Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles

<RULE> DEPARTMENT OF COMMERCE <SUBAGY>Bureau of Industry and Security</SUBAGY> <CFR>15 CFR Part 791</CFR> <DEPDOC>[Docket No. 250107-0005]</DEPDOC> <RIN>RIN 0694-AJ56</RIN> <SUBJECT>Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles</SUBJECT> <HD SOURCE="HED">AGENCY:</HD> Bureau of Industry and Security, Department of Commerce. <HD SOURCE="HED">ACTION:</HD> Final rule. <SUM> <HD SOURCE="HED">SUMMARY:</HD> This final rule, published by the Department of Commerce's (Department) Bureau of Industry and Security (BIS), sets forth regulations and procedures to address undue or unacceptable risks to national security and U.S. persons posed by classes of transactions involving information and communications technology and services (ICTS) that are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of certain foreign adversaries and that are integral to connected vehicles as defined herein. </SUM> <EFFDATE> <HD SOURCE="HED">DATES:</HD> This final rule goes into effect on March 17, 2025. </EFFDATE> <FURINF> <HD SOURCE="HED">FOR FURTHER INFORMATION CONTACT:</HD> Marc Coldiron, U.S. Department of Commerce, telephone: (202) 482-3678. For media inquiries: Office of Congressional and Public Affairs, Bureau of Industry and Security, U.S. Department of Commerce: <E T="03">OCPA@bis.doc.gov.</E> </FURINF> <SUPLINF> <HD SOURCE="HED">SUPPLEMENTARY INFORMATION:</HD> <HD SOURCE="HD1">I. Background</HD> In this final rule, BIS prohibits transactions involving Vehicle Connectivity System (VCS) hardware and covered software designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the People's Republic of China, including the Hong Kong Special Administrative Region and the Macau Special Administrative Region, (PRC); or the Russian Federation (Russia). It follows an advance notice of proposed rulemaking (ANPRM), 89 FR 15066 (March 1, 2024), and a notice of proposed rulemaking (NPRM), 89 FR 79088 (September 26, 2024). In the ANPRM, BIS sought public comment to inform a rulemaking that would address the undue or unacceptable risks, as identified in Executive Order (E.O.) 13873, “Securing the Information and Communications Technology and Services Supply Chain,” 84 FR 22689 (May 17, 2019), posed by a class of transactions that involve ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary and integral to connected vehicles. The NPRM proposed a rule to address the undue or unacceptable risks identified in the ANPRM and solicited public comment. BIS has considered the comments received during both rounds of public comment, and is making revisions, from the proposed rule, that address significant portions of that feedback. In E.O. 13873, the President delegated to the Secretary of Commerce (Secretary), to the extent necessary to implement the Order, the authority granted under the International Emergency Economic Powers Act (IEEPA) (50 U.S.C. 1701, <E T="03">et seq.</E> ), “to deal with any unusual and extraordinary” foreign threat to the United States' national security, foreign policy, or economy, if the President declares a national emergency with respect to such threat. 50 U.S.C. 1701(a). In E.O. 13873, the President declared a national emergency with respect to the “unusual and extraordinary” foreign threat posed to the ICTS supply chain and has, in accordance with the National Emergencies Act (NEA), extended the declaration of this national emergency in each year since E.O. 13873's publication. <E T="03">See Continuation of the National Emergency With Respect to Securing the Information and Communications Technology and Services Supply Chain,</E> 85 FR 29321 (May 14, 2020); <E T="03">Continuation of the National Emergency With Respect to Securing the Information and Communications Technology and Services Supply Chain,</E> 86 FR 26339 (May 13, 2021); <E T="03">Continuation of the National Emergency With Respect to Securing the Information and Communications Technology and Services Supply Chain,</E> 87 FR 29645 (May 13, 2022); <E T="03">Continuation of the National Emergency With Respect to Securing the Information and Communications Technology and Services Supply Chain,</E> 88 FR 30635 (May 11, 2023); <E T="03">Continuation of the National Emergency With Respect to Securing the Information and Communications Technology and Services Supply Chain,</E> 89 FR 40353 (May 9, 2024). Specifically, the President identified the “unrestricted acquisition or use in the United States of ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries” as “an unusual and extraordinary” foreign threat to the national security, foreign policy, and economy of the United States that “exists both in the case of individual acquisitions or uses of such technology or services, and when acquisitions or uses of such technologies are considered as a class.” <E T="03">See</E> E.O. 13873, <E T="03">and</E> 50 U.S.C. 1701(a)-(b). Once the President declares a national emergency, IEEPA empowers the President to, among other acts, investigate, regulate, prevent, or prohibit, any “acquisition, holding, withholding, use, transfer, withdrawal, transportation, importation or exportation of, or dealing in, or exercising any right, power, or privilege with respect to, or transactions involving, any property in which any foreign country or a national thereof has any interest by any person, or with respect to any property, subject to the jurisdiction of the United States.” 50 U.S.C. 1702(a)(1)(B). To address the identified risks to national security from ICTS transactions, the President in E.O. 13873 imposed a prohibition on transactions that the Secretary, in consultation with relevant agency heads, has determined involve foreign adversary ICTS and pose certain risks to U.S. national security, including U.S. technology and critical infrastructure, or the security and safety of U.S. persons. Specifically, to fall within the scope of the prohibition, the Secretary must determine that a transaction: (1) “involves [ICTS] designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary,” defined in E.O. 13873 as “any foreign government or foreign non-government person engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons, which, pursuant to E.O. 13873's implementing regulations at 15 CFR 791.4 are the PRC, Republic of Cuba (Cuba), Islamic Republic of Iran (Iran), Democratic People's Republic of Korea (North Korea), Russia, and Venezuelan politician Nicolás Maduro (Maduro Regime); and (2): A. “Poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States;” B. “Poses an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States;” or C. “Otherwise poses an unacceptable risk to the national security of the United States or the security and safety of United States persons.” Factors A through C are collectively referred to as “undue or unacceptable risks.” In addition, section 1(b) of E.O. 13873 grants the Secretary the authority to design or negotiate mitigation measures to allow an otherwise prohibited transaction. The President also delegated to the Secretary the ability to promulgate regulations that, among other things, establish when transactions involving particular technologies may be categorically prohibited. E.O. 13873 section 2(a)-(b); <E T="03">see also</E> 3 U.S.C. 301-02. Specifically, the Secretary may issue regulations establishing criteria, consistent with section 1 of E.O. 13873, by which particular technologies or market participants may be categorically included in or categorically excluded from prohibitions established pursuant to E.O. 13873. <HD SOURCE="HD1">II. Introduction</HD> Today's vehicles contain a myriad of connected components that provide greater convenience for consumers and increase road safety for both drivers and pedestrians, such as Wi-Fi, Bluetooth, cellular, and satellite connectivity. However, the incorporation of progressively more complex hardware and software systems that facilitate these features has also increased the attack surfaces through which malign actors and foreign adversaries may exploit vulnerabilities to gain access to a vehicle. As BIS outlined in its March 1, 2024, ANPRM and its September 26, 2024, NPRM, certain ICTS integral to connected vehicles present an undue or unacceptable risk to U.S. national security when those systems are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary. In the <E T="03">Securing the Information and Communications Technology and Services Supply Chain</E> interim final rule, 86 FR 4909 (Jan. 19, 2021), the Secretary determined that certain foreign governments or foreign non-government persons—the PRC, Cuba, Iran, North Korea, Russia, and the Maduro Regime—constitute foreign adversaries for purposes of E.O. 13873 and regulations promulgated pursuant to E.O. 13873. <E T="03">See</E> 15 CFR 791.4 (to the extent that the list of foreign adversaries identified in 15 CFR 791.4 is updated to add or remove governments or non-government pers ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Preview showing 10k of 486k characters. Full document text is stored and available for version comparison. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━