Proposed Rule

Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles

Notice of proposed rulemaking.

Summary:

In this notice of proposed rulemaking (NPRM), the Department of Commerce's (Department) Bureau of Industry and Security (BIS) proposes a rule to address undue or unacceptable risks to national security and U.S. persons posed by classes of transactions involving information and communications technology and services (ICTS) that are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of certain foreign adversaries, and which are integral to connected vehicles, as defined herein. BIS is soliciting comment on this proposed rule, which builds on the advance notice of proposed rulemaking (ANPRM) issued by BIS on March 1, 2024.

Key Dates
Citation: 89 FR 79088
Comments to this proposed rule must be received on or before October 28, 2024.
Comments closed: October 28, 2024
Public Participation
103 comments 2 supporting docs
Topics:
Aliens; Business and industry; Communications; Computer technology; Critical infrastructure; Executive orders; Investigations; Penalties; Telecommunications

Rulemaking Status

This is a proposed rule. A final rule may be issued after the comment period and agency review.

Document Details

Document Number: 2024-21903
FR Citation: 89 FR 79088
Type: Proposed Rule
Published: Sep 26, 2024
Effective Date: -
RIN: 0694-AJ56
Docket ID: Docket No. 240919-0245
Pages: 79088–79123 (36 pages)

Related Documents (by RIN/Docket)

Doc # | Type | Title | Published
2025-00592 | Final Rule | Securing the Information and Communicati... | Jan 16, 2025
2024-04382 | Proposed Rule | Securing the Information and Communicati... | Mar 1, 2024

Full Document Text (38,608 words · ~194 min read)

DEPARTMENT OF COMMERCE

Bureau of Industry and Security

15 CFR Part 791

[Docket No. 240919-0245]

RIN 0694-AJ56

Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles

AGENCY: Bureau of Industry and Security, Department of Commerce.

ACTION: Notice of proposed rulemaking.

SUMMARY: In this notice of proposed rulemaking (NPRM), the Department of Commerce's (Department) Bureau of Industry and Security (BIS) proposes a rule to address undue or unacceptable risks to national security and U.S. persons posed by classes of transactions involving information and communications technology and services (ICTS) that are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of certain foreign adversaries, and which are integral to connected vehicles, as defined herein. BIS is soliciting comment on this proposed rule, which builds on the advance notice of proposed rulemaking (ANPRM) issued by BIS on March 1, 2024.

DATES: Comments to this proposed rule must be received on or before October 28, 2024.

ADDRESSES: All comments must be submitted by one of the following methods:

• By the Federal eRulemaking Portal: http://www.regulations.gov at docket number BIS-2024-0005.

• By email directly to: connectedvehicles@bis.doc.gov. Include “RIN 0694-AJ56” in the subject line.

• Instructions: Comments sent by any other method, to any other address or individual, or received after the end of the comment period, may not be considered. For those seeking to submit confidential business information (CBI), please clearly mark such submissions as CBI and submit by email, as instructed above. Each CBI submission must also contain a summary of the CBI, clearly marked as public, in sufficient detail to permit a reasonable understanding of the substance of the information for public consumption. Such summary information will be posted on regulations.gov. Comments that contain profanity, vulgarity, threats, or other inappropriate language or content will not be considered.

• The Regulatory Impact Analysis is available at http://www.regulations.gov at docket number BIS-2024-0005.

FOR FURTHER INFORMATION CONTACT: Marc Coldiron, U.S. Department of Commerce, telephone: (202) 482-3678. For media inquiries: Jessica Stallone, Office of Congressional and Public Affairs, Bureau of Industry and Security, U.S. Department of Commerce: OCPA@bis.doc.gov.

SUPPLEMENTARY INFORMATION:

I. Background

In this notice, BIS solicits comment on a proposed rule to prohibit transactions involving Vehicle Connectivity System (VCS) hardware and covered software designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the People's Republic of China, including the Hong Kong Special Administrative Region (PRC), or the Russian Federation (Russia). It follows an advance notice of proposed rulemaking (ANPRM), 89 FR 15066 (Mar. 1, 2024), in which BIS sought public comment to inform a rulemaking that would address the undue or unacceptable risks, as identified in Executive Order (E.O.) 13873, “Securing the Information and Communications Technology and Services Supply Chain,” 84 FR 22689 (May 17, 2019), posed by a class of transactions that involve information and communications technology and services (ICTS) designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary and integral to Connected Vehicles.

In E.O. 13873, the President delegated to the Secretary of Commerce (Secretary), to the extent necessary to implement the order, the authority granted under the International Emergency Economic Powers Act (IEEPA) (50 U.S.C. 1701, et seq.), “to deal with any unusual and extraordinary” foreign threat to the United States' national security, foreign policy, or economy, if the President declares a national emergency with respect to such threat. 50 U.S.C. 1701(a). In E.O. 13873, the President declared a national emergency with respect to the “unusual and extraordinary” foreign threat posed to the ICTS supply chain and has, in accordance with the National Emergencies Act (NEA), extended the declaration of this national emergency in each year since E.O. 13873's publication. See Continuation of the National Emergency With Respect to Securing the Information and Communications Technology and Services Supply Chain, 85 FR 29321 (May 14, 2020); Continuation of the National Emergency With Respect to Securing the Information and Communications Technology and Services Supply Chain, 86 FR 26339 (May 13, 2021); Continuation of the National Emergency With Respect to Securing the Information and Communications Technology and Services Supply Chain, 87 FR 29645 (May 13, 2022); Continuation of the National Emergency With Respect to Securing the Information and Communications Technology and Services Supply Chain, 88 FR 30635 (May 11, 2023); Continuation of the National Emergency With Respect to Securing the Information and Communications Technology and Services Supply Chain, 89 FR 40353 (May 9, 2024). Specifically, the President identified the “unrestricted acquisition or use in the United States of ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries” as “an unusual and extraordinary” foreign threat to the national security, foreign policy, and economy of the United States that “exists both in the case of individual acquisitions or uses of such technology or services, and when acquisitions or uses of such technologies are considered as a class.” See E.O. 13873, and 50 U.S.C. 1701(a)-(b).

Once the President declares a national emergency, IEEPA empowers the President to, among other acts, investigate, regulate, prevent, or prohibit, any “acquisition, holding, withholding, use, transfer, withdrawal, transportation, importation or exportation of, or dealing in, or exercising any right, power, or privilege with respect to, or transactions involving, any property in which any foreign country or a national thereof has any interest by any person, or with respect to any property, subject to the jurisdiction of the United States.” 50 U.S.C. 1702(a)(1)(B).

To address the identified risks to national security from ICTS transactions, the President in E.O. 13873 imposed a prohibition on transactions determined by the Secretary, in consultation with relevant agency heads, to involve foreign adversary ICTS and to pose certain risks to U.S. national security, technology, or critical infrastructure. Specifically, to fall within the scope of the prohibition, the Secretary must determine that a transaction: (1) “involves [ICTS] designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary,” defined in E.O. 13873 as “any foreign government or foreign non-government person engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons;” and (2):

A. “Poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States;”

B. “Poses an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States;” or

C. “Otherwise poses an unacceptable risk to the national security of the United States or the security and safety of United States persons.”

These factors are collectively referred to as “undue or unacceptable risks.” Further, E.O. 13873 grants the Secretary the authority to design or negotiate mitigation measures that would allow an otherwise prohibited transaction to proceed. E.O. 13873 section 1(b). The President also delegated to the Secretary the ability to promulgate regulations that, among other things, establish when transactions involving particular technologies may be categorically prohibited. E.O. 13873 section 2(a)-(b); see also 3 U.S.C. 301-02. Specifically, the Secretary may issue rules establishing criteria, consistent with section 1 of E.O. 13873, by which particular technologies or market participants may be categorically included in or categorically excluded from prohibitions established pursuant to E.O. 13873.

II. Introduction

Today's vehicles contain a myriad of connected components that provide greater convenience for consumers and increase road safety for both drivers and pedestrians, such as Wi-Fi, Bluetooth, cellular, and satellite connectivity. However, the incorporation of progressively more complex hardware and software systems that facilitate these features has also increased the attack surfaces through which malign actors may exploit vulnerabilities to gain access to a vehicle. As BIS outlined in its March 1, 2024, ANPRM, certain ICTS integral to Connected Vehicles could present an undue or unacceptable risk to U.S. national security when those systems are designed, developed, manufactured, or suppl

[Preview showing 10k of 269k characters.]