In the first blog of this series, we explored the broad impact of the Connected Vehicle Rule (CVR), a sweeping regulatory regime from the U.S. Department of Commerce designed to address national security concerns in the connected automotive space. Now, we turn our attention to the operational heart of the rule: due diligence.

The CVR doesn’t just prohibit specific hardware or software linked to foreign adversaries. It requires automakers and suppliers to demonstrate that they’ve taken reasonable, proactive steps to evaluate their supply chains and verify the integrity of connected vehicle components. In other words, compliance isn’t about avoiding risk; it’s about documenting how you’re managing it.

But in an industry defined by complexity—global suppliers, inherited codebases, black-box firmware—what does “reasonable and documented due diligence” actually look like?


From Ambiguity to Action: Interpreting “Due Diligence” in Context

The CVR uses language that’s deliberately broad, asking organizations to conduct and maintain evidence of due diligence that is “reasonable under the circumstances.” This flexible standard acknowledges the technical and logistical challenges of supply chain transparency, especially in large automotive ecosystems. But it also sets the expectation that organizations make a good-faith effort to uncover the origin, ownership, and risk profile of every connected component they use.

For most companies, that means going beyond supplier trust or surface-level assessments. It involves investigating who wrote the code embedded in ECUs, who owns the companies providing telematics firmware, and whether any components, directly or indirectly, create exposure to entities in China or Russia. And it means being able to show how you reached your conclusions.

This isn’t just regulatory theater. It’s operational assurance: evidence that you’ve built a traceable process to detect, assess, and address the kinds of threats the CVR is designed to eliminate.


Why Visibility Is the Bedrock of Due Diligence

Modern connected vehicles are software-defined machines, often containing hundreds of millions of lines of code and thousands of embedded components. It’s virtually impossible to assess risk without a reliable inventory of what’s inside.

This is where Software Bills of Materials (SBOMs) and Hardware Bills of Materials (HBOMs) come into play.

An SBOM provides a detailed list of software components within a given system, everything from first-party code to third-party libraries and transitive dependencies. When done correctly, SBOMs offer insight into not just what software is running, but where it came from, who maintains it, and whether it introduces known vulnerabilities or licensing issues. Critically, for CVR compliance, SBOMs help reveal whether any software may originate from restricted foreign entities, even if it’s deeply embedded within another package.

Similarly, an HBOM surfaces the suppliers and origins of physical components—such as communications modules, ECUs, and chipsets—many of which also contain firmware. This is where country of origin, manufacturing location, and vendor ownership structures become essential elements of compliance.

In both cases, the ability to generate, manage, and correlate BOMs across products and suppliers is what turns static lists into actionable intelligence.
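The point about deeply embedded components is easiest to see with a small walk over an SBOM's dependency graph. The following is an added example, not Finite State's platform code: it parses a constructed CycloneDX-shaped SBOM for a telematics control unit, walks every transitive dependency once, and classifies each component by the supplier jurisdiction recorded on it. The `origin:country` property name and the supplier names are assumptions made for the example (CycloneDX has a generic `properties` list, but no standard key for country of origin), and the jurisdiction watchlist simply encodes the two countries the post names. Each finding carries the full dependency path that led to it, which is the kind of "how we reached this conclusion" record a defensible due diligence file needs.

```python
"""Walk a CycloneDX-style SBOM and produce traceable due-diligence findings.

Added example (not Finite State's code). The SBOM, the supplier
metadata and the jurisdiction watchlist below are all constructed
for illustration; the 'origin:country' property name is an assumption,
not a CycloneDX standard field.
"""
import json
from collections import deque

# Constructed CycloneDX 1.5-shaped SBOM (only the fields this walk uses).
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "tcu-fw", "name": "telematics-control-unit-firmware"}},
  "components": [
    {"bom-ref": "tcu-fw", "name": "telematics-control-unit-firmware",
     "supplier": {"name": "Example Motors (constructed)"},
     "properties": [{"name": "origin:country", "value": "US"}]},
    {"bom-ref": "lte-stack", "name": "lte-modem-stack", "version": "4.2.0",
     "supplier": {"name": "Constructed Radio Supplier A"},
     "properties": [{"name": "origin:country", "value": "DE"}]},
    {"bom-ref": "codec-lib", "name": "audio-codec", "version": "1.9.3",
     "supplier": {"name": "Constructed Codec Vendor B"},
     "properties": [{"name": "origin:country", "value": "CN"}]},
    {"bom-ref": "tls-lib", "name": "tls-library", "version": "3.0.1",
     "supplier": {"name": "Constructed TLS Project"},
     "properties": [{"name": "origin:country", "value": "US"}]},
    {"bom-ref": "ota-agent", "name": "ota-update-agent", "version": "2.1.0"}
  ],
  "dependencies": [
    {"ref": "tcu-fw", "dependsOn": ["lte-stack", "ota-agent"]},
    {"ref": "lte-stack", "dependsOn": ["codec-lib", "tls-lib"]},
    {"ref": "ota-agent", "dependsOn": ["tls-lib"]},
    {"ref": "codec-lib", "dependsOn": []},
    {"ref": "tls-lib", "dependsOn": []}
  ]
}
'''

# Constructed watchlist: the jurisdictions the post names as in scope for the CVR.
RESTRICTED_JURISDICTIONS = {"CN", "RU"}


def load_sbom(text):
    """Parse the SBOM JSON and index components and the dependency graph by bom-ref."""
    bom = json.loads(text)
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    root = bom["metadata"]["component"]["bom-ref"]
    return root, components, graph


def origin_country(component):
    """Return the supplier country recorded on a component, or None if not declared."""
    for prop in component.get("properties", []):
        if prop.get("name") == "origin:country":   # assumed property name
            return prop.get("value")
    return None


def assess(text, restricted=RESTRICTED_JURISDICTIONS):
    """Breadth-first walk from the product root over all transitive dependencies.

    Every component is classified exactly once, and every finding records the
    dependency path that reached it, so the output doubles as evidence of how
    each conclusion was reached.
    """
    root, components, graph = load_sbom(text)
    findings = []
    seen = {root}
    queue = deque([(root, [root])])
    while queue:
        ref, path = queue.popleft()
        comp = components.get(ref, {"name": ref})
        country = origin_country(comp)
        supplier = comp.get("supplier", {}).get("name")
        if country is None or supplier is None:
            status = "UNKNOWN_ORIGIN"          # missing data is a finding, not a pass
        elif country in restricted:
            status = "RESTRICTED_JURISDICTION"
        else:
            status = "CLEAR"
        findings.append({
            "ref": ref, "name": comp.get("name"), "supplier": supplier,
            "country": country, "status": status,
            "path": " -> ".join(path), "depth": len(path) - 1,
        })
        for dep in graph.get(ref, []):
            if dep not in seen:               # first path found is the one recorded
                seen.add(dep)
                queue.append((dep, path + [dep]))
    return findings


def flagged(findings):
    """Components needing follow-up (restricted or undeclared origin), deepest first."""
    return sorted((f for f in findings if f["status"] != "CLEAR"),
                  key=lambda f: -f["depth"])


if __name__ == "__main__":
    for f in flagged(assess(SBOM_JSON)):
        print(f"{f['status']:<23} {f['name']:<28} via {f['path']}")
```

Two design choices matter for due diligence rather than for code tidiness. First, a component with no supplier or no declared origin is reported as `UNKNOWN_ORIGIN` instead of silently passing, because an inventory gap is itself something a regulator will ask about. Second, the restricted codec is only reachable through a clear European supplier's modem stack, which is exactly the "deeply embedded within another package" case the text describes; the recorded path shows that relationship instead of leaving it to be rediscovered later.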


Ownership and Control: The Hardest Questions to Answer

One of the most difficult aspects of CVR due diligence is navigating the ownership clause. The rule doesn’t simply ban products with foreign firmware; it targets technology that is developed, maintained, or even indirectly influenced by entities “owned or controlled by” foreign adversaries.

This means organizations must dig deeper than just asking, “Where was this code written?” Instead, they must explore the corporate structures of their suppliers, the licensing relationships behind the code, and the geopolitical jurisdictions in which development takes place.

In practice, this can be exceptionally challenging, particularly for suppliers unwilling to disclose IP origins or for components sourced from global vendors with operations in multiple countries. Yet it’s precisely these gray areas that elevate regulatory risk. If you're unable to demonstrate how you evaluated these relationships, regulators may assume you didn’t try.


Building a Defensible Due Diligence Record

To demonstrate reasonable diligence under the CVR, companies will need more than a one-time supplier survey. Regulators will likely expect a repeatable, documented process, one that includes an inventory of systems assessed, the results of software and hardware analysis, and records of decision-making when potential risks are uncovered.

That documentation might include logs of outreach to suppliers, findings from source code or binary analysis, internal escalation memos regarding flagged technologies, and plans to substitute or phase out non-compliant components. Ideally, all of this is centrally managed within a platform that supports ongoing updates and auditability.

The ultimate goal isn’t perfection; it’s traceability. Being able to show how and why decisions were made is often as important as the decisions themselves.


Where Most Organizations Are Falling Short

In our work supporting CVR readiness across the automotive supply chain, we’ve observed common gaps that threaten compliance. Many companies, for instance, have partial SBOMs that cover only first-party code, ignoring the embedded third-party firmware bundled into supplier-delivered components. Others rely on spreadsheets or emails to manage supplier assessments, with no centralized view of component origin or licensing lineage. Some assume their Tier 1 suppliers have this information, only to discover that visibility disappears further down the chain.

The good news is that these gaps are addressable. But you need to start now. 


What CVR-Aligned Due Diligence Looks Like in Practice

At Finite State, we’ve built our platform specifically to handle the complexity of supply chains like these. Our tools automatically generate SBOMs and HBOMs from both source code and binary firmware, surface vulnerabilities and licensing issues, and enrich component metadata with insights about vendor ownership and supply chain exposure. This helps our customers go beyond detection and actually build evidence of compliance, not just for CVR, but for EU CRA, CE RED, and the broader regulatory landscape converging around product cybersecurity.

More importantly, our customers gain the ability to act on that evidence by identifying the riskiest components, mapping exposure across their portfolio, and collaborating across teams to eliminate the blind spots that regulators will target.


Compliance Is a Process, Not a Milestone

Due diligence isn’t a report you generate once and file away. It’s an evolving program that adapts as your software changes, your suppliers shift, and the threat landscape grows more complex. The organizations that will thrive under CVR are those that build due diligence into their day-to-day engineering and procurement practices, not those who treat it as a one-time box to check before March 2026.

The CVR is asking hard questions of the automotive industry. The companies that can answer them—clearly, confidently, and with documentation in hand—will be the ones best positioned to continue operating in one of the most important and competitive markets in the world.


Ready to Strengthen Your Due Diligence Program?

Connect with our experts to explore how Finite State helps OEMs and suppliers turn due diligence into a repeatable, auditable compliance strategy.


Still catching up on the Connected Vehicle Rule? 

Watch our expert-led session breaking down the CVR’s requirements, risk implications, and what OEMs and suppliers need to do next.
