Following our last Q&A session covering the basics of the Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles rule (download a complimentary 1-pager executive overview), in this article, we’ll cover the implications of the new DoC rule for OEMs and suppliers. 

C2A Security 1-pager: Unmasking the DoC Supply Chain Security Requirements

The US Department of Commerce (DoC) has enacted Biden’s proposed ban on Chinese and Russian vehicle software as of January 2025 in a continued effort to tighten security in global supply chains.

The new restrictions on prohibited software will take effect for model year 2027 vehicles, while the ban on hardware from China will begin with model year 2030 vehicles. 

This groundbreaking rule directly impacts the future of connected vehicles, starting with private vehicles, connected motorcycles, and RVs up to 10,000 pounds. Having significant implications for carmakers (OEMs), suppliers, and the entire automotive ecosystem, requiring the submission of annual Declarations of Conformity to demonstrate compliance with the prohibitions. 

The rule, which takes effect 60 days after its publication (today, March 17th, 2025), is part of a more significant effort to protect critical national infrastructure and reduce cybersecurity risks within the global automotive supply chain.

Implications of the New ‘Software Ban’ for OEMs and Suppliers

The move is driven by rising concerns over the security risks connected vehicle systems pose. As the number of connected vehicles in the US is projected to exceed 180 million by 2028, representing 70.9% of all licensed drivers, the need for secure software and hardware is paramount. According to the China Passenger Car Association, in 2023, the total number of passenger cars exported from China to the US was 74,800 units, accounting for only 1.4 percent of total exports.

Cybersecurity vulnerabilities in connected vehicle systems could expose drivers and infrastructure to severe risks, including data breaches, remote hacking, and unauthorized access to critical vehicle functions. Therefore, the rule prohibits importing and selling vehicles containing VCS or ADAS software that is subject to the jurisdiction or control of the PRC or Russia, aiming to reduce risks in the connected vehicle supply chain.

The US Department of Commerce’s Bureau of Industry and Security (BIS) clarified that all hardware and software integrated into the Vehicle Connectivity System (VCS) must meet the final rule. The new rule extends EO 13873’s “Securing the Information and Communications Technology and Services Supply Chain” and aims to reduce the risks associated with untrusted software sources in vehicles. National Security Advisor Jake Sullivan emphasized the importance of protecting American infrastructure by preventing foreign-controlled software from entering the connected vehicle ecosystem.

Failure to comply with the final rule may result in civil penalties of up to $368,136 per violation under IEEPA, while criminal violations can carry fines of up to $1,000,000.

These challenges will require OEMs, partners, suppliers, and product security teams to evaluate alternative options. However, certain best practices that all parties can uphold to comply with the new Department of Commerce regulations are also available.

What OEMs and Suppliers Need to Do to Stay Compliant

Compliance with this new rule goes beyond simple documentation – it requires a strategic approach to supply chain security, proactive monitoring, and thorough due diligence. Here are the key steps OEMs and suppliers can take to meet the DoC’s final rule:

  • Audit Your Supply Chain
    • Companies must evaluate their supply chains to ensure that Vehicle Connectivity Systems (VCS) hardware and software are not sourced from entities associated with foreign adversaries, particularly China and Russia. 
    • Conduct supply chain audits with precise mapping from OEM through Tier 1s and others.
  • Perform Due Diligence with SBOMs
    • A Software Bill of Materials (SBOM) is a critical tool for ensuring compliance and understanding the full scope of software components in your vehicle systems. 
    • he SBOM allows OEMs to track every software component used in the Vehicle Connectivity System (VCS), ensuring no unapproved or restricted components enter the supply chain. 
    • Provides visibility into open-source dependencies and third-party libraries, which could be at risk.
  • Implement Comprehensive Supply Chain Management
    • Establish comprehensive supply chain management for each contract, ensuring the identification of software and hardware components based on vendor origin.
    • Ensure all partners maintain clear service level agreements (SLAs) with predefined cybersecurity provisions. These agreements should cover everything from vulnerability disclosures to software patch management and compliance with regulatory standards. 
  • Enhance compliance programs
    • VCS hardware importers and connected vehicle manufacturers must submit annual or model-year Declarations of Conformity to the Bureau of Industry and Security (BIS).
    • These declarations must include an HBOM or SBOM, and a list of external endpoints to which the VCS hardware connects must be readily available.
    • 10 years: Maintain a complete and accurate record of each transaction for which a Declaration of Conformity, general authorization, or specific authorization is.
C2A Security EVSec platform, helps companies comply with the US DoC rule on supply chain security (aka Software Ban)

Exceed the DoC’s Final Rule with C2A Security

The new prohibitions outlined in the DoC’s final rule necessitate a proactive approach to ensuring compliance with the regulations surrounding connected vehicle software and hardware. Starting with Model Year 2027, all connected vehicle manufacturers will be impacted by these software restrictions, making it crucial to act now. With EVSec, you can automate the compliance process and streamline your efforts to meet these new requirements.

  1. Automated Compliance Process: Software Vetting and Compliance Verification
    EVSec helps you conduct thorough software vetting, ensuring that all Vehicle Connectivity System (VCS) and Advanced Driver Assistance Systems (ADAS) software are identified, replaced, and verified for compliance with the DoC’s prohibitions. This includes addressing any software components under the jurisdiction of China or Russia and ensuring that replacements meet the necessary regulatory standards. EVSec provides clear visibility into which vendors are at risk and which are safe, allowing OEMs to track vendor compliance easily.
  2. Security Assessments, Testing, and Validation
    Software modifications will be required to comply with the new rules, and these changes will need rigorous security assessments, testing, and validation. EVSec facilitates this process by providing the tools to manage and document these modifications efficiently, such as on-demand analytics, dashboards and reports. Enhancing data-driven decision-making, minimizing development delays and reducing compliance costs.
  3. SBOM and HBOM Management
    EVSec simplifies the creation and management of Software and Hardware Bills of Materials (SBOMs and HBOMs), specifically tailored to meet the DoC’s final rule. This helps OEMs maintain 10 years of declarations as required by the DoC, ensuring that your product’s compliance is well-documented over time.
  4. Audit-Ready Reporting and Monitoring
    Generate audit-ready reports easily with EVSec, enabling you to track supplier compliance and monitor adherence to the new regulations throughout the entire product lifecycle. Manage internal teams and the supply chain- utilizing centralized real-time sharing and collaboration of systems, joint work at scale, and full visibility into compliance actions and regulatory requirements.

Schedule a demo to learn how C2A Security can help prepare you for the DoC’s new rule.