
Exploring the Dept. of Commerce’s Proposed Rule for Connected Vehicles

Learn about the Department of Commerce's proposed rule to secure connected vehicles by regulating hardware & software, impacting the auto industry by 2027

Alyssa Shames

October 21, 2024

Update: As of March 17, 2025, the Connected Vehicles Final Rule has taken effect. 

The U.S. Department of Commerce recently proposed a set of cybersecurity rules aimed at safeguarding the connected vehicle supply chain. Designed to reduce national security risks by regulating the software and hardware used in connected vehicles, particularly components originating from China and Russia, the proposed rule would be a game-changer for the automotive industry.

With a potential implementation deadline looming for model year 2027 for software in connected vehicles (2030 for hardware), here’s what you need to know about the Department of Commerce’s new proposed rule for connected vehicles.

What the Proposed Rule Covers

This isn’t the first regulation aimed at securing connected vehicles. Standards like UNECE Regulation No. 155, ISO/SAE 21434, and ISO 24089 already establish guidelines for managing cybersecurity risks in vehicle development and lifecycle management. However, while these regulations focus on areas like cybersecurity governance, risk management, and ensuring secure software updates, the proposed rule is the first that would prohibit vehicles from entering the U.S. market if they contain hardware or software from China or Russia. This means that in addition to following cybersecurity best practices, manufacturers must now ensure that their vehicles do not use components from blacklisted suppliers, or they risk losing access to one of the largest automotive markets in the world.

Key Components

  • Manufacturers cannot knowingly import or sell vehicles with Vehicle Stability Control (VCS) or Automatic Driving Systems (ADS) software or hardware from companies owned, controlled, or influenced by foreign adversary countries, regardless of whether the vehicle is manufactured in the U.S. or abroad
  • Manufacturers must submit annual Declarations of Conformity to the U.S. Department of Commerce, certifying that vehicles are free from prohibited components
  • Manufacturers must produce a detailed software bill of materials (SBOM) for all vehicle software
  • The rule applies to all on-road vehicles but excludes off-road vehicles
  • The rule takes effect for software in 2027 and for hardware in 2030 (or 2029 for units without a model year)

How to Prepare

Though the rule’s full impact may not be felt until 2027, the long development cycles of connected vehicles mean you must integrate security practices now if you want your vehicle to hit the market when the rule comes into effect. We are already seeing requests for proposals (RFPs) from auto manufacturers asking their suppliers to certify their compliance with the CV rule, even though it has yet to be finalized. This means that OEMs and suppliers must begin the compliance process now, while there is still enough time to redesign supply chains, source new suppliers, and embed new security processes into development pipelines. Here are some of the steps we recommend implementing immediately:

  • Audit Your Supply Chains: Identify all hardware and software components in your connected vehicles, and establish which supplier each one comes from
  • Embrace SBOMs: A Software Bill of Materials (SBOM) is crucial for visibility into your software supply chain, so you can identify and track the origin of each software component
  • Build Securely by Design: Integrate robust security measures from the earliest stages of vehicle development
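The first two steps above, auditing component origin and using an SBOM to track it, can be turned into a repeatable check. The following is an added illustration written for this article, not Finite State's platform code and not part of the Commerce rule itself. It assumes an SBOM in CycloneDX JSON layout (the `components` array, with optional nested `components` and a `supplier.name` field), a constructed sample SBOM, and a placeholder supplier denylist; the real restricted-supplier determination comes from the manufacturer's compliance team, not from a hard-coded set.

```python
import json

# Constructed sample SBOM in CycloneDX JSON layout. The component and supplier
# names are invented for this example; "PLACEHOLDER-RESTRICTED-SUPPLIER" stands
# in for whatever a compliance team has determined to be a prohibited source.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "type": "library", "name": "telematics-stack", "version": "4.2.0",
            "supplier": {"name": "Example Telematics Co"},
            "purl": "pkg:generic/telematics-stack@4.2.0",
            # Nested sub-component with no supplier recorded at all.
            "components": [
                {"type": "library", "name": "zlib", "version": "1.3.1",
                 "purl": "pkg:generic/zlib@1.3.1"},
            ],
        },
        {
            "type": "firmware", "name": "cellular-modem-fw", "version": "1.9.3",
            "supplier": {"name": "PLACEHOLDER-RESTRICTED-SUPPLIER"},
            "purl": "pkg:generic/cellular-modem-fw@1.9.3",
        },
    ],
})

# Constructed denylist (normalized to lower case). Assumption: the team
# maintaining this set owns the ownership/control research behind it.
RESTRICTED_SUPPLIERS = {"placeholder-restricted-supplier"}


def normalize(name):
    """Collapse case and whitespace so supplier names compare reliably."""
    return " ".join(name.lower().split())


def iter_components(components):
    """Walk a CycloneDX component tree, including nested sub-components."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def screen_sbom(sbom_json, restricted):
    """Return (flagged, unknown_origin) lists of 'name@version' identifiers.

    flagged        : supplier matches the restricted set.
    unknown_origin : no supplier recorded, so origin cannot be certified until
                     the gap is closed with the upstream vendor.
    """
    sbom = json.loads(sbom_json)
    flagged, unknown = [], []
    for comp in iter_components(sbom.get("components", [])):
        ident = f"{comp.get('name')}@{comp.get('version', '?')}"
        supplier = (comp.get("supplier") or {}).get("name")
        if not supplier:
            unknown.append(ident)
        elif normalize(supplier) in restricted:
            flagged.append(ident)
    return flagged, unknown


def conformity_ready(sbom_json, restricted):
    """A Declaration of Conformity can only be supported when nothing is
    flagged and every component has a known origin."""
    flagged, unknown = screen_sbom(sbom_json, restricted)
    return not flagged and not unknown


if __name__ == "__main__":
    flagged, unknown = screen_sbom(SAMPLE_SBOM, RESTRICTED_SUPPLIERS)
    print("flagged components:", flagged)
    print("components with unknown origin:", unknown)
    print("ready to declare conformity:",
          conformity_ready(SAMPLE_SBOM, RESTRICTED_SUPPLIERS))
```

The point of treating a missing supplier as a blocker rather than a pass is that an annual Declaration of Conformity certifies the absence of prohibited components; a component whose origin is simply unrecorded cannot support that certification, so the audit has to surface it as work to finish, not silently let it through.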

Compliance with Finite State

Because the rule has not yet been finalized, we don’t know the precise prohibitions and requirements it will impose, but we do not expect it to change significantly from its current, proposed form.

Regardless, the Finite State platform is designed to address complex compliance needs, even where the requirements have yet to be finalized. We offer robust capabilities that are readily adaptable to specific technical requirements:

  • Comprehensive SBOM management: generate, ingest, unify, enrich, and monitor
  • Vulnerability correlation: detect known and unknown vulnerabilities in first- and third-party code
  • Multi-standard compliance: automated reporting and continuous monitoring to track software changes and vulnerabilities in real time
  • Remediation workflows: tailored and prioritized recommendations on how to address vulnerabilities

Our platform streamlines supplier management, quickly identifies vulnerabilities, and automates SBOM processes, saving you valuable time and resources. As the regulatory landscape continues to evolve, partner with Finite State to help you navigate the future of automotive security with confidence.

Tags

#regulation
Alyssa Shames

Alyssa is a Senior Product Marketing Manager at Finite State, where she focuses on go-to-market strategy, messaging, and content for the company’s platform and services.
