On March 17, 2025, the new Department of Commerce (DoC) rule banning Chinese and Russian software from US vehicles enters into effect, and the industry is in a whirlwind! Our PMM Noa Mizrachi sat down with Dave Thomas to discuss the Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles rule, covering its timeline, requirements for carmakers and suppliers, fines and violations, and product security best practices to achieve compliance.
Further Reading
Download the rule (Federal Register, PDF)
DoC’s Bureau of Industry and Security (BIS) announcement on the rule (January 2025)
Q1: Dave, let’s start with an easy one. What does this rule mean, in 100 words or less?
It’s a software ban, to mitigate concerns regarding data security and supply chain security, to keep US critical infrastructure (CI) safer. The rule applies to carmakers and their suppliers – be they Tier 1/2 or technology vendors – prohibiting the sale of vehicle connectivity system (VCS) hardware or software that was designed, developed, manufactured, or supplied by people [working for companies] that are subject to the jurisdiction of China (including Hong Kong and Macau) or Russia.
Q2: Why the focus on VCS?
The idea is to strengthen America’s National Security by limiting/gating the potential for remote manipulation of these cyber-physical systems that are prevalent in modern vehicles (connected vehicles). It is important to note that the rule also prohibits the use of such technology within the United States of America – which has massive implications for Chinese carmakers running autonomous test drives (licensed, of course) in multiple cities across the US.
Q3: Does the rule apply to all types of vehicles – passenger, commercial, trucks, motorcycles, mining, etc.?
Actually no, there are exemptions. Trucks, buses, commercial vehicles, RVs (over 10,000 pounds), bicycles, agricultural, construction, and mining vehicles are all excluded from the rule. Motorcycles are included but only if they fit the definition of connected vehicles.
Q4: If you’re the CISO of a US carmaker, what steps would you take to comply with the rule?
Great question! There are five steps I would take ASAP, like first thing tomorrow morning:
1. Conduct a comprehensive audit on my supply chain – two underlying reasons here: A) to identify which of my VCS components originate from these high-risk countries and explore alternative suppliers, and B) to map my supply chain from the core (‘me’) through Tier 3/4 and beyond.
2. Develop SBOMs and HBOMs – detailed Bills of Materials (BOMs) aren’t a new concept, but to comply with the rule, these SBOMs and HBOMs are pivotal to meet the reporting requirements with full visibility, a proper audit trail, and processes.
3. Enhance Compliance Programs – Refresh our internal protocols to align with the new regulation, including recordkeeping practices, with proper documentation to submit our Declaration of Conformity.
4. Communications – Talk with my enterprise customers about the implications, offering support in assessing their security measures.
5. Beef up my Compliance / Legal team – This rule isn’t the last, and between now and 2027 (and 2030) much will happen. Stay on top of further guidance on this rule, or other emerging regulations, and adjust your product security strategies accordingly.
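As an added illustration of steps 1 and 2 (editor's example, not part of the interview and not C2A/EVSec code): a first-pass screen over a combined SBOM/HBOM that sorts VCS components by supplier jurisdiction. It assumes a CycloneDX-style JSON BOM in which each supplier carries a two-letter country code under supplier.address.country and in-scope parts are tagged with a constructed "vcs" property; the BOM contents and vendor names are constructed.

```python
"""Sort VCS components in a CycloneDX-style BOM by supplier jurisdiction.
Assumptions (not from the rule text): supplier.address.country holds an
ISO 3166-1 alpha-2 code, and a 'vcs' property marks in-scope components."""
import json

# Jurisdictions named in the rule: China (incl. Hong Kong and Macau) and Russia.
COVERED_JURISDICTIONS = {"CN", "HK", "MO", "RU"}

# Constructed sample BOM; every vendor name here is fictional.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"type": "firmware", "name": "tcu-baseband-fw", "version": "4.2.1",
         "supplier": {"name": "Example Modem Co", "address": {"country": "CN"}},
         "properties": [{"name": "vcs", "value": "true"}]},
        {"type": "library", "name": "mqtt-client", "version": "1.9.0",
         "supplier": {"name": "Example OSS Foundation", "address": {"country": "US"}},
         "properties": [{"name": "vcs", "value": "true"}]},
        {"type": "device", "name": "telematics-antenna", "version": "B",
         "supplier": {"name": "Example Antenna GmbH", "address": {"country": "DE"}},
         "properties": [{"name": "vcs", "value": "true"}]},
        {"type": "application", "name": "ota-agent", "version": "2.3",
         "supplier": {"name": "Unknown"},  # no country recorded: cannot be cleared
         "properties": [{"name": "vcs", "value": "true"}]},
    ],
})

def is_vcs(component):
    """In scope when tagged as part of the vehicle connectivity system (assumed tag)."""
    return any(p.get("name") == "vcs" and p.get("value") == "true"
               for p in component.get("properties", []))

def screen_bom(bom_json, covered=COVERED_JURISDICTIONS):
    """Return {'prohibited': [...], 'unknown': [...], 'cleared': [...]} for VCS parts.
    A missing supplier country is reported as unknown, never silently cleared,
    so the gap shows up in the supply chain audit."""
    result = {"prohibited": [], "unknown": [], "cleared": []}
    for comp in json.loads(bom_json).get("components", []):
        if not is_vcs(comp):
            continue  # outside VCS scope; not subject to the ban
        label = f"{comp['name']}@{comp.get('version', '?')}"
        country = comp.get("supplier", {}).get("address", {}).get("country")
        if country is None:
            result["unknown"].append(label)
        elif country.upper() in covered:
            result["prohibited"].append(label)
        else:
            result["cleared"].append(label)
    return result
```

The "unknown" bucket is the one to chase first: a BOM entry with no supplier origin cannot support a Declaration of Conformity.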
Q5: What’s the adoption timeline?
The rule was published on January 16, 2025, and it enters into force 60 days later, meaning March 17, 2025. The software restrictions are effective for model year 2027 vehicles, and the hardware restrictions are effective for model year 2030 vehicles. That may seem far off, but in ‘vehicle years’ that is literally around the corner.

Q6: How do you comply with the rule? What do carmakers and companies need to submit?
As I see it, there are two ‘big buckets’ of requirements companies must adhere to with this rule:
- Submission of an annual (or model-year) Declaration of Conformity to the Bureau of Industry and Security (BIS). These declarations MUST include an HBOM, an SBOM, and a list of all external endpoints to which the VCS hardware connects.
- Accurate recordkeeping for 10 years. Each company must maintain a full and accurate record of each transaction for which a declaration of conformity, general or specific authorization is required.
It is important to note that companies with Federal Contracts might be subject to additional requirements.
Q7: How and when to submit that Declaration of Conformity?
A Declaration of Conformity must be submitted on an annual basis, for each model or calendar year. Carmakers must submit the declaration at least 60 days before the first import or the first sale; suppliers and vendors must also submit the declaration at least 60 days before the first import of VCS hardware. On follow-up submissions, there are two options:
- If no material changes were made, companies can submit a confirmation that the previous Declaration of Conformity remains accurate, but no later than 1 year after the previous declaration, associating the new model year of vehicles to the existing declaration.
- If material changes were made, companies must submit a revised declaration, within 60 days following the discovery of the change.
The obligation to report on material changes ceases 10 years after the original declaration.
How C2A Security Helps Companies Meet and Comply with the New Rule
As the only context-driven product security platform for software-defined products, EVSec leverages dynamic risk management, BOM management, AI, and vulnerability management to ensure targeted protection and compliance:
Automate Compliance & Risk Management
Eliminate blind spots in your cybersecurity strategy.
Identify and mitigate vulnerabilities while ensuring no prohibited Chinese or Russian components are integrated into automotive systems. Stay compliant with global regulations without disrupting development.
Prove Compliance with Minimal Effort
Generate audit-ready reports (SBOMs, HBOMs, VEX) aligned with BIS, ISO/SAE 21434, and UN R155 requirements, simplifying Declarations of Conformity.
Optimize Risk Prioritization & Minimize False Positives
Focus on real threats, not noise. EVSec integrates binary analysis, software composition analysis, and contextual TARA with AI-driven prioritization, ensuring accurate detection while minimizing false positives and alert fatigue.
Automate special submissions to exclude ECUs from the directive when compliant with ISO 21434 or proven to have no external connectivity.
Strengthen Governance Across the Software Development Lifecycle (SDLC)
Ensure full visibility into risks from early design to post-production.
Streamline security tracking, reporting, and mitigation across teams.
Built for the Pace of Automotive Innovation
Seamlessly integrate security into your DevSecOps workflow, reducing rework, avoiding penalties, and keeping pace with innovation.
To learn more, schedule a demo today.