Understanding U.S. Government Rules on Connected Vehicle Cybersecurity

Modern vehicles are no longer just "cars." They are complex digital products whose safety features, infotainment, telematics and comfort systems are always on and always connected to the cloud. That also makes connected vehicle cybersecurity a prime concern, because these systems can be targeted by attackers. Governments across the world are racing to keep up with the threats, setting new standards and protective measures. The U.S. government has issued a new rule on information and communications technology and services (ICTS) in connected vehicles that is worth a deep dive. 

The U.S. Commerce Department's Bureau of Industry and Security (BIS) has finalized a rule restricting connected vehicle technology that is designed, developed, manufactured or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of designated "foreign adversaries", currently China and Russia. This covers both hardware and software, creating unique challenges across the supply chain. The prohibitions phase in from Model Year 2027 to Model Year 2030 and affect automotive manufacturers, IoT suppliers, fleet operators, and telematics providers alike. Compliance may be time-intensive and costly, but it does not have to be disruptive if businesses act now to map their supply chains and mitigate risks. 

Let's dive deeper into the BIS rule. 


What Are the Major Changes? 

The new rule directly impacts two key elements related to connected vehicle cybersecurity: Vehicle Connectivity Systems (VCS) and Automated Driving Systems (ADS). 

  • By Model Year 2027: The rule prohibits connected vehicle manufacturers from importing or selling connected vehicles that contain covered ADS or VCS software designed, developed, manufactured or supplied by entities linked to designated foreign adversaries. Industry players should analyze the Software Bill of Materials (SBOM) of every VCS and ADS stack to identify affected software components and their suppliers, including transitive dependencies, well before the deadline.  

  • By Model Year 2030 (January 1, 2029 for VCS hardware units that are not associated with a model year): The prohibition extends to VCS hardware, barring non-compliant communication modules, processors and associated chipsets from designated foreign adversaries. This could require hardware redesign, including board layouts, firmware and component integration.   

In addition, connected vehicle manufacturers and VCS hardware importers must submit annual Declarations of Conformity, which in turn require ongoing security assessments and supply chain due diligence to back them up. 

Scope: The rule applies to new connected vehicles with a gross vehicle weight rating of 10,000 pounds or less (approximately 4,500 kilos), so mainly passenger cars and light trucks; heavier vehicles are excluded for now. It does not apply to vehicles already on the road. 


What Systems and Industries Are Affected?

The BIS Final Rule applies to several systems critical to automotive manufacturing, telematics, logistics, and smart infrastructure:   

  • Automated Driving Systems (ADS): Hardware and software that together perform the entire dynamic driving task on a sustained basis, i.e. SAE Level 3 and above, where the vehicle rather than the driver has primary control. The rule's ADS prohibition targets covered software: a single affected software component anywhere in the ADS stack makes the vehicle non-compliant, so supply chain security has to be strict. 

  • Vehicle Connectivity Systems (VCS): Hardware or software that directly enables the transmission, receipt, conversion or processing of radio frequency communications above 450 MHz, including telematics control units and Bluetooth, cellular, satellite and Wi-Fi modules, all of which pose data security risks. The rule defines a connected vehicle as one that contains a VCS or an ADS. Future rulemaking may extend coverage to commercial vehicles over 10,000 lbs. Companies that retrofit or modify vehicles with ADS must comply as well. 

  • Covered Software: Software-based components executed by the primary processing unit of a VCS or ADS, including applications, middleware and system software. Firmware and unmodified open-source software are excluded. Software developed before the rule's 2026 cutoff is exempt unless it is later modified by a foreign-adversary-linked entity. 

  • VCS Hardware and Importers: Covers the hardware that enables connectivity (modems, processors, chipsets and the boards that host them) and the importers of VCS components, who carry their own compliance obligations for supply chain security. 


What Are the Connected Vehicle Security Risks for Providers?

Connected vehicles are exposed to data theft and manipulation through their communication and automation systems, with added risks from the foreign governments identified by the U.S. government. These risks include: 


1. Vulnerabilities in Vehicle Connectivity Systems (VCS)   

  • Data Interception Risks: VCS components (e.g., telematics control units, cellular modems) collect and transmit sensitive vehicle data, including GPS location, speed, voice recordings from in-car assistants, and diagnostics. If compromised, adversaries could intercept, exfiltrate, or manipulate this information. 

  • Software Exploitation: Vulnerabilities can be introduced anywhere in the development lifecycle, through vulnerable open-source dependencies, compromised update channels, or tampering elsewhere in the software supply chain. 

  • Hardware Manipulation: PRC- or Russia-linked suppliers could introduce firmware or hardware backdoors in telematics modules, enabling unauthorized access to vehicle data and functions.  


2. Threats in Automated Driving Systems (ADS)   

  • Decision-Making Vulnerabilities: The complexity of ADS, driven by large-scale data and sophisticated AI, introduces risks such as manipulated data injection, adversarial manipulation of the AI, and susceptibility to unexpected operational failures. 

  • Sensor Manipulation: Attackers can tamper with the cameras, radar and lidar that an ADS uses to 'see' the road, causing it to detect objects that are not there (phantom objects) or miss real ones, and so make dangerous driving decisions. 

  • Network Exploitation: A compromised ADS could manipulate vehicle functions (e.g., braking, acceleration) and even impact other connected vehicles through vehicle-to-vehicle communication. 

  • Infrastructure Risks: ADS integration with broader transportation networks presents risks of systemic disruptions if adversaries manipulate data flows or exploit connectivity vulnerabilities. 


3. Risks Associated with Foreign Adversaries 

China:    

  • Supply Chain Risk: A rapidly expanding, subsidized automotive sector that is deeply embedded in global ICT supply chains, posing direct threats. 

  • Geographic Risk: Accounts for roughly a third of global passenger vehicle production and is expanding manufacturing abroad (e.g., Mexico), which could be used to route around U.S. restrictions. 

  • Technology Transfer Risk: "Military-civil fusion" strategy mandates private-sector tech (including connected vehicle tech) be accessible to the military. 

  • Data Security Risk: Chinese law obliges companies to comply with government data requests, which creates severe vulnerabilities for U.S. data security and national defense. 

  • Cybersecurity Risk: PRC-backed cyber actors can infiltrate US infrastructure and manipulate ICT, raising malware concerns for connected vehicle systems.   

Russia:  

  • State Influence Risk: State-influenced automotive sector (smaller than China's), with close ties to military objectives. 

  • Supply Chain Risk: Expanding influence in global supply chains. 

  • Cybersecurity Risk: Well-documented history of cyber operations against US industries, with state-sponsored cyber groups skilled in attacks that can disrupt critical infrastructure, including transportation. 

  • Exploitation Risk: Increases risk of Russian actors exploiting connected vehicle system vulnerabilities. 

  • Espionage and Data Manipulation Risk: Uses state-owned and military-linked entities for espionage, unauthorized access to US technology, and manipulation of connected vehicle data. 


How Does 1NCE Help Companies Navigate Compliance?

The BIS rule introduces stringent compliance obligations, including the implementation of the annual Declaration of Conformity (DoC). 1NCE is committed to helping businesses manage these regulatory challenges. 

  • Regulation-Compliant Connectivity: Our SIM cards and IoT software provide secure, BIS-compliant components and data transmission. 

  • Transparent Documentation: We provide detailed origin tracking for SIM cards and connectivity modules to help you comply with BIS obligations and requirements. 

  • Audit-Ready Compliance Support: We assist with required declarations, documentation, and chain-of-custody tracking. 

By offering trusted connectivity service in line with the new requirements, 1NCE enables businesses to stay compliant and mitigate regulatory risks while maintaining operational efficiency.


Next Steps: What Should Businesses Do Now?

To proactively address the implications of the BIS rule and ensure compliance, businesses involved with ADS and VCS systems should begin implementing these next steps: 

  • Conduct a Supply Chain Audit: Identify foreign-sourced ICTS components within ADS and VCS systems, down to transitive software dependencies and chipset suppliers. 

  • Develop a Compliance Roadmap: Plan software changes for Model Year 2027 and hardware transitions for Model Year 2030. 

  • Engage with Partners: Work with trusted partners like 1NCE to ensure secure, regulation-compliant components. 

  • Monitor Regulatory Updates: The BIS rule may expand to commercial vehicles – ongoing vigilance is essential. 
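As an added illustration of the SBOM review mentioned under "By Model Year 2027" and of the supply chain audit step above, the following Python script is not from this page or from 1NCE. It walks a constructed CycloneDX 1.6 SBOM (all component and supplier names are made up), derives each component's supplier country from the CycloneDX supplier.address.country field or, failing that, from a hypothetical custom property (vendor:origin-country, an assumption), and triages every component, including nested dependencies. The country set (CN, RU) reflects the two adversaries named on this page; the supplier's country is only a proxy for the rule's ownership, control or jurisdiction test, so FLAGGED and UNKNOWN items are a due-diligence to-do list, not a legal determination.

```python
"""Triage a CycloneDX SBOM for connected-vehicle supply chain review.

Added illustration, not code from the page or from 1NCE. Walks every
component (including nested ones), derives the supplier's country, and
classifies each component. Country is a proxy: the BIS test is ownership,
control or jurisdiction, so FLAGGED and UNKNOWN items need follow-up.
"""
import json
import sys
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Assumption: the two adversaries named on the page, as ISO 3166-1 alpha-2 codes.
COUNTRIES_OF_CONCERN = {"CN", "RU"}
# Assumption: hypothetical custom property an SBOM producer might use when the
# CycloneDX 1.6 supplier.address.country field is not populated.
ORIGIN_PROPERTY = "vendor:origin-country"

FLAGGED, UNKNOWN, CLEAR, FIRMWARE_REVIEW = "FLAGGED", "UNKNOWN", "CLEAR", "FIRMWARE-REVIEW"


@dataclass
class Finding:
    path: str               # "root@ver/child@ver/..." so the owning top-level item is recoverable
    name: str
    version: str
    ctype: str
    country: Optional[str]
    status: str


def supplier_country(comp: dict) -> Optional[str]:
    """Return the supplier's country code, or None if the SBOM does not say."""
    country = comp.get("supplier", {}).get("address", {}).get("country")
    if country:
        return country.upper()
    for prop in comp.get("properties", []):
        if prop.get("name") == ORIGIN_PROPERTY and prop.get("value"):
            return prop["value"].upper()
    return None


def walk(components: List[dict], path: str = "") -> Iterator[Tuple[str, dict]]:
    """Depth-first walk of CycloneDX components, following nested 'components'."""
    for comp in components:
        ident = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        here = f"{path}/{ident}" if path else ident
        yield here, comp
        yield from walk(comp.get("components", []), here)


def classify(comp: dict, country: Optional[str]) -> str:
    # Firmware is outside "covered software" in the page's summary, but the
    # hardware it ships with falls under the VCS hardware rule from MY2030, so
    # route it to a separate hardware review instead of silently clearing it.
    if comp.get("type") == "firmware":
        return FIRMWARE_REVIEW
    if country is None:
        return UNKNOWN
    return FLAGGED if country in COUNTRIES_OF_CONCERN else CLEAR


def triage(sbom: dict) -> List[Finding]:
    findings = []
    for path, comp in walk(sbom.get("components", [])):
        country = supplier_country(comp)
        findings.append(Finding(path, comp.get("name", ""), comp.get("version", ""),
                                comp.get("type", ""), country, classify(comp, country)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


def affected_top_level(findings: List[Finding]) -> Set[str]:
    """Top-level components that are, or contain, a FLAGGED or UNKNOWN item.
    One affected dependency taints the whole stack, so report the root."""
    return {f.path.split("/")[0] for f in findings if f.status in (FLAGGED, UNKNOWN)}


# Constructed sample in CycloneDX 1.6 JSON shape; every name here is made up.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {
            "type": "application", "name": "tcu-app", "version": "4.2.0",
            "supplier": {"name": "Example Telematics GmbH", "address": {"country": "DE"}},
            "components": [
                {"type": "library", "name": "mqtt-client", "version": "1.9.3",
                 "properties": [{"name": ORIGIN_PROPERTY, "value": "cn"}]},
                {"type": "library", "name": "tls-lib", "version": "3.0.12"},
                {"type": "firmware", "name": "modem-fw", "version": "22.11",
                 "supplier": {"name": "Example Modem Co", "address": {"country": "CN"}}},
            ],
        },
        {
            "type": "library", "name": "map-sdk", "version": "7.1",
            "supplier": {"name": "Example Maps Inc", "address": {"country": "US"}},
        },
    ],
}


if __name__ == "__main__":
    # Usage: python sbom_triage.py [path/to/bom.json]; without an argument the sample is used.
    sbom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SBOM
    results = triage(sbom)
    for f in results:
        print(f"{f.status:16} {f.country or '-':3} {f.ctype:12} {f.path}")
    print("summary:", summarize(results))
    print("top-level items needing due diligence:", sorted(affected_top_level(results)))
```

Run against the sample, the script flags the nested mqtt-client (origin CN via the custom property), marks tls-lib as UNKNOWN because the SBOM names no supplier at all, routes the CN-sourced modem firmware to hardware review, and reports the whole tcu-app stack as needing due diligence even though the top-level application itself comes from a German supplier. An SBOM that lacks supplier metadata for most components is the common real-world case, and the UNKNOWN count is the first number to drive down.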

Learn more about the BIS rule: Federal Register :: Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles 

Have more questions? Contact us anytime: Contact Us | 1NCE