be, mitigated; and (5) A process to
inform VCS hardware importers and
connected vehicle manufacturers that a
specific authorization may be required
because an activity could constitute a
Prohibited Transaction.
This proposed rule benefits from the
responses received during the public
comment period for the ANPRM and
incorporates significant portions of that
feedback. For example, BIS considered
public feedback to define the scope of
connected vehicles, identify ICTS
integral to Connected Vehicles, and
better understand the effects of any
potential prohibition. Determining the
scope of the prohibitions outlined in
this proposed rule required balancing
the need to address the undue or
unacceptable risk posed by foreign
adversary involvement in the connected
vehicles supply chain with the impact
on the public and industry.
III. Comments on the Advance Notice of
Proposed Rulemaking
On March 1, 2024, the Department
published in the Federal Register an
ANPRM, 89 FR 15066, pursuant to the
authority the President delegated to the
Secretary in E.O. 13873. The purpose of
the ANPRM was to solicit stakeholder
feedback and to gather information to
further BIS’s consideration of a
proposed rule to address any undue or
unacceptable risks to U.S. national
security posed by ICTS used in
connected vehicles, when designed,
developed, manufactured, or supplied
by persons owned by, controlled by, or
subject to the jurisdiction or direction of
a foreign adversary. Specifically, BIS
sought public input on certain
definitions, capabilities of connected
vehicles that may increase the
likelihood of vulnerabilities, and
consequences to U.S. persons and
critical infrastructure if these
vulnerabilities are exploited by a foreign
adversary. BIS also solicited input on
the ICTS most integral to connected
vehicles and most vulnerable to
compromise, as well as input on
mechanisms to address identified risks
through potential design,
implementation standards and
protocols, manufacturing integrity
protection systems and procedures, or
prohibitions.
BIS received 57 comment submissions
in response to the ANPRM, from
original equipment manufacturers
(OEMs), component suppliers, two
foreign governments, nonprofit
organizations, and individuals. Five
comments contained CBI, and one
comment was retracted at the request of
the commenter. Each of the comments is
available on the public rulemaking
docket at https://www.regulations.gov.
In general, commenters expressed
agreement with BIS on the overall risks
posed by compromised ICTS in
Connected Vehicles, as outlined in the
ANPRM. Commenters were also
generally aligned on the need for further
clarity on what would constitute a
person ‘‘owned by, controlled by, or
subject to the jurisdiction or direction’’
of a foreign adversary, the challenge of
implementing due diligence
requirements due to the complexity of
the global automotive supply chain, the
need for substantial lead time to
implement a regulation given the
difficulty of sourcing alternative
suppliers, the breadth and depth of data
collected by ICTS integral to Connected
Vehicles, and the potential negative
impact such a regulation could have on
long-term U.S. innovation,
competitiveness, and health and safety.
On the other hand, commenters
disagreed on a number of issues,
including the ICTS most integral to
connected vehicles, the level of risk that
may be posed by transactions involving
the identified connected vehicle
systems, the definition of connected
vehicle, and approaches for how the
proposed rule could be most effective in
risk mitigation.
Below, BIS addresses in more detail
the key issues raised by the comments
received and describes how they were
considered and, where applicable,
addressed in the proposed rule.
a. Definitions
In the ANPRM, BIS sought comments
on the definition of the term ‘‘connected
vehicle,’’ proposing to define it as ‘‘an
automotive vehicle that integrates
onboard networked hardware with
automotive software systems to
communicate via dedicated short-range
communication, cellular
telecommunications connectivity,
satellite communication, or other
wireless spectrum connectivity with any
other network or device.’’ Commenters
offered differing views on BIS’s
proposed definition with some, but not
all, commenters agreeing that it
appropriately captured the platform BIS
seeks to regulate.
Commenters that disagreed with BIS’s
proposed definition offered several
reasons. For example, many
commenters viewed the term as overly
broad and noted that it failed to identify
the specific types of vehicles that would
be captured by a regulation (e.g.,
commercial, industrial, agricultural,
rolling stock). Commenters also noted
that the phrase ‘‘connected vehicle’’ is
an existing term of art within the
automotive industry referring to
vehicles with external communication
capabilities, particularly in short-range
communication. As an alternative, some
commenters suggested that BIS adopt
the term ‘‘networked vehicle’’ to capture
the ability of a vehicle to communicate
with networks or devices external to a
vehicle while others suggested the term
‘‘software-defined vehicles’’ which
would encompass the technologies and
capabilities outlined in the ANPRM’s
proposed connected vehicle definition
while also capturing internal software
capabilities for functions within a
vehicle beyond communication (e.g.,
starting a vehicle, malfunction checks,
navigation).
After full consideration of each of the
comments, BIS maintains the use of the
term ‘‘connected vehicle’’ in the
proposed rule. However, BIS proposes
to narrow its definition to mean, ‘‘[a]
vehicle driven or drawn by mechanical
power and manufactured primarily for
use on public streets, roads, and
highways, that integrates onboard
networked hardware with automotive
software systems to communicate via
dedicated short-range communication,
cellular telecommunications
connectivity, satellite communication,
or other wireless spectrum connectivity
with any other network or device.
Vehicles operated only on a rail line are
not included in this definition.’’ This
definition captures the vehicles that
would be subject to the rule (e.g.,
passenger vehicles, motorcycles, buses,
small and medium trucks, class 8
commercial trucks, recreational
vehicles), while excluding those that
pose a less acute risk of data exfiltration,
modification, or sabotage by foreign
adversaries. BIS further believes that the
term connected vehicle, as defined in
this proposed rule, will capture future
trends in vehicle development,
particularly as software comes to play a
larger role in vehicle operation. BIS
emphasizes its belief that, with very few
exceptions, all new vehicles sold in the
United States will be captured by this
definition. BIS seeks comment on this
assessment. In the interest of issuing a
rule that is narrow, yet also would
address the risks posed by connected
vehicles, BIS declines to extend this
definition to all ‘‘rolling stock’’ or
unmanned aerial vehicles as suggested
by some comments, although BIS does
not preclude the possibility of
addressing these vehicles in future
regulation. BIS believes that these
sectors, to include vehicles operating on
a rail line, are materially different from
the connected vehicle sector as defined
by this proposed rule, and capturing
these vehicles in a regulation primarily
targeting wheeled on-road vehicles
could lead to unintended consequences
and supply chain disruption.
A subset of commenters requested
further clarity on what would constitute
an entity ‘‘subject to the jurisdiction or
direction’’ of a foreign adversary and
expressed concerns that foreign
subsidiaries of U.S. businesses or
foreign nationals working in the United
States would potentially be captured by
this term. Others suggested that BIS
should ensure that the subsidiaries of
companies located in foreign adversary
countries are captured by the proposed
rule, even when the subsidiaries are
located in third countries outside the
United States that are not foreign
adversaries, but supply entities within
the United States.
After full consideration of the
comments, BIS has adopted the
definition of a ‘‘person owned by,
controlled by, or subject to the
jurisdiction or direction of a foreign
adversary’’ to mean, (a) any person,
wherever located, who acts as an agent,
representative, or employee, or any
person who acts in any other capacity
at the order, request, or under the
direction or control, of a foreign
adversary or of a person whose activities
are directly or indirectly supervised,
directed, controlled, financed, or
subsidized in whole or in majority part
by a foreign adversary; (b) any person,
wherever located, who is a citizen or
resident of a foreign adversary or a
country controlled by a foreign
adversary, and is not a United States
citizen or permanent resident of the
United States; (c) any corporation,
partnership, association, or other
organization with a principal place of
business in, headquartered in,
incorporated in, or otherwise organized
under the laws of a foreign adversary or
a country controlled by a foreign
adversary; or (d) any corporation,
partnership, association, or other
organization, wherever organized or
doing business, that is owned or
controlled by a foreign adversary, to
include circumstances in which any
person identified in paragraphs (a)
through (c) possesses the power, direct
or indirect, whether or not exercised,
through the ownership of a majority or
a dominant minority of the total
outstanding voting interest in an entity,
board representation, proxy voting, a
special share, contractual arrangements,
formal or informal arrangements to act
in concert, or other means, to determine,
direct, or decide important matters
affecting an entity. BIS has also
provided, below in Section V, numerous
non-exhaustive examples to explain
how this term will apply in various
representative situations.
b. ICTS Supply Chain for Connected
Vehicles
In the ANPRM, BIS sought comments
on ‘‘the ICTS supply chain for
Connected Vehicles in the United
States,’’ in order to better understand
the role played by persons owned by,
controlled by, or subject to the
jurisdiction or direction of foreign
adversaries within it. Public comments
broadly discussed the ICTS
incorporated into Connected Vehicles
and noted the difficulty that
manufacturers and suppliers may face
in conducting supply chain due
diligence for the purposes of complying
with any potential final rule.
Submissions explained the complexity
of ICTS systems contained within
Connected Vehicles and outlined
several categories of technologies
incorporated into Connected Vehicles,
including microcontrollers, applications
processors, analog products (e.g., power
management integrated circuits and
transceiver physical layers), automotive
software operating systems (OS),
automotive vision, light detection and
ranging (LiDAR) systems, radar, and
other application software systems.
Many commenters who identified as
OEMs also noted that they do not
always know the source of all inputs
from hardware and software suppliers,
making conducting due diligence
beyond tier one and tier two suppliers
particularly difficult. Moreover,
submissions highlighted that suppliers
are often capable of updating the
firmware on their components
independently of an OEM, further
complicating efforts to understand
which entities have access to software
and when such access occurs.
The comments received on this topic
highlight the depth and complexity of
connected vehicle supply chains,
indicating that it is not always clear to
OEMs which suppliers have access to
connected vehicle software and when
they have access to it. As some
commenters pointed out, some of these
technologies and their associated supply
chains are still in development and will
grow even more complex as the industry
develops. Such existing and growing
complexity, coupled with the likelihood
of ICTS that is designed, developed,
manufactured, or supplied by persons
owned by, controlled by, or subject to
the jurisdiction or direction of a foreign
adversary being incorporated into
connected vehicles, demonstrates the
need for regulation to protect U.S.
national security. Such regulation will
also incentivize greater supply chain
transparency for not only existing
supply chains but also for developing
supply chains. To facilitate compliance,
the rule would include a delayed
implementation timeline so that
industry can adjust their existing supply
chains and plans for future supply
chains. BIS is not currently proposing
specific due diligence requirements.
Instead, VCS hardware importers and
connected vehicle manufacturers are
given flexibility to provide evidence of
compliance efforts tailored to their
unique operations. Such efforts could
include using third-party researchers or
independently conducting supply chain
diligence.
Several commenters raised a variety
of potential trade-related concerns
relating to this proposed rulemaking
and other recent U.S. government
actions related to automotive trade
involving the PRC. While some
commenters explicitly advocated for
exclusionary tariffs on the import of all
PRC vehicles into the United States,
others cautioned BIS to avoid creating
unnecessary trade barriers when crafting
a proposed rule. One commenter
specifically warned that BIS regulation
of connected vehicle software could
amount to a digital trade barrier and
urged BIS to avoid certain policies such
as data localization requirements, digital
service taxes, or forced code inspection.
BIS underscores the U.S. government’s
commitment to the trusted and secure
flow of data across borders. This
proposed rule seeks to narrowly
address, pursuant to E.O. 13873, the
acute national security concerns posed
by certain foreign adversary ICTS in
connected vehicle supply chains while
minimizing any unnecessary
disruptions in manufacturing and trade.
BIS has drafted this proposed rule
irrespective of any other automobile-related trade actions taken by the U.S.
government.
c. ICTS Most Integral to Connected
Vehicles and Their Capabilities
In its ANPRM, BIS identified six
systems (i.e., vehicle operating systems
(OS), telematics systems, Advanced
Driver-Assistance System (ADAS),
Automated Driving Systems (ADS),
satellite or cellular telecommunications
systems, and battery management
systems (BMS)) that it was considering
identifying as the ICTS in Connected
Vehicles most likely to present undue or
unacceptable risks if exploited by
foreign adversaries. BIS requested
comment on the levels of risk associated
with these various ICTS as well as any
additional ICTS that commenters might
consider integral to Connected Vehicles.
Commenters held differing views on
which ICTS are integral to connected
vehicles and should be captured by the
scope of a rule. For example, whereas
some commenters noted that ADAS
present a low risk of data exfiltration
given that these systems often lack
direct external connectivity, others
noted that such systems may
nevertheless be indirectly connected to
external devices and systems (e.g.,
microcontrollers), thus offering indirect
access to the data they collect. As
another example, while many
commenters identified LiDAR systems
as a concern, there was disagreement
about the nature of the vulnerability
posed by these systems. Some
commenters noted that LiDAR systems
could be manipulated to cause grave
harm (e.g., to ignore pedestrians) given
their instrumental role in vehicle
guidance. However, BIS’s further
technical analysis found that LiDAR
generally lacks the ability to transmit
from the vehicle and does not, as a
standalone system, control the vehicle.
Importantly, BIS notes that in many
cases, ADS exerts control over both
LiDAR and the vehicle and thus
presents a higher risk. Other
commenters pointed to the growing role
of mobile applications that allow drivers
to access and control core functions of
the vehicle remotely (e.g., keyless
driving). A number of commenters also
highlighted concerns related to
aftermarket connected devices. These
devices, which often feature some forms
of connectivity, are introduced to the
vehicle after manufacture and sale and
may contain vulnerabilities over which
OEMs have little to no oversight.
Several submissions expressed a
desire for BIS to tailor any regulation as
narrowly as possible, arguing that BIS
should focus only on those systems with
direct connectivity to the connected
vehicle or the ability to transmit from
the connected vehicle. Some
commenters pointed specifically to
devices that connect to a vehicle’s
controller area network (CAN) bus as
posing a specific cybersecurity risk.
Others recommended that BIS should
critically examine electric vehicle
charging infrastructure and associated
technologies due to a potential risk of
exploitation by foreign adversaries. A
few OEM commenters ascribed the
highest level of potential risk to
‘‘finished’’ or ‘‘vertically integrated’’
vehicles from suppliers with a foreign
adversary nexus that are operating in
the United States. One commenter
pointed to ICTS components inside
safety-critical systems (e.g., braking
systems, steering systems, traction
systems, battery-charging and
management systems, airbag systems) as
posing greater levels of potential risk.
On the other hand, some commenters
recommended that BIS should aim to
address the widest possible aperture of
risk by regulating a wide variety of the
technologies enumerated in the ANPRM
along with additional technology
categories (e.g., microcontrollers, analog
products).
Following consideration of these
comments, BIS is proposing a rule that
aims to strike a balance between
minimizing supply chain disruptions
and the need to address the national
security risks posed by Connected
Vehicles. BIS proposes to achieve this
balance by focusing the rule only on
those systems that most directly
facilitate the transmission of data both
into and from the vehicle, rather than
focusing on all systems. Therefore, BIS
is proposing to regulate transactions
involving two systems of ICTS integral
to connected vehicles, VCS and ADS. As
further discussed below, in many cases,
these systems serve as controllers for
subordinate systems within the
Connected Vehicle, like those
highlighted in the ANPRM, making
them a target for exploitation related to
data exfiltration or remote vehicle
manipulation. After reviewing
comments, BIS has determined that
aftermarket telematics devices,
including fleet tracking devices and
systems, that fulfill functions consistent
with the definition of VCS hardware are
covered by this proposed rule.
Additionally, the proposed rule does
not cover ICTS with the function of
enabling the transmission, receipt,
conversion, or processing of radio
frequency communications at a
frequency below 450 megahertz. Setting
such a threshold enables BIS to capture
those ICTS that pose a higher risk due
to their connectivity and transmission
functions, while lowering compliance
burden by excluding from regulation
those ICTS with functions that pose a
lower risk and offer high utility to
consumers (e.g., tire pressure
monitoring systems, electronic key
fobs).
For similar reasons, BIS ultimately
chose to exclude other systems
highlighted in the ANPRM—such as OS,
ADAS, or BMS—from this proposed
rule unless they have VCS components
and fall within the proposed rule’s
definition of VCS hardware. For
example, automotive software systems
like BMS and automotive OS do not
have their own connectivity, and
require communication through a VCS,
thereby making VCS a more effective
focus for rulemaking. BMS traditionally
do not have their own external wireless
data link and instead rely on a VCS for
wireless communication.
Likewise, automotive OS software,
which generally resides on an in-vehicle
infotainment unit or centralized head
unit, is characterized by a wide
diversity in architecture, design, and
supply chain among OEMs while also
generally lacking its own data link,
instead relying on communication
through a VCS. Given how these
systems are typically placed within
connected vehicles and the ways in
which they achieve connectivity, BIS
has chosen to focus on the systems that
ultimately facilitate the transmission of
data both to and from the vehicle as
opposed to these subordinate systems.
Additionally, to reduce unnecessary
economic impacts and supply
disruption, BIS is proposing to regulate
ADS software rather than the hardware
components of ADAS and ADS. The
hardware that enables ADAS and ADS
varies widely between different OEMs.
In contrast, the hardware that enables
VCS are relatively consistent across
different automotive architectures and
designs. ADAS and ADS hardware
encompasses a wide variety of different
sensors, distributed electronic control
units (ECUs), centralized computing
units, actuators, and signaling units,
among others. These sensors and
internal vehicle networking hardware
rarely have independent connectivity.
Most, if not all, scalable exploitation of
vulnerabilities in these systems is
reached through VCS connectivity. A
rule that coherently and
feasibly addresses these varied supply
chains would have disproportionate
economic and supply chain impacts
relative to the reduction of national
security risks. Further, focusing on the
ADS software supply chain
appropriately mitigates the national
security risks that ADS present while
limiting the supply chain and economic
impact. While BIS recognizes that the
scope of data captured by connected
automotive systems is vast and that
multiple systems may pose national
security risks, as discussed above, it has
decided to focus its current efforts on
VCS hardware and covered software.
However, BIS does not foreclose the
possibility of further addressing other
systems, including additional aspects of
VCS and ADS, in future regulation. BIS
therefore also specifically seeks
comment on its determination that VCS
and ADS are automotive ICTS integral
to Connected Vehicles and pose the
greatest and most addressable national
security risk, and on its decision to
focus this rule on those systems. BIS
also specifically seeks comment on
whether any risks posed by other
connected vehicle ICTS should also be
addressed in this rule.
d. Cybersecurity Best Practices
In the ANPRM, the Department
requested comments regarding
cybersecurity concerns with the
connected vehicle supply chain, as well
as standards, best practices, and norms
that are relied upon and built up by the
connected vehicle industry.
Commenters largely emphasized that
OEMs dedicate significant resources to
bolstering the cybersecurity of
connected vehicle systems in addition
to following or conforming to relevant,
established best practices and standards.
Some commenters referenced work by
vehicle manufacturers to deploy
advanced encryption techniques as well
as the importance of conducting
thorough testing on connected vehicle
systems and components, including
penetration testing, fuzz testing, and
static code analysis. Others identified
specific techniques and best practices,
including role-based access controls.
Among the best practices and standards
most referenced by commenters were
the National Highway Traffic Safety
Administration’s (NHTSA)
Cybersecurity Best Practices for the
Safety of Modern Vehicles, International
Organization for Standardization’s (ISO)
and SAE International’s standard ISO/
SAE 21434, Institute of Electrical and
Electronics Engineers Standards
Association’s (IEEE) standard IEEE
1609.2, SAE J3061, and SAE J3161. At
the international level, commenters also
referenced the United Nations Economic
Commission for Europe (UNECE)
Regulations 155 (R155) and R156, which
address whole-of-vehicle and software
update cybersecurity, respectively. One
commenter encouraged BIS to pay
particular attention to R155 and R156
given the standards’ mandatory
coverage in UNECE member states and
their ability to provide common best
practices to vehicle manufacturers
globally.
Many commenters underscored that
security is a shared responsibility
between OEMs and cloud service
providers (CSPs), explaining that while
CSPs manage the infrastructure layer,
CSP customers are responsible for
implementing appropriate
configurations and controls in the cloud
to protect their data. Commenters also
emphasized that practices for
automotive cloud security and cloud
data access vary between OEMs and
according to the specific contractual
terms between the OEM and CSP. Some
submissions pointed to ISO’s and
International Electrotechnical
Commission’s (IEC) standard ISO/IEC
27001 and third-party certifications and
attestations, such as the Cloud Security
Alliance Cloud Controls Matrix, as
models for cloud security best practices
and standards. With regard to electric
vehicle charging infrastructure,
commenters pointed to ISO 15118,
National Institute of Standards and
Technology’s (NIST) Internal Report (IR)
8473, and German technical
specification DIN 70121, but they
emphasized that specific practices vary
according to OEM due to differing
battery types and configurations.
BIS acknowledges that cybersecurity
standards and best practices,
particularly many of those mentioned in
submissions, serve a crucial function in
promoting the safety and security of
vehicles. While BIS generally
encourages the use of cybersecurity
standards and best practices, BIS also
acknowledges that no standard BIS is
aware of or that was identified in
comments—either currently in effect or
under development—would sufficiently
mitigate the undue or unacceptable risks
posed by foreign adversary involvement
in connected vehicle ICTS supply
chains as described in this proposed
rule, even if widely adopted by
industry. The standards and guidance
BIS reviewed are primarily focused on
hardening automotive systems from
external access. Standards and guidance
alone are insufficient to address risks
from within the supply chain, as the
systems are not, and cannot be, hardened
against the OEM or tier 1 and 2
suppliers that have or maintain
privileged access to them. As a result,
BIS is not proposing to adopt
cybersecurity standards and best
practices as part of the rule but may
consider the scope and nature of their
adoption on a case-by-case basis as part
of the Specific Authorizations process
described in greater detail below.
e. Authorizations and Mitigations
In the ANPRM, BIS sought comment
on processes and mechanisms that BIS
could implement to authorize an
otherwise prohibited transaction with
the adoption of mitigation measures.
Commenters were generally aligned
regarding authorizations and potential
mitigation schemes. Several
commenters requested that BIS adopt (1)
an advisory opinion program for
connected vehicles; (2) a trusted trader
program to simplify compliance and
avoid the complexity and uncertainty
associated with a licensing regime; and
(3) a program allowing OEMs and
suppliers to self-certify compliance with
the regulation. BIS has considered each
of the comments in full and is proposing
an advisory opinion program;
procedures for VCS hardware importers
and connected vehicle manufacturers to
submit Declarations of Conformity,
which allow OEMs and suppliers to
self-certify their compliance with the
regulation; as well as procedures for
VCS hardware importers and connected
vehicle manufacturers to determine
eligibility for a General Authorization or
apply for a Specific Authorization. BIS
is not proposing a trusted trader
program at this time because of the
complexity, scale, and opacity of
existing connected vehicle supply
chains, but may consider establishing
such a program to facilitate compliance
as supply chains evolve and welcomes
comment on such a program as well as
any other alternate compliance
mechanisms.
A significant portion of commenters
raised and rejected data localization
requirements as a potential solution to
the data exfiltration concerns associated
with connected vehicles. Instead, many
argued that data exfiltration concerns
could instead be mitigated by securing
a demonstrated commitment to privacy
and security from OEMs and suppliers,
primarily through the adoption of
industry cybersecurity best practices
and standards. Some commenters also
pointed to company membership in the
Automotive Information Sharing and
Analysis Center (Auto-ISAC) as another
method for entities to demonstrate
commitment to cybersecurity best
practices. As discussed above, BIS has
opted not to require adherence to any
specific standard or best practice as a
prerequisite to securing an authorization
to engage in an otherwise prohibited
transaction, but BIS reserves the right to
consider compliance with them on a
case-by-case basis in conjunction with
other potential mitigations.
f. Economic Impacts
Commenters generally agreed that
prohibitions affecting a major supplier
of a component used in Connected
Vehicles could result in negative
economic outcomes. Commenters raised
several concerns, including increased
manufacturing costs for U.S. auto
manufacturers that would likely be
passed on to consumers; a decline in
long-term U.S. competitiveness vis-à-vis
foreign auto manufacturers;
disincentivizing further investment in
connected vehicles and autonomous
vehicle research and development
(R&D), potentially reducing future
employment in the U.S. auto industry;
and a decline in the safety and quality
of connected vehicles available to U.S.
consumers. Several commenters also
noted that regulation may have an
outsized impact on small businesses,
which often lack the due diligence and
compliance resources of their larger
competitors. To mitigate these
outcomes, several commenters
requested substantial lead time for
manufacturers to identify and source
from alternative suppliers. Lastly,
multiple submissions emphasized that
not all components in connected
vehicles produced by entities owned by,
controlled by, or subject to the
jurisdiction or direction of a foreign
adversary necessarily pose a
cybersecurity or national security risk,
especially for components with minimal
or no connectivity capability.
Following consideration of these
comments, BIS proposes to allow (1)
until Model Year 2027, for connected
vehicle manufacturers to come into
compliance for transactions involving
covered software, (2) until model year
2030, or January 1, 2029, for VCS
hardware importers to come into
compliance for transactions involving
VCS hardware; and (3) until model year
2027 for connected vehicle
manufacturers that are owned by,
controlled by, or subject to the
jurisdiction or direction of the PRC or
Russia to sell connected vehicles with
VCS hardware and/or covered software.
Moreover, to address concerns about the
resources small businesses are able to
devote to compliance, BIS is proposing
a general authorization that would
permit certain small businesses to
engage in otherwise prohibited
transactions. BIS also emphasizes that
this rule would narrowly target the
specific automotive systems that pose
the greatest risk when designed,
developed, manufactured, or supplied
by persons owned by, controlled by, or
subject to the jurisdiction or direction of
certain foreign adversaries. As such, the
rule would not broadly prohibit the
import of connected vehicle
technologies from foreign adversary
nations, nor would it require market
participants to alter supply chains for
low-risk or unconnected components.
BIS believes that the implementation
timeline strikes an appropriate balance
between minimizing significant
disruptions to the connected vehicles
supply chain and mitigating the
national security risk posed by foreign
adversary involvement in the connected
vehicles supply chain. Given the
relatively limited amount of foreign-adversary-linked hardware and software
in U.S. vehicles today, the software
prohibitions proposed in this rule
would address the most immediate
threats to U.S. national security while
allowing industry time to come into
compliance with the prohibitions on
VCS Hardware.
IV. Risks Associated With Vehicle
Connectivity Systems and Automated
Driving Systems When Designed,
Developed, Manufactured, or Supplied
by Persons Owned by, Controlled by, or
Subject to the Jurisdiction or Direction
of the PRC and Russia
Following consideration of comments
received on the ANPRM, and further
consideration of the risks and
vulnerabilities associated with various
ICTS components that are critical to the
operation of CVs, BIS proposes to focus
its rule on two integral ICTS systems—
VCS and ADS—when designed,
developed, manufactured, or supplied
by persons owned by, controlled by, or
subject to the jurisdiction or direction of
two foreign adversary entities—the PRC
and Russia. Below, BIS further explains
its understanding of the undue and
unacceptable risks associated with these
particular systems, and these particular
foreign adversaries, and seeks public
comment on the systems and foreign
adversaries addressed in the proposed
rule.
a. Vulnerabilities Associated With
Vehicle Connectivity Systems and
Automated Driving Systems
1. Vehicle Connectivity Systems
The term VCS encompasses hardware
and software systems—such as the
telematics control unit (TCU), cellular
modems and antennas, and other
automotive components—that integrate
various radio frequency communication
technologies and enable Connected
Vehicles to access external data sources,
facilitate vehicle-to-vehicle
communication, and provide enhanced
services to users through seamless
connectivity options. For example, as
the primary automotive VCS
component, a TCU acts as the primary
interface between the internal network
and external communication channels.
It collects data from onboard sensors
such as GPS, accelerometers,
gyroscopes, BMS, and other ECUs via
wired networks like CAN bus, LIN,
FlexRay, Automotive Ethernet, K-Line,
as well as wireless protocols such as
Bluetooth and Wi-Fi. Some systems use
cameras and microphones to facilitate
facial recognition of drivers, or to
respond to voice commands of drivers.
Once gathered, the TCU converts this
internal data into radio frequency
signals suitable for transmission over
the chosen wireless protocol. In other
words, as the vast array of sensors on a
connected vehicle collect information
about a driver’s location, speed, voice
patterns, battery state of charge, or other
vehicle diagnostic and operational
information, the TCU converts that data
into a format that can be transmitted to
systems outside the vehicle and then
enables that transmission.
While the increased degree of vehicle
connectivity offers benefits to both
consumers and manufacturers, it also
increases risks to consumers and
manufacturers due to the number of
access points into the internal vehicle
network, each of which may present
multiple new software vulnerabilities
for adversaries to exploit. See National
Renewable Energy Laboratory, ‘‘Vehicle
Cybersecurity Threats and Mitigation
Approaches,’’ (Aug. 2019), https://
www.nrel.gov/docs/fy19osti/74247.pdf.
Such compromise of VCS software
could occur at various points of the
software development lifecycle,
including tool development, source
code repositories, open-source
dependencies, software updates, and
shipment interdiction. For instance,
Upstream’s 2024 Global Automotive
Cybersecurity Report documented a case
where security researchers installed
malicious software on the VCS by
performing a simulated jailbreak attack
of an OEM’s VCS using a voltage fault
injection on the chip-maker’s processor.
This malicious software unlocked
vehicle-manipulating features such as
acceleration and heated seats, provided
access to private user data such as a
user’s phonebook and calendar entries,
and enabled decryption of encrypted
Non-Volatile Memory Express (NVMe)
storage, manipulation of the car’s
identity, and extraction of the vehicle-unique credential used for
authenticating and authorizing the
OEM’s internal service network. See
Upstream, 2024 Global Automotive
Cybersecurity Report (Feb. 2024),
https://upstream.auto/reports/global-automotive-cybersecurity-report/. By
compromising software or its
dependencies, malign actors may
surveil, disrupt, damage, or otherwise
exploit the data or systems of those who
use the software. See National
Counterintelligence and Security
Center, ‘‘Software Supply Chain
Attacks,’’ (Mar. 2021), https://
www.dni.gov/files/NCSC/documents/
supplychain/Software_Supply_Chain_
Attacks.pdf.
The threat of such a cyber operation
by malicious actors can grow
significantly when firmware or
hardware components are intentionally
designed with vulnerabilities. Access to
the hardware supply chain for VCS
provides an avenue for threat actors to
manipulate or insert, with malicious
intent, hardware or firmware modules
into telematics hardware components
such as modems, Systems on Chip
(SoC), Printed Circuit Boards (PCB),
central processing units, and antennae.
Manipulating or modifying hardware
and associated firmware in the supply
chain could also allow foreign
adversaries to insert a backdoor,
granting them control over the VCS. See
Cybersecurity and Infrastructure
Security Agency, Defending Against
Software Supply Chain Attacks (April
2021), https://www.cisa.gov/sites/
default/files/publications/defending_
against_software_supply_chain_
attacks_508.pdf, and National
Counterintelligence and Security
Center, ‘‘Software Supply Chain
Attacks,’’ (Apr. 2023), https://
www.dni.gov/files/NCSC/documents/
supplychain/Software-Supply-Chain-Attacks.pdf. For instance, cellular and
satellite telecommunications
transceivers are pivotal connectivity
components in the VCS, utilizing radio
frequency (RF) energy to facilitate the
transmission and reception of data
between a vehicle and the external
world. If these transceivers are
designed, developed, manufactured, or
supplied by persons owned by,
controlled by, or subject to the
jurisdiction or direction of the PRC or
Russia, such actors would have the
means and capability to introduce
vulnerabilities that could be exploited
to intercept and/or compromise the
information exchanged between the
connected vehicle and the external
world.
2. Automated Driving Systems
The complexity of ADS software, the
large foundation of data sources, and the
driving responsibilities inherent to ADS
render it a valuable target for
exploitation. An ADS encompasses the
upper end of the spectrum of autonomy
levels that dictate the vehicle’s
independence and the extent of driver
intervention required. As defined by the
SAE J3016, autonomy levels range from
Level 0 (no automation) where the
driver controls all aspects of driving, to
Level 5 (full automation) where the
vehicle can operate independently
under all conditions without human
intervention. Levels 1 and 2 offer driver
assistance through systems that control
either steering or acceleration and
braking, while Levels 3 through 5
(which generally comprise ADS)
progressively increase the system’s
responsibility for driving tasks, with
Level 4 requiring the ability to complete
all driving functions within defined
operational design domains (ODDs). As
the autonomy level increases, the
reliability and safety of the ADS become
increasingly reliant on the system’s
operational performance, safety
protocols, and cybersecurity measures.
See Taxonomy and Definitions for
Terms Related to Driving Automation
Systems for On-Road Motor Vehicles,
SAE International, (Apr. 2021), https://
www.sae.org/standards/content/j3016_
202104/.
An ADS must be able to execute
Dynamic Driving Tasks (DDTs) within
specific ODDs. DDTs include critical
tasks such as steering, braking,
acceleration, and Object and Event
Detection, Classification and Response
(OEDR). OEDR enables an ADS to
perceive and respond to surrounding
objects and events, a responsibility that
shifts progressively from the driver to
the ADS itself as the degree of vehicle
autonomy increases. See Edward
Griffor, David Wollman, and
Christopher Greer ‘‘Automated Driving
System Safety Measures Part 1:
Operating Envelope Specification,’’
NIST Special Publication 1900–301
(2021), https://nvlpubs.nist.gov/
nistpubs/SpecialPublications/NIST.
SP.1900-301.pdf.
An ADS relies on a large foundation
of connected information sources for
decisions and outputs which in turn
could create inherent vulnerabilities. As
a result, the complex software systems
that drive decisions for an ADS are
valuable targets for malicious actors to
exploit. Software-based threats to
Connected Vehicles equipped with an
ADS include manipulation of sensors to
create phantom objects; manipulation of
ADS software to detect, capture, and
retain information about specific
geographic areas or other sensitive data;
or other manipulation of sensor fusion
processing software that could lead to
faulty and dangerous vehicle decision
making, to include unauthorized control
over the Connected Vehicle. See
National Counterintelligence and
Security Center, ‘‘Autonomous
Automotive Vehicle Supply Chain
Risk,’’ (2022), https://www.dni.gov/files/
NCSC/documents/supplychain/
autonomous-vehicles-placemat-2022-D9A54B50-.pdf.
A compromised ADS creates
opportunities for data exfiltration and
unauthorized vehicle manipulation due
to the direct access it has to the internal
vehicle network (IVN). The IVN controls
the communication framework within a
Connected Vehicle, overseeing the ECUs
responsible for engine control, traction
control, door locks, climate control,
battery management, powertrain,
airbags, cameras, and radar
functionalities. These ECUs also
communicate via overlaid
communication networking protocols
such as a CAN bus, Local Interconnect
Network (LIN), and Ethernet. See
Anastasios Giannaros, et al.
‘‘Autonomous Vehicles: Sophisticated
Attacks, Safety Issues, Challenges, Open
Topics, Blockchain and Future
Directions,’’ Journal of Cybersecurity
and Privacy 3.3 (2023). Because ADS
interacts with ECUs through the IVN, a
compromised ADS has the capability to
execute functions that affect nearly all
of a Connected Vehicle’s software and
hardware components. For example, an
update to an ADS could alter the
outputs the ADS makes to a body
control unit, enabling the ADS to
erroneously and dangerously open a
vehicle’s door while in motion.
Moreover, because many Connected
Vehicles maintain their own networks
and actively scan their operating
environment for other proximate
networks, an ADS can also potentially
be used to impact the IVN of other
vehicles or transportation infrastructure
networks through vehicle-to-vehicle
communication. See National
Counterintelligence and Security
Center, Autonomous Automotive
Vehicle Supply Chain Risk, (Apr. 2022),
https://www.dni.gov/files/NCSC/
documents/supplychain/autonomous-vehicles-placemat-2022-D9A54B50-.pdf,
and Patrick Wagner, Nikolai Puch, and
David Emeis, ‘‘Cybersecurity risk
analysis of an automated driving
system,’’ Fraunhofer Institute AISEC,
(Oct. 2023), https://publica.
fraunhofer.de/entities/publication/
4d66e81e-3570-4c49-9f8c-8c9967a34ca6/details.
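The door-opened-while-moving scenario described above is the kind of implausible body-control output that an IVN gateway can refuse before it reaches the body domain. The following is an added example (not code from the proposed rule or from any OEM): a gateway keeps vehicle speed learned only from the trusted powertrain port, rejects door-open commands when the vehicle is moving, and fails closed when speed is unknown or stale. CAN arbitration IDs, payload layouts, port names, thresholds and the traffic trace are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed CAN arbitration IDs and signal layouts (illustrative only; not
# taken from any real vehicle or from the proposed rule).
ID_VEHICLE_SPEED = 0x0C9  # powertrain broadcast: bytes 0-1 = speed * 100 km/h, big-endian
ID_DOOR_COMMAND = 0x3A1   # body-domain command: byte 0 = door mask, byte 1 = 1 open / 0 lock

TRUSTED_SPEED_PORT = "powertrain"  # only this gateway port may assert vehicle speed
SPEED_DOOR_OPEN_MAX_KMH = 5.0      # door open is implausible above walking pace
SPEED_FRESHNESS_MS = 500           # speed state older than this is treated as unknown


@dataclass(frozen=True)
class CanFrame:
    ts_ms: int
    arb_id: int
    data: bytes
    port: str  # gateway port the frame arrived on, e.g. "powertrain" or "ads"


@dataclass(frozen=True)
class Decision:
    ts_ms: int
    arb_id: int
    allowed: bool
    reason: str


@dataclass
class GatewayState:
    speed_kmh: Optional[float] = None
    speed_ts_ms: Optional[int] = None


def encode_speed(kmh: float) -> bytes:
    """Pack a speed into the constructed 8-byte speed payload."""
    return int(round(kmh * 100)).to_bytes(2, "big") + bytes(6)


def decode_speed(data: bytes) -> float:
    if len(data) < 2:
        raise ValueError("speed frame too short")
    return int.from_bytes(data[:2], "big") / 100.0


def filter_frame(state: GatewayState, frame: CanFrame) -> Tuple[bool, str]:
    """Decide whether the gateway forwards one frame into the body domain."""
    if frame.arb_id == ID_VEHICLE_SPEED:
        # Speed is safety state: accept it only from the port that owns it, so a
        # speed frame arriving on the ADS port cannot lower the gateway's view.
        if frame.port != TRUSTED_SPEED_PORT:
            return False, "speed-untrusted-port"
        state.speed_kmh = decode_speed(frame.data)
        state.speed_ts_ms = frame.ts_ms
        return True, "ok"

    if frame.arb_id == ID_DOOR_COMMAND:
        wants_open = len(frame.data) >= 2 and frame.data[1] == 1
        if not wants_open:
            return True, "ok"  # lock requests are always plausible
        # Fail closed: with no fresh trusted speed, an open request is refused.
        if state.speed_kmh is None or state.speed_ts_ms is None:
            return False, "door-open-speed-unknown"
        if frame.ts_ms - state.speed_ts_ms > SPEED_FRESHNESS_MS:
            return False, "door-open-speed-stale"
        if state.speed_kmh > SPEED_DOOR_OPEN_MAX_KMH:
            return False, "door-open-speed-too-high"
        return True, "ok"

    return True, "ok"  # frames this filter does not model pass unchanged


def run_gateway(frames: List[CanFrame]) -> List[Decision]:
    state = GatewayState()
    out = []
    for f in frames:
        allowed, reason = filter_frame(state, f)
        out.append(Decision(f.ts_ms, f.arb_id, allowed, reason))
    return out


def sample_traffic() -> List[CanFrame]:
    """Constructed trace: a stop, a drive-off, and door outputs from the ADS port."""
    open_door = bytes([0x01, 0x01])
    lock_door = bytes([0x01, 0x00])
    return [
        CanFrame(0, ID_VEHICLE_SPEED, encode_speed(0.0), "powertrain"),
        CanFrame(100, ID_DOOR_COMMAND, open_door, "ads"),              # stationary: plausible
        CanFrame(1000, ID_VEHICLE_SPEED, encode_speed(62.5), "powertrain"),
        CanFrame(1100, ID_DOOR_COMMAND, open_door, "ads"),             # moving: refused
        CanFrame(1200, ID_VEHICLE_SPEED, encode_speed(0.0), "ads"),    # speed on wrong port: refused
        CanFrame(1300, ID_DOOR_COMMAND, open_door, "ads"),             # trusted speed still 62.5: refused
        CanFrame(1350, ID_DOOR_COMMAND, lock_door, "ads"),             # lock: passes
        CanFrame(2000, ID_DOOR_COMMAND, open_door, "ads"),             # speed 1000 ms old: refused as stale
    ]


if __name__ == "__main__":
    for d in run_gateway(sample_traffic()):
        print(f"t={d.ts_ms:5d} id=0x{d.arb_id:03X} {'PASS' if d.allowed else 'DROP'} {d.reason}")
```

The port-based trust is a stand-in for whatever source authentication the gateway actually has (separate physical buses, or message authentication on the IVN); without it, speed itself can be asserted by the compromised domain.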
Given the significant processing
power and complex decision-making
ability of an ADS, the risks arising from
ADS designed, developed,
manufactured, or supplied by persons
owned by, controlled by, or subject to
the jurisdiction or direction of a foreign
adversary extend beyond the IVN itself
and can include risks to the fidelity and
integrity of data that flows to
downstream or adjacent transportation
infrastructure. Foreign adversaries can
corrupt ADS data by exploiting existing
vulnerabilities in ADS connectivity
environments (see section IV(b) below).
As such, direct access to an ADS
afforded to a malicious actor through
the design, development, manufacture,
or supply of ADS software has the
potential to cause severe adverse
consequences to U.S. national security
and U.S. persons.
b. Threats Associated With the PRC and
Russia
The design, development,
manufacture, or supply of certain VCS
and ADS components by persons owned
by, controlled by, or subject to the
jurisdiction or direction of the PRC or
Russia poses undue or unacceptable
risks to national security and U.S.
persons. The PRC and Russia have
adopted political, legal, and regulatory
regimes that enable their governments to
exercise direct and indirect ownership,
control, or influence over entities in the
connected vehicle supply chain. Unlike
other foreign adversaries, the PRC and
Russia also have certain current and
anticipated industrial capabilities and
expertise that uniquely position them
within the global automotive market to
pose an outsized risk, particularly when
paired with the vulnerabilities present
within certain connected vehicle
systems.
1. PRC
The PRC’s role in the U.S. connected
vehicle supply chain presents undue
and unacceptable risks. The PRC has a
large and growing automotive sector
with strong connections to non-PRC,
including U.S., automakers, providing it
potentially increased access to the U.S.
automotive market. Further, the PRC’s
automotive sector has historical and
ongoing links to the PRC military and is
influenced by pervasive government
intervention, including through legal
and regulatory structures that increase
government oversight of and control
over PRC-based companies and their
foreign subsidiaries. See Du Xiaoying
and Wang Siyi, ‘‘Dongfeng plays pivotal
role in supporting China’s military,’’
China Daily, (Sept. 25, 2015), https://
www.chinadaily.com.cn/cndy/2015-09/
25/content_21976945.htm, and Matthew
Funaiole et al., ‘‘China Accelerates
Construction of ‘Ro-Ro’ Vessels, with
Potential Military Implications,’’ Center
for Strategic and International Studies,
(Oct. 2023), https://chinapower.csis.org/
analysis/china-construct-ro-ro-vessels-military-implications/. Moreover, the
PRC possesses advanced cyber
espionage capacities that it exercises
through both state and non-state cyber
actors, exacerbating such risks.
First, the size and scale of state
control in the PRC auto sector poses
outsized risks, increasing the vectors by
which the national security threats
associated with Connected Vehicles can
enter the United States. The PRC
automotive sector has played an
important role in its domestic industrial
policy since 1986, when the sector was
first named a ‘‘pillar industry’’ in the
Seventh Five-Year Plan. The Fourteenth
Five-Year Plan, the latest strategic
framework for the PRC, continues to
prioritize the technology innovation and
sustainable development of the
automobile market, including new
energy vehicles and connected vehicle
software and hardware systems. See Ben
Murphy, ‘‘Outline of the People’s
Republic of China 14th Five-Year Plan
for National Economic and Social
Development and Long-Range
Objectives for 2035,’’ Center for Security
and Emerging Technology, (May 2021),
https://cset.georgetown.edu/wp-content/
uploads/t0284_14th_Five_Year_Plan_
EN.pdf. For many years, the state has
pursued a number of policies and
practices to further its industrial policy
objectives in the automotive sector,
including mandatory joint venture
requirements, foreign equity
restrictions, massive subsidies and other
financial support measures, and various
other preferences and discriminatory
policies and practices. The PRC
automotive sector’s growth was also led
in part by several prominent state-
owned firms that began as military
equipment suppliers (e.g., Chang’an
Automobile, Changhe, Hunan
Changfeng Motor) or have since risen to
become prominent state-owned firms
(e.g., GAC Group, Chery Automobile
Co.). See Mattias Holweg, Jianxi Luo,
and Nick Oliver, The past, present and
future of China’s automotive industry: a
value chain perspective, International
Journal of Technological Learning,
Innovation and Development 2 (Feb.
2009), https://www.pure.ed.ac.uk/ws/
portalfiles/portal/7765689/Oliver.pdf. In
recent years, this growth and
development has led to a massive surge
in domestic vehicle production, with
Chinese vehicle production increasing
by 1.5 times over the 15-year span
between 2008 and 2023. Indeed, in
2023, the PRC alone was responsible for
nearly 33 percent of global passenger
vehicle production. See VDA, Global
passenger vehicle production in 2023,
by country [Graph], (Retrieved July 23,
2024), https://www.statista.com/
statistics/277055/global-market-share-of-regions-on-auto-production/, and
OICA & Statista, China’s share in global
vehicle production from 2008 to 2021
[Graph], (Mar. 17, 2022), https://
www.statista.com/statistics/233942/
chinas-share-of-global-production-capacity-of-the-automobile-industry/.
Amid this significant growth in the
PRC’s domestic auto industry, Chinese
automakers, both state-owned and
private firms, have leveraged their
significant state-backed support,
including subsidies, to fuel a global
expansion that has seen Chinese
automakers establishing foreign
operations in countries like South
Africa, the Netherlands, Thailand,
Japan, and Brazil, among others,
increasing the risks stemming from PRC
auto manufacturing in third countries.
This expansion, combined with recent
investment announcements, has spurred
concerns that Chinese automakers may
soon seek to further expand into the
United States either through exports or
the establishment of additional
manufacturing facilities. Some PRC-based companies have announced plans
to establish manufacturing facilities in
Mexico, which could enable them to
receive favorable trade terms contained
in the U.S.-Mexico-Canada Agreement
(USMCA). Such a significant position
within the global auto sector greatly
expands the number of potential nexus
points between PRC connected vehicle
suppliers and U.S. automakers and U.S.
consumers, including indirectly through
auto manufacturers in third countries.
Second, the military linkage between
the PRC government and the automotive
sector continues to the current day with
the PRC’s military-civil fusion
strategy—which seeks to, among other
goals, exploit investment and
innovation within the PRC’s private
sector to achieve military modernization
goals—and has prioritized specific
information and communication
technologies that are integral to
connected vehicle supply chains (e.g.,
telecommunications, artificial
intelligence). See Ben Murphy, ‘‘Outline
of the People’s Republic of China 14th
Five-Year Plan for National Economic
and Social Development and Long-Range Objectives for 2035,’’ Center for
Security and Emerging Technology
(May 2021), https://
cset.georgetown.edu/wp-content/
uploads/t0284_14th_Five_Year_Plan_
EN.pdf. Strategies to achieve these goals
include mandating collaboration
between PRC-based companies and the
military and establishing public and
private firms as vectors to facilitate
technology transfer, industrial
espionage, and intellectual property
theft that would be advantageous for the
PRC military. See Office of the Dir. of
Nat’l Intelligence, Annual Threat
Assessment of the U.S. Intelligence
Community, (Feb. 6, 2023), https://
www.odni.gov/files/ODNI/documents/
assessments/ATA-2023-Unclassified-Report.pdf.
Third, even beyond military-civil
fusion, the role of the PRC government
in the auto sector has only grown as
government intervention in the market
increases, including through direct
ownership of prominent industry
participants, the purchasing of so-called
‘‘golden shares’’ to gain significant
levels of influence within otherwise
private firms, embedding Chinese
Communist Party (CCP) representatives
within corporate boards and
management, and the forceful
application, or threat thereof, of the
PRC’s expanding security laws,
including its digital era legal structure.
See Lingling Wei, ‘‘China’s New Way to
Control Its Biggest Companies: Golden
Shares,’’ Wall Street Journal (Mar.
2023), https://www.wsj.com/articles/xi-jinpings-subtle-strategy-to-control-chinas-biggest-companies-ad001a63.
Laws promulgated in recent years
provide the PRC government increased
oversight and control over PRC-based
companies and their foreign
subsidiaries, providing a lever for
influence over corporate operations that
further exacerbates the threat that the
PRC poses to U.S. national security.
These laws require PRC-based
companies, wherever located, to comply
with certain access and information
requests upon demand from the PRC,
and therefore could be used by the PRC
to obtain business or other data from
PRC-based companies involved in the
connected vehicle supply chain.
Companies operating under these laws
frequently highlight the lack of
transparency, consistency, clarity, and
predictability of the enforcement of
these laws, publicly stating that PRC
laws relating to cybersecurity, data
storage, or cryptography are not subject
to the same degree of judicial
accountability as they might be in other
jurisdictions. In particular, BIS notes the
PRC may utilize a suite of national
security laws (e.g., Counter-Espionage
Law of the People’s Republic of China
[promulgated by the Standing
Committee of the National People’s
Congress, Nov. 1, 2014, amended Apr.
26, 2023, effective July 1, 2023];
National Security Law of the People’s
Republic of China [promulgated by the
Standing Committee of the National
People’s Congress, July 1, 2015, effective
July 1, 2015]; National Intelligence Law
of the People’s Republic of China
[promulgated by the Standing
Committee of the National People’s
Congress, June 27, 2017, effective June
28, 2017, amended Apr. 27, 2018]; Anti-Terrorism Law of the People’s Republic
of China [promulgated by the Standing
Committee of the National People’s
Congress, Dec. 27, 2015, effective Jan. 1,
2016, amended Apr. 27, 2018]) to
compel companies, including those in
the connected vehicle supply chain, to
support national security efforts—which
are more broadly defined in the PRC
than in the United States—or military
agents upon request, including in some
cases through the creation of backdoors
and security vulnerabilities in products
sold abroad, and in many cases, the PRC
prohibits companies from disclosing
that such a request was made. See U.S.
Department of Homeland Security,
‘‘Data Security Business Advisory: Risks
and Considerations for Businesses Using
Data Services and Equipment from
Firms Linked to the People’s Republic
of China,’’ (Dec. 2022), https://
www.dhs.gov/sites/default/files/
publications/20_1222_data-security-business-advisory.pdf. Additionally,
PRC authorities have established a
regulatory system that effectively allows
them to stockpile cyber vulnerabilities.
Entities subject to these regulations,
including automotive systems
manufacturers, are required to report
vulnerabilities upon discovery to PRC
authorities before patching them. See
Cyberspace Administration of China,
‘‘Provisions on the Management of
Security Vulnerabilities of Network
Products,’’ (Jul. 2021), https://
www.cac.gov.cn/2021-07/13/c_
1627761607640342.htm. This
requirement drastically increases the
ability of the PRC government and PRC-backed cyber actors to take action
against the United States using
connected hardware and its associated
software by creating an accessible
library of known and potentially
unpatched vulnerabilities. And fourth,
the PRC has demonstrated a high level
of competency in cyber malfeasance.
The recent Volt Typhoon action
exemplified how PRC cyber actors pre-position themselves across U.S. critical
infrastructure and military assets in
order to, at a potential future date,
launch an attack and impede U.S.
decision making, induce social panic,
and interfere with the deployment of
U.S. military forces. See Cybersecurity
and Infrastructure Security Agency,
‘‘PRC State-Sponsored Actors
Compromise and Maintain Persistent
Access to U.S. Critical Infrastructure,’’
(Feb. 2024), https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a. A 2022 Annual Report to Congress
by the U.S.-China Economic and
Security Review Commission found that
the PRC’s ability and willingness to
‘‘weaponize’’ its own industries,
particularly its cybersecurity industry,
grants the country an asymmetric
advantage over the United States; an
argument that was further supported in
reporting earlier this year that detailed
the methods by which known
government-affiliated cyber threat
groups utilize private firms to carry out
their attacks. See U.S.-China Economic
and Security Review Commission,
‘‘2022 Annual Report to Congress,’’
(Nov. 2022), https://www.uscc.gov/sites/
default/files/2022-11/2022_Annual_
Report_to_Congress.pdf; Christian
Shepherd et al., ‘‘Leaked files from
Chinese firms show vast international
hacking efforts,’’ The Washington Post
(Feb. 22, 2024), https://
www.washingtonpost.com/world/2024/
02/21/china-hacking-leak-documents-isoon/. Additionally, a 2012 report from
United States Senate Permanent Select
Committee on Intelligence examining
the national security risks posed by the
PRC-based companies Huawei and ZTE
specifically argued that there are
numerous opportunities for PRC-based
threat actors to insert malicious
hardware or software components into
ICTS products throughout the product
development stage. See Permanent
Select Committee on Intelligence,
‘‘Investigative Report on the U.S.
National Security Issues Posed by
Chinese Telecommunications
Companies Huawei and ZTE’’ (Oct.
2012), https://intelligence.house.gov/
sites/intelligence.house.gov/files/
documents/huawei-zte%20
investigative%20report%20(final).pdf.
This risk has not diminished, as
indicated by a study of designed
vulnerabilities in products conducted
by the Georgetown Security Studies
Review, which outlines five years of
persistent insertion of malicious code by
PRC-based threat actors. See
Georgetown Security Studies Review,
‘‘Flawed by design electronics with pre-installed malware’’ (May 2018), https://
georgetownsecuritystudiesreview.org/
2018/05/23/flawed-by-design-electronics-with-pre-installed-malware/.
Given the above, the PRC’s access to the
U.S. connected vehicle supply chain
through its growing automotive sector,
military-civil fusion and other corporate
governance policies, and legal
institutions paired with its development
of mature cyber espionage capabilities
have increased the risk that the PRC
could alter the systems in, or obtain and
manipulate information to or about,
market participants who use connected
vehicle ICTS designed, developed,
manufactured, or supplied by persons
owned by, controlled by, or subject to
the jurisdiction or direction of the PRC.
2. Russia
The Russian state has prioritized the
growth of its automotive manufacturing
industry, instituted a legal and
regulatory framework to compel
company data sharing with the state,
and maintained a long history of
malicious cyber operations against the
U.S. Under these circumstances, there is
an increasing likelihood that Russia
emerges as a supplier of connected
vehicles technologies for the U.S.
market, providing the Russian
government a means of exploiting U.S.
connected vehicles. Moreover,
incorporating Russian hardware or
software into the U.S. connected vehicle
supply chain poses undue and
unacceptable risks to U.S. critical
infrastructure and U.S. persons.
First, while Russia has historically
been less active in the global automotive
sector than the PRC, the Russian
government has recently sought to
revitalize its own domestic auto
manufacturing industry following the
exodus of foreign automakers after the
imposition of significant additional
sanctions in 2022. In 2024 alone, the
Russian auto market is projected to
experience a 15 percent increase in
passenger vehicle sales, marking a noted
uptick since the market crashed
following sanctions and some Russian
auto manufacturers have continued
introducing new models even amid
broader economic headwinds. See
Reuters, ‘‘Russia’s 2024 car sales
forecast raised to 1.45 mln units, AEB
says,’’ (Jul. 2024), https://
www.reuters.com/business/autos-transportation/russias-2024-car-sales-forecast-raised-145-mln-units-aeb-says-2024-07-03. The void left by many
foreign firms has made Russia a
valuable export market for Chinese auto
manufacturers seeking to expand their
presence globally with some Chinese
auto brands seizing significant market
share from Russian competitors
accounting for almost 56 percent of
domestic auto sales in August 2023. See
Gleb Stolyarov and Alexander Marrow,
‘‘Exclusive: Chinese car sales boom in
Russia levels off amid shaky local
recovery,’’ Reuters (Nov. 2023), https://
www.reuters.com/business/autos-transportation/chinese-car-sales-boom-russia-levels-off-amid-shaky-local-recovery-2023-11-24/. In Russia, the
revitalization of the domestic economy,
in particular the domestic auto sector,
has become a key focus of the
government since the imposition of
sanctions in recent years. The Russian
government has released several plans
pointing to a prioritization of the
development of its domestic automotive
market with a particular focus on
research and development for new
technology, including autonomous
vehicles and V2X vehicle connectivity
systems. See Russian Federation, Order
of the Government of the Russian
Federation of December 28, 2022 No.
4261–r On Approval of the Strategy for
the Development of the Automotive
Industry of the Russian Federation until
2035 (Jan. 4, 2023), https://
www.garant.ru/products/ipo/prime/doc/
405963861/#1000, and Russian
Federation, Order of the Government of
the Russian Federation of August 23,
2021 No. 2290–r On Approval of the
Concept for the Development of Electric
Vehicle Production and the Transport
Strategy of 2030, (2023), https://static.
government.ru/media/files/
bW9wGZ2rDs3BkeZHf7ZsaxnlbJzQ
bJJt.pdf. The development of these
interlocking national transportation and
automotive industry strategies involved
stakeholders from domestic automakers,
technology sectors, and the Russian
government, illustrating a coordinated
effort across the Russian state and its
domestic automotive industry. In order
to extend the reach of the state into the
Russian auto industry, in February
2024, Russia established a state-owned
corporation named Rosavto that will act
as liaison between government and
industry and will develop production
plans for vehicles and automotive spare
parts, oversee the development of new
models and technologies, and manage
order distribution, legislative initiatives,
and workforce training. See Eugene
Gerden, ‘‘New State Corporation to
Oversee Russian Auto Industry,’’ Wards
Auto (Feb. 2024), https://
www.wardsauto.com/regulatory/new-state-corporation-to-oversee-russian-auto-industry. Concerted efforts by the
Russian government to grow the
domestic Russian automotive industry
increase the likelihood that Russian-manufactured VCS hardware or covered
software will enter the U.S. connected
vehicle supply chain, which, as
described below, would present an
undue or unacceptable risk to U.S.
national security.
Second, like the PRC, the Russian
government employs a suite of laws that
enable it to compel domestic companies
with overseas operations to provide data
gleaned through foreign ventures or to
surrender similar operational assets to
the Russian state. These laws (e.g.,
Russian Law Federal Security Service
No. 40–FZ, ‘‘Operational-Investigative
Activity’’ No. 144–FZ, 2014 Amdt. to
No. 97–FZ) provide the Russian
government direct control over Russian
corporations’ activities and facilities,
including data or customer information,
and mandate that companies cooperate
with assisting counterintelligence
actions as requested by the state,
including the Federal Security Service
of the Russian Federation (FSB). The
FSB can, in some cases, mandate that
companies allow the FSB to install
equipment on their infrastructure or
collect data. Firms that are required to
facilitate this surveillance or intrusion
activity can also be required to actively
obfuscate such requests and must
provide the state with any information
essential to the decryption of any
communications captured. Together,
these laws enable the Russian state to
collect and exploit sensitive data on or
about U.S. persons via Russian
businesses and, should Russian
companies become more prominent in
the connected vehicle supply chain,
create a pathway by which the Russian
government could secure wide-ranging
access to the vast amounts of data
collected and processed by Connected
Vehicles in the United States. See
Internet Governance, ‘‘Report of Peter B.
Maggs,’’ (Dec. 2017), https://
www.internetgovernance.org/wp-content/uploads/12-7-Exhibit-AR-Part-6-Maggs-report.pdf. Public reports have
consistently raised concerns about
Russian government laws concerning
data collection, citing a lack of
appropriate safeguards to prevent
misuse, to include judicial or public
oversight. More broadly, reports have
repeatedly documented the uneven
application of the rule of law, lack of
judicial accountability, recurrent
violations of judicial proceedings, and
challenges with judicial independence.
See Justin Sherman, ‘‘Russia is
weaponizing its data laws against
foreign organizations,’’ Brookings, (Sept.
2022), https://www.brookings.edu/
articles/russia-is-weaponizing-its-data-laws-against-foreign-organizations/;
Evgeni Moyakine and A. Tabachnik,
‘‘Struggling to strike the right balance
between interests at stake: The
‘Yarovaya’, ‘Fake news’ and ‘Disrespect’
laws as examples of ill-conceived
legislation in the age of modern
technology,’’ Computer Law & Security
Review 40, (Apr. 2021), https://
www.sciencedirect.com/science/article/
pii/S0267364920301175.
Third, apart from the access codified
in Russia’s legal framework, the country
has a longstanding pattern of utilizing
cyber operations to gain illicit access to
systems that advance the strategic ends
of Russian authorities. For example, in
December 2020 the company
SolarWinds announced it was the target
of a two-year-long cyber operation
perpetrated by Russian hackers in the
Russian Foreign Intelligence Services
(SVR). See U.S. Securities and Exchange
Commission, ‘‘SEC Charges SolarWinds
and Chief Information Security Officer
with Fraud, Internal Control Failures,’’
(Oct. 2023), https://www.sec.gov/
newsroom/press-releases/2023-227. The
perpetrators of the SolarWinds supply
chain attack used a software update to
deliver their malware to the platform’s
users after Russian intelligence services
obtained covert access to the computer
systems on which the platform was
installed and ultimately impacted more
than 18,000 users, including more than
100 companies and nine U.S.
Government agencies. This attack
credibly demonstrates how Russian
actors can infiltrate global enterprise
systems via software updates and
exemplifies how they could similarly
leverage software as a means to exploit
connected vehicles in the United States.
Additionally, a 2023 Cyber Security
Advisory suggests that exploitation of
information technology firms and their
software will continue to be a persistent
tactic leveraged by the Russian
government to collect intelligence. See
Joint Cyber Security Advisory, ‘‘Russian
Foreign Intelligence Service (SVR)
Exploiting JetBrains TeamCity CVE
Globally’’ (Dec. 2023), https://
www.cisa.gov/news-events/
cybersecurity-advisories/aa23-347a. BIS
has further identified Kaspersky Lab as
an example of how Russia has leveraged
software companies to give it the ability
to collect and weaponize the personal
information of Americans. See Bureau
of Industry and Security, ‘‘Final
Determination: Case No. ICTS–2021–
002, Kaspersky Lab, Inc.’’ (Jun. 2024),
https://www.federalregister.gov/
documents/2024/06/24/2024-13532/
final-determination-case-no-icts-2021-002-kaspersky-lab-inc. These political,
legal, and regulatory frameworks,
combined with the PRC’s and Russia’s
demonstrated capability to exploit ICTS
supply chains through malicious cyber
activity, exacerbate BIS’s concern that
the threats posed by these foreign
adversaries could be directed at the U.S.
connected vehicle supply chain,
including integral systems such as VCS
and ADS. The persistent connectivity
and software-driven capabilities of VCS
and ADS, combined with the vast
amounts of data that traverse these
systems, make them valuable and likely
targets for the PRC and Russian
governments to compromise.
c. Consequences
Taken together, VCS and ADS
designed, developed, manufactured, or
supplied by persons under the
ownership, control, jurisdiction, or
direction of the PRC or Russia manifest
undue and unacceptable risks to United
States national security in several ways.
If left unaddressed, the interaction of
threats and vulnerabilities could result
in the exfiltration of sensitive U.S.
persons’ data to foreign adversaries or
the remote or automated manipulation
of Connected Vehicles by the PRC and
Russia, among other concerns.
First, the integration of compromised
VCS or ADS into a completed vehicle
could undermine the reliability of a
connected vehicle or its underlying
control systems. Compromised
components in VCS or ADS could result
in increased frequency and severity of
connected vehicle malfunctions that
could in turn detrimentally impact U.S.
national security, including the
resiliency of U.S. critical infrastructure,
or the safety of U.S. persons.
Given the persistent connectivity of
VCS and ADS and the essential
functions that they service in the
operation of Connected Vehicles, these
systems, if compromised and co-opted
by an adversary, could serve as a node
through which a foreign actor could
probe or breach broader ICTS systems
within the United States. According to
research by Upstream, remote malicious
cyber activities—which rely on network
connectivity (e.g., Wi-Fi, Bluetooth, 3/4/
5G networks)—have increased
significantly in recent years and
consistently outnumber malicious cyber
activities carried out through physical
access to devices since at least 2010,
accounting for 95 percent of all
malicious cyber activities in 2023. See
Upstream, Upstream’s 2024 Global
Automotive Cybersecurity Report (2024),
https://upstream.auto/reports/global-automotive-cybersecurity-report/.
Considering the increasingly
sophisticated methodologies employed
by foreign adversaries to gain access to
critical U.S. cyber infrastructure,
compromised VCS and ADS, with their
inherent connectivity, would easily
present another attack surface for
foreign adversaries to exploit. As
detailed in the previous analysis of
vulnerabilities inherent in VCS,
adversaries with access to VCS, such as
to telematics systems, could inject
malicious code into a vehicle’s
operational systems. Additionally, such
malware could be developed in such a
way as to exploit vehicle connectivity to
propagate itself across multiple systems
as the vehicle travels and connects to
those discrete systems. In this way, not
only would the ICTS integral to
Connected Vehicles be compromised,
but vehicle systems could be exploited
to spread malware with the intent of
harming all ICTS systems to which a
vehicle connects. See Anastasios
Giannaros, et al. ‘‘Autonomous
Vehicles: Sophisticated Attacks, Safety
Issues, Challenges, Open Topics,
Blockchain and Future Directions,’’
Journal of Cybersecurity and Privacy 3.3
(2023).
Second, as discussed, both VCS and
ADS have significant control over and
access to critical vehicle functions,
including steering, braking, speed
control, ignition, and almost all other
mechanical functions of the vehicle.
Such extensive control over vehicle
operations could enable a foreign
adversary to use a compromised VCS or
ADS component to hamper vehicle
functions or even to manipulate a
connected vehicle for malicious
purposes. As VCS and ADS control or
link to integral vehicle functions, a
foreign adversary could even exploit
compromised VCS or ADS components
to impair or disable a connected vehicle
while in transit. Disabled, impaired, or
otherwise improperly functioning
vehicles could result in grave damage or
impediment to critical infrastructure
within the United States, or in physical
harm to U.S. persons. A disabled,
impaired, or erratically functioning
Connected Vehicle, or potentially
multiple Connected Vehicles all
experiencing such problems
simultaneously, could result not only in
traffic patterns that would effectively
block critical transportation arteries, but
could cause collisions ultimately
damaging transportation features (e.g.,
roadways, bridges, tunnels) and energy,
telecommunications, and similar
infrastructure situated near
transportation systems. The potential
consequences of widespread connected
vehicle impairment could be
particularly acute if the targets were
fleet vehicles operating in support of
infrastructure vital to transportation,
energy, water, waste,
telecommunications, and other essential
services.
The risks to the resiliency of critical
U.S. infrastructure posed by connected
vehicle components designed,
developed, manufactured, or supplied
by persons that are owned by,
controlled by, or subject to the
jurisdiction or direction of the PRC or
Russia are further compounded by the
potential for VCS and ADS to collect
data on infrastructure. Advances in VCS
and ADS necessitate increasingly
cutting-edge sensor suites incorporating
radar, LiDAR, camera, sonar, and
computer vision to gather information
on the surrounding environment for
both onboard computing and remote
cloud computing to process data in
informing vehicle operating decisions.
This vast wealth of data, collected over
time by multiple vehicles likely
contains valuable information such as
location data about critical U.S.
infrastructure. For example, data
gathered from GPS/GNSS systems in a
connected vehicle could be cross-referenced and collated with a
multitude of other data to produce
information about the location,
function, and operational trends of
various transportation, energy, or other
critical infrastructure. A foreign
adversary could extract such critical
infrastructure data using its control over
designers, developers, manufacturers, or
suppliers of VCS and ADS components
subject to the foreign adversary’s
ownership, control, jurisdiction, or
direction, thereby increasing the risk
and precision of attacks on such critical
infrastructure.
Finally, given the volume of
information collected by vehicles to
support VCS and ADS operation,
exploitation of these systems could
enable an adversary to cull a
tremendous amount of data on vehicle
movement across the United States.
This information could potentially
include data generated on or from fleet
vehicles used by emergency response,
law enforcement, or the military. This
data, and particularly all metadata and
derived data that can be drawn from the
raw data, can provide considerable
insight into fleet size, composition, and
capabilities, as well as information on
organizational response times and
response procedures. Such information
would prove valuable to an adversary
seeking to disrupt U.S. emergency
response operations. Any potential risks
to U.S. national security arising from
disrupting emergency response
activities are further compounded by
the potential for an adversary to exploit
access to VCS and ADS to leverage the
persistent connectivity required for
malign operations, including exploits to
trigger improper engine shutdown,
brake activation, or electrical system
deactivation. Any of these actions have
serious consequences for U.S. persons’
health and safety. The PRC or Russia
could use similar methods to target U.S.
persons other than institutions, thereby
imperiling the safety and security of
individual U.S. citizens or residents.
VCS and ADS, if corrupted by the
producer at the direction of a foreign
adversary, could improperly access
driver mobile devices to collect,
exfiltrate, and exploit personally
identifiable information (PII) or even
protected health information (PHI). It is
also possible that a foreign adversary
could use covert access to VCS and ADS
to provide false or misleading
information to a driver, causing
degraded and dangerous vehicle
operation conditions. Such tactics could
be used either indiscriminately to sow
panic and cause disruption, or to
intentionally target specific drivers.
Additionally, and as noted by the Office
of the Director of National Intelligence
in the 2024 National
Counterintelligence Strategy, foreign
adversaries, like the PRC and Russia,
view this kind of PII and PHI as
particularly valuable as it provides them
‘‘not only economic and R&D benefits,
but also useful [counterintelligence]
information, as hostile intelligence
services can use vulnerabilities gleaned
from such data to target and blackmail
individuals.’’ See The Director of Nat’l
Intelligence, 2024 National
Counterintelligence Strategy (Aug.
2024), https://www.dni.gov/files/NCSC/
documents/features/NCSC_CI_Strategy-pages-20240730.pdf.
Even when such systems are not
subject to compromise, companies
owned by, controlled by, or subject to
the jurisdiction or direction of a foreign
adversary, if occupying certain positions
within the supply chain, may
potentially legally gain access to their
users’ personal data. For example, one
prominent Chinese auto manufacturer
with operations in the United States
publicly states in its U.S. privacy policy
that the personal data it may collect
(e.g., identifiers, customer records
information, internet or other electronic
network activity information,
geolocation information, professional or
employment-related information) is
only stored in the United States ‘‘in
principle,’’ but goes on to note that
personal data ‘‘may be transferred to our
headquarters in China’’ for processing
and storage. While the incorporation in
the U.S. supply chain of VCS hardware
and covered software designed,
developed, manufactured, or supplied
by persons owned by, controlled by, or
subject to the jurisdiction or direction of
the PRC or Russia poses one type of risk,
transactions involving VCS hardware
and covered software pose a separate
risk when the connected vehicle
manufacturer is, itself, owned by,
controlled by, or subject to the
jurisdiction or direction of the PRC or
Russia, even when the connected
vehicle manufacturer is located in the
United States. Connected vehicle
manufacturers have privileged and
direct access to all systems in the
vehicle, including the VCS hardware
and covered software. Not only are VCS
hardware and covered software built to
the connected vehicle manufacturers’
specifications, but prior to the sale of a
completed connected vehicle,
connected vehicle manufacturers are
able to exercise significant levels of
control over that VCS hardware and
covered software with little to no
external oversight. Based on
the foregoing, BIS assesses that ICTS
transactions involving VCS hardware or
covered software designed, developed,
manufactured, or supplied by persons
owned or controlled by, or subject to the
jurisdiction or direction of the PRC or
Russia—including transactions to
supply the VCS hardware or covered
software into the United States market
as part of the sale of the completed
connected vehicle—present undue or
unacceptable risks to the national
security of the United States within the
meaning of E.O. 13873. BIS welcomes
comment on the vulnerabilities and
risks it has identified.
V. Discussion of the Proposed Rule and
Request for Comments
BIS proposes a regulation that
would—absent a general or specific
authorization otherwise—(1) prohibit
VCS hardware importers from
knowingly importing into the United
States certain hardware for VCS; (2)
prohibit connected vehicle
manufacturers from knowingly
importing into the United States
completed connected vehicles
incorporating covered software; (3)
prohibit connected vehicle
manufacturers from knowingly selling
within the United States completed
connected vehicles that incorporate
covered software; and (4) prohibit
connected vehicle manufacturers who
are persons owned by, controlled by, or
subject to the jurisdiction or direction of
the PRC or Russia from knowingly
selling in the United States completed
connected vehicles that incorporate VCS
hardware or covered software
(collectively, ‘‘Prohibited
Transactions’’). These prohibitions
would apply to transactions when such
VCS hardware or covered software is
designed, developed, manufactured, or
supplied by persons owned by,
controlled by, or subject to the
jurisdiction or direction of the PRC or
Russia.
BIS anticipates that this rule would
primarily impact market participants
who could be considered VCS Hardware
Importers or connected vehicle
manufacturers, such as OEMs and
importers of completed connected
vehicles, as well as Tier 1 and Tier 2
suppliers of VCS Hardware. For these
entities, three compliance
mechanisms—Declarations of
Conformity, general authorizations, and
specific authorizations—are available,
depending on whether the VCS
hardware importer or connected vehicle
manufacturer wishes to engage in an
otherwise prohibited transaction.
Importantly, because VCS hardware
importers and connected vehicle
manufacturers frequently offer many
different types of products, any one of
the three mechanisms may not be
available for their entire business.
Rather, depending on the product, VCS
hardware importers and connected
vehicle manufacturers could be required
to use a combination of these three
mechanisms to meet their obligations
under the rule.
First, Declarations of Conformity
would have to be submitted to BIS by
VCS hardware importers and connected
vehicle manufacturers who have not
engaged in a prohibited transaction,
unless otherwise specified. Such VCS
hardware importers and connected
vehicle manufacturers would, in this
Declaration of Conformity, certify, once
per calendar year or model year (or
whenever material changes occur) to
BIS that the submitter has not engaged
in a prohibited transaction and provide
certain information on the import of
VCS hardware and/or the import or sale
of completed connected vehicles.
Second, a general authorization could
be available for VCS hardware importers
and/or connected vehicle manufacturers
seeking to engage in an otherwise
prohibited transaction, depending on
the circumstances. A general
authorization would allow the VCS
hardware Importer and/or connected
vehicle manufacturer to engage in the
otherwise prohibited transaction,
without the need to notify or seek
approval from BIS. General
authorizations would be available only
in a narrow set of circumstances in
which the conditions of the otherwise
prohibited transaction appropriately
mitigate the level of risk associated with
the particular transaction. Such
conditions would include, for example,
when VCS hardware is imported from
the PRC or Russia solely for testing
purposes, or where the completed
connected vehicle that incorporates VCS
hardware or covered software from the
PRC or Russia will be driven on public
roads for fewer than 30 calendar days
per year. Those availing themselves of a
general authorization would be required
to continuously monitor their use of the
VCS hardware or completed connected
vehicles covered by the General
Authorization to ensure the
authorization still applies. If a change
would render the transaction ineligible
for a general authorization, such as a
change in the vehicle’s use, the VCS
hardware importer or connected vehicle
manufacturer would be required to
apply for a specific authorization and to
cease engaging in such transaction
unless and until a Specific
Authorization is granted. For example,
if a completed connected vehicle that
incorporates covered software or VCS
Hardware that is designed, developed,
manufactured, or supplied by a person
owned by, controlled by, or subject to
the jurisdiction or direction of the PRC
or Russia is no longer used solely for
display, research, or testing, the VCS
hardware importer or the connected
vehicle manufacturer would be required
to seek a specific authorization.
Similarly, if the VCS Hardware Importer
or connected vehicle manufacturer
meets or exceeds total model year
production of 1,000 units, or if a
completed connected vehicle that
incorporates covered software or VCS
hardware that is designed, developed,
manufactured, or supplied by a person
owned by, controlled by, or subject to
the jurisdiction or direction of the PRC
or Russia is to be used on public
roadways for 30 or more days in any
calendar year, the VCS hardware
importer or connected vehicle
manufacturer would be required to seek
a specific authorization from BIS.
Lastly, for VCS hardware importers
and connected vehicle manufacturers
who wish to engage in a prohibited
transaction, but do not otherwise qualify
for a general authorization, a specific
authorization from BIS would be
required before they could proceed with
the prohibited transaction. A specific
authorization would only be available in
circumstances where BIS determines,
based on the information submitted by
the applicant and other collected
information, that the otherwise
prohibited transaction does not present
an undue or unacceptable risk to U.S.
national security. However, as a
condition of approving the specific
authorization, BIS might impose certain
requirements and mitigation measures
upon the VCS hardware importers and
connected vehicles manufacturers
seeking to proceed with the prohibited
transaction.
VCS hardware importers and
connected vehicle manufacturers could
appeal to the Under Secretary for
Industry and Security (Under Secretary)
any decision by BIS to deny an
application for a Specific Authorization,
suspend or revoke a previously granted
specific authorization, or issue a written
notification that a VCS hardware
importer or connected vehicle
manufacturer is ineligible for a general
authorization. Further, the regulation
would establish a method for VCS
hardware importers and connected
vehicle Manufacturers to seek guidance
from BIS, in the form of advisory
opinions, on prospective transactions
that may be prohibited. BIS also
proposes to establish a process through
which BIS may inform VCS hardware
importers or connected vehicle
manufacturers that certain of their
activities could constitute a prohibited
transaction.
In proposing this rule, BIS recognizes
that Section 203(b) of IEEPA—i.e., the
‘‘Berman Amendment’’—limits the
scope of the authority to regulate or
prohibit transactions relating to
‘‘information’’ or ‘‘informational
materials.’’ In relevant part, the Berman
Amendment states that the ‘‘authority
granted to the President by this section
does not include the authority to
regulate or prohibit, directly or
indirectly . . . the importation from any
country, or the exportation to any
country, whether commercial or
otherwise, regardless of format or
medium of transmission, of any
information or informational materials,
including but not limited to,
publications, films, posters, phonograph
records, photographs, microfilms,
microfiche, tapes, compact disks, CD
ROMs, artworks, and newswire feeds.’’
50 U.S.C. 1702(b)(3). Consistent with
the statute’s text and purpose, as
demonstrated by legislative history and
context, as well as judicial
interpretations, BIS understands the
phrase ‘‘information or informational
materials’’ to refer to expressive
materials and mediums that may be
carrying such expressive content. See,
e.g., United States v. Amirnazmi, 645
F.3d 564, 586–87 (3d Cir. 2011).
Accordingly, the Berman Amendment
prevents BIS from regulating, directly or
indirectly, the import or export of
expressive materials. It does not,
however, prevent BIS from imposing a
regulation that is aimed at the
functional capabilities of technology.
The proposed rule is consistent with
the Berman Amendment. Its purpose is
to regulate transactions involving
certain hardware and software based on
functional capabilities that can be
exploited by foreign adversaries, not the
exchange of ideas and expression that
the Berman Amendment protects. As
discussed in Section IV, VCS hardware
and covered software process and
transmit data such as geolocation
information or systems diagnostics
reports, which are used to monitor and
control the vehicle’s safe operation and
which a foreign adversary could also
manipulate in ways that could impair or
disable the vehicle’s function, leading to
dangerous outcomes that pose a harm to
U.S. national security. Similarly, the
functional data collected by Covered
Software—such as high-definition
mapping data of infrastructure and
roadways—would pose serious risks to
that critical infrastructure if collected
and exploited by a foreign adversary. As
a result, BIS has determined that the
proposed prohibitions in this rule are
consistent with the Berman
Amendment, which was intended to
protect materials involving the free
exchange of ideas from regulation under
IEEPA. BIS is considering whether and
how to address the term ‘‘information or
informational materials’’ within the
context of the proposed rule and may
consider further changes to the final
rule to reflect our interpretation of this
term. BIS welcomes comment on this
issue.
Each section of the proposed rule is
discussed below. BIS invites comments
on all aspects of this proposed rule.
a. Definitions
1. Automated Driving System (ADS)
BIS proposes to define ‘‘Automated
Driving System’’ to mean hardware and
software that, collectively, are capable
of performing the entire dynamic
driving task for a completed connected
vehicle on a sustained basis, regardless
of whether it is limited to a specific
ODD. This definition is consistent with
the terminology industry uses for
systems that operate at certain advanced
levels of autonomy. It is also consistent
with definitions issued by NHTSA.
Specifically, this definition corresponds
to automation levels 3, 4, and 5 as
defined by SAE International standard
J3016.
2. Completed Connected Vehicle
BIS proposes to define ‘‘completed
connected vehicle’’ to mean a connected
vehicle that requires no further
manufacturing operations to perform its
intended function. This definition is
consistent with definitions issued by
NHTSA. Additionally, for the purposes
of this proposed definition, the
integration of an ADS into a connected
vehicle constitutes a manufacturing
operation for a Completed Connected
Vehicle. BIS intends this caveat to
clarify that a person owned by,
controlled by, or subject to the
jurisdiction or direction of the PRC or
Russia, whose sole manufacturing or
assembly operation is integrating ADS
into an otherwise Completed Connected
Vehicle, would be subject to the
prohibitions in the rule and would need
to obtain a Specific Authorization before
importing or Selling that completed
connected vehicle in the United States.
3. Connected Vehicle
BIS proposes to define ‘‘connected
vehicle’’ to mean a vehicle driven or
drawn by mechanical power and
manufactured primarily for use on
public streets, roads, and highways, that
integrates onboard networked hardware
with automotive software systems to
communicate via dedicated short-range
communication, cellular
telecommunications connectivity,
satellite communication, or other
wireless spectrum connectivity with any
other network or device. Vehicles
operated only on a rail line are not
included in this definition. This
definition incorporates the suggestions
of commenters to the ANPRM, many of
whom requested that the definition of
connected vehicle specify the types of
vehicles that would be covered.
4. Connected Vehicle Manufacturer
BIS proposes to define ‘‘connected
vehicle manufacturer’’ to mean a U.S.
person (1) manufacturing or assembling
completed connected vehicles in the
United States; and/or (2) importing
completed connected vehicles for Sale
in the United States.
5. Covered Software
BIS proposes to define ‘‘covered
software’’ to mean the software-based
components, in which there is a foreign
interest, executed by the primary
processing unit of the respective
systems that are part of an item that
supports the function of VCS or ADS at
the vehicle level. Covered software does
not include firmware, which is
characterized as software specifically
programmed for a hardware device with
a primary purpose of controlling,
configuring, and communicating with
that hardware device. At a minimum,
this definition of covered software
would include operating systems such
as a real-time operating system (RTOS),
and general-purpose operating systems.
An example of covered software within
the ADS is, if included in the system,
the machine learning software that
performs the functions of object
detection, classification, and decision
making.
Covered software does not include
open-source software. BIS understands
open-source software as software that
can be freely used, modified, and
distributed by anyone, with both access
to the source code and the ability to
contribute to the software’s
development and improvement. Given
these qualities of open-source software,
it is not designed, developed,
manufactured, or supplied by any
attributable entity. Therefore, the
inclusion of open-source software as a
component of covered software is not
subject to prohibition. However, if
licensed open-source software is
modified to create proprietary enterprise
software for a specific use not meant for
redistribution, the resulting software
could be subject to prohibition if the
person modifying the open-source
software is owned by, controlled by, or
subject to the jurisdiction or direction of
the PRC or Russia. In addition to other
aspects of this proposed rule, BIS
specifically seeks comment on this
definition.
6. FCC ID Number
BIS proposes to define ‘‘FCC ID
Number’’ as the unique alphanumeric
code identifying a product subject to
certification by the Federal
Communications Commission (FCC)
composed of a (1) grantee code and (2)
product code.
7. Foreign Interest
For the purposes of this rule, BIS is
considering ‘‘foreign interest,’’ when
used with respect to property, as any
interest in property, of any nature
whatsoever, whether direct or indirect,
by a non-U.S. person. Under this
definition, a foreign interest can
include, but is not limited to, an interest
through ownership, intellectual
property, contract—e.g., ongoing supply
commitments such as maintenance, any
license agreement related to the use of
intellectual property—profit-sharing or
fee arrangement, as well as any other
cognizable interest. This definition is
consistent with the definition of
‘‘interest’’ used in the context of Office
of Foreign Asset Control sanctions,
which are, in relevant part, also
established pursuant to the statutory
requirements of IEEPA. See 31 CFR
Chapter V, and, e.g., 31 CFR 510.313,
535.312.
Consistent with IEEPA, BIS proposes
to regulate only transactions involving
property in which a foreign country or
national thereof has any such interest. A
transaction would be subject to the
prohibitions in the proposed rule only
if it involves ICTS, specifically VCS
hardware or covered software, that is
designed, developed, manufactured, or
supplied by a person owned by,
controlled by, or subject to the
jurisdiction or direction of the PRC or
Russia. VCS hardware importers and
connected vehicle manufacturers
wishing to engage in transactions that
this rule proposes to prohibit would
need to qualify for a general
authorization or obtain a specific
authorization. In order to provide
sufficient visibility into the supply
chains of VCS Hardware and covered
software including to verify that the
transaction does not involve VCS
Hardware or covered software that is
designed, developed, manufactured, or
supplied by a person owned by,
controlled by, or subject to the
jurisdiction or direction of the PRC or
Russia (see Section V(c) of this notice
and proposed Section 791.305), BIS is
proposing to require that VCS hardware
importers and connected vehicle
manufacturers that import VCS
hardware, or import or sell completed
connected vehicles that contain covered
software in which there is any other
foreign interest, submit an annual
Declaration of Conformity containing
relevant details about the import or
Sale. BIS seeks comment on this
regulatory approach, including the
necessity and efficacy of requiring
Declarations of Conformity with respect
to VCS hardware and covered software
in which there is a foreign interest,
though not a foreign adversary interest.
BIS also seeks comment on the
availability and efficacy of any
alternative approach that would require
a narrower set of VCS hardware
importers and completed connected
vehicle manufacturers to submit
Declarations of Conformity, while still
achieving the goals of the Declaration of
Conformity requirement and addressing
the declared emergency under Executive
Order 13873.
With respect to VCS hardware that is
designed, developed, manufactured, or
supplied by a person owned by,
controlled by, or subject to the
jurisdiction or direction of the PRC or
Russia, BIS proposes to regulate the
importation of VCS hardware, making
VCS hardware importers responsible for
compliance.
With respect to Covered Software,
based on discussions with connected
vehicle manufacturers, automotive
suppliers, and other stakeholders, BIS
has come to understand that typically,
ADS and VCS software are designed or
developed to a connected vehicle
manufacturer’s specifications. ADS and
VCS software is frequently designed,
developed, or supplied by foreign
persons, and those persons frequently
retain a legally cognizable interest in the
underlying software, even after it has
been integrated into the connected
vehicle. For example, foreign software
developers may earn profits from use of
their software; retain data access and
sharing rights to the software; or have
obligations to maintain and update the
software. Such arrangements are among
the types of interests that BIS
contemplates as giving rise to an
obligation to submit a Declaration of
Conformity or, if the software designer,
developer, or supplier is a person
owned by, controlled by, or subject to
the jurisdiction or direction of a foreign
adversary, to qualify for a General
Authorization or seek a Specific
Authorization under the proposed rule.
BIS therefore proposes to regulate
covered software by regulating the
importation or sale of completed
connected vehicles, making connected
vehicle Manufacturers responsible for
compliance. BIS seeks comment on this
understanding of foreign interests in
covered software as well as other
arrangements in which foreign
designers, developers, or suppliers of
covered software retain a cognizable
legal interest in the software after it is
integrated into a connected vehicle.
Finally, in addition to the general
regulations related to VCS hardware and
covered software described above, with
respect to connected vehicle
manufacturers who are owned by,
controlled by, or subject to the
jurisdiction or direction of the PRC or
Russia, BIS additionally proposes to
regulate VCS hardware and covered
software by regulating the sale of
completed connected vehicles that
incorporate VCS hardware or covered
software. In this circumstance, BIS
understands from extensive engagement
with connected vehicle manufacturers
and automotive suppliers that persons
who own, control, or direct the
operations of the connected vehicle
manufacturer would maintain an
interest in the vehicle transactions that
the connected vehicle manufacturer
carries out. For example, this could
include, but is not limited to, profit
sharing agreements between a parent
company and its U.S. subsidiary, or data
sharing agreements between the same.
BIS understands this to be standard for
the automotive industry and would
welcome comments on this issue.
Additionally, because the PRC and
Russian legal regimes discussed in
Section IV of this notice could compel
a PRC or Russia-based parent company
of a connected vehicle manufacturer to
provide those governments with
information on or access to the
operations of the U.S.-based connected
vehicle manufacturer, BIS understands
that the foreign parent company
typically retains a legal right to access
the data collected by the U.S.
subsidiary, representing a foreign
interest in that U.S. subsidiary and its
connected vehicle sales.
BIS seeks comment on the nature of
foreign interests in transactions related
to the connected vehicle supply chain,
including as described in the
prohibitions outlined herein. BIS also
seeks comment as to its understanding
of the nature and presence of a Foreign
Interest in property subject to the
prohibitions described above, as well as
whether there are other types of
transactions that would involve Foreign
Interests, as described above.
8. Hardware Bill of Materials
BIS proposes to define ‘‘Hardware Bill
of Materials’’ or HBOM as a
comprehensive list of parts, assemblies,
documents, drawings, and components
required to create a physical product.
This term includes information
identifying the manufacturer, related
firmware, technical information, and
descriptive information.
9. Import
BIS proposes to define ‘‘import’’ to
mean, with respect to any article, the
entry of such article into the United
States Customs Territory. It does not
include admission of an article from
outside the United States into a foreign-trade zone for storage pending further
assembly in the foreign-trade zone, or
shipment to a foreign country. This
definition only applies to subpart D of
15 CFR part 791.
10. Item
BIS proposes to define ‘‘item’’ as a
component or set of components with a
specific function at the vehicle level. A
system may also be considered an item
if it implements a function. This
definition is consistent with ISO/SAE
Standard 21434.
11. Knowingly
BIS proposes to define ‘‘knowingly’’
to have the same meaning given to
‘‘knowledge’’ in the Export
Administration Regulations (15 CFR
772.1). Knowledge of a circumstance
(the term may be a variant, such as
‘‘know,’’ ‘‘reason to know,’’ or ‘‘reason
to believe’’) includes not only positive
knowledge that the circumstance exists
or is substantially certain to occur, but
also an awareness of a high probability
of its existence or future occurrence.
Such awareness is inferred from
evidence of the conscious disregard of
facts known to a person and is also
inferred from a person’s willful
avoidance of facts.
12. Model Year
Consistent with the definition used by
NHTSA, BIS proposes to define ‘‘model
year’’ as the year used to designate a
discrete vehicle model, irrespective of
the calendar year in which the vehicle
was actually produced, provided that
the production period does not exceed
24 months. Throughout this proposed
rule, BIS refers to both calendar year
and model year when referring to the
import of VCS Hardware, particularly
for the submission of Declarations of
Conformity (791.305) and the
implementation timeline (791.308
(Exemptions)). BIS generally
understands that most VCS hardware is
imported into the United States already
destined for a known, specific model
year of vehicle. BIS also understands
that some VCS hardware units may be
imported without being associated with
a specific vehicle model year. As such,
the proposed rule provides separate
timelines for each of these cases to
accommodate business timelines for
VCS hardware importers. BIS is
particularly interested in comment on
this approach.
13. Person Owned by, Controlled by, or
Subject to the Jurisdiction or Direction
of a Foreign Adversary
BIS proposes to define ‘‘person owned
by, controlled by, or subject to the
jurisdiction or direction of a foreign
adversary’’ to mean, (a) any person,
wherever located, who acts as an agent,
representative, or employee, or any
person who acts in any other capacity
at the order, request, or under the
direction or control, of a foreign
adversary or of a person whose activities
are directly or indirectly supervised,
directed, controlled, financed, or
subsidized in whole or in majority part
by a foreign adversary; (b) any person,
wherever located, who is a citizen or
resident of a foreign adversary or a
country controlled by a foreign
adversary, and is not a United States
citizen or permanent resident of the
United States; (c) any corporation,
partnership, association, or other
organization with a principal place of
business in, headquartered in,
incorporated in, or otherwise organized
under the laws of a foreign adversary or
a country controlled by a foreign
adversary; or (d) any corporation,
partnership, association, or other
organization, wherever organized or
doing business, that is owned or
controlled by a foreign adversary, to
include circumstances in which any
person identified in paragraphs (a)
through (c) possesses the power, direct
or indirect, whether or not exercised,
through the ownership of a majority or
a dominant minority of the total
outstanding voting interest in an entity,
board representation, proxy voting, a
special share, contractual arrangements,
formal or informal arrangements to act
in concert, or other means, to determine,
direct, or decide important matters
affecting an entity.
14. Prohibited Transactions
BIS proposes to define ‘‘prohibited
transactions’’ as, collectively, the
transactions described in §§ 791.302
(Prohibited VCS hardware transactions),
791.303 (Prohibited covered software
transactions), or 791.304 (Related
prohibited transactions). The term
prohibited transactions refers to the
prohibitions on the knowing import of
VCS hardware into the United States
that is designed, developed,
manufactured, or supplied by persons
owned by, controlled by, or subject to
the jurisdiction or direction of the PRC
or Russia, as specified in section
791.302; the knowing Sale within, or
import into, the United States of a
completed connected vehicle containing
covered software that is designed,
developed, manufactured, or supplied
by persons owned by, controlled by, or
subject to the jurisdiction or direction of
the PRC or Russia, as specified in
§ 791.303; and the knowing Sale of
completed connected vehicles that
incorporate VCS Hardware or covered
software by connected vehicle
Manufacturers who are owned by,
controlled by, or subject to the
jurisdiction or direction of the PRC or
Russia, as specified in § 791.304.
15. Sale
BIS proposes to define ‘‘sale,’’ in the
context of this subpart, as distributing
for purchase, lease, or other commercial
operations a new completed connected
vehicle for a price, to include the
transfer of completed connected
vehicles from a connected vehicle
manufacturer to a dealer or distributor,
as those terms are defined in 49 U.S.C.
30102. This definition also applies to
the related terms such as sell or selling.
This would include direct-to-consumer
sales of completed connected vehicles
from the connected vehicle
manufacturer to the ultimate purchaser.
16. Software Bill of Materials
BIS proposes to define ‘‘Software Bill
of Materials’’ or SBOM as a formal and
dynamic, machine-readable inventory
detailing the software supply chain
relationships between software
components and subcomponents,
including software dependencies,
hierarchical relationships, and baseline
software attributes, including author’s
name, timestamp, supplier name,
component name, version string,
component hash, package URL, unique
identifier, and dependency
relationships to other software
components.
BIS understands that this definition
generally conforms to industry
standards. However, BIS is specifically
seeking comment on the feasibility,
technical burden, cost, and effectiveness
of identifying and disclosing to BIS the
listed SBOM attributes.
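The attribute list in this definition describes an inventory that a submitter can check mechanically before it is disclosed. The following is an added example (not code from the proposed rule, from BIS, or from any industry SBOM tool) of such a pre-submission check: it confirms that every component record carries the listed baseline attributes, that hashes and package URLs have a plausible shape, that every dependency relationship resolves to a component in the inventory, that the hierarchy contains no cycles, and which suppliers sit behind a given component through its transitive dependencies. The record layout, field names, the choice of SHA-256 as the hash format, the ISO 8601 timestamp shape, and the sample components are assumptions made for this example.

```python
"""Consistency checks over a minimal SBOM inventory (added example, constructed data)."""
import hashlib
import re

# Baseline attributes named in the proposed definition; `dependencies` holds the
# unique identifiers of other components (the "hierarchical relationships").
REQUIRED_FIELDS = (
    "author_name", "timestamp", "supplier_name", "component_name",
    "version_string", "component_hash", "package_url", "unique_identifier",
)
HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")                 # assumed hash format
PACKAGE_URL = re.compile(r"^pkg:[a-z0-9.+-]+/\S+@\S+$")     # loose package-URL shape
ISO_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")  # assumed timestamp shape


def _deps(comp):
    """Dependencies of a record, tolerating a malformed (non-list) value."""
    deps = comp.get("dependencies")
    return deps if isinstance(deps, list) else []


def find_cycle(by_id):
    """Return one dependency cycle as a list of identifiers (closed at both ends), or None."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {uid: WHITE for uid in by_id}
    stack = []

    def visit(uid):
        colour[uid] = GREY
        stack.append(uid)
        for dep in _deps(by_id[uid]):
            if dep not in by_id:
                continue  # dangling reference; reported by validate_sbom
            if colour[dep] == GREY:
                return stack[stack.index(dep):] + [dep]
            if colour[dep] == WHITE:
                found = visit(dep)
                if found:
                    return found
        stack.pop()
        colour[uid] = BLACK
        return None

    for uid in by_id:
        if colour[uid] == WHITE:
            found = visit(uid)
            if found:
                return found
    return None


def validate_sbom(components):
    """Return a list of problems; an empty list means the inventory is consistent."""
    problems, by_id = [], {}
    for comp in components:
        uid = comp.get("unique_identifier") or "<no id>"
        for field in REQUIRED_FIELDS:
            if not comp.get(field):
                problems.append(f"{uid}: missing {field}")
        if not isinstance(comp.get("dependencies"), list):
            problems.append(f"{uid}: dependencies must be a list")
        if uid in by_id:
            problems.append(f"{uid}: duplicate unique identifier")
        by_id[uid] = comp
        if comp.get("component_hash") and not HEX_SHA256.match(comp["component_hash"]):
            problems.append(f"{uid}: component_hash is not a SHA-256 hex digest")
        if comp.get("package_url") and not PACKAGE_URL.match(comp["package_url"]):
            problems.append(f"{uid}: package_url is not a package URL")
        if comp.get("timestamp") and not ISO_UTC.match(comp["timestamp"]):
            problems.append(f"{uid}: timestamp is not ISO 8601 UTC")
    for uid, comp in by_id.items():          # every relationship must resolve
        for dep in _deps(comp):
            if dep not in by_id:
                problems.append(f"{uid}: depends on unknown component {dep}")
    cycle = find_cycle(by_id)                # hierarchy must be a DAG
    if cycle:
        problems.append("dependency cycle: " + " -> ".join(cycle))
    return problems


def transitive_suppliers(components, root_id):
    """Supplier names reachable from root_id through the dependency graph (root included)."""
    by_id = {c["unique_identifier"]: c for c in components}
    seen, todo, suppliers = set(), [root_id], set()
    while todo:
        uid = todo.pop()
        if uid in seen or uid not in by_id:
            continue
        seen.add(uid)
        suppliers.add(by_id[uid]["supplier_name"])
        todo.extend(_deps(by_id[uid]))
    return suppliers


def make_record(uid, name, supplier, version, deps):
    """Constructed sample record; the hash is a placeholder derived from the name, not a real digest."""
    return {
        "author_name": f"{supplier} build system", "timestamp": "2024-09-01T00:00:00Z",
        "supplier_name": supplier, "component_name": name, "version_string": version,
        "component_hash": hashlib.sha256(f"{name}@{version}".encode()).hexdigest(),
        "package_url": f"pkg:generic/{name}@{version}", "unique_identifier": uid,
        "dependencies": list(deps),
    }


# Constructed inventories: a consistent one and one with three defects
# (missing hash, unresolved dependency, dependency cycle).
GOOD_SBOM = [
    make_record("cmp-rtos", "example-rtos", "Example RTOS Vendor", "4.2.0", []),
    make_record("cmp-tls", "example-tls", "Example Crypto Vendor", "3.0.1", []),
    make_record("cmp-telematics", "example-telematics-stack", "Example Tier 1", "1.8.3",
                ["cmp-rtos", "cmp-tls"]),
]
BAD_SBOM = [
    make_record("cmp-rtos", "example-rtos", "Example RTOS Vendor", "4.2.0", ["cmp-telematics"]),
    dict(make_record("cmp-tls", "example-tls", "Example Crypto Vendor", "3.0.1", []), component_hash=""),
    make_record("cmp-telematics", "example-telematics-stack", "Example Tier 1", "1.8.3",
                ["cmp-rtos", "cmp-tls", "cmp-ota"]),
]

if __name__ == "__main__":
    print("good:", validate_sbom(GOOD_SBOM))
    print("bad:", validate_sbom(BAD_SBOM))
    print("suppliers behind cmp-telematics:", sorted(transitive_suppliers(GOOD_SBOM, "cmp-telematics")))
```

The transitive supplier walk is the part most relevant to the rule's purpose: the prohibitions turn on who designed, developed, manufactured, or supplied a component, and a flat component list does not answer that for software pulled in several levels down. Running the check on the defective inventory reports the missing hash, the reference to a component absent from the inventory, and the cycle between the RTOS and the telematics stack.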
17. Vehicle Connectivity System
BIS proposes to define ‘‘Vehicle
Connectivity System’’ or VCS as a
hardware or software item for a
completed connected vehicle that has
the function of enabling the
transmission, receipt, conversion, or
processing of radio frequency
communications at a frequency over 450
megahertz. This definition would
exempt most remote keyless entry fobs
and immobilizers and certain internal
wireless sensors and relays. VCS
software is included in the definition of
Covered Software.
18. VCS Hardware
BIS proposes to define ‘‘VCS
hardware’’ as the following software-enabled or programmable components
and subcomponents that support the
function of Vehicle Connectivity
Systems or that are part of an item that
supports the function of Vehicle
Connectivity Systems: microcontroller,
microcomputers or modules, systems on
a chip, networking or telematics units,
cellular modem/modules, Wi-Fi
microcontrollers or modules, Bluetooth
microcontrollers or modules, satellite
navigation systems, satellite
communication systems, other wireless
communication microcontrollers or
modules, and external antennas. VCS
hardware does not include component
parts that do not contribute to the
communication function of VCS
hardware (e.g., brackets, fasteners,
plastics, and passive electronics). VCS
hardware would include aftermarket
devices not contained in a completed
connected vehicle at sale but that could
be later integrated into or attached to the
vehicle to perform VCS functions.
BIS believes this definition
appropriately identifies the various
components, contained within a TCU or
other connected systems of a connected
vehicle, that facilitate off-board data
transmission, and, thus, are most likely
to pose the risks identified in Section IV
of this notice. BIS specifically seeks
comment on this list of components and
the appropriateness of their inclusion to
address the national security risks that
BIS has identified in this notice.
19. VCS Hardware Importer
BIS proposes to define ‘‘VCS
hardware importer’’ as a U.S. person
importing VCS hardware for further
manufacturing, integration, resale, or
distribution. A connected vehicle
manufacturer may be a VCS Hardware
Importer if VCS hardware has already
been installed in a connected vehicle
when imported by the connected
vehicle manufacturer.
This definition would capture OEMs,
and tier 1 and tier 2 suppliers importing
VCS hardware into the United States.
BIS specifically seeks comment on the
scope of this definition, particularly
regarding whether it captures the
breadth of market participants dealing
in VCS Hardware.
20. United States
BIS proposes to define ‘‘United
States’’ to mean the United States of
America, the States of the United States,
the District of Columbia, and any
commonwealth, territory, dependency,
or possession of the United States, or
any subdivision thereof, and the
territorial sea of the United States.
b. Prohibitions on Certain Transactions
Related to Connected Vehicles
1. Prohibited Transactions
Under the proposed rule, VCS
hardware importers would be
prohibited from knowingly importing
into the United States any VCS
hardware that is designed, developed,
manufactured, or supplied by persons
owned by, controlled by, or subject to
the jurisdiction or direction of the PRC
or Russia. BIS specifically seeks
comment on this approach and whether
additional components should be
included in or excluded from this
prohibition.
Connected vehicle manufacturers
would be prohibited from knowingly
Selling within the United States, or
importing into the United States,
completed connected vehicles that
incorporate covered software designed,
developed, manufactured, or supplied
by persons owned by, controlled by, or
subject to the jurisdiction or direction of
the PRC or Russia.
Connected vehicle manufacturers who
are owned by, controlled by, or subject
to the jurisdiction or direction of the
PRC or Russia would also be prohibited
from knowingly Selling in the United
States completed connected vehicles
that incorporate covered software or
VCS hardware. As with other connected
vehicle manufacturers, connected
vehicle manufacturers who are owned
by, controlled by, or subject to the
jurisdiction or direction of the PRC or
Russia participate in the design and
development of VCS hardware and
covered software, which are generally
built to the manufacturers’
specifications. However, this
prohibition applies even if connected
vehicle manufacturers who are owned
by, controlled by, or subject to the
jurisdiction or direction of the PRC or
Russia were not involved in the design
or development of the VCS Hardware
and Covered Software. Their Sale of
those completed connected vehicles
constitutes the supply of VCS hardware
and covered software and is thus
captured by this prohibition. To be
clear, BIS anticipates that because of the
role connected vehicle manufacturers
play in the design and development of
the key components in connected
vehicles, in many cases, this prohibition
will be duplicative of the other
prohibitions in this proposed rule. BIS
seeks comments on the efficacy of all of
the proposed prohibitions detailed
above.
As noted above, for the purposes of
this proposed rule, BIS defines the term
‘‘person owned by, controlled by, or
subject to the jurisdiction or direction of
a foreign adversary’’ to mean (a) any
person, wherever located, who acts as
an agent, representative, or employee, or
any person who acts in any other
capacity at the order, request, or under
the direction or control, of a foreign
adversary or of a person whose activities
are directly or indirectly supervised,
directed, controlled, financed, or
subsidized in whole or in majority part
by a foreign adversary; (b) any person,
wherever located, who is a citizen or
resident of a foreign adversary or a
country controlled by a foreign
adversary, and is not a United States
citizen or permanent resident of the
United States; (c) any corporation,
partnership, association, or other
organization with a principal place of
business in, headquartered in,
incorporated in, or otherwise organized
under the laws of a foreign adversary or
a country controlled by a foreign
adversary; or (d) any corporation,
partnership, association, or other
organization, wherever organized or
doing business, that is owned or
controlled by a foreign adversary, to
include circumstances in which any
person identified in paragraphs (a)
through (c) possesses the power, direct
or indirect, whether or not exercised,
through the ownership of a majority or
a dominant minority of the total
outstanding voting interest in an entity,
board representation, proxy voting, a
special share, contractual arrangements,
formal or informal arrangements to act
in concert, or other means, to determine,
direct, or decide important matters
affecting an entity.
To provide further clarity regarding
transactions involving VCS hardware
and covered software that would be
prohibited, BIS offers the following
examples of persons owned by,
controlled by, or subject to the
jurisdiction or direction of the PRC and
Russia:
Example 1: Company A, incorporated
in the United States, is a wholly owned
subsidiary of Company B. Company B is
a state-owned enterprise of the PRC or
Russia. Because Company B is a state-owned enterprise, Company A would be
considered ‘‘owned by’’ the PRC or
Russia.
Example 2: Company A is a joint
venture between Company B and
Company C where Company C owns a
majority share of Company A. Company
B is a corporation incorporated in a
third-party jurisdiction. Company C is a
state-owned enterprise of the PRC or
Russia. Company A would be
considered ‘‘owned by’’ the PRC or
Russia.
Example 3: Company A is majority
owned in aggregate by multiple state-owned enterprises and state-owned
investment funds of the PRC or Russia.
Company A would be considered
‘‘owned by’’ the PRC or Russia.
Example 4: Company A, incorporated
in the United States, is a subsidiary of
Company B. Company B is a private
company incorporated in the PRC or
Russia with its principal place of
business in the PRC or Russia. Because
Company B is subject to the jurisdiction
of the PRC or Russia, Company B’s
subsidiary, Company A, is controlled by
an entity subject to the jurisdiction of
the PRC or Russia and would be
considered ‘‘controlled by’’ and ‘‘subject
to the direction of’’ the PRC or Russia.
Example 5: Company A is a
multinational company where a
majority of the voting power is held by
Company B, a PRC or Russian
government investment fund. Company
A would be ‘‘controlled by’’ and
‘‘subject to the direction of’’ the PRC or
Russia.
Example 6: Company A is a holding
company organized in a tax-advantaged
jurisdiction. Company A is publicly
listed on a stock exchange and its
corporate voting structure is
characterized by Class A and Class B
shares, Class B shares having ten times
the voting power of Class A shares. If
the aggregate voting power of
shareholders subject to the jurisdiction
of the PRC or Russia holding either
Class A and Class B shares constitutes
a majority or a dominant minority of
total voting power, then Company A
would be ‘‘controlled by’’ and ‘‘subject
to the direction of’’ the PRC or Russia.
Example 7: Company A, a company
that is organized under the laws of the
PRC or Russia, owns a minority interest
in Company B, a U.S. business. Based
on special voting powers vested in that
minority interest, Company A maintains
certain veto rights that determine
important matters affecting Company B,
including the right to veto the dismissal
of senior executives of Company B.
Company B would be considered
‘‘controlled by’’ and ‘‘subject to the
direction of’’ Company A, and therefore
owned by, controlled by, or subject to
the jurisdiction or direction of the PRC
or Russia.
Example 8: Company A is an entity
incorporated in a third country and
Company B is an entity incorporated in
the PRC or Russia. Company A and
Company B create a new joint venture,
Company C, to design, develop, and
manufacture a new product. Company A
and Company B own minority shares of
the joint venture while Company D, a
holding company wholly owned by a
PRC citizen, owns the largest minority
share. If aggregate voting power of
Company B and Company D constitutes
majority or dominant minority voting
share, Company C would be ‘‘controlled
by’’ and ‘‘subject to the direction of’’ the
PRC or Russia.
Example 9: Company A has eight
members on its board of directors.
Company A is characterized by a
shareholder and corporate governance
structure that requires a 75 percent
supermajority for any significant
business decision. Three of the members
of the board are citizens of, and
therefore subject to the jurisdiction of,
the PRC or Russia. Because these three
members make up 37.5 percent of the
voting power of the board, they can
block any supermajority and therefore
determine, direct, or decide important
matters affecting Company A. Company
A would be ‘‘controlled by’’ or ‘‘subject
to the direction of’’ the PRC or Russia.
Example 10: The PRC or Russian
government, through an investment
fund, acquires a 1% special
management share in Company A. This
share grants the PRC or Russian
government the right to appoint a
director to the board of Company A and
veto certain key business decisions,
such as major strategic changes or
mergers. This share allows the
government to influence Company A’s
operations and strategy. Company A
would be ‘‘controlled by’’ the PRC or
Russia.
Example 11: Company A maintains its
principal place of business in the PRC
or Russia. Company A would be
‘‘subject to the jurisdiction’’ of the PRC
or Russia.
Example 12: Company A is a publicly
listed U.S. corporate entity. Company A
has a wholly owned subsidiary,
Company B, that is organized under the
laws of the PRC or Russia and
manufactures goods in the PRC or
Russia. Because Company B is
organized under the laws of the PRC or
Russia, Company B would be subject to
the jurisdiction of the PRC or Russia.
However, Company A is not subject to
the jurisdiction of the PRC or Russia by
nature of its subsidiary, Company B,
being ‘‘subject to the jurisdiction’’ of the
PRC or Russia.
Example 13: Company A is privately
held and incorporated in the United
States. One member of Company A’s
board of directors, Person X, a former
chairman of the board of a large PRC
corporation, has known ties to the
government of the PRC, owns a large
minority share of Company A, and has
previously made significant investments
in other companies founded by
Company A’s chief executive officer.
Person X also facilitated a large minority
investment in Company A by the large
PRC corporation where they were
previously chairman of the board.
Person X’s professional background
indicates that they are directly or
indirectly supervised, directed,
controlled, financed, or subsidized by
the PRC government. The combination
of Person X’s close ties to Company A’s
CEO, Person X’s ownership interest
and ability to direct investment from
large, highly regulated PRC corporate
entities, and Person X’s close ties to the
PRC government indicate that Company
A would be ‘‘subject to the direction’’ of
the PRC.
BIS seeks comment on whether the
definition of, and examples provided to
illuminate, who is a ‘‘person owned by,
controlled by, or subject to the
jurisdiction or direction of a foreign
adversary,’’ provides sufficient clarity
regarding the circumstances under
which the rule’s prohibitions might
apply.
For additional clarity in determining
whether a transaction involving VCS
hardware or covered software designed,
developed, manufactured, or supplied
by entities described above would be
prohibited under the proposed rule, BIS
offers the below examples. In offering
these examples, BIS emphasizes that
VCS hardware and covered software
would not be considered designed,
developed, manufactured, or supplied
by persons owned by, controlled by, or
subject to the jurisdiction or direction of
the PRC or Russia, solely based on the
country of citizenship of natural persons
who are employed, contracted, or
otherwise similarly engaged to
participate in the design, development,
manufacture, or supply of that VCS
hardware or covered software:
Example 14: A U.S. person has a
contractual relationship with a foreign
person to import a cellular module, and
the cellular module will later be
integrated into a VCS for a completed
connected vehicle. The U.S. person is,
under the proposed rule, a VCS
hardware importer. The U.S. person
knows the cellular module was
manufactured at a facility located in the
PRC or Russia and is being imported
through a third country. Since the entity
manufacturing the module would, at a
minimum, be ‘‘subject to the
jurisdiction’’ of the PRC or Russia, the
import of the module would be a
prohibited transaction under the
proposed rule, unless it qualifies for a
general authorization or a specific
authorization from BIS.
Example 15: A U.S. person imports a
TCU that was assembled in a third
country, but that contains a
microcontroller that is manufactured in
the PRC or Russia and is Sold to the
third-country assembler of the TCU. The
U.S. person knows that the
microcontroller was manufactured by an
entity located in the PRC or Russia. As
the microcontroller is included in the
definition of VCS hardware, the import
of the TCU for a completed connected
vehicle would be a prohibited
transaction under the proposed rule
unless it qualifies for a general
authorization, or a specific
authorization granted by BIS.
Example 16: A U.S. person imports a
completed connected vehicle, making
the U.S. person a connected vehicle
manufacturer under the proposed rule’s
definition. The completed connected
vehicle contains a TCU that operates
software supporting off-vehicle
connectivity above 450 MHz, and that
software is designed, developed, or
otherwise supplied (in whole or in part)
by an entity located in the PRC or
Russia. Under the proposed rule, the
import of the completed connected
vehicle would be prohibited, unless it
was authorized by a general
authorization or a Specific
Authorization.
Example 17: A U.S. person who is a
connected vehicle manufacturer that
manufactures or assembles completed
connected vehicles in the United States
Sells to a dealer within the United
States a completed connected vehicle in
which the vehicle’s ADS software for
object detection, classification, and
decision making is proprietary software
designed, developed, or supplied by an
entity in the PRC or Russia. The Sale or
transfer of the completed connected
vehicle would be a prohibited
transaction under the proposed rule
unless it qualifies for a general
authorization or specific authorization
granted by BIS.
Example 18: A U.S. person who is a
connected vehicle manufacturer utilizes
foreign VCS and ADS software
development teams through various
subsidiaries, joint ventures, and contract
arrangements, some of which retain
servicing obligations, contractual and
licensing rights, and other interests in
the software they have developed. One
of those software development teams is
located in the PRC or Russia, and as
such, that software team is subject to the
jurisdiction of the PRC or Russia. Given
the role of PRC or Russian developers in
the creation of the VCS or ADS software
(covered software), the sale of a
completed connected vehicle within the
United States that integrates this
proprietary covered software, would be
a prohibited transaction under the
proposed rule, unless it qualifies for a
general authorization or specific
authorization granted by BIS.
Example 19: A U.S. person who is a
connected vehicle manufacturer utilizes
VCS and ADS software development
teams around the world through various
subsidiaries, joint ventures, and contract
arrangements. One of those software
development teams is comprised of
individuals who are PRC or Russian
citizens working in a foreign
jurisdiction other than the PRC or
Russia for a company that is not owned
by, controlled by, or subject to the
jurisdiction or direction of the PRC or
Russia. Although the individuals
technically meet the definition of
‘‘person owned by, controlled by, or
subject to the direction of a foreign
adversary,’’ the sole fact that PRC or
Russian citizens work on the connected
vehicle manufacturer’s software
development would not make the Sale
of a completed connected vehicle
within the United States that integrates
this VCS or ADS software a Prohibited
Transaction under the proposed rule.
Example 20: Company A, which is a
wholly owned subsidiary of a foreign
corporation in which a PRC or Russian
entity owns a controlling interest,
imports completed connected vehicles
that incorporate covered software and
VCS hardware, none of which was
originally designed, developed,
manufactured, or supplied by an entity
owned by, controlled by, or subject to
the jurisdiction or direction of the PRC
or Russia. In such rare circumstance
where Company A did not participate in
the design or development of the
covered software or VCS hardware,
Company A would submit (once per
Model Year) a Declaration of Conformity
for the import of the completed
connected vehicles containing covered
software and VCS hardware. However,
any subsequent sale by Company A of
such completed connected vehicle in
the United States would be prohibited.
For example, Company A subsequently
Sells such completed connected
vehicles to a dealer in the United States.
Because Company A is a person
controlled by the PRC or Russia and has
direct privileged access to the VCS
Hardware and covered software prior to
the sale, the knowing sale by Company
A of the completed connected vehicle
with VCS hardware and covered
software would be a prohibited
transaction under the proposed rule,
and a specific authorization from BIS
would be required before engaging in
such a transaction.
Example 21: Company A, a wholly
owned subsidiary of a PRC or Russia
corporation manufactures completed
connected vehicles in the United States.
The completed connected vehicles that
Company A manufactures incorporate
covered software and VCS hardware
provided by Company B, a company
that is not owned by, controlled by, or
subject to the jurisdiction or direction of
the PRC or Russia. Because Company A
is owned by, controlled by, or subject to
the jurisdiction or direction of the PRC
or Russia, participated in the design and
development of the covered software or
VCS hardware, and in any event, has
direct and privileged access to its
completed connected vehicles—
including the incorporated covered
software and VCS hardware—Company
A’s sale of the completed connected
vehicles is a prohibited transaction
under the proposed rule, and a specific
authorization from BIS would be
required before engaging in such a
transaction.
c. Compliance
1. Declaration of Conformity
BIS proposes to require VCS
Hardware Importers and connected
vehicle manufacturers engaged in
specified transactions to submit
Declarations of Conformity to BIS
certifying that they have not engaged in
a prohibited transaction. Under the
proposed rule, declarants would be
responsible for submitting information
to BIS, including documentation
collected from suppliers of components
of VCS hardware and from suppliers of
covered software, to verify compliance
with the regulations. These
requirements include obtaining and
analyzing the HBOMs for VCS hardware
and the SBOMs for covered software
and providing documentation of the
steps the declarant took to verify that
the transactions comply with the
provisions of the rule. In an effort to
facilitate compliance, BIS is not
currently proposing to mandate
particular due diligence requirements
but would rather allow VCS hardware
importers and connected vehicle
Manufacturers to provide evidence of
their own efforts tailored to their unique
operations. BIS seeks comment on this
approach.
The proposed rule generally
contemplates that Declarations of
Conformity would be submitted in three
instances by persons not engaged in
prohibited transactions: (1) Declarations
submitted by VCS hardware importers;
(2) Declarations submitted by connected
vehicle manufacturers importing
completed connected vehicles
containing covered software into the
United States; and (3) Declarations
submitted by connected vehicle
manufacturers selling completed
connected vehicles in the United States
that they have manufactured or
assembled in the United States and
which contain covered software, so long
as there is a continuing foreign interest
in the covered software. Persons
required to submit a Declaration of
Conformity need do so once per model
year for units associated with a vehicle
model year, or calendar year for units
not associated with a vehicle model
year, and only for the categories of
transactions they seek to execute during
that period. VCS hardware importers or
connected vehicle manufacturers
engaging in multiple transactions that
require submissions of Declarations of
Conformity under separate paragraphs
of § 791.305 may, if they prefer, submit
a single compiled Declaration of
Conformity containing all required
information for all transactions. For
example, an OEM that manufactures or
assembles completed connected
vehicles in the United States, imports
connected vehicles into the United
States, and imports VCS hardware into
the United States would be able to
submit a single Declaration of
Conformity based on vehicle make,
model, and trim and VCS hardware that
will be imported or manufactured that
Model Year.
BIS believes that Declarations of
Conformity will be an important tool for
advancing the goals of this proposed
rule, and addressing the emergency
declared in E.O. 13873. Declarations of
Conformity will first and foremost
provide BIS with a means to verify VCS
hardware importers’ and completed
connected vehicle manufacturers’
compliance with the proposed
prohibitions. Through extensive
engagement with connected vehicle
manufacturers and automotive
suppliers, BIS has come to understand
that connected vehicle supply chains
are complex and often opaque, with
potentially hundreds of suppliers for a
single connected vehicle in a given
model year. Such complexity and
opacity could result in the incorporation
into connected vehicles of VCS
hardware and covered software that is
designed, developed, manufactured, or
supplied by persons owned by,
controlled by, or subject to the
jurisdiction or direction of foreign
adversaries, without the full knowledge
of the connected vehicle manufacturer.
While connected vehicle manufacturers
typically have strong relationships with
their immediate suppliers, to include
the development of years-long supply
contracts that span entire vehicle
generations, their understanding of the
deeper supply chain (to include who is
supplying their suppliers) is
substantially weaker. Additionally,
while the COVID–19 pandemic and
associated supply chain crisis forced
connected vehicle manufacturers to
more critically evaluate their hardware
supply chains, illumination of software
supply chains remains largely
unachieved. Consequently, BIS believes
that the requirement to submit annual
Declarations of Conformity will serve as
an important mechanism for ensuring
that parties subject to this proposed rule
implement the due diligence and other
procedures necessary to fully
understand the supply chains for their
VCS hardware and covered software and
thus comply with the proposed rule’s
prohibitions on the incorporation of
VCS Hardware or covered software that
has been designed, developed,
manufactured, or supplied by persons
owned by, controlled by, or subject to
the jurisdiction or direction of the PRC
or Russia.
BIS also believes that the collection of
annual Declarations of Conformity from
connected vehicle manufacturers and
VCS hardware importers would
facilitate enforcement of the proposed
rule, including by allowing BIS to
proactively identify red flags and
potential violations of the proposed
prohibitions. For example, BIS may rely
on the broad perspective provided by
the Declarations of Conformity from
multiple connected vehicle
manufacturers and VCS hardware
importers to identify previously
undetected participation by PRC or
Russian designers, developers,
manufacturers, or suppliers that are
subject to the prohibitions of this
proposed rule yet remain entrenched in
the U.S. connected vehicle supply
chain. Additionally, these Declarations
of Conformity would allow BIS to
maintain an understanding of
technological advancements and
changes in the U.S. connected vehicle
industry—both in hardware and
software—and consequently enable BIS
to propose updates to the rule as needed
to maximize its effectiveness in
mitigating the undue and unacceptable
risks posed by the PRC and Russia while
minimizing burden on industry.
The sections below explain in greater
detail the types of Declaration of
Conformity that would be required
under the proposed rule. BIS seeks
comment on this regulatory approach,
including the necessity and efficacy of
requiring Declarations of Conformity
with respect to VCS hardware and
covered software in which there is a
Foreign Interest. BIS also seeks
comment on the availability and
efficacy of any alternative approach that
would require a narrower set of VCS
Hardware Importers and completed
connected vehicle manufacturers to
submit Declarations of Conformity,
while still achieving the goals of the
Declaration of Conformity requirement
and addressing the declared emergency
under E.O. 13873.
i. Import of VCS Hardware
The Declaration of Conformity
described in § 791.305(a)(1) would
require VCS hardware Importers to
provide information on the specific VCS
hardware that the declarant plans to
import into the United States for a given
model year, or, for units not associated
with a model year, a given calendar
year. BIS proposes to require the
Declaration of Conformity to contain the
FCC ID number(s) of the VCS hardware,
and, if applicable, any subcomponents
in the VCS hardware that also have an
FCC ID number. FCC regulations at 47
CFR 2.925 require any electronic device
that emits RF waves, including those
imported into the United States, to have
an FCC ID number, which is used to
identify and certify that the device
meets the necessary regulatory
standards for wireless communication.
The proposed rule would additionally
require VCS Hardware Importers to
report all third-party information
technology external endpoints to which
the VCS Hardware is programmed to
connect, including the country in which
said endpoint is located and/or the
identity and location of the service
provider. This would include any third-party that is not the VCS hardware
importer nor the final recipient, such as
the connected vehicle manufacturer that
integrates the VCS hardware and
receives data on an episodic or ongoing
basis from the VCS hardware.
Additionally, VCS hardware importers
would be required to submit an HBOM
as part of the Declaration of Conformity.
BIS would expect, consistent with the
proposed definition for this term, this
HBOM to include a comprehensive list
of parts and technical information,
including the provenance of
subcomponents contained within the
VCS hardware.
ii. Import of Completed Connected
Vehicles
The Declaration of Conformity
described in section 791.305(a)(2)
would require connected vehicle
manufacturers that import completed
connected vehicles, including U.S.-based OEMs and foreign-headquartered
OEMs with operations in the United
States, to provide information to BIS on
the make, model, and trim (if known) of
the imported group of completed
connected vehicles and the covered
software contained within the
completed connected vehicles. BIS
proposes to require declarants to submit
an SBOM for the covered software
related to both VCS and ADS. The
minimum requirements for the SBOM
are author’s name, timestamp, supplier
name, component name, version string,
component hash, package URL, unique
identifier, and dependency
relationships to other software
components. Declarants may submit
additional SBOM information as
evidence demonstrating the covered
software is not sourced from PRC or
Russian-linked entities. BIS seeks
comment on all aspects of this SBOM
requirement.
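The following check is an added example, not part of the NPRM or of any BIS or industry tooling: it tests a CycloneDX-style SBOM against the nine minimum attributes listed above (and in the SBOM definition in section 16) and reports, per component, which attributes a declarant would still have to obtain from the supplier. The mapping of those attributes onto CycloneDX JSON field names (metadata.authors, metadata.timestamp, supplier.name, name, version, hashes, purl, bom-ref, dependencies) and the sample SBOM are assumptions constructed for this example.

```python
"""Check an SBOM for the minimum attributes listed in the BIS connected-vehicle NPRM.

The attribute list is the NPRM's; the CycloneDX field mapping and the sample
document below are constructed for this example and are not from BIS."""
import json

# Document-level attributes: the NPRM's "author's name" and "timestamp" map
# (by assumption) onto CycloneDX metadata.authors and metadata.timestamp.
DOCUMENT_LEVEL = {
    "author's name": lambda bom: bool(bom.get("metadata", {}).get("authors")),
    "timestamp": lambda bom: bool(bom.get("metadata", {}).get("timestamp")),
}

# Per-component attributes and the CycloneDX field assumed to carry each one.
COMPONENT_LEVEL = {
    "supplier name": lambda c: bool(c.get("supplier", {}).get("name")),
    "component name": lambda c: bool(c.get("name")),
    "version string": lambda c: bool(c.get("version")),
    "component hash": lambda c: any(h.get("content") for h in c.get("hashes", [])),
    "package URL": lambda c: bool(c.get("purl")),
    "unique identifier": lambda c: bool(c.get("bom-ref")),
}


def check_sbom(bom: dict) -> dict:
    """Return {"document": [missing...], "components": {ref: [missing...]}}.

    Only components with at least one gap appear in "components". The NPRM's
    "dependency relationships" attribute is treated as present when the
    component has its own entry in the top-level "dependencies" list; an
    explicit empty dependsOn list still counts as a statement."""
    missing = {"document": [], "components": {}}
    for attr, present in DOCUMENT_LEVEL.items():
        if not present(bom):
            missing["document"].append(attr)
    declared = {d.get("ref") for d in bom.get("dependencies", [])}
    for comp in bom.get("components", []):
        key = comp.get("bom-ref") or comp.get("name") or "<unnamed>"
        gaps = [attr for attr, present in COMPONENT_LEVEL.items() if not present(comp)]
        if comp.get("bom-ref") not in declared:
            gaps.append("dependency relationships")
        if gaps:
            missing["components"][key] = gaps
    return missing


def is_complete(bom: dict) -> bool:
    """True when every NPRM minimum attribute is present for the document and all components."""
    report = check_sbom(bom)
    return not report["document"] and not report["components"]


# Constructed sample: one fully described telematics firmware component and one
# TLS library whose supplier left out the hash, the purl and the dependency entry.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-09-26T00:00:00Z",
        "authors": [{"name": "Example Telematics Supplier"}],
    },
    "components": [
        {
            "type": "firmware",
            "bom-ref": "pkg:generic/vcs-modem-fw@4.2.1",
            "supplier": {"name": "Example Modem Co"},
            "name": "vcs-modem-fw",
            "version": "4.2.1",
            # Constructed placeholder digest, not a real hash.
            "hashes": [{"alg": "SHA-256", "content": "00" * 32}],
            "purl": "pkg:generic/vcs-modem-fw@4.2.1",
        },
        {
            "type": "library",
            "bom-ref": "tls-lib",
            "supplier": {"name": "Example Crypto Co"},
            "name": "tls-lib",
            "version": "3.0.0",
        },
    ],
    "dependencies": [
        {"ref": "pkg:generic/vcs-modem-fw@4.2.1", "dependsOn": ["tls-lib"]},
    ],
}

if __name__ == "__main__":
    print(json.dumps(check_sbom(SAMPLE_SBOM), indent=2))
```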
iii. Manufacture or Assembly of
Completed Connected Vehicles for Sale
in the United States
Similarly, this proposed rule, as
described in section 791.305(a)(3),
would require connected vehicle
Manufacturers that manufacture or
assemble completed connected vehicles
for sale in the United States to submit
a Declaration of Conformity that
includes information on the make,
model, and trim of the group of
completed connected vehicles and the
covered software contained within the
completed connected vehicles that the
connected vehicle manufacturer will
sell for a Model Year. BIS emphasizes
that this requirement would apply only
to connected vehicle manufacturers
whose vehicles incorporate covered
software in which there is a foreign
interest. Connected vehicle
manufacturers who manufacture or
assemble completed connected vehicles
in the United States and whose vehicles
contain no covered software in which
there is a foreign interest would not be
required to submit a Declaration of
Conformity. However, given the global
nature of automotive software supply
chains, BIS anticipates that nearly all
connected vehicle manufacturers of
completed connected vehicles for Sale
in the United States would be required
to submit an annual Declaration of
Conformity covering all completed
connected vehicles by make, model, and
trim to be manufactured for Sale in the
United States for each Model Year. As
detailed above, this requirement would
include the submission of an SBOM for
covered software incorporated into the
group of completed connected vehicles.
iv. Procedures To Submit Declarations
of Conformity
VCS Hardware Importers and
connected vehicle manufacturers
submitting a Declaration of Conformity
under this rule would be required to
submit the Declaration of Conformity to
BIS annually, 60 days prior to the first
sale or first import of a Vehicle
Identification Number (VIN) series of
completed connected vehicles
comprised of a single model year, or 60
days prior to the import of VCS
hardware covered by the Declaration of
Conformity. VCS hardware importers
and connected vehicle manufacturers
may, at their discretion, submit a
combined Declaration of Conformity, or
may submit separate Declarations of
Conformity (e.g., one Declaration
covering import of VCS hardware and
another covering import of completed
connected vehicles). Declarations of
Conformity covering both the import or
manufacture of completed connected
vehicles and the import of VCS
Hardware should be submitted by the
earlier of the two reporting dates.
Connected vehicle manufacturers that
would submit a Declaration of
Conformity for the import of a group of
completed connected vehicles into the
United States should not submit a
Declaration of Conformity related to the
subsequent Sale of that same group of
Completed Connected Vehicles. In the
event of material changes that impact
the content of the Declaration of
Conformity, VCS hardware importers or
connected vehicle manufacturers would
be required to submit an updated
Declaration of Conformity and an
updated HBOM or SBOM within 30
days of such a change. Such changes
may include changes in the suppliers of
key subcomponents or functional
aspects of the VCS hardware or covered
software incorporated in the completed
connected vehicle. BIS would make a
web portal available on its website
(https://www.bis.gov) through which
VCS Hardware Importers and connected
vehicle manufacturers may submit
Declarations of Conformity.
2. General Authorizations
General Authorizations would allow
certain VCS Hardware Importers and
connected vehicle manufacturers to
engage in otherwise prohibited
transactions without the need to notify
BIS prior to engaging in the transaction.
Connected vehicle manufacturers or
VCS hardware importers (and entities
under common control, including
parents) who produce small quantities
of completed connected vehicles or VCS
hardware, which the proposed rule
defines as fewer than 1,000 units in a
calendar year, would be eligible for a
general authorization. This is in line
with requirements for high-volume and
low-volume manufacturers found in 49
CFR part 565. BIS specifically seeks
comment on this threshold for both
completed connected vehicles and VCS
Hardware. Connected vehicle
manufacturers would be eligible for a
general authorization if the completed
connected vehicle is otherwise subject
to a prohibition but will be used on
public roadways fewer than 30 days in
any calendar year. For purposes of this
general authorization, each use of a
completed connected vehicle on public
roadways on a distinct calendar day will
count toward the 30-day limit,
regardless of the duration of a vehicle’s
use on a particular day. VCS hardware
importers and connected vehicle
manufacturers would also qualify for a
general authorization for otherwise
prohibited transactions involving
completed connected vehicles
incorporating covered software or VCS
hardware if the completed connected
vehicles are used only for testing,
display, or research purposes and not on
public roads in the United States.
Lastly, VCS hardware importers or
connected vehicle manufacturers would
qualify for a general authorization for
the importation of completed connected
vehicles incorporating covered software
or the importation of VCS Hardware
solely for the purposes of repair,
alteration, or competition off public
roads, and the vehicle or hardware will
be reexported from the United States
within one year of the time of import.
BIS proposes to allow persons using
General Authorizations to self-certify
their compliance with the applicable
General Authorization. As such, these
persons would not need to submit
documentation to BIS but would be
required to gather and maintain full
records for a period of 10 years
documenting compliance for all
completed connected vehicles and VCS
hardware covered by the general
authorization. Furthermore, persons
availing themselves of a general
authorization would be required to
continuously monitor for any changes
that render a transaction ineligible for
continued reliance on the general
authorization. A VCS hardware importer
or connected vehicle manufacturer that
is no longer eligible for a general
authorization would need to apply for
and receive a specific authorization
before engaging in an otherwise
prohibited transaction. For example,
connected vehicle manufacturers who
import a certain model or trim of
completed connected vehicles
containing covered software that are
originally used for display or testing
purposes must seek a specific
authorization before importing that
model or trim of completed connected
vehicle for more general use in the
United States.
A connected vehicle manufacturer or
VCS hardware importer that is a
subsidiary, joint venture, affiliate, or
other entity subject to the ownership,
control, jurisdiction, or direction of the
PRC or Russia would be ineligible for
general authorizations and would be
required to apply for a specific
authorization before engaging in an
otherwise prohibited transaction.
3. Specific Authorizations
VCS hardware importers and
connected vehicle manufacturers
wishing to engage in an otherwise
prohibited transaction who are
ineligible for an exemption or general
authorization would have to apply for
and receive a specific authorization to
engage in the otherwise prohibited
transaction. The purpose of specific
authorizations is to allow BIS on a case-by-case basis to determine the nature
and scope of the undue or unacceptable
risk to U.S. national security posed by
transactions involving VCS hardware
and covered software, including the
extent of foreign adversary involvement
in the transactions, as well as potential
mitigations.
VCS hardware importers and
connected vehicle manufacturers must
not engage in an otherwise prohibited
transaction until BIS grants the
application for a specific authorization.
If a party engages in a prohibited
transaction prior to receiving a specific
authorization from BIS, that transaction
would constitute a violation of the
regulation. Specific authorization
requests will be reviewed on a case-bycase basis, and the time to reach a
decision on an application for a specific
authorization will vary based on the
complexity of the case. However, BIS
will respond to applicants with a
processing update within 90 days of the
initial application for a specific
authorization, and typically endeavor to
provide either a request for more
information or a decision within that
time period.
Applications for a specific
authorization must contain complete
information on the proposed
transaction, including every party
involved, an overview of the covered
software and/or the VCS hardware
designed, developed, manufactured, or
supplied by a person owned by,
controlled by, or subject to the
jurisdiction or direction of the PRC or
Russia, the intended use of the covered
software and/or VCS hardware, and
documentation to support the
information contained in the
application. Persons seeking a specific
authorization would submit an
application via a web portal that would
be available on the BIS website.
Applicants should take care to submit to
BIS only one copy of an application
pertaining to each transaction for which
they seek specific authorization to avoid
processing delays. BIS may request
additional information from an
applicant about any matter related to the
specific authorization request. In rare
situations, as part of its review of an
application for specific authorization,
BIS may, in its sole discretion, request
an oral briefing by the applicant and any
other relevant parties. At any point
between initial submission of an
application for specific authorization
and a final decision issued by BIS, an
applicant may submit additional
information to bolster the application or
provide clarity on any aspect thereof.
When reviewing applications for a
specific authorization, BIS will consider
the factors that may pose undue or
unacceptable risks, particularly as they
relate to transactions that could result in
the exfiltration of connected vehicle or
U.S. persons’ data, or the remote
manipulation or operation of a
connected vehicle. Examples of factors
that BIS may consider include: the
applicant’s ability to limit PRC or
Russian government access to, or
influence over the design, development,
manufacture, or supply of the VCS
hardware or covered software; security
standards used by the applicant and if
such standards can be validated by BIS
or a third-party; and other actions or
proposals the applicant offers to
implement as a way to mitigate undue
or unacceptable risk.
BIS’s decision regarding any
application for specific authorization
will apply only to the specific parties
and transaction outlined in the
application and described in the
decision notice. Additionally, the
decision notice from BIS to the
applicant(s) may contain any conditions
that must be met by the parties for a
transaction to be authorized. Such
conditions, which are subject to revision
by BIS, may include technical controls
(e.g., software validation) or operational
controls (e.g., physical and logical
access monitoring procedures), that are
either permanent or temporary. These
controls will focus on the supply chain
element that involves a link to a foreign
adversary to mitigate any undue or
unacceptable risk posed by the
transaction. For connected vehicle
manufacturers owned by, controlled by,
or subject to the jurisdiction or direction
of the PRC or Russia, a specific
authorization may include a
requirement that all VCS hardware and
covered software be assembled and
integrated into the connected vehicle in
the United States. In the approval letter
for specific authorization, BIS will
determine the effective date and
duration of the authorization on a case-by-case basis.
While applicants denied
authorizations would not be precluded
from submitting new applications for
specific authorizations with regard to
different transactions (involving
different parties and/or different
covered software or VCS hardware), BIS
will reconsider a previously denied
application for a specific authorization
only if the applicant demonstrates a
material change in circumstances.
4. Exemptions
Transactions by VCS hardware
importers and connected vehicle
manufacturers would be exempt from
the proposed prohibitions for a limited
period. BIS proposes a shorter
implementation period for transactions
involving covered software and
proposes a longer implementation
period for transactions involving VCS
hardware to allow market participants
adequate time to establish alternative
supply chains if necessary. This reflects
BIS’s understanding, and numerous
public comments underscoring, that
hardware supply chains for Connected
Vehicles are complex and require
multiple years to alter. VCS hardware
importers would be permitted to engage
in otherwise prohibited transactions
involving VCS Hardware and would
also be exempt from a requirement to
submit a Declaration of Conformity for
transactions not otherwise prohibited so
long as: (1) for VCS hardware units not
associated with a vehicle model year,
the import of the VCS hardware takes
place prior to January 1, 2029; or (2) the
VCS hardware is integrated into a
connected vehicle (completed or
incomplete) or destined for a connected
vehicle with a model year prior to 2030.
Beginning January 1, 2029, any VCS
hardware importer seeking to engage in
a transaction subject to the VCS
hardware prohibitions in § 791.302
(other than the import of a connected
vehicle with a model year prior to 2030)
would be required to obtain a specific
authorization if the transaction is not
otherwise permitted by a general
authorization. Furthermore, VCS
hardware importers seeking to import
VCS hardware beginning on January 1,
2029, or VCS Hardware in completed
connected vehicles or that is destined
for connected vehicles starting with
Model Year 2030, would be required to
submit an annual Declaration of
Conformity to BIS, unless obligated to
seek a Specific Authorization.
Connected vehicle manufacturers would
be permitted to engage in otherwise
Prohibited Transactions involving
covered software designed, developed,
manufactured, or supplied by a person
owned by, controlled by, or subject to
the jurisdiction or direction of the PRC
or Russia, so long as the completed
connected vehicle that is imported or
sold is of a model year prior to 2027.
Beginning Model Year 2027 (as
imported into or sold in the United
States), any connected vehicle
manufacturer seeking to engage in a
prohibited transaction involving
covered software specified in section
791.303 would be required to obtain a
specific authorization if the transaction
is not otherwise permitted by a general
authorization. Furthermore, connected
vehicle manufacturers would be
required to submit an applicable
Declaration of Conformity for imports or
Sales of all completed connected
vehicles beginning in Model Year 2027.
Connected vehicle manufacturers who
are owned by, controlled by, or subject
to the jurisdiction or direction of the
PRC or Russia would be permitted to
engage in otherwise prohibited
transactions so long as the completed
connected vehicle that is Sold is of a
Model Year prior to 2027. Beginning
Model Year 2027 (as Sold in the United
States), these particular connected
vehicle manufacturers seeking to engage
in a prohibited transaction specified in
§ 791.304 would be required to obtain a
specific authorization if the transaction
is not otherwise permitted by a general
authorization.
5. Appeals
BIS proposes to create a mechanism
by which any person whose application
for a specific authorization is denied,
whose specific authorization is
suspended or revoked, or who has
received a written notification of
ineligibility for a general authorization
may appeal that decision to the Under
Secretary. Appeals must be submitted in
writing by email or mail to the Office of
the Under Secretary within 45 days of
the date on the notice of the adverse
administrative action by BIS. The
appeal must detail how the party
submitting the appeal has been directly
and adversely affected by BIS’s action,
and the reasons that BIS’s action should
be reversed or otherwise modified. The
Under Secretary, at his or her discretion,
may delegate to the Deputy Under
Secretary for Industry and Security or
another BIS official the review of
appeals, including arranging, at the
official’s discretion, informal hearings
with relevant parties regarding the
appeal.
Appellants may submit
supplementary information in support
of their appeal, whether sua sponte or
at the request of the Under Secretary or
the designated official, but the Under
Secretary or designated official
generally would not consider additional
information submitted sua sponte more
than 30 days after submission of the
original appeal. If the Under Secretary
or designated official requests
supplementary information, appellants
will have no more than 30 calendar days
to respond to the request. Appellants
may also request an in-person informal
hearing in writing at the time of
submission. A hearing is not required,
and the Under Secretary or designated
official may, at his or her discretion,
grant or deny a request for an informal
hearing.
6. Advisory Opinions
In response to public comments
regarding the ANPRM, BIS proposes to
include a mechanism for BIS to issue
advisory opinions, similar to the process
outlined in the Export Administration
Regulations (EAR). BIS anticipates this
process will provide connected vehicle
manufacturers, VCS hardware
importers, and other interested parties
with greater clarity about how to
comply with the proposed rule on an as-needed basis. As with the EAR, BIS
emphasizes that advisory opinions
provided under this proposed rule
would in no way serve as evidence that
the ICTS transaction addressed in the
opinion is not subject to the jurisdiction
of another U.S. Government agency. BIS
may publish on its website an advisory
opinion that may be of broad interest to
the public, with redactions where
necessary to protect Confidential
Business Information. To solicit an
advisory opinion from BIS, persons
would be required to submit a written
request to BIS by email or through a
portal that will be available on the BIS
website. BIS will not accept advisory
opinion requests submitted by mail. A
request for an advisory opinion must
contain contact information for the
submitter as well as all current
information on the prospective
transaction to assist BIS in making a
determination. This would include
technical details on the involved VCS
hardware or covered software,
information on the completed
connected vehicle (if applicable), the
SBOM and/or HBOM for the covered
software and/or VCS hardware, and any
other supporting materials that the
submitter assesses will assist BIS in
determining if the transaction may be
prohibited by this rule. Persons seeking
an advisory opinion are encouraged to
submit as much pertinent information
as possible in the initial request for an
advisory opinion, but BIS may request
more information as needed to
formulate its opinion. BIS will only
consider advisory opinion requests for
actual, not hypothetical, prospective
transactions in which all parties, as
opposed to anonymous parties, are
identified. Additionally, parties may
only rely on an advisory opinion when
engaging in a transaction if the original
Advisory Opinion request contained
complete and accurate information and
only so long as such information
remains accurate following the issuance
of the Advisory Opinion.
7. ‘‘Is-Informed’’ Notices
BIS could notify connected vehicle
manufacturers or VCS hardware
importers, either through direct letters
or through a Federal Register notice
meant to inform a broader set of
persons, that a transaction involving
certain covered software, VCS hardware,
or entities requires a specific
authorization because it would
constitute a Prohibited Transaction
according to the terms of this proposed
rule. Any person who engages in a
transaction covered by an ‘‘Is-Informed’’
notice without first receiving a Specific
Authorization from BIS would have
knowledge that such transaction is
prohibited and would therefore be in
violation of the rule. Is-Informed notices
may only be delivered by or at the
direction of the Under Secretary or a BIS
employee designated by the Under
Secretary.
8. Recordkeeping and Reporting
Requirements
BIS proposes to require connected
vehicle manufacturers and VCS
hardware importers to maintain
complete records related to any
transaction for which a Declaration of
Conformity, general authorization, or
specific authorization would be
required by this rule, for a period of ten
years. This recordkeeping requirement
applies regardless of whether the
transaction is subject to a general
authorization, specific authorization, or
whether the connected vehicle
manufacturer or VCS hardware importer
has not yet sought an authorization. BIS
would expect said records to include all
information pertinent to a general
authorization or submitted when
applying for a Specific Authorization, as
well as business records related to the
execution of the transaction, such as
contracts, import records, bills of sale,
relevant correspondence, and all other
files specified in sections 791.312 and
791.313 to assess compliance with the
rule.
All connected vehicle manufacturers
and VCS hardware importers would be
required to submit records when
requested by BIS related to any
transaction for which a Declaration of
Conformity, general authorization, or
specific authorization would be
required by this rule, whether or not
said transaction was carried out under
a general authorization, specific
authorization, or without an
authorization from BIS. As such, BIS
would be allowed to request business
records, before, during, or after the
transaction in question has taken place.
d. Enforcement
1. Penalties
IEEPA authorizes this rulemaking.
Thus, persons who violate, attempt to
violate, conspire to violate, or
knowingly cause a violation of this rule,
if finalized, may be subject to civil and/
or criminal penalties under IEEPA (50
U.S.C. 1705), depending on the
circumstances of the violation. Potential
violations of this proposed rule that
would be subject to penalties include
engaging in a prohibited transaction
without an applicable general
authorization or specific authorization,
or failure to abide by the conditions
enumerated in a specific authorization.
Willfully providing false or fictitious
information to the U.S. Government
may be subject to criminal fines,
imprisonment, or both. A civil penalty
may be imposed on any person who
violates, attempts to violate, conspires
to violate, or causes a violation of any
authorization, order, regulation, or
prohibition issued under IEEPA.
Under the Federal Civil Penalties
Inflation Adjustment Act Improvements
Act of 2015, the specific maximum civil
penalty will be adjusted by notice in the
Federal Register effective each calendar
year by the Office of the Secretary of the
Department of Commerce. At the time of
publishing of this proposed rule, the
maximum civil penalty for violations of
IEEPA is $368,136 per violation and the
maximum criminal penalty is
$1,000,000.
Under the proposed rule, should BIS
have reason to believe that a violation
has occurred and intends to issue a civil
monetary penalty, it will inform the
alleged violator through a written notice
of the intent to impose a penalty (‘‘Pre-Penalty Notice’’). BIS will generally
transmit the Pre-Penalty Notice
electronically but may additionally
issue a mailed notice. The recipient of
a Pre-Penalty Notice may respond in
writing to BIS to provide additional
information or otherwise contest the
penalty. BIS must receive this response
within 30 days of the transmission of
the original pre-penalty notice. A
response to a pre-penalty notice does
not constitute a formal appeal, but it
allows the recipient of the pre-penalty
notice to contest facts set forth by BIS
in the pre-penalty notice, provide
exculpatory evidence, or otherwise
respond to the pre-penalty notice. BIS
may seek to initiate settlement
discussions in the pre-penalty notice or
may conduct separate outreach
following transmission of the pre-penalty notice. Recipients of a pre-penalty notice may additionally request
to initiate settlement discussions in
their response to BIS or may conduct
separate outreach to do so.
Following the delivery of the pre-penalty notice and after considering any
responses from the alleged violator, BIS
will inform the alleged violator in
writing as to whether it has found that
a violation in fact occurred. Should BIS
find that a violation has indeed taken
place and no settlement has been
reached, BIS will issue a final penalty
notice to the violator specifying the
violation and determining the specific
civil monetary penalty to be imposed.
This penalty may not be appealed
following the procedures in section
791.309, but is a final agency action that
the violator may contest in the
appropriate U.S. District Court.
Should a violator fail to pay the
penalty as specified in the final penalty
notice or fail to make alternative
payment arrangements approved by BIS,
BIS may refer the matter to the
Department of Treasury for
administrative collection or to the
Department of Justice for collection via
civil suit in U.S. District Court.
2. Finding a Violation
Under the proposed rule, there may
be cases in which BIS determines that
a violation has taken place but that a
civil monetary penalty is not
appropriate. In such cases, BIS would
issue a finding of violation that
identifies the violation. The finding of
violation could also contain an
administrative response other than a
civil monetary penalty, such as an order
to cease and desist from conduct or
activities that are prohibited by the
proposed rule. Consistent with the
procedures listed above regarding a pre-penalty notice, recipients of a finding of
violation may file a response within 30
days contesting the facts of the finding
of violation and/or providing
information relevant to BIS’s
determination of whether a violation
has occurred. BIS will consider any new
information and inform the party in
writing whether a violation has or has
not occurred. A recipient that does not
respond within 30 days of receipt of the
finding of violation will be deemed to
have waived the right to respond. Any
action taken in a finding of violation
issued by BIS constitutes a final agency
action that is not subject to appeal
following the procedures in section
791.309.
3. Severability
BIS intends for the provisions of this
proposed rule, as finalized, to be
severable from each other. If a court
holds that any provision in a final 15
CFR part 791, subpart D, is invalid or
unenforceable, BIS intends that the
remaining provisions of a final 15 CFR
part 791, subpart D, as relevant, would
continue in effect to the greatest extent
possible. In addition, if a court holds
that any such provision is invalid or
unenforceable as to a particular person
or circumstance, BIS intends that the
provision would remain in effect as to
any other person or circumstance.
Depending on the circumstances and
the scope of the court’s order, BIS
believes that the remaining provisions
of a final rule likely could continue to
function sensibly independent of any
provision or application held invalid or
unenforceable. For example, the
prohibitions related to transactions
involving VCS Hardware could continue
to apply as intended, even if a court
finds that the prohibitions on
transactions involving ADS are invalid.
Similarly, the proposed rule could be
applied with respect to relevant
hardware and software designed,
developed, manufactured, or supplied
by persons owned by, controlled by, or
subject to the jurisdiction or direction of
the PRC, even if a court finds its
application with respect to relevant
hardware and software from Russian-linked persons is invalid.
e. Classification
1. Executive Order 12866
Executive Order 12866, as reaffirmed
by Executive Order 13563 and amended
by Executive Order 14094, directs
agencies to assess all costs and benefits
of available regulatory alternatives and,
if regulation is necessary, to select
regulatory approaches that maximize
net benefits (including potential
economic, environmental, public health
and safety effects, distributed impacts,
and equity). This proposed rule has
been designated a significant regulatory
action by the Office of Information and
Regulatory Affairs (OIRA) under section
3(f)(1) of Executive Order 12866, as
amended by Executive Order 14094.
2. Unfunded Mandates Reform Act of
1995
This proposed rule would not
produce a federal mandate (under the
regulatory provisions of title II of the
Unfunded Mandates Reform Act of
1995) for state, local, and tribal
governments or the private sector.
3. Executive Order 13132 (Federalism)
This proposed rule does not contain
policies having federalism implications
requiring preparations of a Federalism
Summary Impact Statement.
4. Executive Order 12630
(Governmental Actions and Interference
With Constitutionally Protected
Property Rights)
This proposed rule does not contain
policies that have takings implications.
5. Executive Order 13175 (Consultation
and Coordination With Indian Tribes)
The Department has analyzed this
proposed rule under Executive Order
13175 and has determined that the
action would not have a substantial
direct effect on one or more Indian
tribes, would not impose substantial
direct compliance costs on Indian tribal
governments, and would not preempt
tribal law.
6. National Environmental Policy Act
The Department has reviewed this
rulemaking action for the purposes of
the National Environmental Policy Act
(42 U.S.C. 4321, et seq.). It has been
determined that this proposed rule
would not have a significant impact on
the quality of the human environment.
7. Paperwork Reduction Act
The Paperwork Reduction Act of 1995
(44 U.S.C. 3501, et seq.) (PRA) provides
that an agency generally cannot conduct
or sponsor a collection of information,
and no person is required to respond
nor be subject to a penalty for failure to
comply with a collection of information
subject to the requirements of the PRA,
unless that collection has obtained OMB
approval and displays a currently valid
Office of Management and Budget
(OMB) Control Number.
This proposed rule will create new
information collection requirements,
which are subject to review and
approval by OMB under the PRA.
Specifically, this proposed rule would
require connected vehicle
manufacturers and VCS hardware
importers to submit annual Declarations
of Conformity certifying that their
import of VCS hardware and/or import
or manufacture of completed connected
vehicles does not involve hardware or
software subject to the prohibitions in
this proposed rule. Additional
requirements for the Declarations of
Conformity include supplying technical
information regarding the hardware or
software in question and providing a
Bill of Materials for applicable software,
hardware, or both.
Moreover, entities seeking specific
authorizations from BIS to engage in
otherwise prohibited transactions will
have to file information with the
Department, submissions of which are
also subject to the PRA. Applications for
a specific authorization would require,
but are not limited to, a description of
the nature of the otherwise prohibited
transaction(s). For entities that are
covered by a General Authorization, a
self-certification, without need to notify
BIS, would be required (see Section VI
of the NPRM). BIS proposes to require
connected vehicle manufacturers and
VCS hardware importers to maintain
complete records related to any
transaction for which a Declaration of
Conformity, general authorization, or
specific authorization would be
required by this rule for a period of ten
years, consistent with IEEPA’s statute of
limitations. These records would
include any transaction for which the
connected vehicle manufacturer or VCS
hardware importer has not yet sought an
authorization. BIS expects said records
to include all information submitted in
applications, as well as business records
related to the execution of any ICTS
transaction subject to the rule, such as
contracts, import records, bills of sale,
and all other files BIS may deem
pertinent in assessing compliance with
this proposed rule. Lastly, entities
seeking an advisory opinion from BIS
would have to file information with the
Department, though this is an optional
process for parties looking for additional
clarity on proposed transactions. BIS
anticipates that this collection would be
largely similar to its program in
administering 15 CFR 748.3, as it would
require similar information and the
process for submission is analogous. BIS
seeks comment on how many entities
would request an advisory opinion in
order to better understand the
associated costs.
BIS estimates that the initial burden
placed on applicable entities would be
180 to 240 hours. This estimate takes
into account the one-time initial cost (in
hours) per entity to comply with the
rule, including reading and
understanding the rule’s provisions.
Every subsequent year, BIS anticipates
that the total annual cost burden (in
hours) for applicable entities to
implement the rule would be 100 to 500
hours.
BIS assesses that there are 42 to 281
entities potentially impacted by the
proposed rule and that the initial cost
burden for these entities is between
$30,964 and $38,554. This estimate
takes into account the one-time initial
cost per entity to comply with the rule,
including reading and understanding
the rule’s provisions. Every subsequent
year, BIS anticipates that the total
annual cost burden for applicable
entities to implement the rule will be
$16,133 to $80,667 a year (average of
operations manager, engineer, and
lawyer hourly salaries in Table 2 [$484/
hour/3 = $161.33] * [100 and 500
hours]). The annual cost burden placed
on impacted entities includes (but is not
limited to) producing the necessary
HBOMs and SBOMs and documenting
due diligence efforts. These hour and
cost estimates are subject to variations
among responsible entities due to
application type. Declarations of
Conformity will need to be submitted
annually at minimum, while Specific
Authorizations will need to be updated
on an as-needed basis.
The estimated annual federal salary
cost to the U.S. Government is
$1,130,000 [500 Declaration of
Conformity/Specific Authorization
notifications per year * two staff at a
GS–13 salary ($113/hour * 2 = $226/
hour) * average of 10 hours each to
review each notification]. The $113 per
staff member per hour cost estimate for
this information collection is consistent
with the GS-scale salary data for a GS–
13 Step 1 (https://www.opm.gov/policy-data-oversight/pay-leave/salaries-wages/salary-tables/pdf/2024/DCB.pdf)
multiplied by a factor of 2 to include the
cost of benefits and overhead.
The total estimated annual cost to the
U.S. Government is $1,437,982.00. The
calculation is as follows: Federal
Employee Salaries (2 full-time
employees) [$1,130,000.00] + Federal
Government Overhead @20%
[$226,000.00] + Legal Support (GS–15
Step 1 salary (multiplied by 2 to include
the cost of benefits and overhead) @
25%) [$81,982.00] = $1,437,982.00.
BIS requests comments on the
information collection and
recordkeeping requirements associated
with this proposed rule. These
comments will help BIS:
i. Evaluate whether the information
collection is necessary for the proper
performance of our agency’s functions,
including whether the information will
have practical utility;
ii. Evaluate the accuracy of our
estimate of the burden of the
information collection, including the
validity of the methodology and
assumptions used;
iii. Enhance the quality, utility, and
clarity of the information to be
collected; and
iv. Minimize the burden of the
information collection on those who are
to respond (such as through the use of
appropriate automated, electronic,
mechanical, or other technological
collection techniques or other forms of
information technology, e.g., permitting
electronic submission of responses).
8. Regulatory Flexibility Act
In compliance with Section 603 of the
Regulatory Flexibility Act (RFA), 5
U.S.C. 601–612, the Department has
prepared an initial regulatory flexibility
analysis (IRFA) for this proposed rule.
The IRFA describes the economic
impacts the proposed action may have
on small entities. The Department seeks
comments on all aspects of the IRFA.
1. A description of the reasons why
action by the agency is being
considered. Connected Vehicles contain
a growing number of connected
components. While these components
provide greater safety and convenience
through features like Wi-Fi, Bluetooth,
cellular telecommunication, and
satellite connectivity, the incorporation
of progressively complex hardware and
software systems enabling vehicle
connectivity has also increased the
attack surfaces through which malign
actors may exploit vulnerabilities to
gain access to a vehicle. ICTS integral to
Connected Vehicles present an undue or
unacceptable risk to U.S. national
security when those systems are
designed, developed, manufactured, or
supplied by persons owned by,
controlled by, or subject to the
jurisdiction or direction of the PRC or
Russia. Furthermore, the PRC and
Russia are able to leverage legal and
regulatory regimes to compel private
companies subject to their jurisdiction,
including carmakers and vehicle
suppliers, to cooperate with state
security and intelligence services.
Cooperation can include providing data,
logical access, encryption keys, and
other vital technical information, as
well as by installing backdoors or bugs
on equipment or in software updates,
ultimately making vehicle equipment
exploitable by foreign adversaries. Such
privileged access potentially enables the
PRC and Russia to exfiltrate sensitive
data collected by Connected Vehicles
through their components and allow
remote manipulation of vehicles driven
by U.S. persons.
2. A succinct statement of the
objectives of, and legal basis for, the
proposed rule. The Department is
proposing this rule pursuant to
authority under the International
Emergency Economic Powers Act
(IEEPA) (50 U.S.C. 1701, et seq.), the
National Emergencies Act (NEA) (50
U.S.C. 1601, et seq.), and Section 301 of
Title 3, United States Code, and in
accordance with E.O. 13873, ‘‘Securing
the Information and Communications
Technology and Services Supply
Chain,’’ 84 FR 22689 (May 17, 2019),
which delegated to the Secretary of
Commerce (Secretary) certain
authorities provided to the President by
IEEPA, the NEA, and Section 301 of
Title 3 of the United States Code. In
accordance with the National
Emergencies Act, the President has
declared each year since E.O. 13873 was
published that the national emergency
declared in E.O. 13873 regarding the
ICTS supply chain continues to remain
in effect.
To address identified risks to national
security from ICTS transactions, E.O.
13873 directs the Secretary (in
consultation with other agency heads
identified in E.O. 13873) to review any
ICTS transaction, defined as any
acquisition, importation, transfer,
installation, dealing in, or use of any
ICTS by any person, or with respect to
any property, subject to United States
jurisdiction, where the transaction
involves any property in which a
foreign country or national has any
interest. When the Secretary, in
consultation with the appropriate
agency heads, finds that an ICTS
transaction or class of ICTS transactions
pose undue risks (including of sabotage,
subversion, or catastrophic effects on
the security and resiliency of U.S.
critical infrastructure), or unacceptable
risks to national security or the security
and safety of U.S. persons, the Secretary
may identify the ICTS transaction as
prohibited by Section 1 of E.O. 13873 or
impose mitigation measures on the ICTS
transaction or class of ICTS transactions
reviewed. E.O. 13873 additionally
provides that the Secretary issue rules
establishing criteria by which particular
technologies or market participants may
be categorically included in or
categorically excluded from
prohibitions established pursuant to the
E.O.
3. A description of and, where
feasible, an estimate of the number of
small entities to which the proposed
rule will apply. BIS anticipates that the
entities primarily responsible for
compliance with this regulation will be
connected vehicle manufacturers and
VCS hardware importers. BIS assesses,
based on publicly available information,
that the U.S. connected vehicle market
is dominated by a small set of
manufacturers, few of which would be
considered ‘‘small entities’’ under the
Small Business Administration’s
definitions. The Small Business
Administration small business size
standard for NAICS 336110: Automobile
and Light Duty Motor Vehicle
Manufacturing and NAICS 336120:
Heavy Duty Truck Manufacturing is
1,500 employees or fewer. However, BIS
has limited data on how many of these
suppliers engage in covered software
and VCS hardware transactions, and
therefore cannot estimate how many of
these suppliers qualify as small entities.
BIS specifically seeks comments on the
number of suppliers engaged in covered
software and VCS Hardware
transactions in the United States, as
well as the percentage of those entities
that might or could qualify as small
entities.
4. A description of the projected
reporting, recordkeeping, and other
compliance requirements of the
proposed rule, including an estimate of
the classes of small entities that will be
subject to the requirement and the type
of professional skills necessary for
preparation of the report or record. As
stated above, connected vehicle
manufacturers and VCS hardware
importers will bear the majority of the
proposed rule’s compliance costs. BIS
estimates that the recordkeeping and
compliance burden placed on
responsible small entities would involve
operations managers, engineers, and
lawyers. On an annual basis, these
entities will need to, at minimum and
if applicable, submit a Declaration of
Conformity certifying that their import
of VCS hardware and/or import or
manufacture of completed connected
vehicles does not involve hardware or
software subject to the prohibitions in
this proposed rule. The Declaration of
Conformity would also include
technical information regarding the
hardware or software in question and a
Bill of Materials for applicable software,
hardware, or both.
BIS proposes to require connected
vehicle manufacturers and VCS
hardware importers to maintain
complete records related to any
transaction for which a Declaration of
Conformity, general authorization, or
specific authorization would be
required by this rule, for a period of ten
years, consistent with IEEPA’s statute of
limitations. These records would be
expected to assist BIS’s enforcement
efforts for the prohibitions in the
proposed rule. The required records
would include those related to any
transaction that is subject to a general
authorization (including records of any
entities producing fewer than 1,000
connected vehicle or VCS hardware
units in a calendar year), any
transaction that is subject to a specific
authorization, and any transaction
involving covered software or VCS
Hardware for which the connected
vehicle manufacturer or VCS hardware
importer has not yet sought an
authorization. BIS expects such records
to include all information submitted in
applications, as well as business records
related to the execution of any ICTS
transaction subject to the rule, such as
contracts, import records, bills of sale,
and all other files BIS may deem
pertinent in assessing compliance with
this proposed rule.
Because small entities could avail
themselves of a general authorization,
the maintenance of records in support of
such authorization would be the only
compliance requirement. These records
would serve as the small entities’ self-certification, which does not need to be
submitted to BIS. A general
authorization would allow the VCS
hardware importer and/or connected
vehicle manufacturer to engage in the
otherwise prohibited transaction,
without the need to notify or seek
approval from BIS. General
Authorizations would be available only
in a narrow set of circumstances in
which the conditions of the otherwise
prohibited transaction appropriately
mitigate the level of risk associated with
the particular transaction. Such
conditions would include, for example,
when VCS hardware is imported from
the PRC or Russia solely for testing
purposes, or where the completed
connected vehicle that incorporates VCS
hardware or covered software from the
PRC or Russia will not be driven on
public roads for more than 30 calendar
days per year. Those availing
themselves of a general authorization
would be required to continuously
monitor their use of the VCS hardware
or completed connected vehicles
covered by the general authorization to
ensure the authorization still applies. If
a change would render the transaction
ineligible for a general authorization,
such as a change in the vehicle’s use,
the VCS hardware importer or
connected vehicle manufacturer would
be required to apply for a specific
authorization and to cease engaging in
such transaction unless and until a
specific authorization is granted. For
example, if a completed connected
vehicle that incorporates covered
software or VCS Hardware that is
designed, developed, manufactured, or
supplied by a person owned by,
controlled by, or subject to the
jurisdiction or direction of the PRC or
Russia is no longer engaged in display,
research, or testing, the VCS hardware
importer or the connected vehicle
manufacturer would be required to seek
a specific authorization. Similarly, if the
VCS Hardware Importer or connected
vehicle manufacturer exceeds total
model year production of 1,000 units, or
if a completed connected vehicle that
incorporates covered software or VCS
hardware that is designed, developed,
manufactured, or supplied by a person
owned by, controlled by, or subject to
the jurisdiction or direction of the PRC
or Russia is to be used on public
roadways for 30 or more days in any
calendar year, the VCS hardware
importer or connected vehicle
manufacturer would be required to seek
a specific authorization from BIS.
5. An identification, to the extent
practicable, of all relevant Federal rules
that may duplicate, overlap, or conflict
with the proposed rule. This rulemaking
does not duplicate or conflict with any
Federal rules.
6. A description of any significant
alternatives to the proposed rule that
accomplish the stated objectives of
Executive Order 13984 and Executive
Order 14110 and applicable statutes
and that would minimize any
significant economic impact of the
proposed rule on small entities. The
Department has proposed what it
believes to be ‘‘the least restrictive
means necessary [by] tailor[ing] the
prohibition to address the undue or
unacceptable risk’’ (see 15 CFR part
791.109(c)) and believes that the
proposed rule will materially address
significant risks for the United States or
U.S. persons while balancing the overall
compliance costs of the rule and
minimizing the impact on small entities.
Below is a description of alternatives
considered by the Department; the
Department invites comment on these
alternatives.
No-action alternative: While the
alternative of taking no action would be
less costly for connected vehicle
manufacturers and VCS hardware
importers, the no-action alternative is
not preferred because the risks
presented by foreign adversary
involvement in the ICTS of the U.S.
connected vehicle market could lead to
catastrophic negative events for U.S.
national security, including the security
of U.S. critical infrastructure, and U.S.
persons.
More stringent alternatives: The
Department considered several more
stringent regulatory approaches,
including regulating additional
connected vehicle component systems
not included in this proposed rule. For
example, the Department considered the
risks posed by various connected
vehicle component systems, including
ADS, telematics, battery management
systems (BMS), automated driver
assistance systems (ADAS), vehicle
operating systems (OS), and satellite or
cellular telecommunication systems.
The Department currently believes the
best approach to address the risks posed
by connected vehicles and connected
vehicle components from foreign
adversary nations is to focus the scope
of the NPRM on PRC- and Russian-supplied VCS hardware (which
encompasses both telematics and
satellite or cellular telecommunication
systems) and covered software. Other
systems under consideration, such as
ADAS, seem to have a low risk of data
exfiltration or, in the case of vehicle OS,
would involve regulation that is
expected to be extremely burdensome
on industry.
Preferred alternative: The proposed
rule is the preferred alternative. BIS
assesses that the regulatory approach
outlined in this proposed rule would
have the highest net benefit for
connected vehicle manufacturers, VCS
hardware importers, and consumers.
BIS currently believes the provisions in
the proposed rule are also, for the
reasons articulated above and in the
NPRM’s preamble, ‘‘the least restrictive
means necessary. . .to address the
undue or unacceptable risk’’ presented
by covered software and VCS hardware
in connected vehicles.
List of Subjects in 15 CFR Part 791
Business and industry,
Communications, Computer technology,
Critical infrastructure, Executive orders,
Foreign persons, Investigations,
National security, Penalties,
Technology, Telecommunications.
Elizabeth L.D. Cannon,
Executive Director, Office of Information and
Communications Technology and Services,
Bureau of Industry and Security, United
States Department of Commerce.
For the reasons set out in the
preamble, 15 CFR part 791, is proposed
to be amended as follows:
PART 791—SECURING THE
INFORMATION AND
COMMUNICATIONS TECHNOLOGY
AND SERVICES SUPPLY CHAIN
■ 1. The authority citation for part
791 continues to read as follows:
Authority: 50 U.S.C. 1701 et seq.; 50 U.S.C.
1601 et seq.; E.O. 13873, 84 FR 22689; E.O.
14034, 86 FR 31423.
■ 2. Amend part 791 by adding subpart
D, consisting of § 791.300 through
§ 791.319, to read as follows:
Subpart D—ICTS Supply Chain:
Connected Vehicles
Sec.
791.300 Purpose and scope.
791.301 Definitions.
791.302 Prohibited VCS hardware
transactions.
791.303 Prohibited covered software
transactions.
791.304 Related prohibited transactions.
791.305 Declaration of Conformity.
791.306 General authorizations.
791.307 Specific authorizations.
791.308 Exemptions.
791.309 Appeals.
791.310 Advisory opinions.
791.311 ‘‘Is-Informed’’ notices.
791.312 Recordkeeping.
791.313 Reports to be furnished on
demand.
791.314 Penalties.
791.315 Pre-penalty notice; settlement.
791.316 Penalty imposition.
791.317 Administrative collection; referral
to United States Department of
Justice.
791.318 Finding of violation.
791.319 Severability.
Subpart D—ICTS Supply Chain:
Connected Vehicles
§ 791.300 Purpose and scope.
The inclusion in Connected Vehicles
of certain ICTS designed, developed,
manufactured, or supplied by persons
owned by, controlled by, or subject to
the jurisdiction or direction of certain
foreign adversaries poses undue or
unacceptable risks to U.S. national
security. To address these undue or
unacceptable risks, it is the purpose of
this subpart to:
(a) Prohibit ICTS transactions that
involve certain software and hardware
that are designed, developed,
manufactured, or supplied by persons
owned by, controlled by, or subject to
the jurisdiction or direction of the
People’s Republic of China (PRC) or the
Russian Federation (Russia), as defined
in § 791.4 and that enable connected
vehicle Automated Driving Systems or
Vehicle Connectivity Systems, as
defined in this subpart;
(b) Implement compliance
mechanisms such as Declarations of
Conformity to ensure that no Prohibited
Transactions, as defined in this subpart,
have occurred;
(c) Provide general authorizations and
a mechanism for specific authorizations
for certain transactions that are
otherwise prohibited by this subpart,
but where any undue or unacceptable
risks to national security can be
reasonably mitigated, based on defined
criteria and conditions; and
(d) Incentivize connected vehicle
manufacturers, VCS hardware
importers, and related suppliers to
adopt measures to help secure the U.S.
ICTS supply chain for connected
vehicles.
§ 791.301 Definitions.
The following definitions apply only
to this subpart, 15 CFR part 791 subpart
D. For additional definitions applicable
to all of part 791, see 15 CFR 791.2. If
a term is defined differently in this
subpart than in 15 CFR 791.2, the
definition listed in this section will
apply to this subpart.
Automated Driving System means
hardware and software that,
collectively, are capable of performing
the entire dynamic driving task for a
completed connected vehicle on a
sustained basis, regardless of whether it
is limited to a specific operational
design domain (ODD).
Completed connected vehicle means a
connected vehicle that requires no
further manufacturing operations to
perform its intended function. For the
purposes of this subpart, the integration
of an Automated Driving System into a
connected vehicle constitutes a
manufacturing operation for a
completed connected vehicle.
Connected vehicle means a vehicle
driven or drawn by mechanical power
and manufactured primarily for use on
public streets, roads, and highways, that
integrates onboard networked hardware
with automotive software systems to
communicate via dedicated short-range
communication, cellular
telecommunications connectivity,
satellite communication, or other
wireless spectrum connectivity with any
other network or device. Vehicles
operated only on a rail line are not
included in this definition.
Connected vehicle manufacturer
means a U.S. person
(1) Manufacturing or assembling
completed connected vehicles in the
United States; and/or
(2) Importing completed connected
vehicles for sale in the United States.
Covered software means the software-based components, in which there is a
foreign interest, executed by the primary
processing unit of the respective
systems that are part of an item that
supports the function of Vehicle
Connectivity Systems or Automated
Driving Systems at the vehicle level.
Covered software does not include
firmware, which is characterized as
software specifically programmed for a
hardware device with a primary
purpose of controlling, configuring, and
communicating with that hardware
device. Covered software also does not
include open-source software that can
be freely used, modified, and
distributed by anyone, with both access
to the source code and the ability to
contribute to the software’s
development and improvement unless
that open-source software has been
modified for proprietary purposes and
not redistributed or shared.
FCC ID Number means the unique
alphanumeric code identifying a
product subject to certification by the
Federal Communications Commission
composed of a:
(1) Grantee code; and
(2) Product code.
Foreign interest, for purposes of this
subpart, means any interest in property
of any nature whatsoever, whether
direct or indirect, by a non-U.S. person.
Hardware Bill of Materials (HBOM)
means a comprehensive list of parts,
assemblies, documents, drawings, and
components required to create a
physical product, including information
identifying the manufacturer, related
firmware, technical information, and
descriptive information.
Import means, in the context of this
subpart, with respect to any article, the
entry of such article into the United
States Customs Territory. It does not
include admission of an article from
outside the United States into a foreign-trade zone for storage pending further
assembly in the foreign-trade zone or
shipment to a foreign country.
Item means a component or set of
components with a specific function at
the vehicle level. A system may also be
considered an item if it implements a
function.
Knowingly means having knowledge
of a circumstance (the term may be a
variant, such as ‘‘know,’’ ‘‘reason to
know,’’ or ‘‘reason to believe’’), to
include not only positive knowledge
that the circumstance exists or is
substantially certain to occur, but also
an awareness of a high probability of its
existence or future occurrence. Such
awareness is inferred from evidence of
the conscious disregard of facts known
to a person and is also inferred from a
person’s willful avoidance of facts.
Model year means the year used to
designate a discrete vehicle model,
irrespective of the calendar year in
which the vehicle was actually
produced, provided that the production
period does not exceed 24 months.
Prohibited transactions mean,
collectively, the transactions described
in 791.302 (Prohibited VCS Hardware
Transactions), 791.303 (Prohibited
Covered Software Transactions), or
791.304 (Related Prohibited
Transactions) of this subpart.
Person owned by, controlled by, or
subject to the jurisdiction or direction of
a foreign adversary means:
(1) Any person, wherever located,
who acts as an agent, representative, or
employee, or any person who acts in
any other capacity at the order, request,
or under the direction or control, of a
foreign adversary or of a person whose
activities are directly or indirectly
supervised, directed, controlled,
financed, or subsidized in whole or in
majority part by a foreign adversary;
(2) Any person, wherever located,
who is a citizen or resident of a foreign
adversary or a country controlled by a
foreign adversary, and is not a United
States citizen or permanent resident of
the United States;
(3) Any corporation, partnership,
association, or other organization with a
principal place of business in,
headquartered in, incorporated in, or
otherwise organized under the laws of a
foreign adversary or a country
controlled by a foreign adversary; or
(4) Any corporation, partnership,
association, or other organization,
wherever organized or doing business,
that is owned or controlled by a foreign
adversary, to include circumstances in
which any person identified in
paragraphs (a) through (c) possesses the
power, direct or indirect, whether or not
exercised, through the ownership of a
majority or a dominant minority of the
total outstanding voting interest in an
entity, board representation, proxy
voting, a special share, contractual
arrangements, formal or informal
arrangements to act in concert, or other
means, to determine, direct, or decide
important matters affecting an entity.
Sale means, in the context of this
subpart, distributing for purchase, lease,
or other commercial operations a new
completed connected vehicle for a price,
to include the transfer of completed
connected vehicles from a connected
vehicle manufacturer to a dealer or
distributor, as those terms are defined in
49 U.S.C. 30102. This definition also
applies to the related terms such as Sell
or Selling.
Software Bill of Materials (SBOM)
means a formal and dynamic, machine-readable inventory detailing the
software supply chain relationships
between software components and
subcomponents, including software
dependencies, hierarchical
relationships, and baseline software
attributes, including author’s name,
timestamp, supplier name, component
name, version string, component hash,
package URL, unique identifier, and
dependency relationships to other
software components.
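The SBOM definition above enumerates the baseline attributes a submitted inventory must carry. As an added illustration (example code, not text or tooling from this NPRM or from BIS), the following Python checks a constructed SBOM for each of those attributes, flags dependency relationships that point to components absent from the inventory, and verifies each recorded component hash against the shipped artifact bytes. The JSON layout, field names, component identifiers, and artifact contents are all assumptions constructed for the example; a real SBOM would be SPDX or CycloneDX and need a format-specific loader in place of the direct JSON read.

```python
"""Baseline-attribute check for an SBOM, following the attribute list in the
"Software Bill of Materials (SBOM)" definition of proposed 15 CFR 791.301.

Added example, not part of the NPRM or any BIS tooling. The JSON layout is a
minimal format assumed for the example; the inventory and artifact bytes are
constructed sample data.
"""
import hashlib
import json

# Baseline attributes enumerated in the 791.301 definition, keyed by the
# field name the assumed JSON format uses for each (assumption).
BASELINE_ATTRIBUTES = {
    "author": "author's name",
    "timestamp": "timestamp",
    "supplier": "supplier name",
    "name": "component name",
    "version": "version string",
    "hash": "component hash",
    "purl": "package URL",
    "id": "unique identifier",
    "dependencies": "dependency relationships",
}

# Constructed bytes standing in for the artifacts actually shipped.
ARTIFACTS = {
    "c-1": b"telematics-app v4.2.0",
    "c-2": b"tls-lib v1.9.3",
    "c-3": b"json-lib v2.0.1 (vendored, modified)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample SBOM. c-3 deliberately omits supplier and purl and
# records a hash for an unmodified copy, while c-2 depends on an id (c-9)
# that the inventory never lists.
SAMPLE_SBOM = json.dumps({
    "components": [
        {"id": "c-1", "name": "telematics-app", "version": "4.2.0",
         "author": "Example OEM Build Team", "supplier": "Example OEM",
         "timestamp": "2024-09-01T00:00:00Z",
         "purl": "pkg:generic/telematics-app@4.2.0",
         "hash": sha256_hex(ARTIFACTS["c-1"]),
         "dependencies": ["c-2", "c-3"]},
        {"id": "c-2", "name": "tls-lib", "version": "1.9.3",
         "author": "tls-lib maintainers", "supplier": "Example Tier-1",
         "timestamp": "2024-08-15T00:00:00Z",
         "purl": "pkg:generic/tls-lib@1.9.3",
         "hash": sha256_hex(ARTIFACTS["c-2"]),
         "dependencies": ["c-9"]},
        {"id": "c-3", "name": "json-lib", "version": "2.0.1",
         "author": "json-lib maintainers",
         "timestamp": "2024-07-30T00:00:00Z",
         "hash": sha256_hex(b"json-lib v2.0.1"),
         "dependencies": []},
    ]
})


def check_sbom(sbom_json: str, artifacts: dict) -> dict:
    """Return findings: baseline attributes missing per component, dependency
    references that leave the inventory, and components whose recorded hash
    does not match the artifact bytes supplied for them."""
    components = {c.get("id"): c for c in json.loads(sbom_json)["components"]}
    findings = {"missing": {}, "dangling": {}, "hash_mismatch": []}
    for cid, comp in components.items():
        missing = [label for key, label in BASELINE_ATTRIBUTES.items()
                   if key not in comp or comp[key] in ("", None)]
        if missing:
            findings["missing"][cid] = missing
        dangling = [d for d in comp.get("dependencies", []) if d not in components]
        if dangling:
            findings["dangling"][cid] = dangling
        if cid in artifacts and comp.get("hash") != sha256_hex(artifacts[cid]):
            findings["hash_mismatch"].append(cid)
    return findings


def transitive_dependencies(sbom_json: str, root: str) -> list:
    """Every component reachable from `root` through the SBOM's dependency
    relationships, i.e. the full set that due diligence has to cover.
    Ids missing from the inventory are kept in the result so a gap is
    visible instead of silently dropped."""
    components = {c["id"]: c for c in json.loads(sbom_json)["components"]}
    seen, stack = [], [root]
    while stack:
        cid = stack.pop()
        if cid in seen:
            continue
        seen.append(cid)
        stack.extend(components.get(cid, {}).get("dependencies", []))
    return sorted(seen)


if __name__ == "__main__":
    print(json.dumps(check_sbom(SAMPLE_SBOM, ARTIFACTS), indent=2))
    print(transitive_dependencies(SAMPLE_SBOM, "c-1"))
```

Run against the constructed sample, the checker reports c-3 as missing its supplier name and package URL, c-2 as depending on an id outside the inventory, and c-3 as having a hash that does not match the vendored, modified artifact; the transitive closure from c-1 includes the unknown c-9, which is exactly the kind of gap a Declaration of Conformity's due diligence documentation would have to account for.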
Vehicle Connectivity System (VCS)
means a hardware or software item for
a completed connected vehicle that has
the function of enabling the
transmission, receipt, conversion, or
processing of radio frequency
communications at a frequency over 450
megahertz.
VCS hardware means the following
software-enabled or programmable
components and subcomponents that
support the function of Vehicle
Connectivity Systems or are part of an
item that supports the function of
Vehicle Connectivity Systems:
microcontroller, microcomputers or
modules, systems on a chip, networking
or telematics units, cellular modem/
modules, Wi-Fi microcontrollers or
modules, Bluetooth microcontrollers or
modules, satellite navigation systems,
satellite communication systems, other
wireless communication
microcontrollers or modules, and
external antennas. VCS hardware does
not include component parts that do not
contribute to the communication
function of VCS hardware (e.g.,
brackets, fasteners, plastics, and passive
electronics).
VCS hardware importer means a U.S.
person importing VCS hardware for
further manufacturing, integration,
resale, or distribution. A connected
vehicle manufacturer may be a VCS
hardware importer if VCS hardware has
already been installed in a connected
vehicle when imported by the
connected vehicle manufacturer.
United States means the United States
of America, the States of the United
States, the District of Columbia, and any
commonwealth, territory, dependency,
or possession of the United States, or
any subdivision thereof, and the
territorial sea of the United States.
§ 791.302 Prohibited VCS hardware
transactions.
(a) VCS hardware importers are
prohibited from knowingly importing
VCS hardware that is designed,
developed, manufactured, or supplied
by persons owned by, controlled by, or
subject to the jurisdiction or direction of
the PRC or Russia.
(b) In the context of this subpart, VCS
hardware will not be considered to be
designed, developed, manufactured, or
supplied by persons owned by,
controlled by, or subject to the
jurisdiction or direction of the PRC or
Russia, solely based on the country of
citizenship of natural persons who are
employed, contracted, or otherwise
similarly engaged to participate in the
design, development, manufacture, or
supply of the VCS hardware.
§ 791.303 Prohibited covered software
transactions.
(a) Connected vehicle manufacturers
are prohibited from knowingly
importing into the United States
completed connected vehicles that
incorporate covered software, designed,
developed, manufactured, or supplied
by persons owned by, controlled by, or
subject to the jurisdiction or direction of
the PRC or Russia.
(b) Connected vehicle manufacturers
are prohibited from knowingly selling in
the United States completed connected
vehicles that incorporate covered
software, designed, developed,
manufactured, or supplied by persons
owned by, controlled by, or subject to
the jurisdiction or direction of the PRC
or Russia.
(c) In the context of this subpart,
covered software will not be considered
to be designed, developed,
manufactured, or supplied by persons
owned by, controlled by, or subject to
the jurisdiction or direction of the PRC
or Russia, solely based on the country
of citizenship of natural persons who
are employed, contracted, or otherwise
similarly engaged to participate in the
design, development, manufacture, or
supply of the Covered Software.
§ 791.304 Related prohibited transactions.
Connected vehicle manufacturers who
are persons owned by, controlled by, or
subject to the jurisdiction or direction of
the PRC or Russia, are prohibited from
knowingly selling in the United States
completed connected vehicles that
incorporate VCS hardware or covered
software.
§ 791.305 Declaration of Conformity.
(a) Requirements—(1) Import of VCS
hardware: A VCS hardware importer
may not import VCS hardware as part
of a transaction that is not otherwise
prohibited by this subpart without first
submitting to the Bureau of Industry
and Security (BIS) a Declaration of
Conformity, unless otherwise specified
by this subpart. The Declaration of
Conformity shall include:
(i) The name and address of VCS
hardware importer;
(ii) A certification that the declarant
has not knowingly engaged in a
prohibited VCS hardware transaction;
(iii) The FCC ID Number associated
with the VCS hardware and, if
applicable, of the subcomponents
contained therein;
(iv) A list of third-party external
endpoints to which the VCS hardware
connects, including the country where
each endpoint is located and/or the
identity and location of the service
provider;
(v) If known, the make, model, and
trim of the completed connected
vehicles for which the VCS hardware is
intended;
(vi) A HBOM for the VCS hardware
that is the subject of the Declaration of
Conformity;
(vii) Documentation of the VCS
hardware importer’s due diligence
efforts, to include independent or hired
third-party research, to ensure the VCS
hardware listed in the HBOM is not
designed, developed, manufactured, or
supplied by persons owned by,
controlled by, or subject to the
jurisdiction or direction of the PRC or
Russia;
(viii) If applicable, an indication of
whether the submission is an update to
a prior Declaration of Conformity and
the date of the last submission;
(ix) Identifying information for an
individual point of contact (including
name, email address, and phone
number); and,
(x) Any additional material
information the VCS hardware importer
would like to submit.
(2) Import of completed connected
vehicles: A connected vehicle
manufacturer may not import completed
connected vehicles containing covered
software as part of a transaction that is
not otherwise prohibited by this subpart
without first submitting to BIS a
Declaration of Conformity, unless
otherwise specified by this subpart. The
Declaration of Conformity shall include:
(i) The name and address of the
connected vehicle manufacturer;
(ii) A certification that the declarant
has not knowingly engaged in a
prohibited covered software transaction;
(iii) The make, model, trim, and
Vehicle Identification Number (VIN)
series applicable to the completed
connected vehicles;
(iv) A SBOM for the covered software
that is the subject of the Declaration of
Conformity. At a minimum, the SBOM
must include author’s name, timestamp,
supplier name, component name,
version string, component hash, package
URL, unique identifier, and dependency
relationships to other software
components.
(v) Documentation of the connected
vehicle manufacturer’s due diligence
efforts, to include independent or hired
third-party research, to ensure that the
covered software listed in the SBOM is
not designed, developed, manufactured,
or supplied by persons owned by,
controlled by, or subject to the
jurisdiction or direction of the PRC or
Russia;
(vi) If applicable, an indication of
whether the submission is an update to
a prior Declaration of Conformity and
the date of the last submission;
(vii) Identifying information for an
individual point of contact (including
name, email address, and phone
number); and
(viii) Any additional material
information the connected vehicle
manufacturer would like to submit.
(3) Sale of completed connected
vehicles manufactured in the United
States: Connected vehicle
manufacturers that manufacture or
assemble completed connected vehicles
in the United States that incorporate
covered software as part of a transaction
that is not otherwise prohibited by this
subpart, may not sell completed
connected vehicles in the United States
without first submitting to BIS a
Declaration of Conformity, unless
otherwise specified by this subpart. If
there is no foreign interest in the
covered software that is incorporated in
completed connected vehicles
manufactured or assembled in the
United States, the connected vehicle
manufacturer need not submit a
Declaration of Conformity. If submitting
a Declaration of Conformity, it shall
include:
(i) The name and address of the
connected vehicle manufacturer;
(ii) A certification that there is a
foreign interest in the covered software
that is incorporated in the completed
connected vehicles that will be sold in
the United States;
(iii) A certification that the declarant
has not knowingly engaged in a
prohibited covered software
transaction;
(iv) The make, model, trim, and VIN
series applicable to the completed
connected vehicles;
(v) A SBOM for the covered software
that is the subject of the Declaration of
Conformity. At a minimum, the SBOM
must include author’s name, timestamp,
supplier name, component name,
version string, component hash, package
URL, unique identifier, and dependency
relationships to other software
components.
(vi) Documentation of the connected
vehicle manufacturer’s due diligence
efforts, to include independent or hired
third-party research, to ensure the
covered software listed in the SBOM is
not designed, developed, manufactured,
or supplied by persons owned by,
controlled by, or subject to the
jurisdiction or direction of the PRC or
Russia;
(vii) If applicable, an indication of
whether the submission is an update to
a prior Declaration of Conformity and
the date of the last submission;
(viii) Identifying information for an
individual point of contact (including
name, email address, and phone
number); and
(ix) Any additional material
information the connected vehicle
manufacturer would like to submit.
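The SBOM minimum elements in paragraphs (a)(2)(iv) and (a)(3)(v) above are, in effect, a schema that a manufacturer's SBOM tooling has to satisfy before a Declaration of Conformity is filed. The check below is an added editorial example, not part of the proposed rule and not BIS or any manufacturer's tooling. The rule names no SBOM format; the mapping of each required element to a CycloneDX 1.5 JSON field, the sample SBOM, and the component and supplier names are constructed assumptions for illustration. Beyond confirming presence of each element, it checks that the declared dependency relationships are internally consistent: every ref resolves to a listed component and no listed component is missing from the graph, which a field-by-field presence check alone would not catch.

```python
"""Check a CycloneDX JSON SBOM for the minimum elements in proposed
15 CFR 791.305(a)(2)(iv) and (a)(3)(v).

Editorial example, not part of the proposed rule. The rule prescribes
no SBOM format; the CycloneDX 1.5 field mapping below is an assumption.
"""
import json
from typing import Callable, Dict, List

# Assumed mapping of each rule element to a CycloneDX component field.
# "author's name" and "timestamp" live under metadata and are checked
# separately; "dependency relationships" are checked against the graph.
COMPONENT_FIELDS: Dict[str, Callable[[dict], object]] = {
    "supplier name": lambda c: (c.get("supplier") or {}).get("name"),
    "component name": lambda c: c.get("name"),
    "version string": lambda c: c.get("version"),
    "component hash": lambda c: [h for h in c.get("hashes", []) if h.get("content")] or None,
    "package URL": lambda c: c.get("purl"),
    "unique identifier": lambda c: c.get("bom-ref"),
}


def check_sbom(doc: dict) -> List[str]:
    """Return findings; an empty list means every minimum element is present
    and the dependency graph is consistent with the component list."""
    findings: List[str] = []
    meta = doc.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata: missing timestamp")
    if not any(a.get("name") for a in meta.get("authors") or []):
        findings.append("metadata: missing author's name")

    components = doc.get("components", [])
    if not components:
        findings.append("components: none listed")

    # The product described by the SBOM (metadata.component) is the usual root
    # of the dependency graph, so its ref counts as a known identifier.
    refs = set()
    root = meta.get("component") or {}
    if root.get("bom-ref"):
        refs.add(root["bom-ref"])

    for i, comp in enumerate(components):
        label = comp.get("bom-ref") or comp.get("name") or f"#{i}"
        for element, getter in COMPONENT_FIELDS.items():
            if not getter(comp):
                findings.append(f"component {label}: missing {element}")
        ref = comp.get("bom-ref")
        if ref:
            if ref in refs:
                findings.append(f"component {label}: duplicate unique identifier")
            refs.add(ref)

    # Dependency relationships: every ref and dependsOn target must resolve to
    # a listed component, and every listed component must appear in the graph.
    deps = doc.get("dependencies", [])
    if not deps:
        findings.append("dependencies: no dependency relationships declared")
    seen_in_graph = set()
    for d in deps:
        ref = d.get("ref")
        seen_in_graph.add(ref)
        if ref not in refs:
            findings.append(f"dependencies: ref {ref!r} does not match any component")
        for target in d.get("dependsOn", []):
            seen_in_graph.add(target)
            if target not in refs:
                findings.append(f"dependencies: {ref!r} dependsOn unknown ref {target!r}")
    for ref in sorted(refs - seen_in_graph):
        findings.append(f"dependencies: component {ref!r} absent from dependency graph")
    return findings


def check_sbom_json(text: str) -> List[str]:
    """Same check, starting from the serialized JSON document."""
    return check_sbom(json.loads(text))


# Constructed sample SBOM (fictional product, suppliers and components).
# The second component lacks a supplier, hash and purl, and the root depends
# on "ota-agent", which is not listed, so four findings are expected.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-09-01T12:00:00Z",
        "authors": [{"name": "Example TCU Vendor SBOM team"}],
        "component": {"type": "firmware", "bom-ref": "tcu-fw",
                      "name": "tcu-firmware", "version": "4.2.0"},
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:generic/libmqtt@1.6.1",
         "supplier": {"name": "Example Supplier A"},
         "name": "libmqtt", "version": "1.6.1",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}],
         "purl": "pkg:generic/libmqtt@1.6.1"},
        {"type": "library", "bom-ref": "tls-stack",
         "name": "tls-stack", "version": "3.0.1"},
    ],
    "dependencies": [
        {"ref": "tcu-fw",
         "dependsOn": ["pkg:generic/libmqtt@1.6.1", "tls-stack", "ota-agent"]},
    ],
}
SAMPLE_SBOM_JSON = json.dumps(SAMPLE_SBOM)

if __name__ == "__main__":
    for finding in check_sbom_json(SAMPLE_SBOM_JSON):
        print(finding)
```

Run against a real CycloneDX export, a non-empty result means the SBOM is not yet fit to attach to a Declaration; the dependency-graph checks are the ones most often failed by tooling that emits a flat component list with no `dependencies` section.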
(b) Procedures to submit Declarations
of Conformity. Connected vehicle
manufacturers and VCS hardware
importers shall submit Declarations of
Conformity annually as specified in this
section and any time there is a material
change that makes a prior Declaration of
Conformity or associated HBOM or
SBOM no longer accurate.
(1) Connected Vehicles Manufacturers
seeking to import or manufacture for
Sale in the United States a completed
connected vehicle containing covered
software shall submit a Declaration of
Conformity 60 days prior to the first
import or first sale of each model year
of completed connected vehicles,
grouped by make, model, and trim.
(2) VCS hardware importers seeking
to import any VCS hardware shall
submit a Declaration of Conformity 60
days prior to the first import of VCS
hardware for each model year for units
associated with a vehicle model year, or
calendar year for units not associated
with a vehicle model year. VCS
hardware importers may submit a single
Declaration of Conformity detailing all
VCS hardware models that will be
imported in the model year or calendar
year.
(3) Entities that are both connected
vehicle manufacturers and VCS
hardware importers may, but are not
required to, submit a single compiled
Declaration of Conformity detailing all
required information specified in
§ 791.305 of this subpart. Any compiled
Declaration of Conformity shall be
submitted 60 days prior to the first
import or first sale of the model year of
completed connected vehicles or 60
days prior to the first import of VCS
hardware, whichever occurs first.
(4) Declarants must notify BIS of any
material change in the contents of a
previously submitted Declaration of
Conformity by submitting a revised
Declaration of Conformity within 30
days following any such changes.
(c) Declarations of Conformity must
be delivered to BIS using an official
electronic reporting option as specified
by BIS on its website (https://
www.bis.gov).
(d) Connected vehicle introduced by
means of a fraudulent or false
declaration. Any person who engages in
a prohibited VCS hardware transaction
or a prohibited covered software
transaction and submits a false or
fraudulent Declaration of Conformity
made without reasonable cause to
believe the truth of the declaration may
incur penalties as defined in § 791.314.
§ 791.306 General authorizations.
(a) VCS hardware importers and
connected vehicle manufacturers may
qualify for a general authorization if
they meet the stated requirements or
conditions to engage in otherwise
prohibited transactions. Persons
availing themselves of any general
authorization are required to maintain
records documenting each otherwise
prohibited transaction for a period of 10
years as specified in § 791.312.
(b) General course of procedure. VCS
hardware importers and connected
vehicle manufacturers may self-certify,
without need to notify BIS, that they
meet the requirements for one or more
of the following general authorizations:
(1) The connected vehicle
manufacturer or VCS hardware importer
engaging in an otherwise prohibited
transaction, together with entities under
common control, including parents, has
a total model year production of
completed connected vehicles containing
covered software, or a total model year
production of VCS hardware, of fewer
than 1,000 units;
(2) The completed connected vehicle
that incorporates covered software or
VCS hardware will be used on public
roadways on fewer than 30 calendar
days in any calendar year;
(3) The completed connected vehicle
that incorporates covered software or
the VCS hardware will be used solely
for the purpose of display, testing, or
research, and will not be used on public
roadways; or
(4) The completed connected vehicle
that incorporates covered software or
the VCS hardware is imported solely for
purposes of repair, alteration, or
competition off public roads and will be
reexported within one year from the
time of import.
(c) Change in use. In the event of any
change in the use of a completed
connected vehicle or VCS hardware
associated with a general authorization,
a VCS hardware importer or connected
vehicle manufacturer availing itself of a
general authorization must determine if
it still qualifies for the general
authorization or if it must apply for a
specific authorization.
(d) Inspection. VCS hardware
importers and connected vehicle
manufacturers availing themselves of a
general authorization are subject to
audit and inspection by BIS.
(e) Restrictions. VCS hardware
importers and connected vehicle
manufacturers shall not avail
themselves of any general authorization
if any one or more of the following
apply:
(1) BIS has notified the VCS hardware
importer or connected vehicle
manufacturer that it is not eligible for a
general authorization.
(2) The VCS hardware importer or
connected vehicle manufacturer is a
person owned by, controlled by, or
subject to the jurisdiction or direction of
the PRC or Russia.
§ 791.307 Specific authorizations.
(a) BIS may provide specific
authorizations permitting a VCS
hardware importer or connected vehicle
manufacturer to engage in otherwise
prohibited transactions. Persons
receiving a specific authorization are
required to maintain records for a
period of 10 years as required in
§ 791.312 and submit reports and
statements in accordance with the
instructions specified in each specific
authorization.
(b) General course of procedure.
Prohibited transactions subject to this
subpart, and that are not otherwise
permitted under an exemption or a
general authorization, may be permitted
under a specific authorization. It is the
policy of BIS not to grant applications
for specific authorizations for
transactions that are permitted by a
general authorization.
(c) Applications for specific
authorizations. Applications for specific
authorizations shall include, at a
minimum, a description of the nature of
the otherwise prohibited transaction(s),
including the following:
(1) The identity of the parties engaged
in the transaction, including relevant
corporate identifiers and information
sufficient to identify the ultimate
beneficial ownership of the transacting
parties;
(2) An overview of the VCS hardware
or covered software that is designed,
developed, manufactured, or supplied
by a person owned by, controlled by, or
subject to the jurisdiction or direction of
the PRC or Russia;
(3) If known, the make, model, and
trim of the completed connected vehicle
in which the VCS hardware or covered
software will be integrated;
(4) The intended function of the VCS
hardware or covered software;
(5) Documentation to support the
information contained in the
application, including ISO/SAE 21434
Threat Analysis and Risk Assessments,
to include an assessment on the
applicant’s ability to limit PRC or
Russian government access to, or
influence over the design, development,
manufacture or supply of the VCS
hardware or covered software; security
standards used by the applicant with
respect to the VCS hardware or covered
software; other actions and proposals,
such as technical controls (e.g., software
validation) or operational controls (e.g.,
physical and logical access monitoring
procedures), that the applicant intends to
take to mitigate undue or unacceptable
risk; and
(6) Any other information that BIS
may request after receipt of the initial
application for a specific authorization.
(d) Application submission
procedures. A VCS hardware importer
or connected vehicle manufacturer who
seeks to engage in an otherwise
prohibited transaction must submit an
application for specific authorization in
writing prior to engaging in the
transaction and await a decision from
BIS prior to engaging in the transaction.
This application must be delivered to
BIS using an official electronic reporting
option as specified by BIS on its website
(https://www.bis.gov).
(e) Additional conditions. Only one
application for a specific authorization
should be submitted to BIS for each
otherwise prohibited transaction;
multiple parties submitting an
application for a specific authorization
for the same transaction may result in
processing delays.
(f) Information to be supplied. An
applicant may be required to furnish
additional information as BIS deems
necessary to assist in making a decision.
The applicant may present additional
information concerning an application
for a specific authorization at any time
before BIS makes its decision with
respect to the application.
(g) Review and decisions. BIS will
review applications for specific
authorization on a case-by-case basis
and determine conditions to be applied
to each specific authorization as may be
needed to mitigate any risk that arises
as a result of the otherwise prohibited
transaction. Such review may include
an evaluation of the risks and potential
mitigation measures proposed by the
applicant for the particular transaction,
including, but not limited to, risks of
data exfiltration from, and remote
manipulation or operation of, the
connected vehicle; the extent and nature
of foreign adversary involvement in the
design, development, manufacture, or
supply of the VCS hardware or covered
software; the applicant’s ability to limit
PRC or Russian government access to, or
influence over the design, development,
manufacture or supply of the VCS
hardware or covered software; security
standards used by the applicant and if
such standards can be validated by BIS
or a third-party; other actions and
proposals the applicant intends to take
to mitigate undue or unacceptable risk.
BIS will advise each applicant of the
decision respecting the filed
application.
(h) Processing period. BIS shall
respond to any application for a specific
authorization with a status update and
a request for additional information or
documents, if any, within 90 days after
receipt of the application.
(i) Scope. (1) Unless otherwise
specified in the authorization, a specific
authorization permits the transaction
only:
(i) Between the parties identified in
the specific authorization;
(ii) With respect to the otherwise
prohibited transaction(s) described in
the authorization; and
(iii) If the conditions specified in the
specific authorization are satisfied. The
applicant must inform any other parties
identified in the specific authorization
of the authorization’s scope and specific
conditions.
(2) Any specific authorization
obtained based on a false or misleading
representation in the application or in
any document submitted in connection
with the application under this section
shall be deemed void as of the date of
issuance, and the applicant may incur
penalties as specified in § 791.314.
(3) As a condition for the issuance of
any specific authorization, the applicant
may be required to file reports with
respect to the otherwise prohibited
transactions authorized by the specific
authorization in such form and at such
times and places as may be prescribed
in the specific authorization or
otherwise communicated to the
applicant by BIS. Reports should be sent
in accordance with the instructions
provided in the applicable specific
authorization.
(j) Effect of denial. BIS’s denial of a
specific authorization may be appealed
as described in § 791.309 and does not
preclude parties from filing an
application for a specific authorization
for a separate otherwise prohibited
transaction. The applicant may at any
time request, by written
correspondence, reconsideration of the
denial of an application based on new
material facts or changed circumstances.
(k) Effect of specific authorization. (1)
No specific authorization issued under
this subpart, or otherwise issued by BIS,
permits or validates any prohibited
transaction effected prior to the issuance
of such specific authorization unless
specifically provided for in the specific
authorization.
(2) No regulation, ruling, instruction,
or authorization permits any prohibited
transaction under this subpart unless
the regulation, ruling, instruction or
authorization is issued by BIS and
specifically refers to this subpart. No
regulation, ruling, instruction, or
authorization referring to this subpart
shall be deemed to permit any
transaction prohibited by any
provision of this subpart unless the
regulation, ruling, instruction, or
authorization specifically refers to such
provision. Any specific authorization
permitting any otherwise prohibited
transaction has the effect of removing
those prohibitions from the transaction,
but only to the extent specifically stated
by the terms of the specific
authorization. Unless the specific
authorization otherwise specifies, such
an authorization does not create any
right, duty, obligation, claim, or interest
in, or with respect to, any property that
would not otherwise exist under
ordinary principles of law.
(3) Nothing contained in this subpart
shall be construed to supersede the
requirements established under any
other provision of law or to relieve a
person from any requirement to obtain
an authorization from another
department or agency of the U.S.
Government in compliance with
applicable laws and regulations subject
to the jurisdiction of that department or
agency.
(l) Amendment, modification, or
rescission. Except as otherwise provided
by law, any specific authorization or
instructions issued thereunder may be
amended, modified, or rescinded by BIS
at any time.
§ 791.308 Exemptions.
(a) VCS hardware importers may
engage in prohibited transactions
described in § 791.302 without an
authorization as required under
§§ 791.306 and 791.307, and are exempt
from submitting Declarations of
Conformity with respect to all other
transactions, as described in § 791.305
provided that:
(1) For VCS hardware units not
associated with a vehicle model year,
the import of the VCS hardware occurs
prior to January 1, 2029; or
(2) The VCS hardware is associated
with a vehicle model year prior to 2030
or the VCS hardware is imported as part
of a connected vehicle with a model
year prior to 2030.
(b) Connected vehicle manufacturers
may engage in prohibited transactions
described in § 791.303 without
authorization as required under
§§ 791.306 or 791.307 and are exempt
from submitting Declarations of
Conformity with respect to all other
transactions, as described in § 791.305,
provided that the completed connected
vehicle that incorporates covered
software described in § 791.303(a)(1)
was manufactured prior to model year
2027.
(c) Connected vehicle manufacturers
who are owned by, controlled by, or
subject to the jurisdiction or direction of
the PRC or Russia may engage in
prohibited transactions described in
§ 791.304 without authorization
as required under §§ 791.306 or 791.307,
and are exempt from submitting
Declarations of Conformity to all other
transactions, provided that the
completed connected vehicle that
incorporates VCS hardware and/or
covered software was manufactured
prior to model year 2027.
§ 791.309 Appeals.
(a) Scope. Any person directly and
adversely affected by any of the listed
administrative actions taken by BIS
pursuant to this subpart may appeal to
the Under Secretary for reconsideration
of that administrative action. Only the
following types of administrative
actions are subject to the appeals
procedures described in this subpart:
(1) Denial of an application for
specific authorization;
(2) Suspension or revocation of an
issued specific authorization; or
(3) Determination of ineligibility for a
general authorization.
(b) Designated appeals reviewer and
coordinator. The Under Secretary may
delegate to the Deputy Under Secretary
of Commerce for Industry and Security
or to another BIS official the authority
to review and decide the appeal, and to
exercise any other function of the Under
Secretary under this section. In
addition, the Under Secretary may
designate any employee of BIS to be an
appeals coordinator to assist in the
review and processing of an appeal
under this subpart.
(c) Appeals procedures. An appeal
under this subpart must be submitted to
the Under Secretary by email or at the
following address: Bureau of Industry
and Security, U.S. Department of
Commerce, Room 3898, 14th Street and
Pennsylvania Avenue NW, Washington,
DC 20230 not later than 45 days after
the date appearing on the written notice
of administrative action. The appeal
must include a full written statement in
support of the appellant’s position. The
appeal must include a precise statement
of the reasons that the appellant
believes that the administrative action
has a direct and adverse effect and
should be reversed or modified. The
Under Secretary or the designated
official may request additional
information that would be helpful in
resolving the appeal and may accept
additional submissions. The Under
Secretary or the designated official will
not ordinarily accept any submission
filed sua sponte more than 30 days after
the filing of the appeal.
(d) Request for informal hearing. In
addition to the written statement
submitted in support of an appeal, an
appellant may request, in writing, at the
time an appeal is filed, an opportunity
for an informal hearing. A hearing is not
required, and the Under Secretary or the
designated official may grant or deny a
request for an informal hearing at the
Under Secretary or the designated
official’s sole discretion. Any hearings
will be held in the District of Columbia
unless the Under Secretary or the
designated official determines, based
upon good cause shown, that another
location would be preferable.
(e) Informal hearing procedures. If a
hearing request is granted, the Under
Secretary or the designated official may
provide an opportunity for the appellant
to make an oral presentation at an
informal hearing based on the materials
previously submitted by the appellant
or made available by the Department.
The Under Secretary or the designated
official may require that any facts in
controversy be covered by an affidavit
or testimony given under oath or
affirmation. The rules of evidence
prevailing in courts of law do not apply,
and all evidentiary material deemed by
the Under Secretary or the designated
official to be relevant and material to the
proceeding, and not unduly repetitious,
will be received and considered. The
Under Secretary or the designated
official has the authority to limit the
number of people attending the hearing,
to impose any time or other limitations
deemed reasonable, and to determine all
procedural questions. A transcript of an
informal hearing shall not be made,
unless the Under Secretary or the
designated official determines that the
national interest or other good cause
warrants it, or the appellant requests a
transcript. If the appellant requests, and
the Under Secretary or the designated
official approves the taking of, a
transcript, the appellant will be
responsible for paying all expenses
related to production of the transcript.
Any person designated by the Under
Secretary to conduct an informal
hearing shall submit a written report
containing a summary of the hearing
and recommended action to the Under
Secretary.
(f) Decisions. In addition to the
documents specifically submitted in
connection with the appeal, the Under
Secretary or the designated official may
consider any recommendations, reports,
or other relevant documents available to
BIS in determining the appeal, but shall
not be bound by any such information,
nor prevented from considering any
other relevant information, or
consulting with any other person or
groups, in making a decision. The
Under Secretary or the designated
official may adopt any other procedures
deemed necessary and reasonable for
considering an appeal, including by
providing the appellant with an interim
or proposed decision and offering the
appellant an opportunity to provide
comments. The Under Secretary or the
designated official shall decide an
appeal within a reasonable time after
receipt of the appeal. The decision shall
be issued to the appellant in writing and
contain a statement of the reasons for
the action and address any arguments
contrary to the decision presented by
the appellant. The decision of the Under
Secretary or the designated official shall
be final.
(g) Effect of appeal. Acceptance and
consideration of an appeal shall not
affect any administrative action,
pending or in effect, unless the Under
Secretary or the designated official,
upon request by the appellant and with
opportunity for a response, grants a stay.
§ 791.310 Advisory opinions.
(a) VCS hardware importers and
connected vehicle manufacturers may
request an advisory opinion from BIS as
to whether a prospective transaction is
subject to a prohibition in this subpart.
The entire transaction that is the subject
of the advisory opinion request must be
an actual, as opposed to hypothetical,
transaction and involve disclosed, as
opposed to anonymous, parties to the
transaction.
(b) Advisory opinion requests must be
made in writing, and may be delivered
to BIS by email, through the BIS
website, or by any other means that BIS
may prescribe.
(c) Persons submitting advisory
opinion requests are encouraged to
provide as much information as possible
to assist BIS in making a determination,
to include the following information:
(1) The name, title, and telephone and
email address of the person to contact;
(2) The submitter’s complete address
comprised of street address, city, state,
country, and postal code;
(3) All available information
identifying the parties to the prospective
transaction;
(4) Complete information regarding
the VCS hardware and/or covered
software and any descriptive literature,
brochures, technical specifications, or
papers that provide sufficient technical
detail to enable BIS to verify whether
the prospective transaction would
constitute a prohibited transaction as
defined in this subpart;
(5) For connected vehicle
manufacturers: the make, model, and
trim level, or other identifying
information, of the completed
connected vehicle;
(6) For VCS hardware importers: the
identification of the system; and, if
known, the make, model, and trim of
the group of completed connected
vehicles for which the equipment is
intended;
(7) An SBOM and/or an HBOM; and
(8) Any other information that the
submitter believes to be material to the
prospective transaction.
(d) Each person that submits an
advisory opinion request shall provide
any additional information or
documents that BIS may thereafter
request in its review of the matter.
(e) Each advisory opinion can be
relied upon by the requesting party or
parties to the extent the disclosures
made pursuant to this subpart were
accurate and complete and to the extent
the disclosures continue accurately and
completely to reflect circumstances after
the date of the issuance of the advisory
opinion. An advisory opinion will not
restrict enforcement actions by any
agency other than BIS. It will not affect
a requesting party’s obligations to any
other agency or under any statutory or
regulatory provision other than those
specifically discussed in the advisory
opinion.
(f) BIS may publish on its website an
advisory opinion that may be of broad
interest to the public, with redactions
where necessary to protect confidential
business information.
§ 791.311 ‘‘Is-Informed’’ notices.
(a) BIS may inform VCS hardware
importers or connected vehicle
manufacturers either individually by
specific notice or, for larger groups,
through a separate notice published in
the Federal Register, that a specific
authorization is required because an
activity could constitute a prohibited
transaction.
(b) Specific notice that a specific
authorization is required may be given
only by, or at the direction of, the Under
Secretary or a BIS official designated by
the Under Secretary.
§ 791.312 Recordkeeping.
Except as otherwise provided, VCS
hardware importers and connected
vehicle manufacturers shall keep a full
and accurate record of each transaction
engaged in for which a Declaration of
Conformity, general authorization, or
specific authorization would be
required under §§ 791.305,
791.306, or 791.307, regardless of
whether these transactions are effected
pursuant to a general authorization,
specific authorization, or otherwise, and
such record shall be available for
examination for at least 10 years after
the date of such transactions.
§ 791.313 Reports to be furnished on demand.
(a) VCS hardware importers and
connected vehicle manufacturers are
required to furnish under oath, in the
form of reports or as otherwise specified
by BIS, from time to time and at any
time as may be required by BIS,
complete information relative to any
transaction involving the import of VCS
hardware or the import or sale of
completed connected vehicles
incorporating covered software,
regardless of whether such transaction
is effected pursuant to an authorization
or otherwise, subject to the provisions of
this subpart. BIS may require that such
reports include the production of any
books, contracts, letters, papers, or other
hard copy or electronic documents
relating to any transactions, in the
custody or control of the persons
required to make such reports. BIS may,
through any person or agency, conduct
investigations, hold hearings,
administer oaths, examine witnesses,
receive evidence, take depositions, and
require by subpoena the attendance and
testimony of witnesses and the
production of any books, contracts,
letters, papers, and other hard copy or
electronic documents relating to any
matter under investigation, regardless of
whether any report has been required or
filed in connection therewith.
(b) For purposes of paragraph (a) of
this section, the term “document”
includes any written, recorded, or
graphic matter or other means of
preserving thought or expression
(including in electronic format), and all
tangible things stored in any medium
from which information can be
processed, transcribed, or obtained
directly or indirectly, including
correspondence, memoranda, notes,
messages, contemporaneous
communications such as text and
instant messages, letters, emails,
spreadsheets, metadata, contracts,
bulletins, diaries, chronological data,
minutes, books, reports, examinations,
charts, ledgers, books of account,
invoices, air waybills, bills of lading,
worksheets, receipts, printouts, papers,
schedules, affidavits, presentations,
transcripts, surveys, graphic
representations of any kind, drawings,
photographs, graphs, video or sound
recordings, and motion pictures or other
film.
(c) Persons providing documents to
BIS pursuant to this section must
submit documents electronically.
Acceptable formats include Portable
Document Format (PDF) and Microsoft
Excel. Files with embedded, encrypted,
or password protected content will not
be accepted.
§ 791.314 Penalties.
(a) Section 206 of the International
Emergency Economic Powers Act (50
U.S.C. 1705) (IEEPA) is applicable to
violations of the provisions of any
general authorization, Specific
authorization, regulation, order,
directive, instruction, or prohibition
issued by or pursuant to the direction or
authorization of the Secretary of
Commerce (Secretary) pursuant to this
subpart or otherwise under IEEPA.
(1) A civil penalty not to exceed the
amount set forth in section 206 of IEEPA
may be imposed on any person who
violates, attempts to violate, conspires
to violate, or causes a violation of any
exemption, general authorization,
specific authorization, regulation, order,
directive, instruction, or prohibition
issued under this subpart.
(2) A person who willfully commits,
willfully attempts to commit, willfully
conspires to commit, or aids or abets in
the commission of a violation of any
exemption, general authorization,
specific authorization, regulation, order,
directive, instruction, or prohibition
issued under this subpart is subject to
criminal penalties and may, upon
conviction, be fined not more than
$1,000,000, or if a natural person, be
imprisoned for not more than 20 years,
or both.
(b) The civil penalties provided in
IEEPA are subject to adjustment
pursuant to the Federal Civil Penalties
Inflation Adjustment Act of 1990 (Pub.
L. 101–410, as amended, 28 U.S.C. 2461
note).
(c) The criminal penalties provided in
IEEPA are subject to adjustment
pursuant to 18 U.S.C. 3571.
(d) Pursuant to 18 U.S.C. 1001,
whoever, in any matter within the
jurisdiction of the executive, legislative,
or judicial branch of the U.S.
Government, knowingly and willfully
falsifies, conceals, or covers up by any
trick, scheme, or device a material fact;
or makes any materially false, fictitious,
or fraudulent statement or
representation; or makes or uses any
false writing or document knowing the
same to contain any materially false,
fictitious, or fraudulent statement or
entry shall be fined under title 18,
United States Code, imprisoned, or
both.
(e) Violations of this subpart may also
be subject to other applicable laws.
§ 791.315 Pre-penalty notice; settlement.
(a) When required. If BIS has reason
to believe that there has occurred a
violation of any provision of this
subpart or a violation of the provisions
of any exemption, general authorization,
specific authorization, regulation, order,
directive, instruction, or prohibition
issued by or pursuant to the direction or
authorization of the Secretary pursuant
to this subpart or otherwise under
IEEPA and determines that a civil
monetary penalty is warranted, BIS will
issue a pre-penalty notice informing the
alleged violator of BIS’s intent to impose
a monetary penalty. A Pre-Penalty
Notice shall be in writing and issued
electronically to the alleged violator.
The pre-penalty notice may be issued
whether or not another agency has taken
any action with respect to the matter.
(b) Response—(1) Right to respond.
An alleged violator may respond to a
Pre-Penalty Notice in writing to BIS.
(2) Deadline for response. A response
to a Pre-Penalty Notice must be made
within 30 days as set forth below. The
failure to submit a response within 30
days shall be deemed to be a waiver of
the right to respond.
(i) Computation of time for response.
A response to a Pre-Penalty Notice must
be electronically transmitted on or
before the 30th day after the date of
delivery by BIS.
(ii) Extensions of time for response. If
a due date falls on a federal holiday or
weekend, that due date is extended to
include the following business day. Any
other extensions of time will be granted,
at the discretion of BIS, only upon
specific request to BIS.
(3) Form and method of response. A
response to a pre-penalty notice need
not be in any particular form, but it
must be typewritten and signed by the
alleged violator or a representative
thereof, contain information sufficient
to indicate that it is in response to the
pre-penalty notice, and include the BIS
identification number listed on the pre-penalty notice. A digital signature is
acceptable.
(4) Information that should be
included in response. Any response
should set forth in detail why the
alleged violator either believes that a
violation of the provisions of this
subpart did not occur and/or why a civil
monetary penalty is otherwise
unwarranted under the circumstances.
The response should include all
documentary or other evidence
available to the alleged violator that
supports the arguments set forth in the
response. BIS will consider all relevant
materials submitted in the response.
(c) Settlement. Settlement discussions
may be initiated by BIS, the alleged
violator, or the alleged violator’s
authorized representative.
(d) Representation. A representative
of the alleged violator may act on behalf
of the alleged violator, but any oral
communication with BIS prior to a
written submission regarding the
specific allegations contained in the pre-penalty notice must be preceded by a
written letter of representation, unless
the pre-penalty notice was served upon
the alleged violator in care of the
representative.
§ 791.316 Penalty imposition.
(a) If, after considering any written
response to the pre-penalty notice and
any relevant facts, BIS determines that
there was a violation by the alleged
violator named in the pre-penalty notice
and that a civil monetary penalty is
appropriate, BIS may issue a penalty
notice to the violator containing a
determination of the violation and the
imposition of the monetary penalty.
(b) The issuance of the penalty notice
shall constitute final agency action. The
violator may seek judicial review of that
final agency action in federal district
court.
§ 791.317 Administrative collection;
referral to United States Department of
Justice.
In the event that the violator does not
pay the penalty imposed pursuant to
this subpart or make payment
arrangements acceptable to BIS, the
matter may be referred for
administrative collection measures by
the Department of the Treasury or to the
United States Department of Justice for
appropriate action to recover the
penalty in a civil suit in a federal
district court.
§ 791.318 Finding of Violation.
(a) When issued. (1) BIS may issue an
initial finding of violation that identifies
a violation if BIS:
(i) Determines that there has occurred
a violation of any provision of this
subpart, or a violation of the provisions
of any exemption, general authorization,
specific authorization, regulation, order,
directive, instruction, or prohibition
issued by or pursuant to the direction or
authorization of the Secretary pursuant
to this subpart or otherwise under
IEEPA;
(ii) Considers it important to
document the occurrence of a violation;
and
(iii) Concludes that an administrative
response is warranted but that a civil
monetary penalty is not the most
appropriate response.
(2) An initial finding of violation shall
be in writing and may be issued
whether or not another agency has taken
any action with respect to the matter.
(b) Response—(1) Right to respond.
An alleged violator may contest an
initial Finding of Violation by providing
a written response to BIS.
(2) Deadline for response; default
determination. A response to an initial
Finding of Violation must be made
within 30 days as set forth in paragraphs
(b)(2)(i) and (ii) of this section. The
failure to submit a response within 30
days shall be deemed to be a waiver of
the right to respond, and the initial
Finding of Violation will become final
and will constitute final agency action.
The violator may seek judicial review of
that final agency action in federal
district court.
(i) Computation of time for response.
A response to an initial finding of
violation must be electronically
transmitted on or before the 30th day
after the date of delivery by BIS.
(ii) Extensions of time for response. If
a due date falls on a federal holiday or
weekend, that due date is extended to
include the following business day. Any
other extensions of time will be granted,
at the discretion of BIS, only upon
specific request to BIS.
(3) Form and method of response. A
response to an initial finding of
violation need not be in any particular
form, but it must be typewritten and
signed by the alleged violator or a
representative thereof, contain
information sufficient to indicate that it
is in response to the initial finding of
violation, and include the BIS
identification number listed on the
initial finding of violation. A digital
signature is acceptable.
(4) Information that should be
included in response. Any response
should set forth in detail why the
alleged violator either believes that a
violation of the provisions of this
subpart did not occur and/or why a
finding of violation is otherwise
unwarranted under the circumstances.
The response should include all
documentary or other evidence
available to the alleged violator that
supports the arguments set forth in the
response. BIS will consider all relevant
materials submitted in the response.
(c) Determination—(1) Determination
that a finding of violation is warranted.
If, after considering the response, BIS
determines that a final finding of
violation should be issued, BIS will
issue a final finding of violation that
will inform the violator of its decision.
Any action taken in a final finding of
violation shall constitute final agency
action. The violator has the right to seek
judicial review of that final agency
action in federal district court.
(2) Determination that a finding of
violation is not warranted. If, after
considering the response, BIS
determines a finding of violation is not
warranted, then BIS will inform the
alleged violator of its decision not to
issue a final finding of violation.
§ 791.319 Severability.
If any provision of this subpart is held
to be invalid or unenforceable by its
terms, or as applied to any person or
circumstance, or stayed pending further
agency action or judicial review, the
provision is to be construed so as to
continue to give the maximum effect to
the provision permitted by law, unless
such holding will be one of utter
invalidity or unenforceability, in which
event the provision will be severable
from this part and will not affect the
remainder thereof.
[FR Doc. 2024–21903 Filed 9–23–24; 8:45 am]
BILLING CODE 3510–33–P
communicate with networks or devices external to a vehicle while others
suggested the term ``software-defined vehicles'' which would encompass
the technologies and capabilities outlined in the ANPRM's proposed
connected vehicle definition while also capturing internal software
capabilities for functions within a vehicle beyond communication (e.g.,
starting a vehicle, malfunction checks, navigation).
After full consideration of each of the comments, BIS maintains the
use of the term ``connected vehicle'' in the proposed rule. However,
BIS proposes to narrow its definition to mean, ``[a] vehicle driven or
drawn by mechanical
power and manufactured primarily for use on public streets, roads, and
highways, that integrates onboard networked hardware with automotive
software systems to communicate via dedicated short-range
communication, cellular telecommunications connectivity, satellite
communication, or other wireless spectrum connectivity with any other
network or device. Vehicles operated only on a rail line are not
included in this definition.'' This definition captures the vehicles
that would be subject to the rule (e.g., passenger vehicles,
motorcycles, buses, small and medium trucks, class 8 commercial trucks,
recreational vehicles), while excluding those that pose a less acute
risk of data exfiltration, modification, or sabotage by foreign
adversaries. BIS further believes that the term connected vehicle, as
defined in this proposed rule, will capture future trends in vehicle
development, particularly as software comes to play a larger role in
vehicle operation. BIS emphasizes its belief that, with very few
exceptions, all new vehicles sold in the United States will be captured
by this definition. BIS seeks comment on this assessment. In the
interest of issuing a rule that is narrow, yet also would address the
risks posed by connected vehicles, BIS declines to extend this
definition to all ``rolling stock'' or unmanned aerial vehicles as
suggested by some comments, although BIS does not preclude the
possibility of addressing these vehicles in future regulation. BIS
believes that these sectors, to include vehicles operating on a rail
line, are materially different from the connected vehicle sector as
defined by this proposed rule, and capturing these vehicles in a
regulation primarily targeting wheeled on-road vehicles could lead to
unintended consequences and supply chain disruption.
A subset of commenters requested further clarity on what would
constitute an entity ``subject to the jurisdiction or direction'' of a
foreign adversary and expressed concerns that foreign subsidiaries of
U.S. businesses or foreign nationals working in the United States would
potentially be captured by this term. Others suggested that BIS should
ensure that the subsidiaries of companies located in foreign adversary
countries are captured by the proposed rule, even when the subsidiaries
are located in third countries outside the United States that are not
foreign adversaries, but supply entities within the United States.
After full consideration of the comments, BIS has adopted the
definition of a ``person owned by, controlled by, or subject to the
jurisdiction or direction of a foreign adversary'' to mean, (a) any
person, wherever located, who acts as an agent, representative, or
employee, or any person who acts in any other capacity at the order,
request, or under the direction or control, of a foreign adversary or
of a person whose activities are directly or indirectly supervised,
directed, controlled, financed, or subsidized in whole or in majority
part by a foreign adversary; (b) any person, wherever located, who is a
citizen or resident of a foreign adversary or a country controlled by a
foreign adversary, and is not a United States citizen or permanent
resident of the United States; (c) any corporation, partnership,
association, or other organization with a principal place of business
in, headquartered in, incorporated in, or otherwise organized under the
laws of a foreign adversary or a country controlled by a foreign
adversary; or (d) any corporation, partnership, association, or other
organization, wherever organized or doing business, that is owned or
controlled by a foreign adversary, to include circumstances in which
any person identified in paragraphs (a) through (c) possesses the
power, direct or indirect, whether or not exercised, through the
ownership of a majority or a dominant minority of the total outstanding
voting interest in an entity, board representation, proxy voting, a
special share, contractual arrangements, formal or informal
arrangements to act in concert, or other means, to determine, direct,
or decide important matters affecting an entity. BIS has also provided,
below in Section V, numerous non-exhaustive examples to explain how
this term will apply in various representative situations.
b. ICTS Supply Chain for Connected Vehicles
In the ANPRM, BIS sought comments on ``the ICTS supply chain for
Connected Vehicles in the United States,'' in order to better
understand the role played by persons owned by, controlled by, or
subject to the jurisdiction or direction of foreign adversaries within
it. Public comments broadly discussed the ICTS incorporated into
Connected Vehicles and noted the difficulty that manufacturers and
suppliers may face in conducting supply chain due diligence for the
purposes of complying with any potential final rule. Submissions
explained the complexity of ICTS systems contained within Connected
Vehicles and outlined several categories of technologies incorporated
into Connected Vehicles, including microcontrollers, applications
processors, analog products (e.g., power management integrated circuits
and transceiver physical layers), automotive software operating systems
(OS), automotive vision, light detection and ranging (LiDAR) systems,
radar, and other application software systems. Many commenters who
identified as OEMs also noted that they do not always know the source
of all inputs from hardware and software suppliers, making conducting
due diligence beyond tier one and tier two suppliers particularly
difficult. Moreover, submissions highlighted that suppliers are often
capable of updating the firmware on their components independently of
an OEM, further complicating efforts to understand which entities have
access to software and when such access occurs.
The comments received on this topic highlight the depth and
complexity of connected vehicle supply chains, indicating that it is
not always clear to OEMs which suppliers have access to connected
vehicle software and when they have access to it. As some commenters
pointed out, some of these technologies and their associated supply
chains are still in development and will grow even more complex as the
industry develops. Such existing and growing complexity, coupled with
the likelihood of ICTS that is designed, developed, manufactured, or
supplied by persons owned by, controlled by, or subject to the
jurisdiction or direction of a foreign adversary being incorporated
into connected vehicles, demonstrates the need for regulation to
protect U.S. national security. Such regulation will also incentivize
greater supply chain transparency for not only existing supply chains
but also for developing supply chains. To facilitate compliance, the
rule would include a delayed implementation timeline so that industry
can adjust their existing supply chains and plans for future supply
chains. BIS is not currently proposing specific due diligence
requirements. Instead, VCS hardware importers and connected vehicle
manufacturers are given flexibility to provide evidence of compliance
efforts tailored to their unique operations. Such efforts could include
using third-party researchers or independently conducting supply chain
diligence.
Several commenters raised a variety of potential trade-related
concerns relating to this proposed rulemaking and other recent U.S.
government actions related to automotive trade involving the PRC. While
some commenters explicitly advocated for exclusionary tariffs on the
import of all
PRC vehicles into the United States, others cautioned BIS to avoid
creating unnecessary trade barriers when crafting a proposed rule. One
commenter specifically warned that BIS regulation of connected vehicle
software could amount to a digital trade barrier and urged BIS to avoid
certain policies such as data localization requirements, digital
service taxes, or forced code inspection. BIS underscores the U.S.
government's commitment to the trusted and secure flow of data across
borders. This proposed rule seeks to narrowly address, pursuant to E.O.
13873, the acute national security concerns posed by certain foreign
adversary ICTS in connected vehicle supply chains while minimizing any
unnecessary disruptions in manufacturing and trade. BIS has drafted
this proposed rule irrespective of any other automobile-related trade
actions taken by the U.S. government.
c. ICTS Most Integral to Connected Vehicles and Their Capabilities
In its ANPRM, BIS identified six systems (i.e., vehicle operating
systems (OS), telematics systems, Advanced Driver-Assistance System
(ADAS), Automated Driving Systems (ADS), satellite or cellular
telecommunications systems, and battery management systems (BMS)) that
it was considering identifying as the ICTS in Connected Vehicles most
likely to present undue or unacceptable risks if exploited by foreign
adversaries. BIS requested comment on the levels of risk associated
with these various ICTS as well as any additional ICTS that commenters
might consider integral to Connected Vehicles.
Commenters held differing views on which ICTS are integral to
connected vehicles and should be captured by the scope of a rule. For
example, whereas some commenters noted that ADAS present a low risk of
data exfiltration given that these systems often lack direct external
connectivity, others noted that such systems may nevertheless be
indirectly connected to external devices and systems (e.g.,
microcontrollers), thus offering indirect access to the data they
collect. As another example, while many commenters identified LiDAR
systems as a concern, there was disagreement about the nature of the
vulnerability posed by these systems. Some commenters noted that LiDAR
systems could be manipulated to cause grave harm (e.g., to ignore
pedestrians) given their instrumental role in vehicle guidance.
However, BIS's further technical analysis found that LiDAR generally
lacks the ability to transmit from the vehicle and does not, as a
standalone system, control the vehicle. Importantly, BIS notes that in
many cases, ADS exerts control over both LiDAR and the vehicle and thus
presents a higher risk. Other commenters pointed to the growing role of
mobile applications that allow drivers to access and control core
functions of the vehicle remotely (e.g., keyless driving). A number of
commenters also highlighted concerns related to aftermarket connected
devices. These devices, which often feature some forms of connectivity,
are introduced to the vehicle after manufacture and sale and may
contain vulnerabilities over which OEMs have little to no oversight.
Several submissions expressed a desire for BIS to tailor any
regulation as narrowly as possible, arguing that BIS should focus only
on those systems with direct connectivity to the connected vehicle or
the ability to transmit from the connected vehicle. Some commenters
pointed specifically to devices that connect to a vehicle's controller
area network (CAN) bus as posing a specific cybersecurity risk. Others
recommended that BIS should critically examine electric vehicle
charging infrastructure and associated technologies due to a potential
risk of exploitation by foreign adversaries. A few OEM commenters
ascribed the highest level of potential risk to ``finished'' or
``vertically integrated'' vehicles from suppliers with a foreign
adversary nexus that are operating in the United States. One commenter
pointed to ICTS components inside safety-critical systems (e.g.,
braking systems, steering systems, traction systems, battery-charging
and management systems, airbag systems) as posing greater levels of
potential risk. On the other hand, some commenters recommended that BIS
should aim to address the widest possible aperture of risk by
regulating a wide variety of the technologies enumerated in the ANPRM
along with additional technology categories (e.g., microcontrollers,
analog products).
Following consideration of these comments, BIS is proposing a rule
that aims to strike a balance between minimizing supply chain
disruptions and the need to address the national security risks posed
by Connected Vehicles. BIS proposes to achieve this balance by focusing
the rule only on those systems that most directly facilitate the
transmission of data both into and from the vehicle, rather than
focusing on all systems. Therefore, BIS is proposing to regulate
transactions involving two systems of ICTS integral to connected
vehicles, VCS and ADS. As further discussed below, in many cases, these
systems serve as controllers for subordinate systems within the
Connected Vehicle, like those highlighted in the ANPRM, making them a
target for exploitation related to data exfiltration or remote vehicle
manipulation. After reviewing comments, BIS has determined that
aftermarket telematics devices, including fleet tracking devices and
systems, that fulfill functions consistent with the definition of VCS
hardware are covered by this proposed rule.
Additionally, the proposed rule does not cover ICTS with the
function of enabling the transmission, receipt, conversion, or
processing of radio frequency communications at a frequency below 450
megahertz. Setting such a threshold enables BIS to capture those ICTS
that pose a higher risk due to their connectivity and transmission
functions, while lowering compliance burden by excluding from
regulation those ICTS with functions that pose a lower risk and offer
high utility to consumers (e.g., tire pressure monitoring systems,
electronic key fobs).
For similar reasons, BIS ultimately chose to exclude other systems
highlighted in the ANPRM--such as OS, ADAS, or BMS--from this proposed
rule unless they have VCS components and fall within the proposed
rule's definition of VCS hardware. For example, automotive software
systems like BMS and automotive OS do not have their own connectivity,
and require communication through a VCS, thereby making VCS a more
effective focus for rulemaking. BMS traditionally do not have their own
external wireless data link and instead rely on the VCS for wireless
communication. Likewise, automotive OS software, which
generally resides on an in-vehicle infotainment unit or centralized
head unit, are characterized by a wide diversity in architecture,
design, and supply chain among OEMs while also generally lacking their
own data link, instead relying on communication through a VCS. Given
how these systems are typically placed within connected vehicles and
the ways in which they achieve connectivity, BIS has chosen to focus on
the systems that ultimately facilitate the transmission of data both to
and from the vehicle as opposed to these subordinate systems.
Additionally, to reduce unnecessary economic impacts and supply
disruption, BIS is proposing to regulate ADS software rather than the
hardware components of ADAS and ADS. The hardware that enables ADAS and
ADS varies widely between different OEMs. In contrast, the hardware
that enables
VCS are relatively consistent across different automotive architectures
and designs. ADAS and ADS hardware encompasses a wide variety of
different sensors, distributed electronic control units (ECUs),
centralized computing units, actuators, and signaling units, among
others. These sensors and internal vehicle networking hardware rarely
have independent connectivity. Most, if not all, scalable attacks on
these systems reach them through the connectivity that VCS provides. A
rule that coherently and feasibly addresses these varied
supply chains would have disproportionate economic and supply chain
impacts relative to the reduction of national security risks. Further,
focusing on the ADS software supply chain appropriately mitigates the
national security risks that they present while limiting the supply
chain and economic impact. While BIS recognizes that the scope of data
captured by connected automotive systems is vast and that multiple
systems may pose national security risks, as discussed above, it has
decided to focus its current efforts on VCS hardware and covered
software. However, BIS does not foreclose the possibility of further
addressing other systems, including additional aspects of VCS and ADS,
in future regulation. BIS therefore also specifically seeks comment on
its determination that VCS and ADS are automotive ICTS integral to
Connected Vehicles and pose the greatest and most addressable national
security risk, and on its decision to focus this rule on those systems.
BIS also specifically seeks comment on whether any risks posed by other
connected vehicle ICTS should also be addressed in this rule.
d. Cybersecurity Best Practices
In the ANPRM, the Department requested comments regarding
cybersecurity concerns with the connected vehicle supply chain, as well
as standards, best practices, and norms that are relied upon and built
up by the connected vehicle industry. Commenters largely emphasized
that OEMs dedicate significant resources to bolstering the
cybersecurity of connected vehicle systems in addition to following or
conforming to relevant, established best practices and standards. Some
commenters referenced work by vehicle manufacturers to deploy advanced
encryption techniques as well as the importance of conducting thorough
testing on connected vehicle systems and components, to include
penetration testing, fuzz testing, and static code analysis. Others
identified specific techniques and best practices, including role-based
access controls. Among the best practices and standards most referenced
by commenters were the National Highway Traffic Safety Administration's
(NHTSA) Cybersecurity Best Practices for the Safety of Modern Vehicles,
International Organization for Standardization's (ISO) and SAE
International's standard ISO/SAE 21434, Institute of Electrical and
Electronics Engineers Standards Association's (IEEE) standard IEEE
1609.2, SAE J3061, and SAE J3161. At the international level,
commenters also referenced the United Nations Economic Commission for
Europe (UNECE) Regulations 155 (R155) and R156, which address whole-of-
vehicle and software update cybersecurity, respectively. One commenter
encouraged BIS to pay particular attention to R155 and R156 given the
standards' mandatory coverage in UNECE member states and their ability
to provide common best practices to vehicle manufacturers globally.
Many commenters underscored that security is a shared
responsibility between OEMs and cloud service providers (CSPs),
explaining that while CSPs manage the infrastructure layer, CSP
customers are responsible for implementing appropriate configurations
and controls in the cloud to protect their data. Commenters also
emphasized that practices for automotive cloud security and cloud data
access vary between OEMs and according to the specific contractual
terms between the OEM and CSP. Some submissions pointed to ISO's and
International Electrotechnical Commission's (IEC) standard ISO/IEC
27001 and third-party certifications and attestations, such as the
Cloud Security Alliance Cloud Controls Matrix, as models for cloud
security best practices and standards. With regard to electric vehicle
charging infrastructure, commenters pointed to ISO 15118, National
Institute of Standards and Technology's (NIST) Internal Report (IR)
8473, and German technical specification DIN 70121, but they emphasized
that specific practices vary according to OEM due to differing battery
types and configurations.
BIS acknowledges that cybersecurity standards and best practices,
particularly many of those mentioned in submissions, serve a crucial
function in promoting the safety and security of vehicles. While BIS
generally encourages the use of cyber security standards and best
practices, BIS also acknowledges that no standard BIS is aware of or
that was identified in comments--either currently in effect or under
development--would sufficiently mitigate the undue or unacceptable
risks posed by foreign adversary involvement in connected vehicle ICTS
supply chains as described in this proposed rule, even if widely
adopted by industry. The standards and guidance BIS reviewed are
primarily focused on hardening automotive systems from external access.
Standards and guidance alone are insufficient to address risks from
within the supply chain, as the systems are not, and cannot be, hardened
against the OEM or tier 1 and 2 suppliers that have or maintain
privileged access to them. As a result, BIS is not proposing to adopt
cybersecurity standards and best practices as part of the rule but may
consider the scope and nature of their adoption on a case-by-case basis
as part of the Specific Authorizations process described in greater
detail below.
e. Authorizations and Mitigations
In the ANPRM, BIS sought comment on processes and mechanisms that
BIS could implement to authorize an otherwise prohibited transaction
with the adoption of mitigation measures. Commenters were generally
aligned regarding authorizations and potential mitigation schemes.
Several commenters requested that BIS adopt (1) an advisory opinion
program for connected vehicles; (2) a trusted trader program to
simplify compliance and avoid the complexity and uncertainty associated
with a licensing regime; and (3) a program allowing OEMs and suppliers
to self-certify compliance with the regulation. BIS has considered each
of the comments in full and is proposing an advisory opinion program;
procedures for VCS hardware importers and connected vehicle
manufacturers to submit Declarations of Conformity, which allow OEMs
and suppliers to self-certify their compliance with the regulation; as
well as procedures for VCS hardware importers and connected vehicle
manufacturers to determine eligibility for a General Authorization or
apply for a Specific Authorization. BIS is not proposing a trusted
trader program at this time because of the complexity, scale, and
opacity of existing connected vehicle supply chains, but may consider
establishing such a program to facilitate compliance as supply chains
evolve and welcomes comment on such a program as well as any other
alternate compliance mechanisms.
A significant portion of commenters raised and rejected data
localization requirements as a potential solution to the data
exfiltration concerns associated with connected vehicles. Instead, many
argued that data exfiltration concerns
could instead be mitigated by securing a demonstrated commitment to
privacy and security from OEMs and suppliers, primarily through the
adoption of industry cybersecurity best practices and standards. Some
commenters also pointed to company membership in the Automotive
Information Sharing and Analysis Center (Auto-ISAC) as another method
for entities to demonstrate commitment to cybersecurity best practices.
As discussed above, BIS has opted not to require adherence to any
specific standard or best practice as a prerequisite to securing an
authorization to engage in an otherwise prohibited transaction, but BIS
reserves the right to consider compliance with them on a case-by-case
basis in conjunction with other potential mitigations.
f. Economic Impacts
Comments generally agreed that prohibitions affecting a major
supplier of a component used in Connected Vehicles could result in
negative economic outcomes. Commenters raised several concerns,
including increased manufacturing costs for U.S. auto manufacturers
that would likely be passed onto consumers; a decline in long-term U.S.
competitiveness vis-à-vis foreign auto manufacturers;
disincentivizing further investment in connected vehicles and
autonomous vehicle research and development (R&D), potentially reducing
future employment in the U.S. auto industry; and a decline in the
safety and quality of connected vehicles available to U.S. consumers.
Several commenters also noted that regulation may have an outsized
impact on small businesses, which often lack the due diligence and
compliance resources of their larger competitors. To mitigate these
outcomes, several commenters requested substantial lead time for
manufacturers to identify and source from alternative suppliers.
Lastly, multiple submissions emphasized that not all components in
connected vehicles produced by entities owned by, controlled by, or
subject to the jurisdiction or direction of a foreign adversary
necessarily pose a cybersecurity or national security risk, especially
for components with minimal or no connectivity capability.
Following consideration of these comments, BIS proposes to allow
(1) until Model Year 2027, for connected vehicle manufacturers to come
into compliance for transactions involving covered software, (2) until
model year 2030, or January 1, 2029, for VCS hardware importers to come
into compliance for transactions involving VCS hardware; and (3) until
model year 2027 for connected vehicle manufacturers that are owned by,
controlled by, or subject to the jurisdiction or direction of the PRC
or Russia to sell connected vehicles with VCS hardware and/or covered
software. Moreover, to address concerns about the resources small
businesses are able to devote to compliance, BIS is proposing a general
authorization that would permit certain small businesses to engage in
otherwise prohibited transactions. BIS also emphasizes that this rule
would narrowly target the specific automotive systems that pose the
greatest risk when designed, developed, manufactured, or supplied by
persons owned by, controlled by, or subject to the jurisdiction or
direction of certain foreign adversaries. As such, the rule would not
broadly prohibit the import of connected vehicle technologies from
foreign adversary nations, nor would it require market participants to
alter supply chains for low-risk or unconnected components.
BIS believes that the implementation timeline strikes an
appropriate balance between minimizing significant disruptions to the
connected vehicles supply chain and mitigating the national security
risk posed by foreign adversary involvement in the connected vehicles
supply chain. Given the relatively limited amount of foreign adversary
linked hardware and software in U.S. vehicles today, the software
prohibitions proposed in this rule would address the most immediate
threats to U.S. national security while allowing industry time to come
into compliance with the prohibitions on VCS Hardware.
IV. Risks Associated With Vehicle Connectivity Systems and Automated
Driving Systems When Designed, Developed, Manufactured, or Supplied by
Persons Owned by, Controlled by, or Subject to the Jurisdiction or
Direction of the PRC and Russia
Following consideration of comments received on the ANPRM, and
further consideration of the risks and vulnerabilities associated with
various ICTS components that are critical to the operation of CVs, BIS
proposes to focus its rule on two integral ICTS systems--VCS and ADS--
when designed, developed, manufactured, or supplied by persons owned
by, controlled by, or subject to the jurisdiction or direction of two
foreign adversary entities--the PRC and Russia. Below, BIS further
explains its understanding of the undue and unacceptable risks
associated with these particular systems, and these particular foreign
adversaries, and seeks public comment on the systems and foreign
adversaries addressed in the proposed rule.
a. Vulnerabilities Associated With Vehicle Connectivity Systems and
Automated Driving Systems
1. Vehicle Connectivity Systems
The term VCS encompasses hardware and software systems--such as the
telematics control unit (TCU), cellular modems and antennas, and other
automotive components--that integrate various radio frequency
communication technologies and enable Connected Vehicles to access
external data sources, facilitate vehicle-to-vehicle communication, and
provide enhanced services to users through seamless connectivity
options. For example, as the primary automotive VCS component, a TCU
acts as the primary interface between the internal network and external
communication channels. It collects data from onboard sensors such as
GPS, accelerometers, gyroscopes, BMS, and other ECUs via wired networks
like CAN bus, LIN, FlexRay, Automotive Ethernet, K-Line, as well as
wireless protocols such as Bluetooth and Wi-Fi. Some systems use
cameras and microphones to facilitate facial recognition of drivers, or
to respond to voice commands of drivers. Once gathered, the TCU
converts this internal data into radio frequency signals suitable for
transmission over the chosen wireless protocol. In other words, as the
vast array of sensors on a connected vehicle collect information about
a driver's location, speed, voice patterns, battery state of charge, or
other vehicle diagnostic and operational information, the TCU converts
that data into a format that can be transmitted to systems outside the
vehicle and then enables that transmission.
While the increased degree of vehicle connectivity offers benefits
to both consumers and manufacturers, it also increases risks to
consumers and manufacturers due to the number of access points into the
internal vehicle network, each of which may present multiple new
software vulnerabilities for adversaries to exploit. See National
Renewable Energy Laboratory, ``Vehicle Cybersecurity Threats and
Mitigation Approaches,'' (Aug. 2019), https://www.nrel.gov/docs/fy19osti/74247.pdf. Such compromise of VCS software could occur at
various points of the software development lifecycle, including tool
development, source code repositories, open-source dependencies,
software updates, and shipment interdiction. For instance, Upstream's
2024 Global Automotive Cybersecurity Report documented a case
[[Page 79095]]
where security researchers installed malicious software on the VCS by
performing a simulated jailbreak attack of an OEM's VCS using a voltage
fault injection on the chip-maker's processor. This malicious software
unlocked vehicle manipulating features such as acceleration and heated
seats, provided access to private user data such as a user's phonebook
and calendar entries, and enabled decryption of encrypted Non-Volatile
Memory Express (NVMe) storage, manipulation of the car's identity, and
extraction of the vehicle-unique credential used for authenticating and
authorizing the OEM's internal service network. See Upstream, 2024
Global Automotive Cybersecurity Report (Feb. 2024), https://upstream.auto/reports/global-automotive-cybersecurity-report/. By
compromising software or its dependencies, malign actors may surveil,
disrupt, damage, or otherwise exploit the data or systems of those who
use the software. See National Counterintelligence and Security Center,
``Software Supply Chain Attacks,'' (Mar. 2021), https://www.dni.gov/files/NCSC/documents/supplychain/Software_Supply_Chain_Attacks.pdf.
The threat of such a cyber operation by malicious actors can grow
significantly when firmware or hardware components are intentionally
designed with vulnerabilities. Access to the hardware supply chain for
VCS provides an avenue for threat actors to manipulate or insert, with
malicious intent, hardware or firmware modules into telematics
hardware components such as modems, Systems on Chip (SoC), Printed
Circuit Boards (PCB), central processing units, and antennae.
Manipulating or modifying hardware and associated firmware in the
supply chain could also allow foreign adversaries to insert a backdoor,
granting them control over the VCS. See Cybersecurity and
Infrastructure Security Agency, Defending Against Software Supply Chain
Attacks (April 2021), https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508.pdf,
and National Counterintelligence and Security Center, ``Software Supply
Chain Attacks,'' (Apr. 2023), https://www.dni.gov/files/NCSC/documents/supplychain/Software_Supply_Chain_Attacks.pdf. For instance, cellular
and satellite telecommunications transceivers are pivotal connectivity
components in the VCS, utilizing radio frequency (RF) energy to
facilitate the transmission and reception of data between a vehicle and
the external world. If these transceivers are designed, developed,
manufactured, or supplied by persons owned by, controlled by, or
subject to the jurisdiction or direction of the PRC or Russia, such
actors would have the means and capability to introduce vulnerabilities
that could be exploited to intercept and/or compromise the information
exchanged between the connected vehicle and the external world.
2. Automated Driving Systems
The complexity of ADS software, the large foundation of data
sources, and the driving responsibilities inherent to ADS render it a
valuable target for exploitation. An ADS encompasses the upper end of
the spectrum of autonomy levels that dictate the vehicle's independence
and the extent of driver intervention required. As defined by the SAE
J3016, autonomy levels range from Level 0 (no automation) where the
driver controls all aspects of driving, to Level 5 (full automation)
where the vehicle can operate independently under all conditions
without human intervention. Levels 1 and 2 offer driver assistance
through systems that control either steering or acceleration and
braking, while Levels 3 through 5 (which generally comprise ADS)
progressively increase the system's responsibility for driving tasks,
with Level 4 requiring the ability to complete all driving functions
within defined operational design domains (ODDs). As the autonomy level
increases, the reliability and safety of the ADS become increasingly
reliant on the system's operational performance, safety protocols, and
cybersecurity measures. See Taxonomy and Definitions for Terms Related
to Driving Automation Systems for On-Road Motor Vehicles, SAE
International, (Apr. 2021), https://www.sae.org/standards/content/j3016_202104/.
An ADS must be able to execute Dynamic Driving Tasks (DDTs) within
specific ODDs. DDTs include critical tasks such as steering, braking,
acceleration, and Object and Event Detection, Classification and
Response (OEDR). OEDR enables an ADS to perceive and respond to
surrounding objects and events, a responsibility that shifts
progressively from the driver to the ADS itself as the degree of
vehicle autonomy increases. See Edward Griffor, David Wollman, and
Christopher Greer, ``Automated Driving System Safety Measures Part 1:
Operating Envelope Specification,'' NIST Special Publication 1900-301
(2021), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1900-301.pdf.
An ADS relies on a large foundation of connected information
sources for decisions and outputs which in turn could create inherent
vulnerabilities. As a result, the complex software systems that drive
decisions for an ADS are valuable targets for malicious actors to
exploit. Software-based threats to Connected Vehicles equipped with an
ADS include manipulation of sensors to create phantom objects;
manipulation of ADS software to detect, capture, and retain information
about specific geographic areas or other sensitive data; or other
manipulation of sensor fusion processing software that could lead to
faulty and dangerous vehicle decision making, to include unauthorized
control over the Connected Vehicle. See National Counterintelligence
and Security Center, ``Autonomous Automotive Vehicle Supply Chain
Risk,'' (2022), https://www.dni.gov/files/NCSC/documents/supplychain/autonomous-vehicles-placemat-2022-D9A54B50-.pdf.
A compromised ADS creates opportunities for data exfiltration and
unauthorized vehicle manipulation due to the direct access it has to
the internal vehicle network (IVN). The IVN controls the communication
framework within a Connected Vehicle, overseeing the ECUs responsible
for engine control, traction control, door locks, climate control,
battery management, powertrain, airbags, cameras, and radar
functionalities. These ECUs also communicate via overlaid
communication networking protocols such as a CAN bus, Local
Interconnect Network (LIN), and Ethernet. See Anastasios Giannaros et
al. ``Autonomous Vehicles: Sophisticated Attacks, Safety Issues,
Challenges, Open Topics, Blockchain and Future Directions,'' Journal of
Cybersecurity and Privacy 3.3 (2023). Because ADS interacts with ECUs
through the IVN, a compromised ADS has the capability to execute
functions that affect nearly all of a Connected Vehicle's software and
hardware components. For example, an update to an ADS could alter the
outputs the ADS makes to a body control unit, enabling the ADS to
erroneously and dangerously open a vehicle's door while in motion.
Moreover, because many Connected Vehicles maintain their own networks
and actively scan their operating environment for other proximate
networks, an ADS can also potentially be used to impact the IVN of
other vehicles or transportation infrastructure networks through
vehicle-to-vehicle communication. See National
[[Page 79096]]
Counterintelligence and Security Center, Autonomous Automotive Vehicle
Supply Chain Risk, (Apr. 2022), https://www.dni.gov/files/NCSC/documents/supplychain/autonomous-vehicles-placemat-2022-D9A54B50-.pdf,
and Patrick Wagner, Nikolai Puch, and David Emeis, ``Cybersecurity risk
analysis of an automated driving system,'' Fraunhofer Institute AISEC,
(Oct. 2023), https://publica.fraunhofer.de/entities/publication/4d66e81e-3570-4c49-9f8c-8c9967a34ca6/details.
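The paragraph above gives the door-open-while-moving case as an illustration of what a compromised ADS can do once its outputs reach a body control unit over the IVN. The following is an added example, not code from the NPRM or from any of the reports it cites, of the kind of plausibility gate a body control module can place in front of its actuators so that an actuation request is judged on who sent it and on the vehicle's physical state, not merely on whether it arrived. All ECU names, command names, the speed threshold and the policy table are hypothetical.

```python
"""Added example (not from the NPRM or any cited report): a plausibility gate
that a body control module (BCM) could apply to actuation requests that arrive
over the in-vehicle network, so that a compromised ADS cannot open a door while
the vehicle is moving. ECU names, command names and thresholds are hypothetical."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VehicleState:
    speed_kph: float        # as reported by the wheel-speed / powertrain ECUs
    gear: str               # "P", "R", "N" or "D"


@dataclass(frozen=True)
class ActuationRequest:
    source: str             # sending ECU as identified on the IVN (hypothetical names)
    command: str            # e.g. "DOOR_OPEN"
    target: str             # e.g. "REAR_LEFT_DOOR"


# Hypothetical policy: which ECUs may issue which body commands at all.
# The ADS is deliberately absent from DOOR_OPEN / DOOR_UNLOCK, so a manipulated
# ADS output has no path to the door actuators regardless of vehicle state.
ALLOWED_SOURCES = {
    "DOOR_OPEN":   {"KEYFOB_RECEIVER", "CABIN_SWITCH"},
    "DOOR_UNLOCK": {"KEYFOB_RECEIVER", "CABIN_SWITCH"},
    "DOOR_LOCK":   {"KEYFOB_RECEIVER", "CABIN_SWITCH", "ADS"},
}

# Hypothetical threshold: doors may only open when the vehicle is effectively
# stationary and in Park.
MAX_DOOR_OPEN_SPEED_KPH = 2.0


@dataclass
class BodyControlGate:
    denied: list = field(default_factory=list)   # audit trail of refusals

    def evaluate(self, req: ActuationRequest, state: VehicleState) -> tuple[bool, str]:
        """Return (allowed, reason). Unknown commands and unauthorised sources
        are refused before any physical-state check runs."""
        allowed_sources = ALLOWED_SOURCES.get(req.command)
        if allowed_sources is None:
            return self._deny(req, "unknown command")
        if req.source not in allowed_sources:
            return self._deny(req, f"source {req.source} not permitted for {req.command}")
        if req.command in ("DOOR_OPEN", "DOOR_UNLOCK"):
            if state.speed_kph > MAX_DOOR_OPEN_SPEED_KPH or state.gear != "P":
                return self._deny(
                    req, f"vehicle not stationary (speed={state.speed_kph} kph, gear={state.gear})"
                )
        return True, "ok"

    def _deny(self, req: ActuationRequest, reason: str) -> tuple[bool, str]:
        # Every refusal is recorded: repeated refusals from one ECU are the
        # signal an in-vehicle IDS or backend monitoring would want to see.
        self.denied.append((req.source, req.command, reason))
        return False, reason


def run_demo() -> list:
    """Replay a few constructed requests and return the allow/deny decisions."""
    gate = BodyControlGate()
    moving = VehicleState(speed_kph=65.0, gear="D")
    parked = VehicleState(speed_kph=0.0, gear="P")
    requests = [
        (ActuationRequest("ADS", "DOOR_OPEN", "REAR_LEFT_DOOR"), moving),           # wrong source
        (ActuationRequest("CABIN_SWITCH", "DOOR_OPEN", "REAR_LEFT_DOOR"), moving),  # right source, moving
        (ActuationRequest("CABIN_SWITCH", "DOOR_OPEN", "REAR_LEFT_DOOR"), parked),  # allowed
        (ActuationRequest("ADS", "DOOR_LOCK", "ALL_DOORS"), moving),                # ADS may lock
        (ActuationRequest("ADS", "TRUNK_EJECT", "TRUNK"), moving),                  # unknown command
    ]
    return [gate.evaluate(req, state)[0] for req, state in requests]


if __name__ == "__main__":
    print(run_demo())   # [False, False, True, True, False]
```

The two checks are independent on purpose: the source allowlist stops the ADS from commanding the doors at all, and the state check stops a legitimate source from doing so at speed, so a single compromised ECU has to defeat both. Refusals are kept rather than silently dropped, because a burst of denied requests from one ECU is exactly the evidence a fleet-level monitoring function needs to notice that an ADS update has started emitting outputs it never should.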
Given the significant processing power and complex decision-making
ability of an ADS, the risks arising from ADS designed, developed,
manufactured, or supplied by persons owned by, controlled by, or
subject to the jurisdiction or direction of a foreign adversary extend
beyond the IVN itself and can include risks to the fidelity and
integrity of data that flows to downstream or adjacent transportation
infrastructure. Foreign adversaries can corrupt ADS data by exploiting
existing vulnerabilities in ADS connectivity environments (see section
IV(b) below). As such, direct access to an ADS afforded to a malicious
actor through the design, development, manufacture, or supply of ADS
software has the potential to cause severe adverse consequences to U.S.
national security and U.S. persons.
b. Threats Associated With the PRC and Russia
The design, development, manufacture, or supply of certain VCS and
ADS components by persons owned by, controlled by, or subject to the
jurisdiction or direction of the PRC or Russia poses undue or
unacceptable risks to national security and U.S. persons. The PRC and
Russia have adopted political, legal, and regulatory regimes that
enable their governments to exercise direct and indirect ownership,
control, or influence over entities in the connected vehicle supply
chain. Unlike other foreign adversaries, the PRC and Russia also have
certain current and anticipated industrial capabilities and expertise
that uniquely position them within the global automotive market to pose
an outsized risk, particularly when paired with the vulnerabilities
present within certain connected vehicle systems.
1. PRC
The PRC's role in the U.S. connected vehicle supply chain presents
undue and unacceptable risks. The PRC has a large and growing
automotive sector with strong connections to non-PRC, including U.S.,
automakers, providing it potentially increased access to the U.S.
automotive market. Further, the PRC's automotive sector has historical
and ongoing links to the PRC military and is influenced by pervasive
government intervention, including through legal and regulatory
structures that increase government oversight of and control over PRC-
based companies and their foreign subsidiaries. See Du Xiaoying and
Wang Siyi, ``Dongfeng plays pivotal role in supporting China's
military,'' China Daily, (Sept. 25, 2015), https://www.chinadaily.com.cn/cndy/2015-09/25/content_21976945.htm, and Matthew
Funaiole et al., ``China Accelerates Construction of `Ro-Ro' Vessels,
with Potential Military Implications,'' Center for Strategic and
International Studies, (Oct. 2023), https://chinapower.csis.org/analysis/china-construct-ro-ro-vessels-military-implications/.
Moreover, the PRC possesses advanced cyber espionage capacities that it
exercises through both state and non-state cyber actors, exacerbating
such risks.
First, the size and scale of state control in the PRC auto sector
poses outsized risks, increasing the vectors by which the national
security threats associated with Connected Vehicles can enter the
United States. The PRC automotive sector has played an important role
in its domestic industrial policy since 1986, when the sector was first
named a ``pillar industry'' in the Seventh Five-Year Plan. The
Fourteenth Five-Year Plan, the latest strategic framework for the PRC,
continues to prioritize the technology innovation and sustainable
development of the automobile market, including new energy vehicles and
connected vehicle software and hardware systems. See Ben Murphy,
``Outline of the People's Republic of China 14th Five-Year Plan for
National Economic and Social Development and Long-Range Objectives for
2035,'' Center for Security and Emerging Technology, (May 2021),
https://cset.georgetown.edu/wp-content/uploads/t0284_14th_Five_Year_Plan_EN.pdf. For many years, the state has pursued
a number of policies and practices to further its industrial policy
objectives in the automotive sector, including mandatory joint venture
requirements, foreign equity restrictions, massive subsidies and other
financial support measures, and various other preferences and
discriminatory policies and practices. The PRC automotive sector's
growth was also led in part by several prominent state-owned firms that
began as military equipment suppliers (e.g., Chang'an Automobile,
Changhe, Hunan Changfeng Motor) or have since risen to become prominent
state-owned firms (e.g., GAC Group, Chery Automobile Co.). See Mattias
Holweg, Jianxi Luo, and Nick Oliver, The past, present and future of
China's automotive industry: a value chain perspective, International
Journal of Technological Learning, Innovation and Development 2 (Feb.
2009), https://www.pure.ed.ac.uk/ws/portalfiles/portal/7765689/Oliver.pdf. In recent years, this growth and development has led to a
massive surge in domestic vehicle production, with Chinese vehicle
production increasing by 1.5 times over the 15-year span between 2008
and 2023. Indeed, in 2023, the PRC alone was responsible for nearly 33
percent of global passenger vehicle production. See VDA, Global
passenger vehicle production in 2023, by country [Graph], (Retrieved
July 23, 2024), https://www.statista.com/statistics/277055/global-market-share-of-regions-on-auto-production/, and OICA & Statista,
China's share in global vehicle production from 2008 to 2021 [Graph],
(Mar. 17, 2022), https://www.statista.com/statistics/233942/chinas-share-of-global-production-capacity-of-the-automobile-industry/. Amid
this significant growth in the PRC's domestic auto industry, Chinese
automakers, both state-owned and private firms, have leveraged their
significant state-backed support, including subsidies, to fuel a global
expansion that has seen Chinese automakers establishing foreign
operations in countries like South Africa, the Netherlands, Thailand,
Japan, and Brazil, among others, increasing the risks stemming from PRC
auto manufacturing in third countries. This expansion, combined with
recent investment announcements, has spurred concerns that Chinese
automakers may soon seek to further expand into the United States
either through exports or the establishment of additional manufacturing
facilities. Some PRC-based companies have announced plans to establish
manufacturing facilities in Mexico, which could enable them to receive
favorable trade terms contained in the U.S.-Mexico-Canada Agreement
(USMCA). Such a significant position within the global auto sector
greatly expands the number of potential nexus points between PRC
connected vehicle suppliers and U.S. automakers and U.S. consumers,
including indirectly through auto manufacturers in third countries.
[[Page 79097]]
Second, the military linkage between the PRC government and the
automotive sector continues to the current day with the PRC's military-
civil fusion strategy--which seeks to, among other goals, exploit
investment and innovation within the PRC's private sector to achieve
military modernization goals--and has prioritized specific information
and communication technologies that are integral to connected vehicle
supply chains (e.g., telecommunications, artificial intelligence). See
Ben Murphy, ``Outline of the People's Republic of China 14th Five-Year
Plan for National Economic and Social Development and Long-Range
Objectives for 2035,'' Center for Security and Emerging Technology (May
2021), https://cset.georgetown.edu/wp-content/uploads/t0284_14th_Five_Year_Plan_EN.pdf. Strategies to achieve these goals
include mandating collaboration between PRC-based companies and the
military and establishing public and private firms as vectors to
facilitate technology transfer, industrial espionage, and intellectual
property theft that would be advantageous for the PRC military. See
Office of the Dir. of Nat'l Intelligence, Annual Threat Assessment of
the U.S. Intelligence Community, (Feb. 6, 2023), https://www.odni.gov/files/ODNI/documents/assessments/ATA-2023-Unclassified-Report.pdf.
Third, even beyond military-civil fusion, the role of the PRC
government in the auto sector has only grown as government intervention
in the market increases, including through direct ownership of
prominent industry participants, the purchasing of so-called ``golden
shares'' to gain significant levels of influence within otherwise
private firms, embedding Chinese Communist Party (CCP) representatives
within corporate boards and management, and the forceful application,
or threat thereof, of the PRC's expanding security laws, including its
digital era legal structure. See Lingling Wei, ``China's New Way to
Control Its Biggest Companies: Golden Shares,'' Wall Street Journal
(Mar. 2023), https://www.wsj.com/articles/xi-jinpings-subtle-strategy-to-control-chinas-biggest-companies-ad001a63. Laws promulgated in
recent years provide the PRC government increased oversight and control
over PRC-based companies and their foreign subsidiaries, providing a
lever for influence over corporate operations that further exacerbates
the threat that the PRC poses to U.S. national security. These laws
require PRC-based companies, wherever located, to comply with certain
access and information requests upon demand from the PRC, and therefore
could be used by the PRC to obtain business or other data from PRC-
based companies involved in the connected vehicle supply chain.
Companies operating under these laws frequently highlight the lack of
transparency, consistency, clarity, and predictability of the
enforcement of these laws, publicly stating that PRC laws relating to
cybersecurity, data storage, or cryptography are not subject to the
same degree of judicial accountability as they might be in other
jurisdictions. In particular, BIS notes the PRC may utilize a suite of
national security laws (e.g., Counter-Espionage Law of the People's
Republic of China [promulgated by the Standing Committee of the
National People's Congress, Nov. 1, 2014, amended Apr. 26, 2023,
effective July 1, 2023]; National Security Law of the People's Republic
of China [promulgated by the Standing Committee of the National
People's Congress, July 1, 2015, effective July 1, 2015]; National
Intelligence Law of the People's Republic of China [promulgated by the
Standing Committee of the National People's Congress, June 27, 2017,
effective June 28, 2017, amended Apr. 27, 2018]; Anti-Terrorism Law of
the People's Republic of China [promulgated by the Standing Committee
of the National People's Congress, Dec. 27, 2015, effective Jan. 1,
2016, amended Apr. 27, 2018]) to compel companies, including those in
the connected vehicle supply chain, to support national security
efforts--which are more broadly defined in the PRC than in the United
States--or military agents upon request, including in some cases
through the creation of backdoors and security vulnerabilities in
products sold abroad, and in many cases, the PRC prohibits companies
from disclosing that such a request was made. See U.S. Department of
Homeland Security, ``Data Security Business Advisory: Risks and
Considerations for Businesses Using Data Services and Equipment from
Firms Linked to the People's Republic of China,'' (Dec. 2022), https://www.dhs.gov/sites/default/files/publications/20_1222_data-security-business-advisory.pdf. Additionally, PRC authorities have established a
regulatory system that effectively allows them to stockpile cyber
vulnerabilities. Entities subject to these regulations, including
automotive systems manufacturers, are required to report
vulnerabilities upon discovery to PRC authorities before patching them.
See Cyberspace Administration of China, ``Provisions on the Management
of Security Vulnerabilities of Network Products,'' (Jul. 2021), https://www.cac.gov.cn/2021-07/13/c_1627761607640342.htm. This requirement
drastically increases the ability of the PRC government and PRC-backed
cyber actors to take action against the United States using connected
hardware and its associated software by creating an accessible library
of known and potentially unpatched vulnerabilities. And fourth, the PRC
has demonstrated a high level of competency in cyber malfeasance. The
recent Volt Typhoon action exemplified how PRC cyber actors pre-
position themselves across U.S. critical infrastructure and military
assets in order to, at a potential future date, launch an attack and
impede U.S. decision making, induce social panic, and interfere with
the deployment of U.S. military forces. See Cybersecurity and
Infrastructure Security Agency, ``PRC State-Sponsored Actors Compromise
and Maintain Persistent Access to U.S. Critical Infrastructure,'' (Feb.
2024), https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a. A 2022 Annual Report to Congress by the U.S.-China Economic and
Security Review Commission found that the PRC's ability and willingness
to ``weaponize'' its own industries, particularly its cybersecurity
industry, grants the country an asymmetric advantage over the United
States; an argument that was further supported in reporting earlier
this year that detailed the methods by which known government-
affiliated cyber threat groups utilize private firms to carry out their
attacks. See U.S.-China Economic and Security Review Commission, ``2022
Annual Report to Congress,'' (Nov. 2022), https://www.uscc.gov/sites/default/files/2022-11/2022_Annual_Report_to_Congress.pdf; Christian
Shepherd et al., ``Leaked files from Chinese firms show vast
international hacking efforts,'' The Washington Post (Feb. 22, 2024),
https://www.washingtonpost.com/world/2024/02/21/china-hacking-leak-documents-isoon/. Additionally, a 2012 report from United States Senate
Permanent Select Committee on Intelligence examining the national
security risks posed by the PRC-based companies Huawei and ZTE
specifically argued that there are numerous opportunities for PRC-based
threat actors to insert malicious hardware or software components into
ICTS products throughout the product development stage. See Permanent
Select Committee on Intelligence, ``Investigative Report on the U.S.
[[Page 79098]]
National Security Issues Posed by Chinese Telecommunications Companies
Huawei and ZTE'' (Oct. 2012), https://intelligence.house.gov/sites/intelligence.house.gov/files/documents/huawei-zte%20investigative%20report%20(final).pdf. This risk has not
diminished, as indicated by a study of designed vulnerabilities in
products conducted by the Georgetown Security Studies Review, which
outlines five years of persistent insertion of malicious code by PRC-
based threat actors. See Georgetown Security Studies Review, ``Flawed
by design electronics with pre-installed malware'' (May 2018), https://georgetownsecuritystudiesreview.org/2018/05/23/flawed-by-design-electronics-with-pre-installed-malware/. Given the above, the PRC's
access to the U.S. connected vehicle supply chain through its growing
automotive sector, military-civil fusion and other corporate governance
policies, and legal institutions paired with its development of mature
cyber espionage capabilities have increased the risk that the PRC could
alter the systems in, or obtain and manipulate information to or about,
market participants who use connected vehicle ICTS designed, developed,
manufactured, or supplied by persons owned by, controlled by, or
subject to the jurisdiction or direction of the PRC.
2. Russia
The Russian state has prioritized the growth of its automotive
manufacturing industry, instituted a legal and regulatory framework to
compel company data sharing with the state, and maintained a long
history of malicious cyber operations against the U.S. Under these
circumstances, there is an increasing likelihood that Russia emerges as
a supplier of connected vehicles technologies for the U.S. market,
providing the Russian government a means of exploiting U.S. connected
vehicles. Moreover, incorporating Russian hardware or software into the
U.S. connected vehicle supply chain poses undue and unacceptable risks
to U.S. critical infrastructure and U.S. persons.
First, while Russia has historically been less active in the global
automotive sector than the PRC, the Russian government has recently
sought to revitalize its own domestic auto manufacturing industry
following the exodus of foreign automakers after the imposition of
significant additional sanctions in 2022. In 2024 alone, the Russian
auto market is projected to experience a 15 percent increase in
passenger vehicle sales, marking a noted uptick since the market
crashed following sanctions, and some Russian auto manufacturers have
continued introducing new models even amid broader economic headwinds.
See Reuters, ``Russia's 2024 car sales forecast raised to 1.45 mln
units, AEB says,'' (Jul. 2024), https://www.reuters.com/business/autos-transportation/russias-2024-car-sales-forecast-raised-145-mln-units-aeb-says-2024-07-03. The void left by many foreign firms has made
Russia a valuable export market for Chinese auto manufacturers seeking
to expand their presence globally, with some Chinese auto brands seizing
significant market share from Russian competitors and accounting for almost
56 percent of domestic auto sales in August 2023. See Gleb Stolyarov
and Alexander Marrow, ``Exclusive: Chinese car sales boom in Russia
levels off amid shaky local recovery,'' Reuters (Nov. 2023), https://www.reuters.com/business/autos-transportation/chinese-car-sales-boom-russia-levels-off-amid-shaky-local-recovery-2023-11-24/. In Russia, the
revitalization of the domestic economy, in particular the domestic auto
sector, has become a key focus of the government since the imposition
of sanctions in recent years. The Russian government has released
several plans pointing to a prioritization of the development of its
domestic automotive market with a particular focus on research and
development for new technology, including autonomous vehicles and V2X
vehicle connectivity systems. See Russian Federation, Order of the
Government of the Russian Federation of December 28, 2022 No. 4261-r On
Approval of the Strategy for the Development of the Automotive Industry
of the Russian Federation until 2035 (Jan. 4, 2023), https://www.garant.ru/products/ipo/prime/doc/405963861/#1000, and Russian
Federation, Order of the Government of the Russian Federation of August
23, 2021 No. 2290-r On Approval of the Concept for the Development of
Electric Vehicle Production and the Transport Strategy of 2030, (2023),
https://static.government.ru/media/files/bW9wGZ2rDs3BkeZHf7ZsaxnlbJzQbJJt.pdf. The development of these
interlocking national transportation and automotive industry strategies
involved stakeholders from domestic automakers, technology sectors, and
the Russian government, illustrating a coordinated effort across the
Russian state and its domestic automotive industry. In order to extend
the reach of the state into the Russian auto industry, in February
2024, Russia established a state-owned corporation named Rosavto that
will act as liaison between government and industry and will develop
production plans for vehicles and automotive spare parts, oversee the
development of new models and technologies, and manage order
distribution, legislative initiatives, and workforce training. See
Eugene Gerden, ``New State Corporation to Oversee Russian Auto
Industry,'' Wards Auto (Feb. 2024), https://www.wardsauto.com/regulatory/new-state-corporation-to-oversee-russian-auto-industry.
Concerted efforts by the Russian government to grow the domestic
Russian automotive industry increase the likelihood that Russian-
manufactured VCS hardware or covered software will enter the U.S.
connected vehicle supply chain, which, as described below, would
present an undue or unacceptable risk to U.S. national security.
Second, like the PRC, the Russian government employs a suite of
laws that enable it to compel domestic companies with overseas
operations to provide data gleaned through foreign ventures or to
surrender similar operational assets to the Russian state. These laws
(e.g., Russian Law Federal Security Service No. 40-FZ, ``Operational-
Investigative Activity'' No. 144-FZ, 2014 Amdt. to No. 97-FZ) provide
the Russian government direct control over Russian corporations'
activities and facilities, including data or customer information, and
mandate that companies cooperate with assisting counterintelligence
actions as requested by the state, including the Federal Security
Service of the Russian Federation (FSB). The FSB can, in some cases,
mandate that companies allow the FSB to install equipment on their
infrastructure or collect data. Firms that are required to facilitate
this surveillance or intrusion activity can also be required to
actively obfuscate such requests and must provide the state with any
information essential to the decryption of any communications captured.
Together, these laws enable the Russian state to collect and exploit
sensitive data on or about U.S. persons via Russian businesses and,
should Russian companies become more prominent in the connected vehicle
supply chain, create a pathway by which the Russian government could
secure wide-ranging access to the vast amounts of data collected and
processed by Connected Vehicles in the United States. See Internet
Governance, ``Report of Peter B. Maggs,'' (Dec. 2017), https://www.internetgovernance.org/wp-content/uploads/12-7-Exhibit-AR-Part-6-Maggs-report.pdf. Public reports have consistently raised concerns
about
[[Page 79099]]
Russian government laws concerning data collection, citing a lack of
appropriate safeguards to prevent misuse, to include judicial or public
oversight. More broadly, reports have repeatedly documented the uneven
application of the rule of law, lack of judicial accountability,
recurrent violations of judicial proceedings, and challenges with
judicial independence. See Justin Sherman, ``Russia is weaponizing its
data laws against foreign organizations,'' Brookings, (Sept. 2022),
https://www.brookings.edu/articles/russia-is-weaponizing-its-data-laws-against-foreign-organizations/; Evgeni Moyakine and A. Tabachnik,
``Struggling to strike the right balance between interests at stake:
The `Yarovaya', `Fake news' and `Disrespect' laws as examples of ill-
conceived legislation in the age of modern technology,'' Computer Law &
Security Review 40, (Apr. 2021), https://www.sciencedirect.com/science/article/pii/S0267364920301175.
Third, apart from the access codified in Russia's legal framework,
the country has a longstanding pattern of utilizing cyber operations to
gain illicit access to systems that advance the strategic ends of
Russian authorities. For example, in December 2020 the company
SolarWinds announced it was the target of a two-year-long cyber
operation perpetrated by Russian hackers in the Russian Foreign
Intelligence Service (SVR). See U.S. Securities and Exchange
Commission, ``SEC Charges SolarWinds and Chief Information Security
Officer with Fraud, Internal Control Failures,'' (Oct. 2023), https://www.sec.gov/newsroom/press-releases/2023-227. The perpetrators of the
SolarWinds supply chain attack used a software update to deliver their
malware to the platform's users after Russian intelligence services
obtained covert access to the computer systems on which the platform
was installed and ultimately impacted more than 18,000 users, including
more than 100 companies and nine U.S. Government agencies. This attack
credibly demonstrates how Russian actors can infiltrate global
enterprise systems via software updates and exemplifies how they could
similarly leverage software as a means to exploit connected vehicles in
the United States. Additionally, a 2023 Cyber Security Advisory
suggests that exploitation of information technology firms and their
software will continue to be a persistent tactic leveraged by the
Russian government to collect intelligence. See Joint Cyber Security
Advisory, ``Russian Foreign Intelligence Service (SVR) Exploiting
JetBrains TeamCity CVE Globally'' (Dec. 2023), https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a. BIS has further
identified Kaspersky Lab as an example of how Russia has leveraged
software companies to give it the ability to collect and weaponize the
personal information of Americans. See Bureau of Industry and Security,
``Final Determination: Case No. ICTS-2021-002, Kaspersky Lab, Inc.''
(Jun. 2024), https://www.federalregister.gov/documents/2024/06/24/2024-13532/final-determination-case-no-icts-2021-002-kaspersky-lab-inc.
These political, legal, and regulatory frameworks, combined with the
PRC's and Russia's demonstrated capability to exploit ICTS supply
chains through malicious cyber activity, exacerbate BIS's concern that
the threats posed by these foreign adversaries could be directed at the
U.S. connected vehicle supply chain, including integral systems such as
VCS and ADS. The persistent connectivity and software-driven
capabilities of VCS and ADS, combined with the vast amounts of data
that traverse these systems, make them valuable and likely targets for
the PRC and Russian governments to compromise.
c. Consequences
Taken together, VCS and ADS designed, developed, manufactured, or
supplied by persons under the ownership, control, jurisdiction, or
direction of the PRC or Russia manifest undue and unacceptable risks to
United States national security in several ways. If left unaddressed,
the interaction of threats and vulnerabilities could result in the
exfiltration of sensitive U.S. persons' data to foreign adversaries or
the remote or automated manipulation of Connected Vehicles by the PRC
and Russia, among other concerns.
First, the integration of compromised VCS or ADS into a completed
vehicle could undermine the reliability of a connected vehicle or its
underlying control systems. Compromised components in VCS or ADS could
result in increased frequency and severity of connected vehicle
malfunctions that could in turn detrimentally impact U.S. national
security, including the resiliency of U.S. critical infrastructure, or
the safety of U.S. persons.
Given the persistent connectivity of VCS and ADS and the essential
functions that they service in the operation of Connected Vehicles,
these systems, if compromised and co-opted by an adversary, could serve
as a node through which a foreign actor could probe or breach broader
ICTS systems within the United States. According to research by
Upstream, remote malicious cyber activities--which rely on network
connectivity (e.g., Wi-Fi, Bluetooth, 3/4/5G networks)--have increased
significantly in recent years and consistently outnumber malicious
cyber activities carried out through physical access to devices since
at least 2010, accounting for 95 percent of all malicious cyber
activities in 2023. See Upstream, Upstream's 2024 Global Automotive
Cybersecurity Report (2024), https://upstream.auto/reports/global-automotive-cybersecurity-report/. Considering the increasingly
sophisticated methodologies employed by foreign adversaries to gain
access to critical U.S. cyber infrastructure, compromised VCS and ADS,
with their inherent connectivity, would easily present another attack
surface for foreign adversaries to exploit. As detailed in the previous
analysis of vulnerabilities inherent in VCS, adversaries with access to
VCS, such as to telematics systems, could inject malicious code into a
vehicle's operational systems. Additionally, such malware could be
developed in such a way as to exploit vehicle connectivity to propagate
itself across multiple systems as the vehicle travels and connects to
those discrete systems. In this way, not only would the ICTS integral
to Connected Vehicles be compromised, but vehicle systems could be
exploited to spread malware with the intent of harming all ICTS systems
to which a vehicle connects. See Anastasios Giannaros et al.,
``Autonomous Vehicles: Sophisticated Attacks, Safety Issues,
Challenges, Open Topics, Blockchain and Future Directions,'' Journal of
Cybersecurity and Privacy 3.3 (2023).
Second, as discussed, both VCS and ADS have significant control
over and access to critical vehicle functions, including steering,
braking, speed control, ignition, and almost all other mechanical
functions of the vehicle. Such extensive control over vehicle
operations could enable a foreign adversary to use a compromised VCS or
ADS component to hamper vehicle functions or even to manipulate a
connected vehicle for malicious purposes. As VCS and ADS control or
link to integral vehicle functions, a foreign adversary could even
exploit compromised VCS or ADS components to impair or disable a
connected vehicle while in transit. Disabled, impaired, or otherwise
improperly functioning vehicles could result in grave damage or
impediment to critical infrastructure within the United States, or in
physical harm to U.S. persons. A disabled, impaired, or erratically
functioning
[[Page 79100]]
Connected Vehicle, or potentially multiple Connected Vehicles all
experiencing such problems simultaneously, could result not only in
traffic patterns that would effectively block critical transportation
arteries, but could cause collisions ultimately damaging transportation
features (e.g., roadways, bridges, tunnels) and energy,
telecommunications, and similar infrastructure situated near
transportation systems. The potential consequences of widespread
connected vehicle impairment could be particularly acute if the targets
were fleet vehicles operating in support of infrastructure vital to
transportation, energy, water, waste, telecommunications, and other
essential services.
The risks to the resiliency of critical U.S. infrastructure posed
by connected vehicle components designed, developed, manufactured, or
supplied by persons that are owned by, controlled by, or subject to the
jurisdiction or direction of the PRC or Russia are further compounded
by the potential for VCS and ADS to collect data on infrastructure.
Advances in VCS and ADS necessitate increasingly cutting-edge sensor
suites incorporating radar, LiDAR, camera, sonar, and computer vision
to gather information on the surrounding environment for both onboard
computing and remote cloud computing to process data in informing
vehicle operating decisions. This vast wealth of data, collected over
time by multiple vehicles, likely contains valuable information such as
location data about critical U.S. infrastructure. For example, data
gathered from GPS/GNSS systems in a connected vehicle could be cross-
referenced and collated with a multitude of other data to produce
information about the location, function, and operational trends of
various transportation, energy, or other critical infrastructure. A
foreign adversary could extract such critical infrastructure data using
its control over designers, developers, manufacturers, or suppliers of
VCS and ADS components subject to the foreign adversary's ownership,
control, jurisdiction, or direction, thereby increasing the risk and
precision of attacks on such critical infrastructure.
Finally, given the volume of information collected by vehicles to
support VCS and ADS operation, exploitation of these systems could
enable an adversary to cull a tremendous amount of data on vehicle
movement across the United States. This information could potentially
include data generated on or from fleet vehicles used by emergency
response, law enforcement, or the military. This data, and particularly
all metadata and derived data that can be drawn from the raw data, can
provide considerable insight into fleet size, composition, and
capabilities, as well as information on organizational response times
and response procedures. Such information would prove valuable to an
adversary seeking to disrupt U.S. emergency response operations. Any
potential risks to U.S. national security arising from disrupting
emergency response activities are further compounded by the potential
for an adversary to exploit access to VCS and ADS to leverage the
persistent connectivity required for malign operations, including
exploits to trigger improper engine shutdown, brake activation, or
electrical system deactivation. Any of these actions have serious
consequences for U.S. persons' health and safety. The PRC or Russia
could use similar methods to target individual U.S. persons rather than
institutions, thereby imperiling the safety and security of individual
U.S. citizens or residents. VCS and ADS, if corrupted by the producer
at the direction of a foreign adversary, could improperly access driver
mobile devices to collect, exfiltrate, and exploit personally
identifiable information (PII) or even protected health information
(PHI). It is also possible that a foreign adversary could use covert
access to VCS and ADS to provide false or misleading information to a
driver, causing degraded and dangerous vehicle operation conditions.
Such tactics could be used either indiscriminately to sow panic and
cause disruption, or to intentionally target specific drivers.
Additionally, and as noted by the Office of the Director of National
Intelligence in the 2024 National Counterintelligence Strategy, foreign
adversaries, like the PRC and Russia, view this kind of PII and PHI as
particularly valuable as it provides them ``not only economic and R&D
benefits, but also useful [counterintelligence] information, as hostile
intelligence services can use vulnerabilities gleaned from such data to
target and blackmail individuals.'' See The Director of Nat'l
Intelligence, 2024 National Counterintelligence Strategy (Aug. 2024),
https://www.dni.gov/files/NCSC/documents/features/NCSC_CI_Strategy-pages-20240730.pdf.
Even when such systems are not subject to compromise, companies
owned by, controlled by, or subject to the jurisdiction or direction of
a foreign adversary, if occupying certain positions within the supply
chain, may potentially legally gain access to their users' personal
data. For example, one prominent Chinese auto manufacturer with
operations in the United States publicly states in its U.S. privacy
policy that the personal data it may collect (e.g., identifiers,
customer records information, internet or other electronic network
activity information, geolocation information, professional or
employment-related information) is only stored in the United States
``in principle,'' but goes on to note that personal data ``may be
transferred to our headquarters in China'' for processing and storage.
While the incorporation in the U.S. supply chain of VCS hardware and
covered software designed, developed, manufactured, or supplied by
persons owned by, controlled by, or subject to the jurisdiction or
direction of the PRC or Russia poses one type of risk, transactions
involving VCS hardware and covered software pose a separate risk when
the connected vehicle manufacturer is, itself, owned by, controlled by,
or subject to the jurisdiction or direction of the PRC or Russia, even
when the connected vehicle manufacturer is located in the United
States. Connected vehicle manufacturers have privileged and direct
access to all systems in the vehicle, including the VCS hardware and
covered software. Not only are VCS hardware and covered software built
to the connected vehicle manufacturers' specifications, but connected
vehicle manufacturers are also able to exercise significant control
over that VCS hardware and covered software, with little to no external
oversight, prior to the sale of the completed connected vehicle. Based on the
foregoing, BIS assesses that ICTS transactions involving VCS hardware
or covered software designed, developed, manufactured, or supplied by
persons owned or controlled by, or subject to the jurisdiction or
direction of the PRC or Russia--including transactions to supply the
VCS hardware or covered software into the United States market as part
of the sale of the completed connected vehicle--present undue or
unacceptable risks to the national security of the United States within
the meaning of E.O. 13873. BIS welcomes comment on the vulnerabilities
and risks it has identified.
V. Discussion of the Proposed Rule and Request for Comments
BIS proposes a regulation that would--absent a general or specific
authorization otherwise--(1) prohibit VCS hardware importers from
knowingly importing into the United
[[Page 79101]]
States certain hardware for VCS; (2) prohibit connected vehicle
manufacturers from knowingly importing into the United States completed
connected vehicles incorporating covered software; (3) prohibit
connected vehicle manufacturers from knowingly selling within the
United States completed connected vehicles that incorporate covered
software; and (4) prohibit connected vehicle manufacturers who are
persons owned by, controlled by, or subject to the jurisdiction or
direction of the PRC or Russia from knowingly selling in the United
States completed connected vehicles that incorporate VCS hardware or
covered software (collectively, ``Prohibited Transactions''). These
prohibitions would apply to transactions when such VCS hardware or
covered software is designed, developed, manufactured, or supplied by
persons owned by, controlled by, or subject to the jurisdiction or
direction of the PRC or Russia.
BIS anticipates that this rule would primarily impact market
participants who could be considered VCS hardware importers or
connected vehicle manufacturers, such as OEMs and importers of
completed connected vehicles, as well as Tier 1 and Tier 2 suppliers of
VCS hardware. For these entities, three compliance mechanisms--
Declarations of Conformity, general authorizations, and specific
authorizations--are available, depending on whether the VCS hardware
importer or connected vehicle manufacturer wishes to engage in an
otherwise prohibited transaction. Importantly, because VCS hardware
importers and connected vehicle manufacturers frequently offer many
different types of products, any one of the three mechanisms may not be
available for their entire business. Rather, depending on the product,
VCS hardware importers and connected vehicle manufacturers could be
required to use a combination of these three mechanisms to meet their
obligations under the rule.
First, Declarations of Conformity would have to be submitted to BIS
by VCS hardware importers and connected vehicle manufacturers who have
not engaged in a prohibited transaction, unless otherwise specified.
Such VCS hardware importers and connected vehicle manufacturers would,
in this Declaration of Conformity, certify to BIS, once per calendar
year or model year (or whenever material changes occur), that the
submitter has not engaged in a prohibited transaction and provide
certain information on the import of VCS hardware and/or the import or
sale of completed connected vehicles.
Second, a general authorization could be available for VCS hardware
importers and/or connected vehicle manufacturers seeking to engage in
an otherwise prohibited transaction, depending on the circumstances. A
general authorization would allow the VCS hardware importer and/or
connected vehicle manufacturer to engage in the otherwise prohibited
transaction, without the need to notify or seek approval from BIS.
General authorizations would be available only in a narrow set of
circumstances in which the conditions of the otherwise prohibited
transaction appropriately mitigate the level of risk associated with
the particular transaction. Such conditions would include, for example,
when VCS hardware is imported from the PRC or Russia solely for testing
purposes, or where the completed connected vehicle that incorporates
VCS hardware or covered software from the PRC or Russia will be driven
on public roads for fewer than 30 calendar days per year. Those
availing themselves of a general authorization would be required to
continuously monitor their use of the VCS hardware or completed
connected vehicles covered by the general authorization to ensure the
authorization still applies. If a change would render the transaction
ineligible for a general authorization, such as a change in the
vehicle's use, the VCS hardware importer or connected vehicle
manufacturer would be required to apply for a specific authorization
and to cease engaging in such transaction unless and until a specific
authorization is granted. For example, if a completed connected vehicle
that incorporates covered software or VCS hardware that is designed,
developed, manufactured, or supplied by a person owned by, controlled
by, or subject to the jurisdiction or direction of the PRC or Russia is
no longer used solely for display, research, or testing, the VCS
hardware importer or the connected vehicle manufacturer would be
required to seek a specific authorization. Similarly, if the VCS
hardware importer or connected vehicle manufacturer meets or exceeds
total model year production of 1,000 units, or if a completed connected
vehicle that incorporates covered software or VCS hardware that is
designed, developed, manufactured, or supplied by a person owned by,
controlled by, or subject to the jurisdiction or direction of the PRC
or Russia is to be used on public roadways for 30 or more days in any
calendar year, the VCS hardware importer or connected vehicle
manufacturer would be required to seek a specific authorization from
BIS.
Lastly, for VCS hardware importers and connected vehicle
manufacturers who wish to engage in a prohibited transaction, but do
not otherwise qualify for a general authorization, a specific
authorization from BIS would be required before they could proceed with
the prohibited transaction. A specific authorization would only be
available in circumstances where BIS determines, based on the
information submitted by the applicant and other collected information,
that the otherwise prohibited transaction does not present an undue or
unacceptable risk to U.S. national security. However, as a condition of
approving the specific authorization, BIS might impose certain
requirements and mitigation measures upon the VCS hardware importers
and connected vehicles manufacturers seeking to proceed with the
prohibited transaction.
VCS hardware importers and connected vehicle manufacturers could
appeal to the Under Secretary for Industry and Security (Under
Secretary) any decision by BIS to deny an application for a specific
authorization, suspend or revoke a previously granted specific
authorization, or issue a written notification that a VCS hardware
importer or connected vehicle manufacturer is ineligible for a general
authorization. Further, the regulation would establish a method for VCS
hardware importers and connected vehicle manufacturers to seek guidance
from BIS, in the form of advisory opinions, on prospective transactions
that may be prohibited. BIS also proposes to establish a process
through which BIS may inform VCS hardware importers or connected
vehicle manufacturers that certain of their activities could constitute
a prohibited transaction.
In proposing this rule, BIS recognizes that Section 203(b) of
IEEPA--i.e., the ``Berman Amendment''--limits the scope of the
authority to regulate or prohibit transactions relating to
``information'' or ``informational materials.'' In relevant part, the
Berman Amendment states that the ``authority granted to the President
by this section does not include the authority to regulate or prohibit,
directly or indirectly . . . the importation from any country, or the
exportation to any country, whether commercial or otherwise, regardless
of format or medium of transmission, of any information or
informational materials, including but not limited to, publications,
films, posters, phonograph
[[Page 79102]]
records, photographs, microfilms, microfiche, tapes, compact disks, CD
ROMs, artworks, and newswire feeds.'' 50 U.S.C. 1702(b)(3). Consistent
with the statute's text and purpose, as demonstrated by legislative
history and context, as well as judicial interpretations, BIS
understands the phrase ``information or informational materials'' to
refer to expressive materials and mediums that may be carrying such
expressive content. See, e.g., United States v. Amirnazmi, 645 F.3d
564, 586-87 (3d Cir. 2011). Accordingly, the Berman Amendment prevents
BIS from regulating, directly or indirectly, the import or export of
expressive materials. It does not, however, prevent BIS from imposing a
regulation that is aimed at the functional capabilities of technology.
The proposed rule is consistent with the Berman Amendment. Its
purpose is to regulate transactions involving certain hardware and
software based on functional capabilities that can be exploited by
foreign adversaries, not the exchange of ideas and expression that the
Berman Amendment protects. As discussed in Section IV, VCS hardware and
covered software process and transmit data such as geolocation
information or systems diagnostics reports, which are used to monitor
and control the vehicle's safe operation, and that a foreign adversary
could also manipulate in ways that could impair or disable the
vehicle's function, leading to dangerous outcomes that pose a harm to
U.S. national security. Similarly, the functional data collected by
covered software--such as high-definition mapping data of
infrastructure and roadways--would pose serious risks to that critical
infrastructure if collected and exploited by a foreign adversary. As a
result, BIS has determined that the proposed prohibitions in this rule
are consistent with the Berman Amendment, which was intended to protect
materials involving the free exchange of ideas from regulation under
IEEPA. BIS is considering whether and how to address the term
``information or informational materials'' within the context of the
proposed rule and may consider further changes to the final rule to
reflect our interpretation of this term. BIS welcomes comment on this
issue.
Each section of the proposed rule is discussed below. BIS invites
comments on all aspects of this proposed rule.
a. Definitions
1. Automated Driving System (ADS)
BIS proposes to define ``Automated Driving System'' to mean
hardware and software that, collectively, are capable of performing the
entire dynamic driving task for a completed connected vehicle on a
sustained basis, regardless of whether it is limited to a specific ODD.
This definition is consistent with the terminology industry uses for
systems that operate at certain advanced levels of autonomy. It is also
consistent with definitions issued by NHTSA. Specifically, this
definition corresponds to automation levels 3, 4, and 5 as defined by
SAE International standard J3016.
2. Completed Connected Vehicle
BIS proposes to define ``completed connected vehicle'' to mean a
connected vehicle that requires no further manufacturing operations to
perform its intended function. This definition is consistent with
definitions issued by NHTSA. Additionally, for the purposes of this
proposed definition, the integration of an ADS into a connected vehicle
constitutes a manufacturing operation for a completed connected
vehicle. BIS intends this caveat to clarify that a person owned by,
controlled by, or subject to the jurisdiction or direction of the PRC
or Russia, whose sole manufacturing or assembly operation is
integrating ADS into an otherwise completed connected vehicle, would be
subject to the prohibitions in the rule and would need to obtain a
specific authorization before importing or selling that completed
connected vehicle in the United States.
3. Connected Vehicle
BIS proposes to define ``connected vehicle'' to mean a vehicle
driven or drawn by mechanical power and manufactured primarily for use
on public streets, roads, and highways, that integrates onboard
networked hardware with automotive software systems to communicate via
dedicated short-range communication, cellular telecommunications
connectivity, satellite communication, or other wireless spectrum
connectivity with any other network or device. Vehicles operated only
on a rail line are not included in this definition. This definition
incorporates the suggestions of commenters to the ANPRM, many of whom
requested that the definition of connected vehicle specify the types of
vehicles that would be covered.
4. Connected Vehicle Manufacturer
BIS proposes to define a ``connected vehicle manufacturer'' to mean
a U.S. person (1) manufacturing or assembling completed connected
vehicles in the United States; and/or (2) importing completed connected
vehicles for sale in the United States.
5. Covered Software
BIS proposes to define ``covered software'' to mean the software-
based components, in which there is a foreign interest, executed by the
primary processing unit of the respective systems that are part of an
item that supports the function of VCS or ADS at the vehicle level.
Covered software does not include firmware, which is characterized as
software specifically programmed for a hardware device with a primary
purpose of controlling, configuring, and communicating with that
hardware device. At a minimum, this definition of covered software
would include operating systems such as a real-time operating system
(RTOS), and general-purpose operating systems. An example of covered
software within the ADS is, if included in the system, the machine
learning software that performs the functions of object detection,
classification, and decision making.
Covered software does not include open-source software. BIS
understands open-source software as software that can be freely used,
modified, and distributed by anyone, with both access to the source
code and the ability to contribute to the software's development and
improvement. Given these qualities of open-source software, it is not
designed, developed, manufactured, or supplied by any attributable
entity. Therefore, the inclusion of open-source software as a component
of covered software is not subject to prohibition. However, if licensed
open-source software is modified to create proprietary enterprise
software for a specific use not meant for redistribution, the resulting
software could be subject to prohibition if the person modifying the
open-source software is owned by, controlled by, or subject to the
jurisdiction or direction of the PRC or Russia. In addition to other
aspects of this proposed rule, BIS specifically seeks comment on this
definition.
6. FCC ID Number
BIS proposes to define ``FCC ID Number'' as the unique alphanumeric
code identifying a product subject to certification by the Federal
Communications Commission (FCC) composed of a (1) grantee code and (2)
product code.
7. Foreign Interest
For the purposes of this rule, BIS is considering ``foreign
interest,'' when used with respect to property, as any
[[Page 79103]]
interest in property, of any nature whatsoever, whether direct or
indirect, by a non-U.S. person. Under this definition, a foreign
interest can include, but is not limited to, an interest through
ownership, intellectual property, contract--e.g., ongoing supply
commitments such as maintenance, any license agreement related to the
use of intellectual property--profit-sharing or fee arrangement, as
well as any other cognizable interest. This definition is consistent
with the definition of ``interest'' used in the context of Office of
Foreign Assets Control sanctions, which are, in relevant part, also
established pursuant to the statutory requirements of IEEPA. See 31 CFR
Chapter V, and, e.g., 31 CFR 510.313, 535.312.
Consistent with IEEPA, BIS proposes to regulate only transactions
involving property in which a foreign country or national thereof has
any such interest. A transaction would be subject to the prohibitions
in the proposed rule only if it involves ICTS, specifically VCS
hardware or covered software, that is designed, developed,
manufactured, or supplied by a person owned by, controlled by, or
subject to the jurisdiction or direction of the PRC or Russia. VCS
hardware importers and connected vehicle manufacturers wishing to
engage in transactions that this rule proposes to prohibit would need
to qualify for a general authorization or obtain a specific
authorization. In order to provide sufficient visibility into the
supply chains of VCS hardware and covered software, including to verify
that the transaction does not involve VCS hardware or covered software
that is designed, developed, manufactured, or supplied by a person
owned by, controlled by, or subject to the jurisdiction or direction of
the PRC or Russia (see Section V(c) of this notice and proposed Section
791.305), BIS is proposing to require that VCS hardware importers and
connected vehicle manufacturers that import VCS hardware, or import or
sell completed connected vehicles that contain covered software in
which there is any other foreign interest, submit an annual Declaration
of Conformity containing relevant details about the import or sale. BIS
seeks comment on this regulatory approach, including the necessity and
efficacy of requiring Declarations of Conformity with respect to VCS
hardware and covered software in which there is a foreign interest,
though not a foreign adversary interest. BIS also seeks comment on the
availability and efficacy of any alternative approach that would
require a narrower set of VCS hardware importers and completed
connected vehicle manufacturers to submit Declarations of Conformity,
while still achieving the goals of the Declaration of Conformity
requirement and addressing the declared emergency under Executive Order
13873.
With respect to VCS hardware that is designed, developed,
manufactured, or supplied by a person owned by, controlled by, or
subject to the jurisdiction or direction of the PRC or Russia, BIS
proposes to regulate the importation of VCS hardware, making VCS
hardware importers responsible for compliance.
With respect to covered software, based on discussions with
connected vehicle manufacturers, automotive suppliers, and other
stakeholders, BIS has come to understand that typically, ADS and VCS
software are designed or developed to a connected vehicle
manufacturer's specifications. ADS and VCS software is frequently
designed, developed, or supplied by foreign persons, and those persons
frequently retain a legally cognizable interest in the underlying
software, even after it has been integrated into the connected vehicle.
For example, foreign software developers may earn profits from use of
their software; retain data access and sharing rights to the software;
or have obligations to maintain and update the software. Such
arrangements are among the types of interests that BIS contemplates as
giving rise to an obligation to submit a Declaration of Conformity or,
if the software designer, developer, or supplier is a person owned by,
controlled by, or subject to the jurisdiction or direction of a foreign
adversary, to qualify for a general authorization or seek a specific
authorization under the proposed rule. BIS therefore proposes to
regulate covered software by regulating the importation or sale of
completed connected vehicles, making connected vehicle manufacturers
responsible for compliance. BIS seeks comment on this understanding of
foreign interests in covered software as well as other arrangements in
which foreign designers, developers, or suppliers of covered software
retain a cognizable legal interest in the software after it is
integrated into a connected vehicle.
Finally, in addition to the general regulations related to VCS
hardware and covered software described above, with respect to
connected vehicle manufacturers who are owned by, controlled by, or
subject to the jurisdiction or direction of the PRC or Russia, BIS
additionally proposes to regulate VCS hardware and covered software by
regulating the sale of completed connected vehicles that incorporate
VCS hardware or covered software. In this circumstance, BIS understands
from extensive engagement with connected vehicle manufacturers and
automotive suppliers that persons who own, control, or direct the
operations of the connected vehicle manufacturer would maintain an
interest in the vehicle transactions that the connected vehicle
manufacturer carries out. For example, this could include, but is not
limited to, profit sharing agreements between a parent company and its
U.S. subsidiary, or data sharing agreements between the same. BIS
understands this to be standard for the automotive industry and would
welcome comments on this issue. Additionally, because the PRC and
Russian legal regimes discussed in Section IV of this notice could
compel a PRC or Russia-based parent company of a connected vehicle
manufacturer to provide those governments with information on or access
to the operations of the U.S.-based connected vehicle manufacturer, BIS
understands that the foreign parent company typically retains a legal
right to access the data collected by the U.S. subsidiary, representing
a foreign interest in that U.S. subsidiary and its connected vehicle
sales.
BIS seeks comment on the nature of foreign interests in
transactions related to the connected vehicle supply chain, including
as described in the prohibitions outlined herein. BIS also seeks
comment as to its understanding of the nature and presence of a Foreign
Interest in property subject to the prohibitions described above, as
well as whether there are other types of transactions that would
involve Foreign Interests, as described above.
8. Hardware Bill of Materials
BIS proposes to define ``Hardware Bill of Materials'' or HBOM as a
comprehensive list of parts, assemblies, documents, drawings, and
components required to create a physical product. This term includes
information identifying the manufacturer, related firmware, technical
information, and descriptive information.
9. Import
BIS proposes to define ``import'' to mean, with respect to any
article, the entry of such article into the United States Customs
Territory. It does not include admission of an article from outside the
United States into a foreign-trade zone for storage pending further
assembly in the foreign-trade zone, or
shipment to a foreign country. This definition only applies to subpart
D of 15 CFR part 791.
10. Item
BIS proposes to define ``item'' as a component or set of components
with a specific function at the vehicle level. A system may also be
considered an item if it implements a function. This definition is
consistent with ISO/SAE Standard 21434.
11. Knowingly
BIS proposes to define ``knowingly'' to have the same meaning given
to ``knowledge'' in the Export Administration Regulations (15 CFR
772.1). Knowledge of a circumstance (the term may be a variant, such as
``know,'' ``reason to know,'' or ``reason to believe'') includes not
only positive knowledge that the circumstance exists or is
substantially certain to occur, but also an awareness of a high
probability of its existence or future occurrence. Such awareness is
inferred from evidence of the conscious disregard of facts known to a
person and is also inferred from a person's willful avoidance of facts.
12. Model Year
Consistent with the definition used by NHTSA, BIS proposes to
define ``model year'' as the year used to designate a discrete vehicle
model, irrespective of the calendar year in which the vehicle was
actually produced, provided that the production period does not exceed
24 months. Throughout this proposed rule, BIS refers to both calendar
year and model year when referring to the import of VCS Hardware,
particularly for the submission of Declarations of Conformity (791.305)
and the implementation timeline (791.308 (Exemptions)). BIS generally
understands that most VCS hardware is imported into the United States
already destined for a known, specific model year of vehicle. BIS also
understands that some VCS hardware units may be imported without being
associated with a specific vehicle model year. As such, the proposed
rule provides separate timelines for each of these cases to accommodate
business timelines for VCS hardware importers. BIS is particularly
interested in comment on this approach.
13. Person Owned by, Controlled by, or Subject to the Jurisdiction or
Direction of a Foreign Adversary
BIS proposes to define ``person owned by, controlled by, or subject
to the jurisdiction or direction of a foreign adversary'' to mean, (a)
any person, wherever located, who acts as an agent, representative, or
employee, or any person who acts in any other capacity at the order,
request, or under the direction or control, of a foreign adversary or
of a person whose activities are directly or indirectly supervised,
directed, controlled, financed, or subsidized in whole or in majority
part by a foreign adversary; (b) any person, wherever located, who is a
citizen or resident of a foreign adversary or a country controlled by a
foreign adversary, and is not a United States citizen or permanent
resident of the United States; (c) any corporation, partnership,
association, or other organization with a principal place of business
in, headquartered in, incorporated in, or otherwise organized under the
laws of a foreign adversary or a country controlled by a foreign
adversary; or (d) any corporation, partnership, association, or other
organization, wherever organized or doing business, that is owned or
controlled by a foreign adversary, to include circumstances in which
any person identified in paragraphs (a) through (c) possesses the
power, direct or indirect, whether or not exercised, through the
ownership of a majority or a dominant minority of the total outstanding
voting interest in an entity, board representation, proxy voting, a
special share, contractual arrangements, formal or informal
arrangements to act in concert, or other means, to determine, direct,
or decide important matters affecting an entity.
14. Prohibited Transactions
BIS proposes to define ``prohibited transactions'' as,
collectively, the transactions described in Sec. Sec. 791.302
(Prohibited VCS hardware transactions), 791.303 (Prohibited covered
software transactions), or 791.304 (Related prohibited transactions).
The term prohibited transactions refers to the prohibitions on the
knowing import of VCS hardware into the United States that is designed,
developed, manufactured, or supplied by persons owned by, controlled
by, or subject to the jurisdiction or direction of the PRC or Russia,
as specified in section 791.302; the knowing Sale within, or import
into, the United States of a completed connected vehicle containing
covered software that is designed, developed, manufactured, or supplied
by persons owned by, controlled by, or subject to the jurisdiction or
direction of the PRC or Russia, as specified in Sec. 791.303; and the
knowing Sale of completed connected vehicles that incorporate VCS
Hardware or covered software by connected vehicle Manufacturers who are
owned by, controlled by, or subject to the jurisdiction or direction of
the PRC or Russia, as specified in Sec. 791.304.
15. Sale
BIS proposes to define ``sale,'' in the context of this subpart, as
distributing for purchase, lease, or other commercial operations a new
completed connected vehicle for a price, to include the transfer of
completed connected vehicles from a connected vehicle manufacturer to a
dealer or distributor, as those terms are defined in 49 U.S.C. 30102.
This definition also applies to the related terms such as sell or
selling. This would include direct-to-consumer sales of completed
connected vehicles from the connected vehicle manufacturer to the
ultimate purchaser.
16. Software Bill of Materials
BIS proposes to define ``Software Bill of Materials'' or SBOM as a
formal and dynamic, machine-readable inventory detailing the software
supply chain relationships between software components and
subcomponents, including software dependencies, hierarchical
relationships, and baseline software attributes, including author's
name, timestamp, supplier name, component name, version string,
component hash, package URL, unique identifier, and dependency
relationships to other software components.
BIS understands that this definition generally conforms to industry
standards. However, BIS is specifically seeking comment on the
feasibility, technical burden, cost, and effectiveness of identifying
and disclosing to BIS the listed SBOM attributes.
17. Vehicle Connectivity System
BIS proposes to define ``Vehicle Connectivity System'' or VCS as a
hardware or software item for a completed connected vehicle that has
the function of enabling the transmission, receipt, conversion, or
processing of radio frequency communications at a frequency over 450
megahertz. This definition would exempt most remote keyless entry fobs
and immobilizers and certain internal wireless sensors and relays. VCS
software is included in the definition of Covered Software.
18. VCS Hardware
BIS proposes to define ``VCS hardware'' as the following software-
enabled or programmable components and subcomponents that support the
function of Vehicle Connectivity Systems or that are part of an item
that
supports the function of Vehicle Connectivity Systems: microcontroller,
microcomputers or modules, systems on a chip, networking or telematics
units, cellular modem/modules, Wi-Fi microcontrollers or modules,
Bluetooth microcontrollers or modules, satellite navigation systems,
satellite communication systems, other wireless communication
microcontrollers or modules, and external antennas. VCS hardware does
not include component parts that do not contribute to the communication
function of VCS hardware (e.g., brackets, fasteners, plastics, and
passive electronics). VCS hardware would include aftermarket devices
not contained in a completed connected vehicle at sale but that could
be later integrated into or attached to the vehicle to perform VCS
functions.
BIS believes this definition appropriately identifies the various
components, contained within a TCU or other connected systems of a
connected vehicle, that facilitate off-board data transmission, and,
thus, are most likely to pose the risks identified in Section IV of
this notice. BIS specifically seeks comment on this list of components
and the appropriateness of their inclusion to address the national
security risks that BIS has identified in this notice.
19. VCS Hardware Importer
BIS proposes to define ``VCS hardware importer'' as a U.S. person
importing VCS hardware for further manufacturing, integration, resale,
or distribution. A connected vehicle manufacturer may be a VCS Hardware
Importer if VCS hardware has already been installed in a connected
vehicle when imported by the connected vehicle manufacturer.
This definition would capture OEMs, and tier 1 and tier 2 suppliers
importing VCS hardware into the United States. BIS specifically seeks
comment on the scope of this definition, particularly regarding whether
it captures the breadth of market participants dealing in VCS Hardware.
20. United States
BIS proposes to define ``United States'' to mean the United States
of America, the States of the United States, the District of Columbia,
and any commonwealth, territory, dependency, or possession of the
United States, or any subdivision thereof, and the territorial sea of
the United States.
b. Prohibitions on Certain Transactions Related to Connected Vehicles
1. Prohibited Transactions
Under the proposed rule, VCS hardware importers would be prohibited
from knowingly importing into the United States any VCS hardware that
is designed, developed, manufactured, or supplied by persons owned by,
controlled by, or subject to the jurisdiction or direction of the PRC
or Russia. BIS specifically seeks comment on this approach and whether
additional components should be included in or excluded from this
prohibition.
Connected vehicle manufacturers would be prohibited from knowingly
Selling within the United States, or importing into the United States,
completed connected vehicles that incorporate covered software
designed, developed, manufactured, or supplied by persons owned by,
controlled by, or subject to the jurisdiction or direction of the PRC
or Russia.
Connected vehicle manufacturers who are owned by, controlled by, or
subject to the jurisdiction or direction of the PRC or Russia would
also be prohibited from knowingly Selling in the United States
completed connected vehicles that incorporate covered software or VCS
hardware. As with other connected vehicle manufacturers, connected
vehicle manufacturers who are owned by, controlled by, or subject to
the jurisdiction or direction of the PRC or Russia participate in the
design and development of VCS hardware and covered software, which are
generally built to the manufacturers' specifications. However, this
prohibition applies even if connected vehicle manufacturers who are
owned by, controlled by, or subject to the jurisdiction or direction of
the PRC or Russia were not involved in the design or development of the
VCS Hardware and Covered Software. Their Sale of those completed
connected vehicles constitutes the supply of VCS hardware and covered
software and is thus captured by this prohibition. To be clear, BIS
anticipates that because of the role connected vehicle manufacturers
play in the design and development of the key components in connected
vehicles, in many cases, this prohibition will be duplicative of the
other prohibitions in this proposed rule. BIS seeks comments on the
efficacy of all of the proposed prohibitions detailed above.
As noted above, for the purposes of this proposed rule, BIS defines
the term ``person owned by, controlled by, or subject to the
jurisdiction or direction of a foreign adversary'' to mean (a) any
person, wherever located, who acts as an agent, representative, or
employee, or any person who acts in any other capacity at the order,
request, or under the direction or control, of a foreign adversary or
of a person whose activities are directly or indirectly supervised,
directed, controlled, financed, or subsidized in whole or in majority
part by a foreign adversary; (b) any person, wherever located, who is a
citizen or resident of a foreign adversary or a country controlled by a
foreign adversary, and is not a United States citizen or permanent
resident of the United States; (c) any corporation, partnership,
association, or other organization with a principal place of business
in, headquartered in, incorporated in, or otherwise organized under the
laws of a foreign adversary or a country controlled by a foreign
adversary; or (d) any corporation, partnership, association, or other
organization, wherever organized or doing business, that is owned or
controlled by a foreign adversary, to include circumstances in which
any person identified in paragraphs (a) through (c) possesses the
power, direct or indirect, whether or not exercised, through the
ownership of a majority or a dominant minority of the total outstanding
voting interest in an entity, board representation, proxy voting, a
special share, contractual arrangements, formal or informal
arrangements to act in concert, or other means, to determine, direct,
or decide important matters affecting an entity.
To provide further clarity regarding transactions involving VCS
hardware and covered software that would be prohibited, BIS offers the
following examples of persons owned by, controlled by, or subject to
the jurisdiction or direction of the PRC and Russia:
Example 1: Company A, incorporated in the United States, is a
wholly owned subsidiary of Company B. Company B is a state-owned
enterprise of the PRC or Russia. Because Company B is a state-owned
enterprise, Company A would be considered ``owned by'' the PRC or
Russia.
Example 2: Company A is a joint venture between Company B and
Company C where Company C owns a majority share of Company A. Company B
is a corporation incorporated in a third-party jurisdiction. Company C
is a state-owned enterprise of the PRC or Russia. Company A would be
considered ``owned by'' the PRC or Russia.
Example 3: Company A is majority owned in aggregate by multiple
state-owned enterprises and state-owned investment funds of the PRC or
Russia. Company A would be considered ``owned by'' the PRC or Russia.
Example 4: Company A, incorporated in the United States, is a
subsidiary of
Company B. Company B is a private company incorporated in the PRC or
Russia with its principal place of business in the PRC or Russia.
Because Company B is subject to the jurisdiction of the PRC or Russia,
Company B's subsidiary, Company A, is controlled by an entity subject
to the jurisdiction of the PRC or Russia and would be considered
``controlled by'' and ``subject to the direction of'' the PRC or
Russia.
Example 5: Company A is a multinational company where a majority of
the voting power is held by Company B, a PRC or Russian government
investment fund. Company A would be ``controlled by'' and ``subject to
the direction of'' the PRC or Russia.
Example 6: Company A is a holding company organized in a tax-
advantaged jurisdiction. Company A is publicly listed on a stock
exchange and its corporate voting structure is characterized by Class A
and Class B shares, Class B shares having ten times the voting power of
Class A shares. If the aggregate voting power of shareholders subject
to the jurisdiction of the PRC or Russia holding either Class A or
Class B shares constitutes a majority or a dominant minority of total
voting power, then Company A would be ``controlled by'' and ``subject
to the direction of'' the PRC or Russia.
Example 7: Company A, a company that is organized under the laws of
the PRC or Russia, owns a minority interest in Company B, a U.S.
business. Based on special voting powers vested in that minority
interest, Company A maintains certain veto rights that determine
important matters affecting Company B, including the right to veto the
dismissal of senior executives of Company B. Company B would be
considered ``controlled by'' and ``subject to the direction of''
Company A, and therefore owned by, controlled by, or subject to the
jurisdiction or direction of the PRC or Russia.
Example 8: Company A is an entity incorporated in a third country
and Company B is an entity incorporated in the PRC or Russia. Company A
and Company B create a new joint venture, Company C, to design,
develop, and manufacture a new product. Company A and Company B own
minority shares of the joint venture while Company D, a holding company
wholly owned by a PRC citizen, owns the largest minority share. If
aggregate voting power of Company B and Company D constitutes majority
or dominant minority voting share, Company C would be ``controlled by''
and ``subject to the direction of'' the PRC or Russia.
Example 9: Company A has eight members on its board of directors.
Company A is characterized by a shareholder and corporate governance
structure that requires a 75 percent supermajority for any significant
business decision. Three of the members of the board are citizens of,
and therefore subject to the jurisdiction of, the PRC or Russia.
Because these three members make up 37.5 percent of the voting power of
the board, they can block any supermajority and therefore determine,
direct, or decide important matters affecting Company A. Company A
would be ``controlled by'' or ``subject to the direction of'' the PRC
or Russia.
Example 10: The PRC or Russian government, through an investment
fund, acquires a 1% special management share in Company A. This share
grants the PRC or Russian government the right to appoint a director to
the board of Company A and veto certain key business decisions, such as
major strategic changes or mergers. This share allows the government to
influence Company A's operations and strategy. Company A would be
``controlled by'' the PRC or Russia.
Example 11: Company A maintains its principal place of business in
the PRC or Russia. Company A would be ``subject to the jurisdiction''
of the PRC or Russia.
Example 12: Company A is a publicly listed U.S. corporate entity.
Company A has a wholly owned subsidiary, Company B, that is organized
under the laws of the PRC or Russia and manufactures goods in the PRC
or Russia. Because Company B is organized under the laws of the PRC or
Russia, Company B would be subject to the jurisdiction of the PRC or
Russia. However, Company A is not subject to the jurisdiction of the
PRC or Russia by nature of its subsidiary, Company B, being ``subject
to the jurisdiction'' of the PRC or Russia.
Example 13: Company A is privately held and incorporated in the
United States. One member of Company A's board of directors, Person X,
a former chairman of the board of a large PRC corporation, has known
ties to the government of the PRC, owns a large minority share of
Company A, and has previously made significant investments in other
companies founded by Company A's chief executive officer. Person X also
facilitated a large minority investment in Company A by the large PRC
corporation where they were previously chairman of the board. Person
X's professional background indicates that they are directly or
indirectly supervised, directed, controlled, financed, or subsidized by
the PRC government. The combination of Person X's close ties to Company
A's CEO, Person X's ownership interest and ability to direct
investment from large, highly regulated PRC corporate entities, and
Person X's close ties to the PRC government indicate that Company A
would be ``subject to the direction'' of the PRC.
BIS seeks comment on whether the definition of, and examples
provided to illuminate, who is a ``person owned by, controlled by, or
subject to the jurisdiction or direction of a foreign adversary,''
provides sufficient clarity regarding the circumstances under which the
rule's prohibitions might apply.
For additional clarity in determining whether a transaction
involving VCS hardware or covered software designed, developed,
manufactured, or supplied by entities described above would be
prohibited under the proposed rule, BIS offers the below examples. In
offering these examples, BIS emphasizes that VCS hardware and covered
software would not be considered designed, developed, manufactured, or
supplied by persons owned by, controlled by, or subject to the
jurisdiction or direction of the PRC or Russia, solely based on the
country of citizenship of natural persons who are employed, contracted,
or otherwise similarly engaged to participate in the design,
development, manufacture, or supply of that VCS hardware or covered
software:
Example 14: A U.S. person has a contractual relationship with a
foreign person to import a cellular module, and the cellular module
will later be integrated into a VCS for a completed connected vehicle.
The U.S. person is, under the proposed rule, a VCS hardware importer.
The U.S. person knows the cellular module was manufactured at a
facility located in the PRC or Russia and is being imported through a
third country. Since the entity manufacturing the module would, at a
minimum, be ``subject to the jurisdiction'' of the PRC or Russia, the
import of the module would be a prohibited transaction under the
proposed rule, unless it qualifies for a general authorization or a
specific authorization from BIS.
Example 15: A U.S. person imports a TCU that was assembled in a
third country, but that contains a microcontroller that is manufactured
in the PRC or Russia and is Sold to the third-country assembler of the
TCU. The U.S. person knows that the microcontroller was manufactured by
an entity located in the PRC or Russia. As the microcontroller is
included in the
definition of VCS hardware, the import of the TCU for a completed
connected vehicle would be a prohibited transaction under the proposed
rule unless it qualifies for a general authorization, or a specific
authorization granted by BIS.
Example 16: A U.S. person imports a completed connected vehicle,
making the U.S. person a connected vehicle manufacturer under the
proposed rule's definition. The completed connected vehicle contains a
TCU that operates software supporting off-vehicle connectivity above
450 MHz, and that software is designed, developed, or otherwise
supplied (in whole or in part) by an entity located in the PRC or
Russia. Under the proposed rule, the import of the completed connected
vehicle would be prohibited, unless it was authorized by a general
authorization or a Specific Authorization.
Example 17: A U.S. person who is a connected vehicle manufacturer
that manufactures or assembles completed connected vehicles in the
United States Sells to a dealer within the United States a completed
connected vehicle in which the vehicle's ADS software for object
detection, classification, and decision making is proprietary software
designed, developed, or supplied by an entity in the PRC or Russia. The
Sale or transfer of the completed connected vehicle would be a
prohibited transaction under the proposed rule unless it qualifies for
a general authorization or specific authorization granted by BIS.
Example 18: A U.S. person who is a connected vehicle manufacturer
utilizes foreign VCS and ADS software development teams through various
subsidiaries, joint ventures, and contract arrangements, some of which
retain servicing obligations, contractual and licensing rights, and
other interests in the software they have developed. One of those
software development teams is located in the PRC or Russia, and as
such, that software team is subject to the jurisdiction of the PRC or
Russia. Given the role of PRC or Russian developers in the creation of
the VCS or ADS software (covered software), the sale of a completed
connected vehicle within the United States that integrates this
proprietary covered software, would be a prohibited transaction under
the proposed rule, unless it qualifies for a general authorization or
specific authorization granted by BIS.
Example 19: A U.S. person who is a connected vehicle manufacturer
utilizes VCS and ADS software development teams around the world
through various subsidiaries, joint ventures, and contract
arrangements. One of those software development teams is composed of
individuals who are PRC or Russian citizens working in a foreign
jurisdiction other than the PRC or Russia for a company that is not
owned by, controlled by, or subject to the jurisdiction or direction of
the PRC or Russia. Although the individuals technically meet the
definition of ``person owned by, controlled by, or subject to the
direction of a foreign adversary,'' the sole fact that PRC or Russian
citizens work on the connected vehicle manufacturer's software
development would not make the Sale of a completed connected vehicle
within the United States that integrates this VCS or ADS software a
Prohibited Transaction under the proposed rule.
Example 20: Company A, which is a wholly owned subsidiary of a
foreign corporation in which a PRC or Russian entity owns a controlling
interest, imports completed connected vehicles that incorporate covered
software and VCS hardware, none of which was originally designed,
developed, manufactured, or supplied by an entity owned by, controlled
by, or subject to the jurisdiction or direction of the PRC or Russia.
In such rare circumstances, where Company A did not participate in the
design or development of the covered software or VCS hardware, Company
A would submit (once per Model Year) a Declaration of Conformity for
the import of the completed connected vehicles containing covered
software and VCS hardware. However, any subsequent sale by Company A of
such completed connected vehicle in the United States would be
prohibited. For example, Company A subsequently Sells such completed
connected vehicles to a dealer in the United States. Because Company A
is a person controlled by the PRC or Russia and has direct privileged
access to the VCS Hardware and covered software prior to the sale, the
knowing sale by Company A of the completed connected vehicle with VCS
hardware and covered software would be a prohibited transaction under
the proposed rule, and a specific authorization from BIS would be
required before engaging in such a transaction.
Example 21: Company A, a wholly owned subsidiary of a PRC or Russia
corporation, manufactures completed connected vehicles in the United
States. The completed connected vehicles that Company A manufactures
incorporate covered software and VCS hardware provided by Company B, a
company that is not owned by, controlled by, or subject to the
jurisdiction or direction of the PRC or Russia. Because Company A is
owned by, controlled by, or subject to the jurisdiction or direction of
the PRC or Russia, participated in the design and development of the
covered software or VCS hardware, and in any event, has direct and
privileged access to its completed connected vehicles--including the
incorporated covered software and VCS hardware--Company A's sale of the
completed connected vehicles is a prohibited transaction under the
proposed rule, and a specific authorization from BIS would be required
before engaging in such a transaction.
c. Compliance
1. Declaration of Conformity
BIS proposes to require VCS Hardware Importers and connected
vehicle manufacturers engaged in specified transactions to submit
Declarations of Conformity to BIS certifying that they have not engaged
in a prohibited transaction. Under the proposed rule, declarants would
be responsible for submitting information to BIS, including
documentation collected from suppliers of components of VCS hardware
and from suppliers of covered software, to verify compliance with the
regulations. These requirements include obtaining and analyzing the
HBOMs for VCS hardware and the SBOMs for covered software and providing
documentation of the steps the declarant took to verify that the
transactions comply with the provisions of the rule. In an effort to
facilitate compliance, BIS is not currently proposing to mandate
particular due diligence requirements but would rather allow VCS
hardware importers and connected vehicle Manufacturers to provide
evidence of their own efforts tailored to their unique operations. BIS
seeks comment on this approach.
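The SBOM definition in item 16 above lists the baseline attributes every component record should carry (author's name, timestamp, supplier name, component name, version string, component hash, package URL, unique identifier, and dependency relationships), and the paragraph above describes declarants obtaining and analyzing SBOMs as part of their due diligence. The following is an added example, not BIS's own code or any official format, of the kind of checks a declarant might run over such an inventory: it verifies that each component carries the listed attributes and a well-formed hash, and walks the dependency graph so that a component whose supplier the declarant has decided needs further review also flags everything built on top of it. The record layout, the component and supplier names, and the sample inventory are all constructed for the example (it is not CycloneDX or SPDX, though the same checks translate to either); which suppliers need review is a decision the caller supplies, since the code has no knowledge of anyone's ownership or jurisdiction.

```python
"""Due-diligence checks over a constructed, simplified SBOM.

Added illustration; not BIS's code and not an official SBOM format. The
record layout mirrors the baseline attributes in the proposed rule's SBOM
definition. All names, hashes and suppliers below are constructed.
"""
import json
import re
from collections import deque

# Attributes the definition lists for every component; "depends_on" carries
# the dependency relationships and is checked separately via the graph walk.
BASELINE_ATTRIBUTES = (
    "author", "timestamp", "supplier", "name", "version",
    "hash", "purl", "id",
)

# Constructed sample inventory for a hypothetical telematics control unit image.
SAMPLE_SBOM = {
    "components": [
        {"id": "tcu-image", "name": "tcu-firmware", "version": "4.2.0",
         "author": "Example OEM Build Team", "timestamp": "2024-09-01T00:00:00Z",
         "supplier": "Example OEM", "hash": "sha256:" + "a" * 64,
         "purl": "pkg:generic/tcu-firmware@4.2.0",
         "depends_on": ["modem-stack", "nav-lib"]},
        {"id": "modem-stack", "name": "cellular-modem-stack", "version": "2.7.1",
         "author": "Supplier Z Modem Group", "timestamp": "2024-06-15T00:00:00Z",
         "supplier": "Constructed Supplier Z", "hash": "sha256:" + "b" * 64,
         "purl": "pkg:generic/cellular-modem-stack@2.7.1",
         "depends_on": ["rf-hal"]},
        {"id": "rf-hal", "name": "rf-hal", "version": "1.0.3",
         "author": "Supplier Z Modem Group", "timestamp": "2024-05-02T00:00:00Z",
         "supplier": "Constructed Supplier Z", "hash": "sha256:" + "c" * 64,
         "purl": "pkg:generic/rf-hal@1.0.3", "depends_on": []},
        # Deliberately incomplete record (no author, no timestamp, weak hash)
        # so the attribute checks have something to report.
        {"id": "nav-lib", "name": "satnav-lib", "version": "9.1",
         "supplier": "Constructed Supplier Y", "hash": "md5:deadbeef",
         "purl": "pkg:generic/satnav-lib@9.1", "depends_on": []},
    ]
}

# Accept only a lowercase hex SHA-256 digest with an explicit algorithm prefix.
HASH_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def missing_baseline_attributes(component):
    """Return the baseline attributes absent (or empty) in one component record."""
    return [a for a in BASELINE_ATTRIBUTES if not component.get(a)]


def malformed_hash(component):
    """True when the component hash is absent or not a SHA-256 digest."""
    return not HASH_RE.match(component.get("hash", ""))


def dependents_of(sbom, target_id):
    """Return the ids of all components that transitively depend on target_id.

    Builds the reverse dependency graph and walks it breadth-first, so a
    flagged low-level library surfaces every image or module that embeds it.
    """
    reverse = {}
    for c in sbom["components"]:
        for dep in c.get("depends_on", []):
            reverse.setdefault(dep, set()).add(c["id"])
    seen, queue = set(), deque([target_id])
    while queue:
        current = queue.popleft()
        for parent in reverse.get(current, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def audit_sbom(sbom, suppliers_needing_review):
    """Run the checks and return a report dict.

    suppliers_needing_review: supplier names the declarant has decided need
    further ownership or jurisdiction review. That decision belongs to the
    caller; this function only propagates it through the dependency graph.
    """
    report = {"incomplete": {}, "bad_hash": [], "review": {}}
    for c in sbom["components"]:
        missing = missing_baseline_attributes(c)
        if missing:
            report["incomplete"][c["id"]] = missing
        if malformed_hash(c):
            report["bad_hash"].append(c["id"])
        if c.get("supplier") in suppliers_needing_review:
            report["review"][c["id"]] = sorted(dependents_of(sbom, c["id"]))
    return report


if __name__ == "__main__":
    print(json.dumps(audit_sbom(SAMPLE_SBOM, {"Constructed Supplier Z"}), indent=2))
```

On the constructed inventory the report flags `nav-lib` for missing author and timestamp and for its non-SHA-256 hash, and shows that a review of `rf-hal` reaches `modem-stack` and the whole `tcu-image`, which is the point of keeping dependency relationships in the inventory rather than a flat parts list.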
The proposed rule generally contemplates that Declarations of
Conformity would be submitted in three instances by persons not engaged
in prohibited transactions: (1) Declarations submitted by VCS hardware
importers; (2) Declarations submitted by connected vehicle
manufacturers importing completed connected vehicles containing covered
software into the United States; and (3) Declarations submitted by
connected vehicle manufacturers selling completed connected vehicles in
the United States that they have manufactured or assembled in the
United States and which contain covered software, so long as there is a
continuing foreign interest in the covered software. Persons required
to submit a Declaration of
Conformity need do so once per model year for units associated with a
vehicle model year, or calendar year for units not associated with a
vehicle model year, and only for the categories of transactions they
seek to execute during that period. VCS hardware importers or connected
vehicle manufacturers engaging in multiple transactions that require
submissions of Declarations of Conformity under separate paragraphs of
Sec. 791.305 may, if they prefer, submit a single compiled Declaration
of Conformity containing all required information for all transactions.
For example, an OEM that manufactures or assembles completed connected
vehicles in the United States, imports connected vehicles into the
United States, and imports VCS hardware into the United States would be
able to submit a single Declaration of Conformity based on vehicle
make, model, and trim and VCS hardware that will be imported or
manufactured that Model Year.
BIS believes that Declarations of Conformity will be an important
tool for advancing the goals of this proposed rule, and addressing the
emergency declared in E.O. 13873. Declarations of Conformity will first
and foremost provide BIS with a means to verify VCS hardware importers'
and completed connected vehicle manufacturers' compliance with the
proposed prohibitions. Through extensive engagement with connected
vehicle manufacturers and automotive suppliers, BIS has come to
understand that connected vehicle supply chains are complex and often
opaque, with potentially hundreds of suppliers for a single connected
vehicle in a given model year. Such complexity and opacity could result
in the incorporation into connected vehicles of VCS hardware and
covered software that is designed, developed, manufactured, or supplied
by persons owned by, controlled by, or subject to the jurisdiction or
direction of foreign adversaries, without the full knowledge of the
connected vehicle manufacturer. While connected vehicle manufacturers
typically have strong relationships with their immediate suppliers, to
include the development of years-long supply contracts that span entire
vehicle generations, their understanding of the deeper supply chain (to
include who is supplying their suppliers) is substantially weaker.
Additionally, while the COVID-19 pandemic and associated supply chain
crisis forced connected vehicle manufacturers to more critically
evaluate their hardware supply chains, illumination of software supply
chains remains largely unachieved. Consequently, BIS believes that the
requirement to submit annual Declarations of Conformity will serve as
an important mechanism for ensuring that parties subject to this
proposed rule implement the due diligence and other procedures
necessary to fully understand the supply chains for their VCS hardware
and covered software and thus comply with the proposed rule's prohibitions
on the incorporation of VCS Hardware or covered software that has been
designed, developed, manufactured, or supplied by persons owned by,
controlled by, or subject to the jurisdiction or direction of the PRC
or Russia.
BIS also believes that the collection of annual Declarations of
Conformity from connected vehicle manufacturers and VCS hardware
importers would facilitate enforcement of the proposed rule, including
by allowing BIS to proactively identify red flags and potential
violations of the proposed prohibitions. For example, BIS may rely on
the broad perspective provided by the Declarations of Conformity from
multiple connected vehicle manufacturers and VCS hardware importers to
identify previously undetected participation by PRC or Russian
designers, developers, manufacturers, or suppliers that are subject to
the prohibitions of this proposed rule yet remain entrenched in the
U.S. connected vehicle supply chain. Additionally, these Declarations
of Conformity would allow BIS to maintain an understanding of
technological advancements and changes in the U.S. connected vehicle
industry--both in hardware and software--and consequently enable BIS to
propose updates to the rule as needed to maximize its effectiveness in
mitigating the undue and unacceptable risks posed by the PRC and Russia
while minimizing burden on industry.
The sections below explain in greater detail the types of
Declaration of Conformity that would be required under the proposed
rule. BIS seeks comment on this regulatory approach, including the
necessity and efficacy of requiring Declarations of Conformity with
respect to VCS hardware and covered software in which there is a
Foreign Interest. BIS also seeks comment on the availability and
efficacy of any alternative approach that would require a narrower set
of VCS Hardware Importers and completed connected vehicle manufacturers
to submit Declarations of Conformity, while still achieving the goals
of the Declaration of Conformity requirement and addressing the
declared emergency under E.O. 13873.
i. Import of VCS Hardware
The Declaration of Conformity described in Sec. 791.305(a)(1)
would require VCS hardware Importers to provide information on the
specific VCS hardware that the declarant plans to import into the
United States for a given model year, or, for units not associated with
a model year, a given calendar year. BIS proposes to require the
Declaration of Conformity to contain the FCC ID number(s) of the VCS
hardware, and, if applicable, any subcomponents in the VCS hardware
that also have an FCC ID number. FCC regulations at 47 CFR 2.925
require any electronic device that emits RF waves, including those
imported into the United States, to have an FCC ID number, which is
used to identify and certify that the device meets the necessary
regulatory standards for wireless communication. The proposed rule
would additionally require VCS Hardware Importers to report all third-
party information technology external endpoints to which the VCS
Hardware is programmed to connect, including the country in which said
endpoint is located and/or the identity and location of the service
provider. This would include any third party that is neither the VCS
hardware importer nor the final recipient, such as the connected
vehicle manufacturer that integrates the VCS hardware and receives data
on an episodic or ongoing basis from the VCS hardware. Additionally,
VCS hardware importers would be required to submit an HBOM as part of
the Declaration of Conformity. BIS would expect, consistent with the
proposed definition for this term, this HBOM to include a comprehensive
list of parts and technical information, including the provenance of
subcomponents contained within the VCS hardware.
ii. Import of Completed Connected Vehicles
The Declaration of Conformity described in section 791.305(a)(2)
would require connected vehicle manufacturers that import completed
connected vehicles, including U.S.-based OEMs and foreign-headquartered
OEMs with operations in the United States, to provide information to
BIS on the make, model, and trim (if known) of the imported group of
completed connected vehicles and the covered software contained within
the completed connected vehicles. BIS proposes to require declarants to
submit an SBOM for the covered software related to both VCS and ADS.
The
minimum requirements for the SBOM are author's name, timestamp,
supplier name, component name, version string, component hash, package
URL, unique identifier, and dependency relationships to other software
components. Declarants may submit additional SBOM information as
evidence demonstrating the covered software is not sourced from PRC or
Russian-linked entities. BIS seeks comment on all aspects of this SBOM
requirement.
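The SBOM minimum elements listed above (author name, timestamp, supplier name, component name, version string, component hash, package URL, unique identifier, dependency relationships) are a checklist that a declarant can verify mechanically before submission. The following validator is an added example, not code from BIS or from the proposed rule; the flat JSON field names (`author`, `timestamp`, `supplier`, `name`, `version`, `hash`, `purl`, `id`, `dependsOn`) are an assumed shape of my own rather than a CycloneDX or SPDX layout, and the sample SBOM is constructed. Beyond checking field presence, it checks that each component hash is a well-formed SHA-256 hex digest, that package URLs carry the `pkg:` scheme, that identifiers are unique, and that every dependency refers to a component that is actually listed, since a dangling dependency or a missing supplier is exactly the kind of gap that leaves a component's provenance undocumented.

```python
"""Check that an SBOM carries the minimum elements named in the NPRM.

Assumed flat JSON layout (not CycloneDX/SPDX); all sample data is constructed.
"""
import re
from typing import Dict, List

# Per-component fields required by the NPRM's minimum SBOM elements
# (author name and timestamp are document-level and checked separately).
REQUIRED_COMPONENT_FIELDS = ("supplier", "name", "version", "hash", "purl", "id", "dependsOn")

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")      # hash must be a SHA-256 hex digest
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/")     # loose check of the package-URL scheme


def validate_sbom(sbom: dict) -> List[str]:
    """Return a list of findings; an empty list means the minimum elements are present."""
    findings: List[str] = []

    # Document-level elements: who produced the SBOM and when.
    for field in ("author", "timestamp"):
        if not sbom.get(field):
            findings.append(f"document: missing {field}")

    components = sbom.get("components", [])
    if not components:
        findings.append("document: no components listed")

    seen: Dict[str, dict] = {}
    for idx, comp in enumerate(components):
        label = comp.get("id") or comp.get("name") or f"#{idx}"

        # Presence of every required per-component element (an empty
        # dependsOn list is fine: it simply marks a leaf component).
        for field in REQUIRED_COMPONENT_FIELDS:
            if field not in comp or comp[field] in ("", None):
                findings.append(f"{label}: missing {field}")

        cid = comp.get("id")
        if cid:
            if cid in seen:
                findings.append(f"{label}: duplicate identifier")
            seen[cid] = comp

        digest = comp.get("hash") or ""
        if digest and not SHA256_RE.match(digest.lower()):
            findings.append(f"{label}: hash is not a SHA-256 hex digest")

        purl = comp.get("purl") or ""
        if purl and not PURL_RE.match(purl):
            findings.append(f"{label}: purl does not use the pkg: scheme")

    # Referential integrity: every dependency must name a listed component.
    for comp in components:
        for dep in comp.get("dependsOn") or []:
            if dep not in seen:
                findings.append(f"{comp.get('id')}: dependsOn references unknown component {dep}")

    return findings


# Constructed sample: two complete components and one with gaps.
SAMPLE_SBOM = {
    "author": "Example OEM Compliance Team",          # constructed
    "timestamp": "2025-01-15T12:00:00Z",              # constructed
    "components": [
        {"id": "vcs-telematics-stack", "name": "telematics-stack", "version": "4.2.1",
         "supplier": "Example Supplier A", "hash": "a" * 64,
         "purl": "pkg:generic/telematics-stack@4.2.1", "dependsOn": ["tls-lib"]},
        {"id": "tls-lib", "name": "tls-lib", "version": "1.9.0",
         "supplier": "Example Supplier B", "hash": "b" * 64,
         "purl": "pkg:generic/tls-lib@1.9.0", "dependsOn": []},
        # supplier and hash omitted, and the dependency is not listed anywhere:
        {"id": "ota-agent", "name": "ota-agent", "version": "0.3",
         "purl": "pkg:generic/ota-agent@0.3", "dependsOn": ["crypto-blob"]},
    ],
}


if __name__ == "__main__":
    for finding in validate_sbom(SAMPLE_SBOM):
        print(finding)
```

Run stand-alone, the script reports the third component's missing supplier and hash and its dependency on an unlisted component; an SBOM containing only the first two components passes with no findings.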
iii. Manufacture or Assembly of Completed Connected Vehicles for Sale
in the United States
Similarly, this proposed rule, as described in section
791.305(a)(3), would require connected vehicle Manufacturers that
manufacture or assemble completed connected vehicles for sale in the
United States to submit a Declaration of Conformity that includes
information on the make, model, and trim of the group of completed
connected vehicles and the covered software contained within the
completed connected vehicles that the connected vehicle manufacturer
will sell for a Model Year. BIS emphasizes that this requirement would
apply only to connected vehicle manufacturers whose vehicles
incorporate covered software in which there is a foreign interest.
Connected vehicle manufacturers who manufacture or assemble completed
connected vehicles in the United States and whose vehicles contain no
covered software in which there is a foreign interest would not be
required to submit a Declaration of Conformity. However, given the
global nature of automotive software supply chains, BIS anticipates
that nearly all connected vehicle manufacturers of completed connected
vehicles for Sale in the United States would be required to submit an
annual Declaration of Conformity covering all completed connected
vehicles by make, model, and trim to be manufactured for Sale in the
United States for each Model Year. As detailed above, this requirement
would include the submission of an SBOM for covered software
incorporated into the group of completed connected vehicles.
iv. Procedures To Submit Declarations of Conformity
VCS Hardware Importers and connected vehicle manufacturers
submitting a Declaration of Conformity under this rule would be
required to submit the Declaration of Conformity to BIS annually, 60
days prior to the first sale or first import of a Vehicle
Identification Number (VIN) series of completed connected vehicles
comprised of a single model year, or 60 days prior to the import of VCS
hardware covered by the Declaration of Conformity. VCS hardware
importers and connected vehicle manufacturers may, at their discretion,
submit a combined Declaration of Conformity, or may submit separate
Declarations of Conformity (e.g., one Declaration covering import of
VCS hardware and another covering import of completed connected
vehicles). Declarations of Conformity covering both the import or
manufacture of completed connected vehicles and the import of VCS
Hardware should be submitted by the earlier of the two reporting dates.
Connected vehicle manufacturers that would submit a Declaration of
Conformity for the import of a group of completed connected vehicles
into the United States should not submit a Declaration of Conformity
related to the subsequent Sale of that same group of Completed
Connected Vehicles. In the event of material changes that impact the
content of the Declaration of Conformity, VCS hardware importers or
connected vehicle manufacturers would be required to submit an updated
Declaration of Conformity and an updated HBOM or SBOM within 30 days of
such a change. Such changes may include changes in the suppliers of key
subcomponents or functional aspects of the VCS hardware or covered
software incorporated in the completed connected vehicle. BIS would
make a web portal available on its website (https://www.bis.gov)
through which VCS Hardware Importers and connected vehicle
manufacturers may submit Declarations of Conformity.
2. General Authorizations
General Authorizations would allow certain VCS Hardware Importers
and connected vehicle manufacturers to engage in otherwise prohibited
transactions without the need to notify BIS prior to engaging in the
transaction. Connected vehicle manufacturers or VCS hardware importers
(and entities under common control, including parents) who produce
small quantities of completed connected vehicles or VCS hardware, which
the proposed rule defines as fewer than 1,000 units in a calendar year,
would be eligible for a general authorization. This is in line with
requirements for high-volume and low-volume manufacturers found in 49
CFR part 565. BIS specifically seeks comment on this threshold for both
completed connected vehicles and VCS Hardware. Connected vehicle
manufacturers would be eligible for a general authorization if the
completed connected vehicle is otherwise subject to a prohibition but
will be used on public roadways fewer than 30 days in any calendar
year. For purposes of this general authorization, each use of a
completed connected vehicle on public roadways on a distinct calendar
day will count toward the 30-day limit, regardless of the duration of a
vehicle's use on a particular day. VCS hardware importers and connected
vehicle manufacturers would also qualify for a general authorization
for otherwise prohibited transactions involving completed connected
vehicles incorporating covered software or VCS hardware if the
completed connected vehicles are used only for testing, display, or
research purposes and not on public roads in the United States. Lastly,
VCS hardware importers or connected vehicle manufacturers would qualify
for a general authorization for the importation of completed connected
vehicles incorporating covered software or the importation of VCS
Hardware solely for the purposes of repair, alteration, or competition
off public roads, and the vehicle or hardware will be reexported from
the United States within one year of the time of import.
BIS proposes to allow persons using General Authorizations to self-
certify their compliance with the applicable General Authorization. As
such, these persons would not need to submit documentation to BIS but
would be required to gather and maintain full records for a period of
10 years documenting compliance for all completed connected vehicles
and VCS hardware covered by the general authorization. Furthermore,
persons availing themselves of a general authorization would be
required to continuously monitor for any changes that render a
transaction ineligible for continued reliance on the general
authorization. A VCS hardware importer or connected vehicle
manufacturer that is no longer eligible for a general authorization
would need to apply for and receive a specific authorization before
engaging in an otherwise prohibited transaction. For example, connected
vehicle manufacturers who import a certain model or trim of completed
connected vehicles containing covered software that are originally used
for display or testing purposes must seek a specific authorization
before importing that model or trim of completed connected vehicle for
more general use in the United States.
A connected vehicle manufacturer or VCS hardware importer that is a
subsidiary, joint venture, affiliate, or other entity subject to the
ownership, control, jurisdiction, or direction of the
PRC or Russia would be ineligible for general authorizations and would
be required to apply for a specific authorization before engaging in an
otherwise prohibited transaction.
3. Specific Authorizations
VCS hardware importers and connected vehicle manufacturers wishing
to engage in an otherwise prohibited transaction who are ineligible for
an exemption or general authorization would have to apply for and
receive a specific authorization to engage in the otherwise prohibited
transaction. The purpose of specific authorizations is to allow BIS on
a case-by-case basis to determine the nature and scope of the undue or
unacceptable risk to U.S. national security posed by transactions
involving VCS hardware and covered software, including the extent of
foreign adversary involvement in the transactions, as well as potential
mitigations.
VCS hardware importers and connected vehicle manufacturers must not
engage in an otherwise prohibited transaction until BIS grants the
application for a specific authorization. If a party engages in a
prohibited transaction prior to receiving a specific authorization from
BIS, that transaction would constitute a violation of the regulation.
Specific authorization requests will be reviewed on a case-by-case
basis, and the time to reach a decision on an application for a
specific authorization will vary based on the complexity of the case.
However, BIS will respond to applicants with a processing update within
90 days of the initial application for a specific authorization, and
will typically endeavor to provide either a request for more information or
a decision within that time period.
Applications for a specific authorization must contain complete
information on the proposed transaction, including every party
involved, an overview of the covered software and/or the VCS hardware
designed, developed, manufactured, or supplied by a person owned by,
controlled by, or subject to the jurisdiction or direction of the PRC
or Russia, the intended use of the covered software and/or VCS
hardware, and documentation to support the information contained in the
application. Persons seeking a specific authorization would submit an
application via a web portal that would be available on the BIS
website. Applicants should take care to submit to BIS only one copy of
an application pertaining to each transaction for which they seek
specific authorization to avoid processing delays. BIS may request
additional information from an applicant about any matter related to
the specific authorization request. In rare situations, as part of its
review of an application for specific authorization, BIS may, in its
sole discretion, request an oral briefing by the applicant and any
other relevant parties. At any point between initial submission of an
application for specific authorization and a final decision issued by
BIS, an applicant may submit additional information to bolster the
application or provide clarity on any aspect thereof.
When reviewing applications for a specific authorization, BIS will
consider the factors that may pose undue or unacceptable risks,
particularly as they relate to transactions that could result in the
exfiltration of connected vehicle or U.S. persons' data, or the remote
manipulation or operation of a connected vehicle. Examples of factors
that BIS may consider include: the applicant's ability to limit PRC or
Russian government access to, or influence over the design,
development, manufacture, or supply of the VCS hardware or covered
software; security standards used by the applicant and if such
standards can be validated by BIS or a third-party; and other actions
or proposals the applicant offers to implement as a way to mitigate
undue or unacceptable risk.
BIS's decision regarding any application for specific authorization
will apply only to the specific parties and transaction outlined in the
application and described in the decision notice. Additionally, the
decision notice from BIS to the applicant(s) may contain any conditions
that must be met by the parties for a transaction to be authorized.
Such conditions, which are subject to revision by BIS, may include
technical controls (e.g., software validation) or operational controls
(e.g., physical and logical access monitoring procedures) that are
either permanent or temporary. These controls will focus on the supply
chain element that involves a link to a foreign adversary to mitigate
any undue or unacceptable risk posed by the transaction. For connected
vehicle manufacturers owned by, controlled by, or subject to the
jurisdiction or direction of the PRC or Russia, a specific
authorization may include a requirement that all VCS hardware and
covered software be assembled and integrated into the connected vehicle
in the United States. In the approval letter for specific
authorization, BIS will determine the effective date and duration of
the authorization on a case-by-case basis.
While applicants denied authorizations would not be precluded from
submitting new applications for specific authorizations with regard to
different transactions (involving different parties and/or different
covered software or VCS hardware), BIS will reconsider a previously
denied application for a specific authorization only if the applicant
demonstrates a material change in circumstances.
4. Exemptions
Transactions by VCS hardware importers and connected vehicle
manufacturers would be exempt from the proposed prohibitions for a
limited period. BIS proposes a shorter implementation period for
transactions involving covered software and proposes a longer
implementation period for transactions involving VCS hardware to allow
market participants adequate time to establish alternative supply
chains if necessary. This reflects BIS's understanding, and numerous
public comments underscoring, that hardware supply chains for Connected
Vehicles are complex and require multiple years to alter. VCS hardware
importers would be permitted to engage in otherwise prohibited
transactions involving VCS Hardware and would also be exempt from a
requirement to submit a Declaration of Conformity for transactions not
otherwise prohibited so long as: (1) for VCS hardware units not
associated with a vehicle model year, the import of the VCS hardware
takes place prior to January 1, 2029; or (2) the VCS hardware is
integrated into a connected vehicle (completed or incomplete) or
destined for a connected vehicle with a model year prior to 2030.
Beginning January 1, 2029, any VCS hardware importer seeking to engage
in a transaction subject to the VCS hardware prohibitions in Sec.
791.302 (other than the import of a connected vehicle with a model year
prior to 2030) would be required to obtain a specific authorization if
the transaction is not otherwise permitted by a general authorization.
Furthermore, VCS hardware importers seeking to import VCS hardware
beginning on January 1, 2029, or VCS Hardware in completed connected
vehicles or that is destined for connected vehicles starting with Model
Year 2030, would be required to submit an annual Declaration of
Conformity to BIS, unless obligated to seek a Specific Authorization.
Connected vehicle manufacturers would be permitted to engage in
otherwise Prohibited Transactions involving covered software designed,
developed, manufactured, or supplied by a person owned by, controlled
by, or subject to
the jurisdiction or direction of the PRC or Russia, so long as the
completed connected vehicle that is imported or sold is of a model year
prior to 2027. Beginning Model Year 2027 (as imported into or sold in
the United States), any connected vehicle manufacturer seeking to
engage in a prohibited transaction involving covered software specified
in section 791.303 would be required to obtain a specific authorization
if the transaction is not otherwise permitted by a general
authorization. Furthermore, connected vehicle manufacturers would be
required to submit an applicable Declaration of Conformity for imports
or Sales of all completed connected vehicles beginning in Model Year
2027. Connected vehicle manufacturers who are owned by, controlled by,
or subject to the jurisdiction or direction of the PRC or Russia would
be permitted to engage in otherwise prohibited transactions so long as
the completed connected vehicle that is Sold is of a Model Year prior
to 2027. Beginning Model Year 2027 (as Sold in the United States),
these particular connected vehicle manufacturers seeking to engage in a
prohibited transaction specified in Sec. 791.304 would be required to
obtain a specific authorization if the transaction is not otherwise
permitted by a general authorization.
5. Appeals
BIS proposes to create a mechanism by which any person whose
application for a specific authorization is denied, whose specific
authorization is suspended or revoked, or who has received a written
notification of ineligibility for a general authorization may appeal
that decision to the Under Secretary. Appeals must be submitted in
writing by email or mail to the Office of the Under Secretary within 45
days of the date on the notice of the adverse administrative action by
BIS. The appeal must detail how the party submitting the appeal has
been directly and adversely affected by BIS's action, and the reasons
that BIS's action should be reversed or otherwise modified. The Under
Secretary, at his or her discretion, may delegate to the Deputy Under
Secretary for Industry and Security or another BIS official the review
of appeals, including arranging, at the official's discretion, informal
hearings with relevant parties regarding the appeal.
Appellants may submit supplementary information in support of their
appeal, whether sua sponte or at the request of the Under Secretary or
the designated official, but the Under Secretary or designated
official generally would not consider additional information submitted
sua sponte more than 30 days after submission of the original appeal.
If the Under Secretary or designated official requests supplementary
information, appellants will have no more than 30 calendar days to
respond to the request. Appellants may also request an in-person
informal hearing in writing at the time of submission. A hearing is not
required, and the Under Secretary or designated official may, at his or
her discretion, grant or deny a request for an informal hearing.
6. Advisory Opinions
In response to public comments regarding the ANPRM, BIS proposes to
include a mechanism for BIS to issue advisory opinions, similar to the
process outlined in the Export Administration Regulations (EAR). BIS
anticipates this process will provide connected vehicle manufacturers,
VCS hardware importers, and other interested parties with greater
clarity about how to comply with the proposed rule on an as-needed
basis. As with the EAR, BIS emphasizes that advisory opinions provided
under this proposed rule would in no way serve as evidence that the
ICTS transaction addressed in the opinion is not subject to the
jurisdiction of another U.S. Government agency. BIS may publish on its
website an advisory opinion that may be of broad interest to the
public, with redactions where necessary to protect Confidential
Business Information. To solicit an advisory opinion from BIS, persons
would be required to submit a written request to BIS by email or
through a portal that will be available on the BIS website. BIS will
not accept advisory opinion requests submitted by mail. A request for
an advisory opinion must contain contact information for the submitter
as well as all current information on the prospective transaction to
assist BIS in making a determination. This would include technical
details on the involved VCS hardware or covered software, information
on the completed connected vehicle (if applicable), the SBOM and/or
HBOM for the covered software and/or VCS hardware, and any other
supporting materials that the submitter assesses will assist BIS in
determining if the transaction may be prohibited by this rule. Persons
seeking an advisory opinion are encouraged to submit as much pertinent
information as possible in the initial request for an advisory opinion,
but BIS may request more information as needed to formulate its
opinion. BIS will only consider advisory opinion requests for actual,
not hypothetical, prospective transactions in which all parties, as
opposed to anonymous parties, are identified. Additionally, parties may
only rely on an advisory opinion when engaging in a transaction if the
original Advisory Opinion request contained complete and accurate
information and only so long as such information remains accurate
following the issuance of the Advisory Opinion.
7. ``Is-Informed'' Notices
BIS could notify connected vehicle manufacturers or VCS hardware
importers, either through direct letters or through a Federal Register
notice meant to inform a broader set of persons, that a transaction
involving certain covered software, VCS hardware, or entities requires
a specific authorization because it would constitute a Prohibited
Transaction according to the terms of this proposed rule. Any person
who engages in a transaction covered by an ``Is-Informed'' notice
without first receiving a Specific Authorization from BIS would have
knowledge that such transaction is prohibited and would therefore be in
violation of the rule. Is-Informed notices may only be delivered by or
at the direction of the Under Secretary or a BIS employee designated by
the Under Secretary.
8. Recordkeeping and Reporting Requirements
BIS proposes to require connected vehicle manufacturers and VCS
hardware importers to maintain complete records related to any
transaction for which a Declaration of Conformity, general
authorization, or specific authorization would be required by this
rule, for a period of ten years. This recordkeeping requirement applies
regardless of whether the transaction is subject to a general
authorization, specific authorization, or whether the connected vehicle
manufacturer or VCS hardware importer has not yet sought an
authorization. BIS would expect said records to include all information
pertinent to a general authorization or submitted when applying for a
Specific Authorization, as well as business records related to the
execution of the transaction, such as contracts, import records, bills
of sale, relevant correspondence, and all other files specified in
sections 791.312 and 791.313 to assess compliance with the rule.
All connected vehicle manufacturers and VCS hardware importers
would be required to submit records when requested by BIS related to
any transaction for which a Declaration of
Conformity, general authorization, or specific authorization would be
required by this rule, whether or not said transaction was carried out
under a general authorization, specific authorization, or without an
authorization from BIS. As such, BIS would be allowed to request
business records, before, during, or after the transaction in question
has taken place.
d. Enforcement
1. Penalties
IEEPA authorizes this rulemaking. Thus, persons who violate,
attempt to violate, conspire to violate, or knowingly cause a violation
of this rule, if finalized, may be subject to civil and/or criminal
penalties under IEEPA (50 U.S.C. 1705), depending on the circumstances
of the violation. Potential violations of this proposed rule that would
be subject to penalties include engaging in a prohibited transaction
without an applicable general authorization or specific authorization,
or failure to abide by the conditions enumerated in a specific
authorization. Willfully providing false or fictitious information to
the U.S. Government may be subject to criminal fines, imprisonment, or
both. A civil penalty may be imposed on any person who violates,
attempts to violate, conspires to violate, or causes a violation of any
authorization, order, regulation, or prohibition issued under IEEPA.
Under the Federal Civil Penalties Inflation Adjustment Act
Improvements Act of 2015, the specific maximum civil penalty will be
adjusted by notice in the Federal Register effective each calendar year
by the Office of the Secretary of the Department of Commerce. At the
time of publishing of this proposed rule, the maximum civil penalty for
violations of IEEPA is $368,136 per violation and the maximum criminal
penalty is $1,000,000.
Under the proposed rule, should BIS have reason to believe that a
violation has occurred and intends to issue a civil monetary penalty,
it will inform the alleged violator through a written notice of the
intent to impose a penalty (``Pre-Penalty Notice''). BIS will generally
transmit the Pre-Penalty Notice electronically but may additionally
issue a mailed notice. The recipient of a Pre-Penalty Notice may
respond in writing to BIS to provide additional information or
otherwise contest the penalty. BIS must receive this response within 30
days of the transmission of the original pre-penalty notice. A response
to a pre-penalty notice does not constitute a formal appeal, but it
allows the recipient of the pre-penalty notice to contest facts set
forth by BIS in the pre-penalty notice, provide exculpatory evidence,
or otherwise respond to the pre-penalty notice. BIS may seek to
initiate settlement discussions in the pre-penalty notice or may
conduct separate outreach following transmission of the pre-penalty
notice. Recipients of a pre-penalty notice may additionally request to
initiate settlement discussions in their response to BIS or may conduct
separate outreach to do so.
Following the delivery of the pre-penalty notice and after
considering any responses from the alleged violator, BIS will inform
the alleged violator in writing as to whether it has found that a
violation in fact occurred. Should BIS find that a violation has indeed
taken place and no settlement has been reached, BIS will issue a final
penalty notice to the violator specifying the violation and determining
the specific civil monetary penalty to be imposed. This penalty may not
be appealed following the procedures in section 791.309, but is a final
agency action that the violator may contest in the appropriate U.S.
District Court.
Should a violator fail to pay the penalty as specified in the final
penalty notice or fail to make alternative payment arrangements
approved by BIS, BIS may refer the matter to the Department of Treasury
for administrative collection or to the Department of Justice for
collection via civil suit in U.S. District Court.
2. Finding a Violation
Under the proposed rule, there may be cases in which BIS determines
that a violation has taken place but that a civil monetary penalty is
not appropriate. In such cases, BIS would issue a finding of violation
that identifies the violation. The finding of violation could also
contain an administrative response other than a civil monetary penalty,
such as an order to cease and desist from conduct or activities that
are prohibited by the proposed rule. Consistent with the procedures
listed above regarding a pre-penalty notice, recipients of a finding of
violation may file a response within 30 days contesting the facts of
the finding of violation and/or providing information relevant to BIS's
determination of whether a violation has occurred. BIS will consider
any new information and inform the party in writing whether a violation
has or has not occurred. A recipient that does not respond within 30
days of receipt of the finding of violation will be deemed to have
waived the right to respond. Any action taken in a finding of violation
issued by BIS constitutes a final agency action that is not subject to
appeal following the procedures in section 791.309.
3. Severability
BIS intends for the provisions of this proposed rule, as finalized,
to be severable from each other. If a court holds that any provision in
a final 15 CFR part 791, subpart D, is invalid or unenforceable, BIS
intends that the remaining provisions of a final 15 CFR part 791,
subpart D, as relevant, would continue in effect to the greatest extent
possible. In addition, if a court holds that any such provision is
invalid or unenforceable as to a particular person or circumstance, BIS
intends that the provision would remain in effect as to any other
person or circumstance. Depending on the circumstances and the scope of
the court's order, BIS believes that the remaining provisions of a
final rule likely could continue to function sensibly independent of
any provision or application held invalid or unenforceable. For
example, the prohibitions related to transactions involving VCS
Hardware could continue to apply as intended, even if a court finds
that the prohibitions on transactions involving ADS are invalid.
Similarly, the proposed rule could be applied with respect to relevant
hardware and software designed, developed, manufactured, or supplied by
persons owned by, controlled by, or subject to the jurisdiction or
direction of the PRC, even if a court finds its application with
respect to relevant hardware and software from Russian-linked persons
is invalid.
e. Classification
1. Executive Order 12866
Executive Order 12866, as reaffirmed by Executive Order 13563 and
amended by Executive Order 14094, directs agencies to assess all costs
and benefits of available regulatory alternatives and, if regulation is
necessary, to select regulatory approaches that maximize net benefits
(including potential economic, environmental, public health and safety
effects, distributed impacts, and equity). This proposed rule has been
designated a significant regulatory action by the Office of Information
and Regulatory Affairs (OIRA) under section 3(f)(1) of Executive Order
12866, as amended by Executive Order 14094.
2. Unfunded Mandates Reform Act of 1995
This proposed rule would not produce a federal mandate (under the
regulatory provisions of title II of the
Unfunded Mandates Reform Act of 1995) for state, local, and tribal
governments or the private sector.
3. Executive Order 13132 (Federalism)
This proposed rule does not contain policies having federalism
implications requiring preparation of a Federalism Summary Impact
Statement.
4. Executive Order 12630 (Governmental Actions and Interference With
Constitutionally Protected Property Rights)
This proposed rule does not contain policies that have takings
implications.
5. Executive Order 13175 (Consultation and Coordination With Indian
Tribes)
The Department has analyzed this proposed rule under Executive
Order 13175 and has determined that the action would not have a
substantial direct effect on one or more Indian tribes, would not
impose substantial direct compliance costs on Indian tribal
governments, and would not preempt tribal law.
6. National Environmental Policy Act
The Department has reviewed this rulemaking action for the purposes
of the National Environmental Policy Act (42 U.S.C. 4321, et seq.). It
has been determined that this proposed rule would not have a
significant impact on the quality of the human environment.
7. Paperwork Reduction Act
The Paperwork Reduction Act of 1995 (44 U.S.C. 3501, et seq.) (PRA)
provides that an agency generally cannot conduct or sponsor a
collection of information, and no person is required to respond nor be
subject to a penalty for failure to comply with a collection of
information subject to the requirements of the PRA, unless that
collection has obtained OMB approval and displays a currently valid
Office of Management and Budget (OMB) Control Number.
This proposed rule will create new information collection
requirements, which are subject to review and approval by OMB under the
PRA. Specifically, this proposed rule would require connected vehicle
manufacturers and VCS hardware importers to submit annual Declarations
of Conformity certifying that their import of VCS hardware and/or
import or manufacture of completed connected vehicles does not involve
hardware or software subject to the prohibitions in this proposed rule.
Additional requirements for the Declarations of Conformity include
supplying technical information regarding the hardware or software in
question and providing a Bill of Materials for applicable software,
hardware, or both.
Moreover, entities seeking specific authorizations from BIS to
engage in otherwise prohibited transactions will have to file
information with the Department, submissions of which are also subject
to the PRA. Applications for a specific authorization would require,
but are not limited to, a description of the nature of the otherwise
prohibited transaction(s). For entities that are covered by a General
Authorization, a self-certification, without need to notify BIS, would
be required (see Section VI of the NPRM). BIS proposes to require
connected vehicle manufacturers and VCS hardware importers to maintain
complete records related to any transaction for which a Declaration of
Conformity, general authorization, or specific authorization would be
required by this rule for a period of ten years, consistent with
IEEPA's statute of limitations. These records would include any
transaction for which the connected vehicle manufacturer or VCS
hardware importer has not yet sought an authorization. BIS expects said
records to include all information submitted in applications, as well
as business records related to the execution of any ICTS transaction
subject to the rule, such as contracts, import records, bills of sale,
and all other files BIS may deem pertinent in assessing compliance with
this proposed rule. Lastly, entities seeking an advisory opinion from
BIS would have to file information with the Department, though this is
an optional process for parties looking for additional clarity on
proposed transactions. BIS anticipates that this collection would be
largely similar to its program in administering 15 CFR 748.3, as it
would require similar information and the process for submission is
analogous. BIS seeks comment on how many entities would request an
advisory opinion in order to better understand the associated costs.
BIS estimates that the initial burden placed on applicable entities
would be 180 to 240 hours. This estimate takes into account the one-
time initial cost (in hours) per entity to comply with the rule,
including reading and understanding the rule's provisions. Every
subsequent year, BIS anticipates that the total annual cost burden (in
hours) for applicable entities to implement the rule would be 100 to
500 hours.
BIS assesses that there are 42 to 281 entities potentially impacted
by the proposed rule and that the initial cost burden for these
entities is between $30,964 and $38,554. This estimate takes into
account the one-time initial cost per entity to comply with the rule,
including reading and understanding the rule's provisions. Every
subsequent year, BIS anticipates that the total annual cost burden for
applicable entities to implement the rule will be $16,133 to $80,667 a
year (average of operations manager, engineer, and lawyer hourly
salaries in Table 2 [$484/hour/3 = $161.33] * [100 and 500 hours]). The
annual cost burden placed on impacted entities includes (but is not
limited to) producing the necessary HBOMs and SBOMs and documenting due
diligence efforts. These hour and cost estimates are subject to
variations among responsible entities due to application type.
Declarations of Conformity will need to be submitted annually at
minimum, while Specific Authorizations will need to be updated on an
as-needed basis.
The estimated annual federal salary cost to the U.S. Government is
$1,130,000 [500 Declaration of Conformity/Specific Authorization
notifications per year * two staff at a GS-13 salary ($113/hour * 2 =
$226/hour) * average of 10 hours each to review each notification]. The
$113 per staff member per hour cost estimate for this information
collection is consistent with the GS-scale salary data for a GS-13 Step
1 (https://www.opm.gov/policy-data-oversight/pay-leave/salaries-wages/salary-tables/pdf/2024/DCB.pdf) multiplied by a factor of 2 to include
the cost of benefits and overhead.
The total estimated annual cost to the U.S. Government is
$1,437,982.00. The calculation is as follows: Federal Employee Salaries
(2 full-time employees) [$1,130,000.00] + Federal Government Overhead
@20% [$226,000.00] + Legal Support (GS-15 Step 1 salary (multiplied by
2 to include the cost of benefits and overhead) @25%) [$81,982.00] =
$1,437,982.00.
BIS requests comments on the information collection and
recordkeeping requirements associated with this proposed rule. These
comments will help BIS:
i. Evaluate whether the information collection is necessary for the
proper performance of our agency's functions, including whether the
information will have practical utility;
ii. Evaluate the accuracy of our estimate of the burden of the
information collection, including the validity of the methodology and
assumptions used;
iii. Enhance the quality, utility, and clarity of the information
to be collected; and
iv. Minimize the burden of the information collection on those who
are to respond (such as through the use of
appropriate automated, electronic, mechanical, or other technological
collection techniques or other forms of information technology, e.g.,
permitting electronic submission of responses).
8. Regulatory Flexibility Act
In compliance with Section 603 of the Regulatory Flexibility Act
(RFA), 5 U.S.C. 601-612, the Department has prepared an initial
regulatory flexibility analysis (IRFA) for this proposed rule. The IRFA
describes the economic impacts the proposed action may have on small
entities. The Department seeks comments on all aspects of the IRFA.
1. A description of the reasons why action by the agency is being
considered. Connected Vehicles contain a growing number of connected
components. While these components provide greater safety and
convenience through features like Wi-Fi, Bluetooth, cellular
telecommunication, and satellite connectivity, the incorporation of
progressively complex hardware and software systems enabling vehicle
connectivity has also increased the attack surfaces through which
malign actors may exploit vulnerabilities to gain access to a vehicle.
ICTS integral to Connected Vehicles present an undue or unacceptable
risk to U.S. national security when those systems are designed,
developed, manufactured, or supplied by persons owned by, controlled
by, or subject to the jurisdiction or direction of the PRC or Russia.
Furthermore, the PRC and Russia are able to leverage legal and
regulatory regimes to compel private companies subject to their
jurisdiction, including carmakers and vehicle suppliers, to cooperate
with state security and intelligence services. Cooperation can include
providing data, logical access, encryption keys, and other vital
technical information, as well as installing backdoors or bugs on
equipment or in software updates, ultimately making vehicle equipment
exploitable by foreign adversaries. Such privileged access potentially
enables the PRC and Russia to exfiltrate sensitive data collected by
Connected Vehicles through their components and allows remote
manipulation of vehicles driven by U.S. persons.
2. A succinct statement of the objectives of, and legal basis for,
the proposed rule. The Department is proposing this rule pursuant to
authority under the International Emergency Economic Powers Act (IEEPA)
(50 U.S.C. 1701, et seq.), the National Emergencies Act (NEA) (50
U.S.C. 1601, et seq.), and Section 301 of Title 3, United States Code,
and in accordance with E.O. 13873, ``Securing the Information and
Communications Technology and Services Supply Chain,'' 84 FR 22689 (May
17, 2019), which delegated to the Secretary of Commerce (Secretary)
certain authorities provided to the President by IEEPA, the NEA, and
Section 301 of Title 3 of the United States Code. In accordance with
the National Emergencies Act, the President has declared each year
since E.O. 13873 was published that the national emergency declared in
E.O. 13873 regarding the ICTS supply chain continues to remain in
effect.
To address identified risks to national security from ICTS
transactions, E.O. 13873 directs the Secretary (in consultation with
other agency heads identified in E.O. 13873) to review any ICTS
transaction, defined as any acquisition, importation, transfer,
installation, dealing in, or use of any ICTS by any person, or with
respect to any property, subject to United States jurisdiction, where
the transaction involves any property in which a foreign country or
national has any interest. When the Secretary, in consultation with the
appropriate agency heads, finds that an ICTS transaction or class of
ICTS transactions poses undue risks (including of sabotage, subversion,
or catastrophic effects on the security and resiliency of U.S. critical
infrastructure), or unacceptable risks to national security or the
security and safety of U.S. persons, the Secretary may identify the
ICTS transaction as prohibited by Section 1 of E.O. 13873 or impose
mitigation measures on the ICTS transaction or class of ICTS
transactions reviewed. E.O. 13873 additionally provides that the
Secretary issue rules establishing criteria by which particular
technologies or market participants may be categorically included in or
categorically excluded from prohibitions established pursuant to the
E.O.
3. A description of and, where feasible, an estimate of the number
of small entities to which the proposed rule will apply. BIS
anticipates that the entities primarily responsible for compliance with
this regulation will be connected vehicle manufacturers and VCS
hardware importers. BIS assesses, based on publicly available
information, that the U.S. connected vehicle market is dominated by a
small set of manufacturers, few of which would be considered ``small
entities'' under the Small Business Administration's definitions. The
Small Business Administration small business size standard for NAICS
336110: Automobile and Light Duty Motor Vehicle Manufacturing and NAICS
336120: Heavy Duty Truck Manufacturing is 1,500 employees or fewer.
However, BIS has limited data on how many of these suppliers engage in
covered software and VCS hardware transactions, and therefore cannot
estimate how many of these suppliers qualify as small entities. BIS
specifically seeks comments on the number of suppliers engaged in
covered software and VCS Hardware transactions in the United States, as
well as the percentage of those entities that might or could qualify as
small entities.
4. A description of the projected reporting, recordkeeping, and
other compliance requirements of the proposed rule, including an
estimate of the classes of small entities that will be subject to the
requirement and the type of professional skills necessary for
preparation of the report or record. As stated above, connected vehicle
manufacturers and VCS hardware importers will bear the majority of the
proposed rule's compliance costs. BIS estimates that the recordkeeping
and compliance burden placed on responsible small entities would
involve operations managers, engineers, and lawyers. On an annual
basis, these entities will need to, at minimum and if applicable,
submit a Declaration of Conformity certifying that their import of VCS
hardware and/or import or manufacture of completed connected vehicles
does not involve hardware or software subject to the prohibitions in
this proposed rule. The Declaration of Conformity would also include
technical information regarding the hardware or software in question
and a Bill of Materials for applicable software, hardware, or both.
BIS proposes to require connected vehicle manufacturers and VCS
hardware importers to maintain complete records related to any
transaction for which a Declaration of Conformity, general
authorization, or specific authorization would be required by this
rule, for a period of ten years, consistent with IEEPA's statute of
limitations. These records would be expected to assist BIS's
enforcement efforts for the prohibitions in the proposed rule. The
required records would include those related to any transaction that is
subject to a general authorization (including records of any entities
producing fewer than 1,000 connected vehicle or VCS hardware units in a
calendar year), any transaction that is subject to a specific
authorization, and any transaction involving covered software or VCS
Hardware for which the connected vehicle manufacturer or VCS hardware
importer has not yet sought an
authorization. BIS expects such records to include all information
submitted in applications, as well as business records related to the
execution of any ICTS transaction subject to the rule, such as
contracts, import records, bills of sale, and all other files BIS may
deem pertinent in assessing compliance with this proposed rule.
Because small entities could avail themselves of a general
authorization, the maintenance of records in support of such
authorization would be the only compliance requirement. These records
would serve as the small entities' self-certification, which does not
need to be submitted to BIS. A general authorization would allow the
VCS hardware importer and/or connected vehicle manufacturer to engage
in the otherwise prohibited transaction, without the need to notify or
seek approval from BIS. General Authorizations would be available only
in a narrow set of circumstances in which the conditions of the
otherwise prohibited transaction appropriately mitigate the level of
risk associated with the particular transaction. Such conditions would
include, for example, when VCS hardware is imported from the PRC or
Russia solely for testing purposes, or where the completed connected
vehicle that incorporates VCS hardware or covered software from the PRC
or Russia will not be driven on public roads for more than 30 calendar
days per year. Those availing themselves of a general authorization
would be required to continuously monitor their use of the VCS hardware
or completed connected vehicles covered by the general authorization to
ensure the authorization still applies. If a change would render the
transaction ineligible for a general authorization, such as a change in
the vehicle's use, the VCS hardware importer or connected vehicle
manufacturer would be required to apply for a specific authorization
and to cease engaging in such transaction unless and until a specific
authorization is granted. For example, if a completed connected vehicle
that incorporates covered software or VCS Hardware that is designed,
developed, manufactured, or supplied by a person owned by, controlled
by, or subject to the jurisdiction or direction of the PRC or Russia is
no longer engaged in display, research, or testing, the VCS hardware
importer or the connected vehicle manufacturer would be required to
seek a specific authorization. Similarly, if the VCS Hardware Importer
or connected vehicle manufacturer exceeds total model year production
of 1,000 units, or if a completed connected vehicle that incorporates
covered software or VCS hardware that is designed, developed,
manufactured, or supplied by a person owned by, controlled by, or
subject to the jurisdiction or direction of the PRC or Russia is to be
used on public roadways for 30 or more days in any calendar year, the
VCS hardware importer or connected vehicle manufacturer would be
required to seek a specific authorization from BIS.
5. An identification, to the extent practicable, of all relevant
Federal rules that may duplicate, overlap, or conflict with the
proposed rule. This rulemaking does not duplicate or conflict with any
Federal rules.
6. A description of any significant alternatives to the proposed
rule that accomplish the stated objectives of Executive Order 13984 and
Executive Order 14110 and applicable statutes and that would minimize
any significant economic impact of the proposed rule on small entities.
The Department has proposed what it believes to be ``the least
restrictive means necessary [by] tailor[ing] the prohibition to address
the undue or unacceptable risk'' (see 15 CFR part 791.109(c)) and
believes that the proposed rule will materially address significant
risks for the United States or U.S. persons while balancing the overall
compliance costs of the rule and minimizing the impact on small
entities. Below is a description of alternatives considered by the
Department; the Department invites comment on these alternatives.
No-action alternative: While the alternative of taking no action
would be less costly for connected vehicle manufacturers and VCS
hardware importers, the no-action alternative is not preferred because
the risks presented by foreign adversary involvement in the ICTS of the
U.S. connected vehicle market could lead to catastrophic negative
events for U.S. national security, including the security of U.S.
critical infrastructure, and U.S. persons.
More stringent alternatives: The Department considered several more
stringent regulatory approaches, including regulating additional
connected vehicle component systems not included in this proposed rule.
For example, the Department considered the risks posed by various
connected vehicle component systems, including ADS, telematics, battery
management systems (BMS), automated driver assistance systems (ADAS),
vehicle operating systems (OS), and satellite or cellular
telecommunication systems. The Department currently believes the best
approach to address the risks posed by connected vehicles and connected
vehicle components from foreign adversary nations is to focus the scope
of the NPRM on PRC- and Russian-supplied VCS hardware (which
encompasses both telematics and satellite or cellular telecommunication
systems) and covered software. Other systems under consideration, such
as ADAS, seem to have a low risk of data exfiltration or, in the case
of vehicle OS, would involve regulation that is expected to be
extremely burdensome on industry.
Preferred alternative: The proposed rule is the preferred
alternative. BIS assesses that the regulatory approach outlined in this
proposed rule would have the highest net benefit for connected vehicle
manufacturers, VCS hardware importers, and consumers. BIS currently
believes that the provisions in the proposed rule are also, for the
reasons articulated above and in the NPRM's preamble, ``the least
restrictive means necessary . . . to address the undue or unacceptable
risk'' presented by covered software and VCS hardware in connected
vehicles.
List of Subjects in 15 CFR Part 791
Business and industry, Communications, Computer technology,
Critical infrastructure, Executive orders, Foreign persons,
Investigations, National security, Penalties, Technology,
Telecommunications.
Elizabeth L.D. Cannon,
Executive Director, Office of Information and Communications Technology
and Services, Bureau of Industry and Security, United States Department
of Commerce.
For the reasons set out in the preamble, 15 CFR part 791, is
proposed to be amended as follows:
PART 791--SECURING THE INFORMATION AND COMMUNICATIONS TECHNOLOGY
AND SERVICES SUPPLY CHAIN
1. The authority citation for part 791 continues to read as follows:
Authority: 50 U.S.C. 1701 et seq.; 50 U.S.C. 1601 et seq.; E.O.
13873, 84 FR 22689; E.O. 14034, 86 FR 31423.
2. Amend part 791 by adding subpart D, consisting of Sec. 791.300
through Sec. 791.319, to read as follows:
Subpart D--ICTS Supply Chain: Connected Vehicles
Sec.
791.300 Purpose and scope.
791.301 Definitions.
791.302 Prohibited VCS hardware transactions.
791.303 Prohibited covered software transactions.
791.304 Related prohibited transactions.
791.305 Declaration of Conformity.
791.306 General authorizations.
791.307 Specific authorizations.
791.308 Exemptions.
791.309 Appeals.
791.310 Advisory opinions.
791.311 ``Is-Informed'' notices.
791.312 Recordkeeping.
791.313 Reports to be furnished on demand.
791.314 Penalties.
791.315 Pre-penalty notice; settlement.
791.316 Penalty imposition.
791.317 Administrative collection; referral to United States
Department of Justice.
791.318 Finding of violation.
791.319 Severability.
Subpart D--ICTS Supply Chain: Connected Vehicles
Sec. 791.300 Purpose and scope.
The inclusion in Connected Vehicles of certain ICTS designed,
developed, manufactured, or supplied by persons owned by, controlled
by, or subject to the jurisdiction or direction of certain foreign
adversaries poses undue or unacceptable risks to U.S. national
security. To address these undue or unacceptable risks, it is the
purpose of this subpart to:
(a) Prohibit ICTS transactions that involve certain software and
hardware that are designed, developed, manufactured, or supplied by
persons owned by, controlled by, or subject to the jurisdiction or
direction of the People's Republic of China (PRC) or the Russian
Federation (Russia), as defined in Sec. 791.4 and that enable
connected vehicle Automated Driving Systems or Vehicle Connectivity
Systems, as defined in this subpart;
(b) Implement compliance mechanisms such as Declarations of
Conformity to ensure that no Prohibited Transactions, as defined in
this subpart, have occurred;
(c) Provide general authorizations and a mechanism for specific
authorizations for certain transactions that are otherwise prohibited
by this subpart, but where any undue or unacceptable risks to national
security can be reasonably mitigated, based on defined criteria and
conditions; and
(d) Incentivize connected vehicle manufacturers, VCS hardware
importers, and related suppliers to adopt measures to help secure the
U.S. ICTS supply chain for connected vehicles.
Sec. 791.301 Definitions.
The following definitions apply only to this subpart, 15 CFR part
791 subpart D. For additional definitions applicable to all of part
791, see 15 CFR 791.2. If a term is defined differently in this subpart
than in 15 CFR 791.2, the definition listed in this section will apply
to this subpart.
Automated Driving System means hardware and software that,
collectively, are capable of performing the entire dynamic driving task
for a completed connected vehicle on a sustained basis, regardless of
whether it is limited to a specific operational design domain (ODD).
Completed connected vehicle means a connected vehicle that requires
no further manufacturing operations to perform its intended function.
For the purposes of this subpart, the integration of an Automated
Driving System into a connected vehicle constitutes a manufacturing
operation for a completed connected vehicle.
Connected vehicle means a vehicle driven or drawn by mechanical
power and manufactured primarily for use on public streets, roads, and
highways, that integrates onboard networked hardware with automotive
software systems to communicate via dedicated short-range
communication, cellular telecommunications connectivity, satellite
communication, or other wireless spectrum connectivity with any other
network or device. Vehicles operated only on a rail line are not
included in this definition.
Connected vehicle manufacturer means a U.S. person:
(1) Manufacturing or assembling completed connected vehicles in the
United States; and/or
(2) Importing completed connected vehicles for sale in the United
States.
Covered software means the software-based components, in which
there is a foreign interest, executed by the primary processing unit of
the respective systems that are part of an item that supports the
function of Vehicle Connectivity Systems or Automated Driving Systems
at the vehicle level. Covered software does not include firmware, which
is characterized as software specifically programmed for a hardware
device with a primary purpose of controlling, configuring, and
communicating with that hardware device. Covered software also does not
include open-source software that can be freely used, modified, and
distributed by anyone, with both access to the source code and the
ability to contribute to the software's development and improvement
unless that open-source software has been modified for proprietary
purposes and not redistributed or shared.
FCC ID Number means the unique alphanumeric code identifying a
product subject to certification by the Federal Communications
Commission composed of a:
(1) Grantee code; and
(2) Product code.
Foreign interest, for purposes of this subpart, means any interest
in property of any nature whatsoever, whether direct or indirect, by a
non-U.S. person.
Hardware Bill of Materials (HBOM) means a comprehensive list of
parts, assemblies, documents, drawings, and components required to
create a physical product, including information identifying the
manufacturer, related firmware, technical information, and descriptive
information.
Import means, in the context of this subpart, with respect to any
article, the entry of such article into the United States Customs
Territory. It does not include admission of an article from outside the
United States into a foreign-trade zone for storage pending further
assembly in the foreign-trade zone or shipment to a foreign country.
Item means a component or set of components with a specific
function at the vehicle level. A system may also be considered an item
if it implements a function.
Knowingly means having knowledge of a circumstance (the term may be
a variant, such as ``know,'' ``reason to know,'' or ``reason to
believe''), to include not only positive knowledge that the
circumstance exists or is substantially certain to occur, but also an
awareness of a high probability of its existence or future occurrence.
Such awareness is inferred from evidence of the conscious disregard of
facts known to a person and is also inferred from a person's willful
avoidance of facts.
Model year means the year used to designate a discrete vehicle
model, irrespective of the calendar year in which the vehicle was
actually produced, provided that the production period does not exceed
24 months.
Prohibited transactions mean, collectively, the transactions
described in 791.302 (Prohibited VCS Hardware Transactions), 791.303
(Prohibited Covered Software Transactions), or 791.304 (Related
Prohibited Transactions) of this subpart.
Person owned by, controlled by, or subject to the jurisdiction or
direction of a foreign adversary means:
(1) Any person, wherever located, who acts as an agent,
representative, or employee, or any person who acts in any other
capacity at the order, request, or under the direction or control, of a
foreign adversary or of a person whose activities are directly or
indirectly
supervised, directed, controlled, financed, or subsidized in whole or
in majority part by a foreign adversary;
(2) Any person, wherever located, who is a citizen or resident of a
foreign adversary or a country controlled by a foreign adversary, and
is not a United States citizen or permanent resident of the United
States;
(3) Any corporation, partnership, association, or other
organization with a principal place of business in, headquartered in,
incorporated in, or otherwise organized under the laws of a foreign
adversary or a country controlled by a foreign adversary; or
(4) Any corporation, partnership, association, or other
organization, wherever organized or doing business, that is owned or
controlled by a foreign adversary, to include circumstances in which
any person identified in paragraphs (a) through (c) possesses the
power, direct or indirect, whether or not exercised, through the
ownership of a majority or a dominant minority of the total outstanding
voting interest in an entity, board representation, proxy voting, a
special share, contractual arrangements, formal or informal
arrangements to act in concert, or other means, to determine, direct,
or decide important matters affecting an entity.
Sale means, in the context of this subpart, distributing for
purchase, lease, or other commercial operations a new completed
connected vehicle for a price, to include the transfer of completed
connected vehicles from a connected vehicle manufacturer to a dealer or
distributor, as those terms are defined in 49 U.S.C. 30102. This
definition also applies to the related terms such as Sell or Selling.
Software Bill of Materials (SBOM) means a formal and dynamic,
machine-readable inventory detailing the software supply chain
relationships between software components and subcomponents, including
software dependencies, hierarchical relationships, and baseline
software attributes, including author's name, timestamp, supplier name,
component name, version string, component hash, package URL, unique
identifier, and dependency relationships to other software components.
Vehicle Connectivity System (VCS) means a hardware or software item
for a completed connected vehicle that has the function of enabling the
transmission, receipt, conversion, or processing of radio frequency
communications at a frequency over 450 megahertz.
VCS hardware means the following software-enabled or programmable
components and subcomponents that support the function of Vehicle
Connectivity Systems or are part of an item that supports the function
of Vehicle Connectivity Systems: microcontroller, microcomputers or
modules, systems on a chip, networking or telematics units, cellular
modem/modules, Wi-Fi microcontrollers or modules, Bluetooth
microcontrollers or modules, satellite navigation systems, satellite
communication systems, other wireless communication microcontrollers or
modules, and external antennas. VCS hardware does not include component
parts that do not contribute to the communication function of VCS
hardware (e.g., brackets, fasteners, plastics, and passive
electronics).
VCS hardware importer means a U.S. person importing VCS hardware
for further manufacturing, integration, resale, or distribution. A
connected vehicle manufacturer may be a VCS hardware importer if VCS
hardware has already been installed in a connected vehicle when
imported by the connected vehicle manufacturer.
United States means the United States of America, the States of the
United States, the District of Columbia, and any commonwealth,
territory, dependency, or possession of the United States, or any
subdivision thereof, and the territorial sea of the United States.
Sec. 791.302 Prohibited VCS hardware transactions.
(a) VCS hardware importers are prohibited from knowingly importing
VCS hardware that is designed, developed, manufactured, or supplied by
persons owned by, controlled by, or subject to the jurisdiction or
direction of the PRC or Russia.
(b) In the context of this subpart, VCS hardware will not be
considered to be designed, developed, manufactured, or supplied by
persons owned by, controlled by, or subject to the jurisdiction or
direction of the PRC or Russia, solely based on the country of
citizenship of natural persons who are employed, contracted, or
otherwise similarly engaged to participate in the design, development,
manufacture, or supply of the VCS hardware.
Sec. 791.303 Prohibited covered software transactions.
(a) Connected vehicle manufacturers are prohibited from knowingly
importing into the United States completed connected vehicles that
incorporate covered software, designed, developed, manufactured, or
supplied by persons owned by, controlled by, or subject to the
jurisdiction or direction of the PRC or Russia.
(b) Connected vehicle manufacturers are prohibited from knowingly
selling in the United States completed connected vehicles that
incorporate covered software, designed, developed, manufactured, or
supplied by persons owned by, controlled by, or subject to the
jurisdiction or direction of the PRC or Russia.
(c) In the context of this subpart, covered software will not be
considered to be designed, developed, manufactured, or supplied by
persons owned by, controlled by, or subject to the jurisdiction or
direction of the PRC or Russia, solely based on the country of
citizenship of natural persons who are employed, contracted, or
otherwise similarly engaged to participate in the design, development,
manufacture, or supply of the Covered Software.
Sec. 791.304 Related prohibited transactions.
Connected vehicle manufacturers who are persons owned by,
controlled by, or subject to the jurisdiction or direction of the PRC
or Russia, are prohibited from knowingly selling in the United States
completed connected vehicles that incorporate VCS hardware or covered
software.
Sec. 791.305 Declaration of Conformity.
(a) Requirements--(1) Import of VCS hardware: A VCS hardware
importer may not import VCS Hardware as part of a transaction that is
not otherwise prohibited by this subpart without first submitting to
the Bureau of Industry and Security (BIS) a Declaration of Conformity,
unless otherwise specified by this subpart. The Declaration of
Conformity shall include:
(i) The name and address of the VCS hardware importer;
(ii) A certification that the declarant has not knowingly engaged
in a prohibited VCS hardware transaction;
(iii) The FCC ID Number associated with the VCS hardware and, if
applicable, of the subcomponents contained therein;
(iv) A list of third-party external endpoints to which the VCS
hardware connects, including the country where each endpoint is located
and/or the identity and location of the service provider;
(v) If known, the make, model, and trim of the completed connected
vehicles for which the VCS hardware is intended;
(vi) A HBOM for the VCS hardware that is the subject of the
Declaration of Conformity;
(vii) Documentation of the VCS hardware importer's due diligence
efforts, to include independent or hired third-party research, to
ensure the VCS
hardware listed in the HBOM is not designed, developed, manufactured,
or supplied by persons owned by, controlled by, or subject to the
jurisdiction or direction of the PRC or Russia;
(viii) If applicable, an indication of whether the submission is an
update to a prior Declaration of Conformity and the date of the last
submission;
(ix) Identifying information for an individual point of contact
(including name, email address, and phone number); and,
(x) Any additional material information the VCS hardware importer
would like to submit.
(2) Import of completed connected vehicles: A connected vehicle
manufacturer may not import completed connected vehicles containing
covered software as part of a transaction that is not otherwise
prohibited by this subpart without first submitting to BIS a
Declaration of Conformity, unless otherwise specified by this subpart.
The Declaration of Conformity shall include:
(i) The name and address of the connected vehicle manufacturer;
(ii) A certification that the declarant has not knowingly engaged
in a prohibited covered software transaction;
(iii) The make, model, trim, and Vehicle Identification Number
(VIN) series applicable to the completed connected vehicles;
(iv) A SBOM for the covered software that is the subject of the
Declaration of Conformity. At a minimum, the SBOM must include author's
name, timestamp, supplier name, component name, version string,
component hash, package URL, unique identifier, and dependency
relationships to other software components;
(v) Documentation of the connected vehicle manufacturer's due
diligence efforts, to include independent or hired third-party
research, to ensure that the covered software listed in the SBOM is not
designed, developed, manufactured, or supplied by persons owned by,
controlled by, or subject to the jurisdiction or direction of the PRC
or Russia;
(vi) If applicable, an indication of whether the submission is an
update to a prior Declaration of Conformity and the date of the last
submission;
(vii) Identifying information for an individual point of contact
(including name, email address, and phone number); and
(viii) Any additional material information the connected vehicle
manufacturer would like to submit.
(3) Sale of completed connected vehicles manufactured in the United
States: Connected vehicle manufacturers that manufacture or assemble
completed connected vehicles in the United States that incorporate
covered software as part of a transaction that is not otherwise
prohibited by this subpart, may not Sell completed connected vehicles
in the United States without first submitting to BIS a Declaration of
Conformity, unless otherwise specified by this subpart. If there is no
Foreign Interest in the covered software that is incorporated in
completed connected vehicles manufactured or assembled in the United
States, the connected vehicle manufacturer need not submit a
Declaration of Conformity. If submitting a Declaration of Conformity,
it shall include:
(i) The name and address of the connected vehicle manufacturer;
(ii) A certification that there is a foreign interest in the
covered software that is incorporated in the completed connected
vehicles that will be Sold in the United States;
(iii) A certification that the declarant has not knowingly engaged
in a prohibited covered software Transaction;
(iv) The make, model, trim, and VIN series applicable to the
completed connected vehicles;
(v) A SBOM for the covered software that is the subject of the
Declaration of Conformity. At a minimum, the SBOM must include author's
name, timestamp, supplier name, component name, version string,
component hash, package URL, unique identifier, and dependency
relationships to other software components;
(vi) Documentation of the connected vehicle manufacturer's due
diligence efforts, to include independent or hired third-party
research, to ensure the covered software listed in the SBOM is not
designed, developed, manufactured, or supplied by persons owned by,
controlled by, or subject to the jurisdiction or direction of the PRC
or Russia;
(vii) If applicable, an indication of whether the submission is an
update to a prior Declaration of Conformity and the date of the last
submission;
(viii) Identifying information for an individual point of contact
(including name, email address, and phone number); and
(ix) Any additional material information the connected vehicle
manufacturer would like to submit.
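The minimum SBOM content that paragraphs (a)(2)(iv) and (a)(3)(v) above require can be checked mechanically before a Declaration of Conformity is filed. The following checker is an added example, not part of the proposed rule or of any BIS tooling; the flat component-dictionary layout, the field names, and the syntax rules for digests, timestamps and package URLs are this example's own assumptions, and it adds two consistency checks the rule text does not spell out (every dependency reference must resolve to a component in the inventory, and the dependency graph must be acyclic).

```python
"""Checker for the minimum SBOM elements named in Sec. 791.305(a)(2)(iv)
and (a)(3)(v): author's name, timestamp, supplier name, component name,
version string, component hash, package URL, unique identifier, and
dependency relationships.  Added example; the flat dictionary layout and
field names below are this example's assumption, not a prescribed format."""
from __future__ import annotations

import re

# One key per minimum element the rule text lists.
REQUIRED_FIELDS = (
    "author_name", "timestamp", "supplier_name", "component_name",
    "version_string", "component_hash", "package_url", "unique_identifier",
    "dependencies",
)

# Syntax checks this example imposes (the rule names the elements, not their
# syntax): algorithm-prefixed hex digests, RFC 3339 timestamps, purl scheme.
HASH_RE = re.compile(
    r"^(sha1:[0-9a-f]{40}|sha256:[0-9a-f]{64}|sha512:[0-9a-f]{128})$")
TS_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(Z|[+-]\d{2}:\d{2})$")


def check_sbom(components: list[dict]) -> list[str]:
    """Return a list of findings for an SBOM; an empty list means it passes."""
    findings: list[str] = []
    by_id: dict[str, dict] = {}
    for idx, comp in enumerate(components):
        label = comp.get("unique_identifier") or f"component[{idx}]"
        for key in REQUIRED_FIELDS:
            # An empty dependency list is a valid value (a leaf component);
            # a missing key, None or an empty string is not.
            if key not in comp or comp[key] is None or comp[key] == "":
                findings.append(f"{label}: missing required field '{key}'")
        uid = comp.get("unique_identifier")
        if uid:
            if uid in by_id:
                findings.append(f"{label}: duplicate unique_identifier")
            by_id[uid] = comp
        digest = comp.get("component_hash") or ""
        if digest and not HASH_RE.match(digest):
            findings.append(f"{label}: component_hash '{digest}' is not an "
                            "algorithm-prefixed hex digest")
        stamp = comp.get("timestamp") or ""
        if stamp and not TS_RE.match(stamp):
            findings.append(f"{label}: timestamp '{stamp}' is not RFC 3339")
        purl = comp.get("package_url") or ""
        if purl and not purl.startswith("pkg:"):
            findings.append(f"{label}: package_url '{purl}' does not use the "
                            "purl 'pkg:' scheme")
    # A dependency relationship only documents the supply chain if it points
    # at a component that is itself in the inventory; an unresolved reference
    # means a component is missing from the SBOM.
    for comp in components:
        for dep in comp.get("dependencies") or []:
            if dep not in by_id:
                findings.append(f"{comp.get('unique_identifier')}: depends on "
                                f"'{dep}', which is not in the SBOM")
    findings.extend(_find_cycles(by_id))
    return findings


def _find_cycles(by_id: dict[str, dict]) -> list[str]:
    """Depth-first search reporting each dependency cycle once."""
    WHITE, GREY, BLACK = 0, 1, 2
    state = {uid: WHITE for uid in by_id}
    out: list[str] = []

    def visit(uid: str, path: list[str]) -> None:
        state[uid] = GREY
        path.append(uid)
        for dep in by_id[uid].get("dependencies") or []:
            if dep not in by_id:
                continue  # already reported as unresolved above
            if state[dep] == GREY:
                cycle = path[path.index(dep):] + [dep]
                out.append("dependency cycle: " + " -> ".join(cycle))
            elif state[dep] == WHITE:
                visit(dep, path)
        path.pop()
        state[uid] = BLACK

    for uid in by_id:
        if state[uid] == WHITE:
            visit(uid, [])
    return out


# Constructed sample: a two-component SBOM for a hypothetical telematics image.
SAMPLE_SBOM = [
    {"author_name": "Example Motors SBOM tool", "timestamp": "2024-09-26T12:00:00Z",
     "supplier_name": "Example Motors", "component_name": "tcu-firmware",
     "version_string": "4.2.0", "component_hash": "sha256:" + "ab" * 32,
     "package_url": "pkg:generic/tcu-firmware@4.2.0",
     "unique_identifier": "tcu-firmware-4.2.0", "dependencies": ["libtls-3.1.2"]},
    {"author_name": "Example Motors SBOM tool", "timestamp": "2024-09-26T12:00:00Z",
     "supplier_name": "Example TLS Vendor", "component_name": "libtls",
     "version_string": "3.1.2", "component_hash": "sha256:" + "cd" * 32,
     "package_url": "pkg:generic/libtls@3.1.2",
     "unique_identifier": "libtls-3.1.2", "dependencies": []},
]

# Constructed sample with defects: no supplier, malformed hash, date-only
# timestamp, non-purl package URL, and a dependency absent from the inventory.
BAD_SBOM = SAMPLE_SBOM + [
    {"author_name": "Example Motors SBOM tool", "timestamp": "2024-09-26",
     "component_name": "modem-blob", "version_string": "1.0",
     "component_hash": "md5:deadbeef", "package_url": "modem-blob",
     "unique_identifier": "modem-blob-1.0", "dependencies": ["vendor-sdk-9"]},
]

if __name__ == "__main__":
    for finding in check_sbom(BAD_SBOM):
        print(finding)
```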
(b) Procedures to submit Declarations of Conformity. Connected
vehicle manufacturers and VCS Hardware Importers shall submit
Declarations of Conformity annually as specified in this section and
any time there is a material change that makes a prior Declaration of
Conformity or associated HBOM or SBOM no longer accurate.
(1) Connected vehicle manufacturers seeking to import or
manufacture for Sale in the United States a completed connected vehicle
containing covered software shall submit a Declaration of Conformity 60
days prior to the first import or first sale of each model year of
completed connected vehicles, grouped by make, model, and trim.
(2) VCS hardware importers seeking to import any VCS hardware shall
submit a Declaration of Conformity 60 days prior to the first import of
VCS hardware for each model year for units associated with a vehicle
model year, or calendar year for units not associated with a vehicle
model year. VCS hardware importers may submit a single Declaration of
Conformity detailing all VCS Hardware models that will be imported in
the Model Year or calendar year.
(3) Entities that are both connected vehicle manufacturers and VCS
hardware importers may, but are not required to, submit a single
compiled Declaration of Conformity detailing all required information
specified in 791.305 of this subpart. Any compiled Declaration of
Conformity shall be submitted 60 days prior to the first import or
first sale of the model year of completed connected vehicles or 60 days
prior to the first import of VCS hardware, whichever occurs first.
(4) Declarants must notify BIS of any material change in the
contents of a previously submitted Declaration of Conformity by
submitting a revised Declaration of Conformity within 30 days following
any such changes.
(c) Declarations of Conformity must be delivered to BIS using an
official electronic reporting option as specified by BIS on its website
(https://www.bis.gov).
(d) Connected vehicle introduced by means of a fraudulent or false
declaration. Any person who engages in a prohibited VCS hardware
transaction or a prohibited covered software transaction and submits a
false or fraudulent Declaration of Conformity made without reasonable
cause to believe the truth of the declaration, may incur penalties as
defined in Sec. 791.314.
Sec. 791.306 General authorizations.
(a) VCS hardware importers and connected vehicle manufacturers may
qualify for a general authorization if they meet the stated
requirements or conditions to engage in otherwise prohibited
transactions. Persons availing themselves of any general authorization
are required to maintain
records documenting each otherwise prohibited transaction for a period
of 10 years as specified in Sec. 791.312.
(b) General course of procedure. VCS hardware importers and
connected vehicle manufacturers may self-certify, without need to
notify BIS, that they meet the requirements for one or more of the
following general authorizations:
(1) The connected vehicle manufacturer or VCS hardware importer and
entities under common control, including parents, engaging in an
otherwise prohibited transaction have a total model year production of
completed connected vehicles containing covered software, or a total
model year production of VCS hardware, of fewer than 1,000 units;
(2) The completed connected vehicle that incorporates covered
software or VCS hardware will be used on public roadways on fewer than
30 calendar days in any calendar year;
(3) The completed connected vehicle that incorporates covered
software or the VCS hardware will be used solely for the purpose of
display, testing, or research, and will not be used on public roadways;
or
(4) The completed connected vehicle that incorporates covered
software or the VCS hardware is imported solely for purposes of repair,
alteration, or competition off public roads and will be reexported
within one year from the time of import.
(c) Change in use. In the event of any change in the use of a
completed connected vehicle or VCS hardware associated with a general
authorization, a VCS hardware importer or connected vehicle
manufacturer availing itself of a general authorization must determine
if it still qualifies for the general authorization or if it must apply
for a specific authorization.
(d) Inspection. VCS hardware importers and connected vehicle
manufacturers availing themselves of a general authorization are
subject to audit and inspection by BIS.
(e) Restrictions. VCS Hardware importers and connected vehicle
manufacturers shall not avail themselves of any general authorization
if any one or more of the following apply:
(1) BIS has notified the VCS hardware importer or connected vehicle
manufacturer that it is not eligible for a general authorization.
(2) The VCS Hardware Importer or connected vehicle manufacturer is
a person owned by, controlled by, or subject to the jurisdiction or
direction of the PRC or Russia.
Sec. 791.307 Specific authorizations.
(a) BIS may provide Specific Authorizations permitting a VCS
hardware importer or connected vehicle manufacturer to engage in
otherwise prohibited transactions. Persons receiving a specific
authorization are required to maintain records for a period of 10 years
as required in Sec. 791.312 and submit reports and statements in
accordance with the instructions specified in each specific
authorization.
(b) General course of procedure. Prohibited transactions subject to
this subpart, and that are not otherwise permitted under an exemption
or a general authorization, may be permitted under a specific
authorization. It is the policy of BIS not to grant applications for
specific authorizations for transactions that are permitted by a
general authorization.
(c) Applications for specific authorizations. Applications for
specific authorizations shall include, at a minimum, a description of
the nature of the otherwise prohibited transaction(s), including the
following:
(1) The identity of the parties engaged in the transaction,
including relevant corporate identifiers and information sufficient to
identify the ultimate beneficial ownership of the transacting parties;
(2) An overview of the VCS hardware or covered software that is
designed, developed, manufactured, or supplied by a person owned by,
controlled by, or subject to the jurisdiction or direction of the PRC
or Russia;
(3) If known, the make, model, and trim of the completed connected
vehicle in which the VCS hardware or covered software will be
integrated;
(4) The intended function of the VCS hardware or covered software;
(5) Documentation to support the information contained in the
application, including ISO/SAE 21434 Threat Analysis and Risk
Assessments, to include an assessment on the applicant's ability to
limit PRC or Russian government access to, or influence over the
design, development, manufacture or supply of the VCS hardware or
covered software; security standards used by the applicant with respect
to the VCS hardware or covered software; other actions and proposals
such as technical controls (i.e., software validation) or operational
controls (i.e., physical and logical access monitoring procedures), the
applicant intends to take to mitigate undue or unacceptable risk; and
(6) Any other information that BIS may request after receipt of the
initial application for a Specific Authorization.
(d) Application submission procedures. A VCS hardware importer or
connected vehicle manufacturer who seeks to engage in an otherwise
prohibited transaction must submit an application for specific
authorization in writing prior to engaging in the transaction and await
a decision from BIS prior to engaging in the transaction. This
application must be delivered to BIS using an official electronic
reporting option as specified by BIS on its website (https://www.bis.gov).
(e) Additional conditions. Only one application for a specific
authorization should be submitted to BIS for each otherwise prohibited
transaction; multiple parties submitting an application for a specific
authorization for the same transaction may result in processing delays.
(f) Information to be supplied. An applicant may be required to
furnish additional information as BIS deems necessary to assist in
making a decision. The applicant may present additional information
concerning an application for a specific authorization at any time
before BIS makes its decision with respect to the application.
(g) Review and decisions. BIS will review applications for specific
authorization on a case-by-case basis and determine the conditions to
be applied to each specific authorization as may be needed to mitigate
any risk that arises as a result of the otherwise prohibited transaction.
Such review may include an evaluation of the risks and potential
mitigation measures proposed by the applicant for the particular
transaction, including, but not limited to, risks of data exfiltration
from, and remote manipulation or operation of, the connected vehicle;
the extent and nature of foreign adversary involvement in the design,
development, manufacture, or supply of the VCS hardware or covered
software; the applicant's ability to limit PRC or Russian government
access to, or influence over the design, development, manufacture or
supply of the VCS hardware or covered software; security standards used
by the applicant and if such standards can be validated by BIS or a
third-party; other actions and proposals the applicant intends to take
to mitigate undue or unacceptable risk. BIS will advise each applicant
of the decision respecting the filed application.
(h) Processing period. BIS shall respond to any application for a
specific authorization with a status update and a request for
additional information or documents, if any, within 90 days after
receipt of the application.
(i) Scope. (1) Unless otherwise specified in the authorization, a
specific
authorization permits the transaction only:
(i) Between the parties identified in the specific authorization;
(ii) With respect to the otherwise prohibited transaction(s)
described in the authorization; and
(iii) If the conditions specified in the specific authorization are
satisfied. The applicant must inform any other parties identified in
the specific authorization of the authorization's scope and specific
conditions.
(2) Any specific authorization obtained based on a false or
misleading representation in the application or in any document
submitted in connection with the application under this section shall
be deemed void as of the date of issuance, and the applicant may incur
penalties as specified in Sec. 791.314.
(3) As a condition for the issuance of any specific authorization,
the applicant may be required to file reports with respect to the
otherwise prohibited transactions authorized by the specific
authorization in such form and at such times and places as may be
prescribed in the specific authorization or otherwise communicated to
the applicant by BIS. Reports should be sent in accordance with the
instructions provided in the applicable specific authorization.
(j) Effect of denial. BIS's denial of a specific authorization may
be appealed as described in Sec. 791.309 and does not preclude parties
from filing an application for a specific authorization for a separate
otherwise prohibited transaction. The applicant may at any time
request, by written correspondence, reconsideration of the denial of an
application based on new material facts or changed circumstances.
(k) Effect of specific authorization. (1) No specific authorization
issued under this subpart, or otherwise issued by BIS, permits or
validates any prohibited transaction effected prior to the issuance of
such specific authorization unless specifically provided for in the
specific authorization.
(2) No regulation, ruling, instruction, or authorization permits
any prohibited transaction under this subpart unless the regulation,
ruling, instruction or Authorization is issued by BIS and specifically
refers to this subpart. No regulation, ruling, instruction, or
authorization referring to this subpart shall be deemed to permit any
prohibited transaction prohibited by any provision of this subpart
unless the regulation, ruling, instruction, or authorization
specifically refers to such provision. Any specific authorization
permitting any otherwise prohibited transaction has the effect of
removing those prohibitions from the transaction, but only to the
extent specifically stated by the terms of the specific authorization.
Unless the specific authorization otherwise specifies, such an
authorization does not create any right, duty, obligation, claim, or
interest in, or with respect to, any property that would not otherwise
exist under ordinary principles of law.
(3) Nothing contained in this subpart shall be construed to
supersede the requirements established under any other provision of law
or to relieve a person from any requirement to obtain an authorization
from another department or agency of the U.S. Government in compliance
with applicable laws and regulations subject to the jurisdiction of
that department or agency.
(l) Amendment, modification, or rescission. Except as otherwise
provided by law, any Specific Authorization or instructions issued
thereunder may be amended, modified, or rescinded by BIS at any time.
Sec. 791.308 Exemptions.
(a) VCS hardware importers may engage in prohibited transactions
described in Sec. 791.302 without an authorization as required under
Sec. Sec. 791.306 and 791.307, and are exempt from submitting
Declarations of Conformity with respect to all other transactions, as
described in Sec. 791.305 provided that:
(1) For VCS Hardware units not associated with a vehicle model
year, the import of the VCS hardware occurs prior to January 1, 2029;
or
(2) The VCS hardware is associated with a vehicle model year prior
to 2030 or the VCS hardware is imported as part of a connected vehicle
with a model year prior to 2030.
(b) Connected vehicle manufacturers may engage in prohibited
transactions described in Sec. 791.303 without authorization as
required under Sec. Sec. 791.306 or 791.307 and are exempt from
submitting Declarations of Conformity with respect to all other
transactions, as described in Sec. 791.305, provided that the
completed connected vehicle that incorporates covered software
described in Sec. 791.303(a)(1) was manufactured prior to Model Year
2027.
(c) Connected vehicle manufacturers who are owned by, controlled
by, or subject to the jurisdiction or direction of the PRC or Russia
may engage in prohibited transactions described in section 791.304
without Authorization as required under Sec. Sec. 791.306 or 791.307,
and are exempt from submitting Declarations of Conformity to all other
transactions, provided that the completed connected vehicle that
incorporates VCS hardware and/or covered software was manufactured
prior to Model Year 2027.
Sec. 791.309 Appeals.
(a) Scope. Any person directly and adversely affected by any of the
listed administrative actions taken by BIS pursuant to this subpart may
appeal to the Under Secretary for reconsideration of that
administrative action. Only the following types of administrative
actions are subject to the appeals procedures described in this
subpart:
(1) Denial of an application for specific authorization;
(2) Suspension or revocation of an issued specific authorization;
or
(3) Determination of ineligibility for a general authorization.
(b) Designated appeals reviewer and coordinator. The Under
Secretary may delegate to the Deputy Under Secretary of Commerce for
Industry and Security or to another BIS official the authority to
review and decide the appeal, and to exercise any other function of the
Under Secretary under this section. In addition, the Under Secretary
may designate any employee of BIS to be an appeals coordinator to
assist in the review and processing of an appeal under this subpart.
(c) Appeals procedures. An appeal under this subpart must be
submitted to the Under Secretary by email or at the following address:
Bureau of Industry and Security, U.S. Department of Commerce, Room
3898, 14th Street and Pennsylvania Avenue NW, Washington, DC 20230 not
later than 45 days after the date appearing on the written notice of
administrative action. The appeal must include a full written statement
in support of the appellant's position. The appeal must include a
precise statement of the reasons that the appellant believes that the
administrative action has a direct and adverse effect and should be
reversed or modified. The Under Secretary or the designated official
may request additional information that would be helpful in resolving
the appeal and may accept additional submissions. The Under Secretary
or the designated official will not ordinarily accept any submission
filed sua sponte more than 30 days after the filing of the appeal.
(d) Request for informal hearing. In addition to the written
statement submitted in support of an appeal, an appellant may request,
in writing, at the time an appeal is filed, an opportunity for an
informal hearing. A hearing is not required, and the Under Secretary or
the designated official may grant or deny a
request for an informal hearing at the Under Secretary's or the
designated official's sole discretion. Any hearings will be held in the
District of Columbia unless the Under Secretary or the designated
official determines, based upon good cause shown, that another location
would be preferable.
(e) Informal hearing procedures. If a hearing request is granted,
the Under Secretary or the designated official may provide an
opportunity for the appellant to make an oral presentation at an
informal hearing based on the materials previously submitted by the
appellant or made available by the Department. The Under Secretary or
the designated official may require that any facts in controversy be
covered by an affidavit or testimony given under oath or affirmation.
The rules of evidence prevailing in courts of law do not apply, and all
evidentiary material deemed by the Under Secretary or the designated
official to be relevant and material to the proceeding, and not unduly
repetitious, will be received and considered. The Under Secretary or
the designated official has the authority to limit the number of people
attending the hearing, to impose any time or other limitations deemed
reasonable, and to determine all procedural questions. A transcript of
an informal hearing shall not be made, unless the Under Secretary or
the designated official determines that the national interest or other
good cause warrants it, or the appellant requests a transcript. If the
appellant requests, and the Under Secretary or the designated official
approves the taking of, a transcript, the appellant will be responsible
for paying all expenses related to production of the transcript. Any
person designated by the Under Secretary to conduct an informal hearing
shall submit a written report containing a summary of the hearing and
recommended action to the Under Secretary.
(f) Decisions. In addition to the documents specifically submitted
in connection with the appeal, the Under Secretary or the designated
official may consider any recommendations, reports, or other relevant
documents available to BIS in determining the appeal, but shall not be
bound by any such information, nor prevented from considering any other
relevant information, or consulting with any other person or groups, in
making a decision. The Under Secretary or the designated official may
adopt any other procedures deemed necessary and reasonable for
considering an appeal, including by providing the appellant with an
interim or proposed decision and offering the appellant an opportunity
to provide comments. The Under Secretary or the designated official
shall decide an appeal within a reasonable time after receipt of the
appeal. The decision shall be issued to the appellant in writing and
contain a statement of the reasons for the action and address any
arguments contrary to the decision presented by the appellant. The
decision of the Under Secretary or the designated official shall be
final.
(g) Effect of appeal. Acceptance and consideration of an appeal
shall not affect any administrative action, pending or in effect,
unless the Under Secretary or the designated official, upon request by
the appellant and with opportunity for a response, grants a stay.
Sec. 791.310 Advisory opinions.
(a) VCS hardware importers and connected vehicle manufacturers may
request an advisory opinion from BIS as to whether a prospective
transaction is subject to a prohibition in this subpart. The entire
transaction that is the subject of the advisory opinion request must be
an actual, as opposed to hypothetical, transaction and involve
disclosed, as opposed to anonymous, parties to the transaction.
(b) Advisory opinion requests must be made in writing, and may be
delivered to BIS by email, through the BIS website, or by any other
means that BIS may prescribe.
(c) Persons submitting advisory opinion requests are encouraged to
provide as much information as possible to assist BIS in making a
determination, to include the following information:
(1) The name, title, and telephone and email address of the person
to contact;
(2) The submitter's complete address comprised of street address,
city, state, country, and postal code;
(3) All available information identifying the parties to the
prospective transaction;
(4) Complete information regarding the VCS hardware and/or covered
software and any descriptive literature, brochures, technical
specifications, or papers that provide sufficient technical detail to
enable BIS to verify whether the prospective transaction would
constitute a prohibited transaction as defined in this subpart;
(5) For connected vehicle manufacturers: the make, model, and trim
level, or other identifying information number of the completed
connected vehicle;
(6) For VCS hardware Importers: the identification of the system;
and, if known, the make, model, and trim of the group of completed
connected vehicles for which the equipment is intended;
(7) An SBOM and/or an HBOM; and
(8) Any other information that the submitter believes to be
material to the prospective transaction.
(d) Each person that submits an advisory opinion request shall
provide any additional information or documents that BIS may thereafter
request in its review of the matter.
(e) Each advisory opinion can be relied upon by the requesting
party or parties to the extent the disclosures made pursuant to this
subpart were accurate and complete and to the extent the disclosures
continue accurately and completely to reflect circumstances after the
date of the issuance of the advisory opinion. An advisory opinion will
not restrict enforcement actions by any agency other than BIS. It will
not affect a requesting party's obligations to any other agency or
under any statutory or regulatory provision other than those
specifically discussed in the Advisory Opinion.
(f) BIS may publish on its website an advisory opinion that may be
of broad interest to the public, with redactions where necessary to
protect confidential business information.
Sec. 791.311 "Is-Informed" notices.
(a) BIS may inform VCS hardware importers or connected vehicle
manufacturers either individually by specific notice or, for larger
groups, through a separate notice published in the Federal Register,
that a specific authorization is required because an activity could
constitute a prohibited transaction.
(b) Specific notice that a specific authorization is required may
be given only by, or at the direction of, the Under Secretary or a BIS
official designated by the Under Secretary.
Sec. 791.312 Recordkeeping.
Except as otherwise provided, VCS hardware importers and connected
vehicle manufacturers shall keep a full and accurate record of each
transaction engaged in for which a Declaration of Conformity, general
authorization, or specific authorization would be required under
sections 791.305, 791.306, or 791.307, regardless of whether these
transactions are effected pursuant to a general authorization, specific
authorization, or otherwise, and such record shall be available for
examination for at least 10 years after the date of such transactions.
Sec. 791.313 Reports to be furnished on demand.
(a) VCS hardware importers and connected vehicle manufacturers are
required to furnish under oath, in the
form of reports or as otherwise specified by BIS, from time to time and
at any time as may be required by BIS, complete information relative to
any transaction involving the import of VCS hardware or the import or
Sale of completed connected vehicles incorporating covered software,
regardless of whether such transaction is effected pursuant to an
authorization or otherwise, subject to the provisions of this subpart.
BIS may require that such reports include the production of any books,
contracts, letters, papers, or other hard copy or electronic documents
relating to any transactions, in the custody or control of the persons
required to make such reports. BIS may, through any person or agency,
conduct investigations, hold hearings, administer oaths, examine
witnesses, receive evidence, take depositions, and require by subpoena
the attendance and testimony of witnesses and the production of any
books, contracts, letters, papers, and other hard copy or electronic
documents relating to any matter under investigation, regardless of
whether any report has been required or filed in connection therewith.
(b) For purposes of paragraph (a) of this section, the term
"document" includes any written, recorded, or graphic matter or other
means of preserving thought or expression (including in electronic
format), and all tangible things stored in any medium from which
information can be processed, transcribed, or obtained directly or
indirectly, including correspondence, memoranda, notes, messages,
contemporaneous communications such as text and instant messages,
letters, emails, spreadsheets, metadata, contracts, bulletins, diaries,
chronological data, minutes, books, reports, examinations, charts,
ledgers, books of account, invoices, air waybills, bills of lading,
worksheets, receipts, printouts, papers, schedules, affidavits,
presentations, transcripts, surveys, graphic representations of any
kind, drawings, photographs, graphs, video or sound recordings, and
motion pictures or other film.
(c) Persons providing documents to BIS pursuant to this section
must submit documents electronically. Acceptable formats include
Portable Document Format (PDF) and Microsoft Excel. Files with
embedded, encrypted, or password protected content will not be
accepted.
Sec. 791.314 Penalties.
(a) Section 206 of the International Emergency Economic Powers Act
(50 U.S.C. 1705) (IEEPA) is applicable to violations of the provisions
of any general authorization, Specific authorization, regulation,
order, directive, instruction, or prohibition issued by or pursuant to
the direction or authorization of the Secretary of Commerce (Secretary)
pursuant to this subpart or otherwise under IEEPA.
(1) A civil penalty not to exceed the amount set forth in section
206 of IEEPA may be imposed on any person who violates, attempts to
violate, conspires to violate, or causes a violation of any exemption,
general authorization, specific authorization, regulation, order,
directive, instruction, or prohibition issued under this subpart.
(2) A person who willfully commits, willfully attempts to commit,
willfully conspires to commit, or aids or abets in the commission of a
violation of any exemption, general authorization, specific
authorization, regulation, order, directive, instruction, or
prohibition issued under this subpart is subject to criminal penalties
and may, upon conviction, be fined not more than $1,000,000, or if a
natural person, be imprisoned for not more than 20 years, or both.
(b) The civil penalties provided in IEEPA are subject to adjustment
pursuant to the Federal Civil Penalties Inflation Adjustment Act of
1990 (Pub. L. 101-410, as amended, 28 U.S.C. 2461 note).
(c) The criminal penalties provided in IEEPA are subject to
adjustment pursuant to 18 U.S.C. 3571.
(d) Pursuant to 18 U.S.C. 1001, whoever, in any matter within the
jurisdiction of the executive, legislative, or judicial branch of the
U.S. Government, knowingly and willfully falsifies, conceals, or covers
up by any trick, scheme, or device a material fact; or makes any
materially false, fictitious, or fraudulent statement or
representation; or makes or uses any false writing or document knowing
the same to contain any materially false, fictitious, or fraudulent
statement or entry shall be fined under title 18, United States Code,
imprisoned, or both.
(e) Violations of this subpart may also be subject to other
applicable laws.
Sec. 791.315 Pre-penalty notice; settlement.
(a) When required. If BIS has reason to believe that there has
occurred a violation of any provision of this subpart or a violation of
the provisions of any exemption, general authorization, specific
authorization, regulation, order, directive, instruction, or
prohibition issued by or pursuant to the direction or authorization of
the Secretary pursuant to this subpart or otherwise under IEEPA and
determines that a civil monetary penalty is warranted, BIS will issue a
pre-penalty notice informing the alleged violator of BIS's intent to
impose a monetary penalty. A Pre-Penalty Notice shall be in writing and
issued electronically to the alleged violator. The pre-penalty notice
may be issued whether or not another agency has taken any action with
respect to the matter.
(b) Response--(1) Right to respond. An alleged violator may respond
to a Pre-Penalty Notice in writing to BIS.
(2) Deadline for response. A response to a Pre-Penalty Notice must
be made within 30 days as set forth below. The failure to submit a
response within 30 days shall be deemed to be a waiver of the right to
respond.
(i) Computation of time for response. A response to a Pre-Penalty
Notice must be electronically transmitted on or before the 30th day
after the date of delivery by BIS.
(ii) Extensions of time for response. If a due date falls on a
federal holiday or weekend, that due date is extended to include the
following business day. Any other extensions of time will be granted,
at the discretion of BIS, only upon specific request to BIS.
(3) Form and method of response. A response to a pre-penalty notice
need not be in any particular form, but it must be typewritten and
signed by the alleged violator or a representative thereof, contain
information sufficient to indicate that it is in response to the pre-
penalty notice, and include the BIS identification number listed on the
pre-penalty notice. A digital signature is acceptable.
(4) Information that should be included in response. Any response
should set forth in detail why the alleged violator either believes
that a violation of the provisions of this subpart did not occur and/or
why a civil monetary penalty is otherwise unwarranted under the
circumstances. The response should include all documentary or other
evidence available to the alleged violator that supports the arguments
set forth in the response. BIS will consider all relevant materials
submitted in the response.
(c) Settlement. Settlement discussions may be initiated by BIS, the
alleged violator, or the alleged violator's authorized representative.
(d) Representation. A representative of the alleged violator may
act on behalf of the alleged violator, but any oral communication with
BIS prior to a written submission regarding the specific allegations
contained in the pre-penalty notice must be preceded by a written
letter of representation, unless the pre-penalty notice was served upon
the alleged violator in care of the representative.
Sec. 791.316 Penalty imposition.
(a) If, after considering any written response to the pre-penalty
notice and any relevant facts, BIS determines that there was a
violation by the alleged violator named in the pre-penalty notice and
that a civil monetary penalty is appropriate, BIS may issue a penalty
notice to the violator containing a determination of the violation and
the imposition of the monetary penalty.
(b) The issuance of the penalty notice shall constitute final
agency action. The violator may seek judicial review of that final
agency action in federal district court.
Sec. 791.317 Administrative collection; referral to United States
Department of Justice.
In the event that the violator does not pay the penalty imposed
pursuant to this subpart or make payment arrangements acceptable to
BIS, the matter may be referred for administrative collection measures
by the Department of the Treasury or to the United States Department of
Justice for appropriate action to recover the penalty in a civil suit
in a federal district court.
Sec. 791.318 Finding of Violation.
(a) When issued. (1) BIS may issue an initial finding of violation
that identifies a violation if BIS:
(i) Determines that there has occurred a violation of any provision
of this subpart, or a violation of the provisions of any exemption,
general authorization, specific authorization, regulation, order,
directive, instruction, or prohibition issued by or pursuant to the
direction or authorization of the Secretary pursuant to this subpart or
otherwise under IEEPA;
(ii) Considers it important to document the occurrence of a
violation; and
(iii) Concludes that an administrative response is warranted but
that a civil monetary penalty is not the most appropriate response.
(2) An initial finding of violation shall be in writing and may be
issued whether or not another agency has taken any action with respect
to the matter.
(b) Response--(1) Right to respond. An alleged violator may contest
an initial Finding of Violation by providing a written response to BIS.
(2) Deadline for response; default determination. A response to an
initial Finding of Violation must be made within 30 days as set forth
in paragraphs (b)(2)(i) and (ii) of this section. The failure to submit
a response within 30 days shall be deemed to be a waiver of the right
to respond, and the initial Finding of Violation will become final and
will constitute final agency action. The violator may seek judicial
review of that final agency action in federal district court.
(i) Computation of time for response. A response to an initial
finding of violation must be electronically transmitted on or before
the 30th day after the date of delivery by BIS.
(ii) Extensions of time for response. If a due date falls on a
federal holiday or weekend, that due date is extended to include the
following business day. Any other extensions of time will be granted,
at the discretion of BIS, only upon specific request to BIS.
(3) Form and method of response. A response to an initial finding
of violation need not be in any particular form, but it must be
typewritten and signed by the alleged violator or a representative
thereof, contain information sufficient to indicate that it is in
response to the initial finding of violation, and include the BIS
identification number listed on the initial finding of violation. A
digital signature is acceptable.
(4) Information that should be included in response. Any response
should set forth in detail why the alleged violator either believes
that a violation of the provisions of this subpart did not occur and/or
why a finding of violation is otherwise unwarranted under the
circumstances. The response should include all documentary or other
evidence available to the alleged violator that supports the arguments
set forth in the response. BIS will consider all relevant materials
submitted in the response.
(c) Determination--(1) Determination that a finding of violation is
warranted. If, after considering the response, BIS determines that a
final finding of violation should be issued, BIS will issue a final
finding of violation that will inform the violator of its decision. Any
action taken in a final finding of violation shall constitute final
agency action. The violator has the right to seek judicial review of
that final agency action in federal district court.
(2) Determination that a finding of violation is not warranted. If,
after considering the response, BIS determines a finding of violation
is not warranted, then BIS will inform the alleged violator of its
decision not to issue a final finding of violation.
Sec. 791.319 Severability.
If any provision of this subpart is held to be invalid or
unenforceable by its terms, or as applied to any person or
circumstance, or stayed pending further agency action or judicial
review, the provision is to be construed so as to continue to give the
maximum effect to the provision permitted by law, unless such holding
will be one of utter invalidity or unenforceability, in which event the
provision will be severable from this part and will not affect the
remainder thereof.
[FR Doc. 2024-21903 Filed 9-23-24; 8:45 am]
BILLING CODE 3510-33-P