Policy to Action: The Connected Vehicle Rule Webinar
Transcript
Hello, and welcome, everyone.
I am Nicole Garrigan. I'm the marketing director at Finite State.
And on behalf of the Finite State team, I just wanna thank you for being here and participating in our webinar on the connected vehicle rule.
It's my pleasure to introduce our moderator for today's session, Eric Greenwald.
Eric is the general counsel and head of policy at Finite State.
Before joining the private sector, Eric had an extensive career in government focused on national security and cybersecurity.
He served as special assistant to the president and senior director for cybersecurity on the National Security Council, held leadership roles in cybersecurity at the FBI and US Cyber Command, and was chief counsel for the House Intelligence Committee. So with that, please join me in welcoming Eric, who will kick off today's discussion.
Thank you very much, Nicole. And my role here, I just have two functions. One is to introduce our panelists. The other is to ask them questions. So let me go ahead and get started with the first one, and I'll begin with Hilary Cain. Hilary is the senior vice president of policy at the Alliance for Automotive Innovation, where she oversees the association's full policy portfolio.
Previous to her work at AAI, she led innovation and technology and policy at Toyota and also served in senior policy roles on Capitol Hill. Christian Davis. Christian is a partner at the law firm Akin Gump, where he leads the CFIUS practice, specializing in foreign investment reviews and helping companies navigate national security regulations for mergers and acquisitions.
He regularly advises Fortune five hundred companies and global clients on trade compliance and supply chain challenges, focusing on complex regulatory environments that involve elements of trade, technology, and national security. So both of these guys are natural fits for today's discussion, as is Matt Wyckhouse. Matt is the founder and CEO of Finite State, a company that drives innovation in software supply chain security for connected devices worldwide.
Matt previously founded and served as CTO for Battelle's cyber innovations business unit, where he oversaw dozens of intelligence and national security programs related to IoT and embedded system security. And he is also my boss, so I am going to reserve my hardest questions for Matt.
What I would like to do is get us started, because I think we're all here to learn more about the connected vehicle rule. I think most of our audience members probably know at least some of the basics, but I think it's worth level setting and covering some of the fundamentals that we have in the rule. So what I'd like to do is start with Christian, and ask Christian if you could just give us a very high level explanation of what the connected vehicle rule is and what it does.
Sure. Thanks, everybody.
So the connected vehicle rule is an ICTS rule, under the ICTS authority of the Department of Commerce, which is the Information and Communications Technology and Services authority, which stems from a law called IEEPA, the International Emergency Economic Powers Act, which is essentially the authority that most sanctions regimes come from. And it's really a first-in-kind regulatory regime that is focused on risk in a specific category of the ICTS sector, and in this case, the connected vehicle sector.
And just to start, connected vehicles sounds like it's some special kind of car that, you know, is different, or, you know, is it just EVs?
The Commerce Department made clear: this is every car that's been made for the last, I don't know, a decade, really, is what they're talking about, because all cars have some sort of connectivity.
And we'll talk about, you know, where the national security concerns are coming from, but really what they're focused on, the rules are targeted at China and Russia, and particularly specific types of hardware and software in connected vehicles, which are the vehicle connectivity system hardware, as well as software associated with the VCS, as well as software associated with autonomous driving, particularly above level three.
What the rule does is that it prohibits the import of VCS hardware that is designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of China or Russia. Those are long terms. I'll shorten them going forward, but that's kind of the framework that we're operating in. So the first one is you can't import the VCS hardware.
The next one is that connected vehicle manufacturers cannot import completed vehicles that incorporate covered software.
The third one is that connected vehicle manufacturers cannot knowingly sell vehicles that incorporate covered software that is tied to China and Russia. And then the last prohibition, the fourth one, is basically saying that if you are a connected vehicle manufacturer and you fit within this category of being tied to China and Russia, you are not allowed to sell your cars in the United States, and you're not allowed to offer your cars for commercial services in the US.
This is a major disruption to the supply chain.
So there's a delayed effective date.
You know, these rules, the final rule was issued in January.
The hardware rules don't go into effect until twenty-nine or thirty, kinda depending on the specific hardware.
And then the software rules and the OEM rules on Chinese and Russian OEMs don't go into effect until model year twenty-seven.
There are general and specific authorizations that can allow you to proceed even if you fit within these rules.
We'll talk specifically about the specific authorizations further on.
But one final point just to wrap up on this is, like, the way that this is going to be enforced is through this idea of a declaration of conformity that an importer or a connected vehicle manufacturer will need to submit on an annual basis to basically say that they've done the diligence to make sure that they're not violating these rules with respect to the cars that they're selling or the hardware they're importing into the United States.
So I'll pause there. There's a lot more to unpack, but that's a quick high level.
Thanks, Christian. And, yeah, we're gonna start using that shorthand quickly because, yeah, as you know, there's a mouthful there on a bunch of different concepts within the rule. And I'll start that by turning to Matt and saying that the rule is designed to exclude components that are designed or developed by Chinese entities, and we'll continue to unpack that. But how easy is that to do, to exclude components that fit those definitions that we'll discuss more?
Yeah. I think, you know, Christian framed this really well. And the important part here is if you are in the supply chain or, ultimately, if you are a connected vehicle manufacturer or a VCS hardware importer, you are required to do a significant amount of diligence in order to be compliant here. And let's start with this. In order to know that you don't have components that are covered, that are, you know, owned by or controlled by, you know, designed, developed, supplied by Chinese or Russian entities, you need to know what components you have as a starting point.
That sounds like an easy thing to do, but software is extremely complex. The supply chains are many, many layers deep, and it is very common to have software libraries that come in through those layers that you might not know exactly where that came from or what component it is. That's where a lot of work has been going on in the security space for the last decade to try to get a much better and more automated understanding of what those bills of material look like, what your inventory of components looks like. The same thing is true on hardware, where you may buy a connectivity unit from a supplier that might be in Europe, and they might source components.
They certainly source components globally that go into that, particular connectivity unit. And some of those components could come from China. And so now you are not just responsible for your relationship directly with that supplier as an OEM. You're responsible for the entirety of that supply chain leading up to you, and you have to file that declaration of conformity.
So there are several things that you have to do in order to be compliant here. One is, with the software part of this, which is the earliest part that's being enforced, you need to have an entire software bill of materials, an entire software component inventory, which likely requires some amount of automation and analysis with some oversight by people on your team who are looking at this.
Then, for every software component, you need to understand whether that software component is covered or not. And there are some very important exclusions here that allow you to reduce some of this workload. For example, if the component is open source, and it's freely available on something like GitHub to anyone in public, that is excluded from the rule, because it's open source. If it meets a narrow definition of what is described as firmware in the rule, it's also excluded.
But for everything else, all of the other software, you need to understand not only the component, but who designed it, who developed it, who supplied it. And that is not something that is just obvious from a simple lookup. You have to do diligence with your suppliers on that, and you have to ask them questions.
That gets into the next part of this, which is, in addition to software, you have to do the same thing for hardware. You have to have a hardware bill of materials. You have to have every component listed and available. You need to understand where it came from and who designed it and developed it. And then you take all of that together, and you have your list of suppliers who are involved in your supply chain. And for each one of those suppliers, you need to do diligence on the supplier to understand if they meet those definitions that Christian was talking about earlier with respect to Chinese or Russian control or influence.
And you need to understand where the development happened and where the design happened for each one of those components. For example, you could have a US supplier that has a Chinese development team that implemented something, and you need to be able to understand, whether that was taking place. So there's actually a lot of depth that's involved here.
I will pause there and say there's a lot of work to do. And if you haven't started this already, you might be a little bit behind. But there are ways to help you, through some automation.
Thanks, Matt. And what I wanna do is just round out our high level summary of the rule by turning to Hilary and referencing what Christian said about the deadlines, which have, you know, some time before they come into effect.
And I wanted to get your sense of how disruptive this rule is going to be to the automotive industry.
Yeah. So, I mean, I'll start by saying that, you know, my association, my organization, we've described this rule as one of the most consequential auto regulations in decades, and sort of why have we done that? I think there are sort of three primary reasons. One, something that Matt sort of hinted at, but, I mean, this is new.
This is different. This is requiring companies to build out massive new compliance structures and mechanisms and processes. You know, these companies have these structures in place for safety regulation and for emissions regulation, but they don't have them for this type of thing. So, this is a new animal.
It's requiring folks to exercise muscles that they've never had to exercise before. So that's hard in and of itself.
Second, you know, also Matt hinted at this, this is requiring auto manufacturers to have a level of visibility into their supply chains that they just haven't traditionally had. You know, as Matt hinted, I mean, it's tier one and tier two and tier three and tier four and tier five and onwards. And, you know, while auto manufacturers may have had some visibility into sort of tier one and tier two, the tiers below that is not something that they traditionally had a lot of exposure to. But as Matt said, this requires automakers to get all the way down into the very, you know, bottoms of their supply chains, and that's gonna, you know, shake things up.
And then finally, you know, this is going to require companies to make changes to their supply chains. Period. I mean, there's not a ton of Chinese content in these systems now, but there is some.
And the rule is not very forgiving; you know, there's no de minimis threshold. It's black or white. It's none. Period.
Right? So, it's gonna require, you know, those companies with even a little bit of Chinese content, or involvement, to make changes. And the last point I'll make on this is, you know, I'm sure folks on the call know, but automotive supply chains are complex. And, you know, there's interconnectedness within vehicle systems or between vehicle systems, and you make one small change one place, then there's sort of a cascading effect throughout, in some cases, you know, the whole vehicle and its entire system.
And, you know, so changes to automotive supply chains are often, I sort of equate them to, you know, like steering a large ocean liner, you know, in the middle of the ocean. It's really hard to do very quickly.
This rule does have, as Christian noted, a little bit of time built in, but not very much. These are very aggressive timelines to make the sort of changes within automotive supply chains that folks may have to make.
Thanks.
So with that, I'd like to just start in with some specific questions.
And, you know, as we've already alluded to, there are questions about scope here, and how you take the rule and determine what it actually applies to, whether we're talking about the equipment or we're talking about the entities that designed or developed it. And so while this is sort of for all panelists to chime in and answer, I wanna start with Christian and get you to circle back on some of the concepts that you were describing at the outset and talk about, you know, how do you determine whether an entity is, you know, subject to the jurisdiction and control of China or Russia?
Yeah. So on that one, that is a great question and one that is particularly challenging. The way that this test is set out, there are a number of other national security regulatory regimes that look at similar types of issues.
The test for this regime is broader than pretty much any other one, and that's true across the ICTS regulatory regime. It is very broad because it covers ownership, control, jurisdiction, and then also direction of China or Russia.
And in the guidance, they say that direction means continuous and ongoing relationships between the regulated entity and China and Russia. What that means is very nebulous, and they do have a number of examples in the regulations.
And almost every single one of them explains scenarios where a relationship is caught. And it doesn't explain where relationships aren't caught, which makes it very challenging to say, like, where is the actual line?
So we're spending a lot of time with clients trying to figure out, you know, what is the line that is a sufficient nexus to, you know, China and Russia. It seems like it's a lower threshold than you would expect, in many cases, and probably not what you would think would be potentially, given some of the guidance that they're providing. And so that comes up in contexts like minority investments by Chinese or Russian entities, board membership.
If companies are undergoing transition plans to come into compliance with these rules, you know, what is sufficient?
We're seeing, you know, a lot of ambiguity there, and that's something that, you know, given this is a new regime, is really evolving in terms of where those lines are.
So thanks. And, you know, I think we're gonna talk a little bit further along in the webinar about ambiguity and how to deal with the ambiguity of the rule. But there are two different primary categories of scope, and the first, you know, is what are the entities that are subject to the rule's prohibitions, but the other is the equipment. And I wanna turn to Matt, and just, you know, we have a question already from a participant asking about the autonomous driving systems and the extent to which that covers just about anything that could be included, you know, touch the autonomous system. But I wanted to get a sense from you of, like, when we're talking about scope, whether it's the VCS hardware, VCS software, ADS software, like, how are you approaching the question of what's in scope, what's out of scope?
Yeah. So the way that the rule defines it is the hardware or software has to directly enable those two functions, either VCS or ADS. And I realize that there could be ambiguity there, but there are examples that are provided throughout the rule.
So, you know, for example, there are areas that are not ambiguous. If you are sourcing passive electronic components, not a problem. They're excluded, so you don't have to go down and worry about every single resistor and capacitor that's on your board. There are certain, you know, certain types of components that are very hard to get from anywhere but China, and that's an example.
For hardware, let's start with this. There are two different categories within this rule. There's vehicle connectivity systems and autonomous driving systems, as Christian said. The hardware prohibitions only impact the VCS part of that.
So, on the hardware side, we're just talking about vehicle connectivity systems that are transmitting above four hundred and fifty megahertz. So anything below that is excluded. Anything above that is included. And it has to be a part of the system that is directly enabling that.
So if you have an ECU that is sending some data on a bus to a VCS that's then transmitting it, that ECU is not by default included in this rule. It is about covering the pieces of the system that are directly enabling that communication. So think about your cellular radios, modems, head units if they're embedded in there.
That's where we're talking about, in general, the telematics systems for the vehicles.
The ADS is software-focused only. And it is only for systems that are at level three or higher autonomy, and it is just about the software that is, again, directly enabling that function. So, I think that the question was, you know, since brakes and windshield wipers are required in order for an ADS to function, is that part of the scope? And I think the answer is pretty clearly, no. It is not. It is just the pieces of the vehicle that are directly enabling those functions.
Thanks. And I'm gonna pivot to the legacy software exclusion in a second, but there is a question about the firmware exclusion, which I'm just gonna quickly comment on, and I'll let any of the panelists add to that when I ask the question about the legacy exclusion. But the question is: considering firmware is essential to safety, why is this excluded? I think the short answer is we don't really know.
In the draft version of the rule, the firmware exclusion was actually quite broad, and we were pretty surprised when we were looking at it, speaking for Finite State.
And then when the final rule came out, it got defined much, much more narrowly. And so I think, while there's still some mystery as to the reason for excluding firmware, what I will say is it doesn't have a dramatic impact on the scope of the rule, because it's been defined much more narrowly than it was in the draft rule.
Matt, do you wanna comment on that quickly before we proceed?
Eric is spot on here. When the draft came out, the firmware definition, which is an exclusion, explicitly carves out firmware as not being covered.
That definition at the outset of the draft was broad enough that you could cover things like even potentially drivers that are inside of a Linux kernel, even possibly an entire Linux operating system if it was just designed for that particular hardware. It was a pretty broad definition.
The definition text itself has not changed from the draft. They define firmware as software that is specifically programmed for a hardware device with a primary purpose of directly controlling, configuring, and communicating with that hardware device. But what they did was they added examples around it to explain what is not firmware. And they did include things like system software, operating systems, for example. They included things like drivers that are not specifically firmware. So, really, where our view of this is right now is that we're talking about primarily, like, the bootloaders and very, very tiny embedded firmware that might be resident in that device itself. That has excluded everything else that is really doing any functionality with respect to, like, communications, protocols, higher level operating systems, applications that are facilitating communications; those are all in scope.
Thank you. So I do wanna turn quickly to the legacy software exclusion. In particular, it also represents or reflects a change from the draft rule to the final rule. The draft rule did not include this exclusion, but I think, in a nod to the short timelines and the potential disruption to supply chains, Commerce added an exclusion for legacy software. And let me just turn quickly to Christian to explain what that is and how it works.
Sure. And so this only applies to software. It does not apply to hardware. But I think really, you know, the challenge is basically that trying to divine the origins of software is particularly challenging for all the reasons that Matt started off with. And because of that, and because of the short timeline, this legacy software carve out was included, which basically says that you could have covered software that is linked to China. And so long as prior to March seventeenth of twenty twenty-six, that software is no longer maintained, augmented, or otherwise altered by a China or Russia related entity, then it fits within this carve out, and it could then be used in the US supply chain and not trigger one of the prohibitions and not fall within the definition of covered software.
That's creating, you know, there's a lot of interest in that and a lot of, you know, questions about what needs to be done ahead of time, you know, to either, you know, restructure the supply chain, you know, within an organization, say that all the software was in the organization. You can figure out how to, you know, set up your supply chain and your software maintenance and work on that within a company. But, also, if you're dealing with a third party, for instance, like a China or Russia related entity, is there a way to, you know, transfer that software over ahead of time? And what is permissible in terms of a contractual relationship with that party to transfer that over? Is it a royalty structure, and what kind of royalty structure would be permissible?
Because there's some other guidance in the regulations that calls into question, you know, ongoing royalty arrangements, which isn't how the rule reads. So there, again, a lot of ambiguity on that point, and I think a lot of people are thinking about this right now about, you know, what transfers need to occur and how do we prepare for the legacy carve out.
Okay, thanks. And in a minute, I wanna bring Hilary back in to start talking about some of the ambiguity both, you know, on a macro and a micro level. But before we do that, Matt, still speaking about the legacy carve out, like, from a software development and product development perspective, like, what does this mean? Like, what do you have to do in order to be able to comply with the legacy software carve out?
Yeah.
I think what we're seeing with a lot of our customers in the market in general is a model that is starting to look like: you may have Chinese content that, you know, today is being actively developed and maintained by a company that would be considered covered and prohibited.
There is a transfer that needs to take place between now and March seventeenth of twenty twenty-six, where the software for the product that is going into the vehicle needs to be maintained by a noncovered entity after March seventeenth twenty twenty-six. So, to be clear, after March seventeenth twenty twenty-six, if you have one Chinese developer who is in a covered company change one line of code in a covered product, which is your VCS or ADS, it is now prohibited.
So the transfer is you need to have a noncovered team who is working on that code and doing the maintenance if you're going to continue using that covered product during this transition period. Because you have longer on the hardware side of things, you may have a VCS hardware system that has Chinese firmware today that is allowed because of the legacy carve out, and you can continue using that hardware until twenty twenty-nine, because of the timeline for hardware.
And the challenge is getting the software maintenance and operations moved into an allowable, you know, position, which is making sure that it's being done by non-Chinese companies or persons under the definition of the rule, which is complicated.
But, that is a model that is popular right now that a lot of folks are trying to work through.
Yeah.
Thanks. And, just reflecting back on our shorthand, like, you will hear all of us refer regularly to Chinese companies and not mention Russian companies. And, obviously, we all recognize that the rule covers both, but I think we also all recognize that the practical reality is that Russian companies are not really implicated in the supply chain of connected vehicles, or at least only to a nominal extent. So we're not really touching on those.
Okay. So, Hilary, now I am ready to get to the question of ambiguity. We've touched on it a few different times here.
So I guess maybe the best way to start out is, in your conversations with AAI members, like, are there specific areas that folks have been turning to you to say, what does this mean? I don't understand. How do we deal with this area of ambiguity in the rule? Like, what are the core, the most maddening areas of ambiguity in the rule?
Yeah. So, we've already touched on some of them, but there is a fair bit of ambiguity in it. And I'm noticing, I mean, auto companies do not like operating in an area of ambiguity, so they are really, I would say, stressed about, and struggling with, some of these. So I jotted down a few of the ones that I've heard.
So Matt had mentioned that, you know, the rule applies to components and software that directly enable connectivity or automated driving. I get questions just about every day from our companies about, well, does this directly enable? Does this directly enable? So there is some confusion about what directly enables means.
There's also, the rule talks about components or software that directly enable these things or are part of an item that directly enables these things, and so I've gotten lots of questions about what does it mean to be part of an item.
We've talked about the persons owned by, controlled by, subject to the jurisdiction or direction of a foreign adversary.
There's still a lot of confusion about what that is and what that is not.
There's also, you know, the prohibitions apply, you know, in the cases of when those persons owned by, controlled by, subject to the jurisdiction, blah blah blah, when they are involved in the design, development, manufacturing, or supply of these items and these components, and folks really don't know where the limits are of design and developed in particular. Those are ones that I've gotten lots of questions on.
You know, we've talked about due diligence. That is not a defined term, and it doesn't tell you what is due diligence and what is not due diligence. I think we'll talk about this a little bit later, but folks really wanna know what is the right amount of diligence to be due and what falls short. So those are some areas of particular ambiguity that I think are stressing the system a bit right now.
So I would actually like to start digging in on this, on the question of due diligence.
And I guess, sort of opening up to the panel, like, have you developed a sense, whether, you know, through your own instincts or, you know, conversations with the Department of Commerce, of what level of due diligence is required? And if not, how are you advising your customers, clients, members?
Anybody wanna jump in on that?
I mean, I would say that I think there is an expectation of a significant amount of diligence that needs to occur.
And it requires, as, you know, Matt was saying, getting down, you know, getting down multiple tiers into a supply chain.
And, you know, accompanying that is really flowing down diligence requirements, you know, to your tier ones, who then can go to your tier twos, who can go to your, you know, tier threes, and basically ensuring that you are, you know, confirming down the line that they have answered the questions as it relates to the specific types of covered items, the software and the hardware, and flagging areas where there is some ambiguity as to whether or not something is, you know, one, is it in or is it out? You know, that's one question, in terms of a hardware or software perspective.
And then the other one is, is it tied to China in a sufficient way? And kind of pulling apart, you know, that, as it gets down in the supply chain, so that you can come back in and actually identify potential risk areas, and, you know, settle those to a level of comfort that will allow an OEM or an importer to certify to the Department of Commerce that they are in compliance, subject to civil and criminal penalties.
So, you know, given that that is ultimately what is at stake, not to mention potential disruption of your supply chain and your actual sales, which could occur as a result of an enforcement action in this area, I think a significant amount of diligence is the expectation.
Yeah. And, I mean, if I could just jump in and say, not on this point in particular, but just generally, I mean, I think there are some areas of ambiguity where we might get some additional clarity from BIS between today and next March, right, on some of these things. I do not expect we will get additional clarity from BIS on what is or is not a sufficient amount of due diligence. So just to, you know, sort of double click on what Christian said, I think folks are gonna have to be comfortable being uncomfortable, you know, with the fact that this is going to not be an answered question in March, when these prohibitions take effect.
Yeah.
And one thing I'll add is there are a couple places where there are some clear definitions, and there is clarity around diligence, in particular with respect to the hardware bill of materials and software bill of materials. The rule actually does spell out what you need in each of those cases.
So you can look at the rule. But, in summary, for your hardware bill of materials, you need a listing of all the parts, components, assemblies, supply chain relationships between those components, manufacturer identification, and some detail to support your certification.
And on the software side of things, they use the pretty well-established at this point NTIA standards for SBOMs, which is you need to have an author, timestamp, component name, supplier name, supply chain relationships again, and details of those components. So there is some clarity on what you need to do, what you need to assemble for those bills of material, which you do not need to submit to the Commerce Department anymore as part of the rule, but you do need to develop and maintain and furnish upon request, if there are questions around your application.
So, thank you. And, actually, I just wanna flag, for anyone who hasn't seen it, that Mark Calderon from Commerce, from BIS, has posted an email address where you can submit questions to BIS where you're seeking clarity. But I agree, I think, with what Hillary said that there are some questions that you might be able to get answers to and others where you're not.
And I think that we can lament and be frustrated by the lack of clarity in the rule. But for those of us who have some familiarity with the rulemaking process, it's easy to understand why there are areas where there isn't clarity, that it's hard to write a rule that is precise and very detailed, especially something where you're embarking in new territory. So we definitely appreciate, Mark, you jumping forward and providing that email address for people to submit questions to. Speaking of questions from the participants, while we're on the subject of ambiguity and trying to interpret, there is a question about defining a Chinese company, and, specifically, does it include a global tier one company with a joint venture in China that develops automotive software?
And I'm not expecting any of the panelists to jump in and provide legal advice on that question. But, Christian, I don't know if you wanna take a swing at that even as a general question, not necessarily that specific fact pattern.
So it is a global tier one with a JV that develops automotive software. Let me just give another example that's clearly covered to give you a sense of the answer to this. The rules make very clear that, for instance, a US company that has a Chinese subsidiary that develops software is clearly covered by this rule as a China-linked entity, and that's subject to the jurisdiction of China.
So it's not the idea that, oh, you've got a lot of US or a lot of Europe involved in your supply chain, so you fall outside. No. If you are actually doing any of these activities, even under your own control in a wholly owned subsidiary in China, it's covered.
So a joint venture with a Chinese entity that is engaged in this type of activity would seem to pretty clearly fall within, on multiple grounds, assuming that the software is covered. It would fall in not only because it's located in China, but also because your JV partner is probably a Chinese entity that would have some control or direction over the entity.
But I would add, Christian, it's not totally clear to me what the question's asking, but if it's, let's say, a US-headquartered tier one, and the software is being developed in the US, but that tier one also has a JV in China that's not involved in the software development, my interpretation is that the software that was developed in the US by that tier one would not be covered just because the tier one also has a JV in China. Correct. Okay. Correct.
Yeah. Yeah. Yeah.
But I think it's worth noting. Oh, sorry. Go ahead, Matt.
I was just gonna say that hits on a really key point, which is this.
One of the most challenging parts of this rule for supply chain teams who already are doing supply chain compliance is it's not as simple as just looking at your suppliers and saying, this supplier is okay, this supplier is not okay. You actually need to understand for each component whether the supplier is okay or not based upon what that supplier is doing. So you can have a supplier that manufactures in Europe and in China. And that supplier is not just in and of themselves okay or not. It depends on whether the component you are buying was manufactured in Europe or if it was manufactured in China. And that's where the diligence requirements have gone up so much compared to what everyone is used to. And that's the complexity.
Yeah. And to the point, kind of combining some of those concepts. Say you did have a JV in China that was making software for the Chinese market, and then you had software that was made by the same sister company, but wholly in the US. Those would be distinct. But are those two entities collaborating with each other in the design and development, and does that basically taint the US software? And I think in many cases, it could.
So I think you guys are making an important point, and that is, for any individual scenario, the facts at a granular level can really matter.
And so while we can take these questions and provide a high-level answer or give examples or dependencies, the process of determining compliance, whether on a question of scope or a question of practice like due diligence, is very, very fact dependent. And so it's something you need to do carefully. And, of course, as a lawyer, I'd advise you to do it under guidance of counsel, and technical experts as well. But it is a complicated rule, and it's got a lot of areas that are unclear. And so there's a lot of navigation that needs to be done. I wanna jump to an interesting question from the audience about SBOMs, and the fact that CISA is planning on updating SBOM guidance, and wanted to turn to Matt and just see if you had any thoughts on that specific question.
Yeah. I know that there was a notice put out very recently, and I think that is a more general notice around vulnerability management and SBOMs and the possibility of changes to the standards.
I don't believe it's necessarily going to impact the connected vehicle rule and the compliance requirements because the rule text is already established, and it, inside of the text, does not reference CISA's SBOM requirements. It specifically tells you the fields that are required in the SBOM in the rule text. I don't expect that that is necessarily going to impact the rule. But I know that this is very early, and I haven't had enough time to dig into this specifically yet.
Yeah.
So, yeah, I think it also raises another point, that we're facing shifting ground underneath the rule, from a policy, technical, and political perspective.
And that, I think, only enhances or intensifies the ambiguity that we're talking about: elements of the rule that need to be interpreted by a Department of Commerce that is under new leadership in a new administration, a different administration from the one in which it was written. And so there's a lot of interpretation questions that are challenging. And I'm gonna use that as an opportunity to segue to ask panelists, and I'll start with Hillary, on Commerce's implementation and enforcement of the rule. I am curious, and I imagine some of your members are as well, as to how rigid, how strict Commerce is likely to be at both implementing and enforcing the rule, whether right out of the gate or farther down the road.
Yeah. I wish I knew. I don't know the answer, but I have two thoughts, and they're actually opposite thoughts. But I'm gonna share them both because it may be insightful.
So one is, this is the first one. This is the first ICTS rule that BIS has done. So in some respects, I suspect that they will want to make an example of this. They want to send a message to all of the future sectors that are going to be covered by ICTS rules that this is serious.
They need to take this seriously. They need to be engaged in the rulemaking process. They need to be prepared to comply. So that leans towards, yeah, I think they might be rather strict on enforcement.
The flip side of it is it's the first one.
And none of us, BIS, the auto industry, really knows how this is gonna play out in practice, and we're sort of, in a way, flying the plane while we're building it. Right? So I think BIS gets that, and there's some level of understanding that this may be bumpy out of the gate. And what leads me a little bit to think it's maybe the latter rather than the former is that BIS has been very clear, at least to us, that they suspect that there is going to be a need for a fair number of specific authorizations at the front end of implementation here, that folks are gonna find out that they need more time, that they're gonna discover an issue that they're not gonna be able to resolve in time.
And, don't take this to the bank, but there seems to be an openness to be fairly flexible and forgiving with those specific authorizations in the early days. Not a long-term solution. It's gonna buy you maybe a little bit more time, but maybe an openness to doing that to help folks navigate this out of the gate.
I want to turn to Christian in just a moment to talk a little bit more about those specific authorizations and advisory opinions. But before I jump there, there was a question from the audience that I wanted to just flag because it gets to the point I was making just a moment ago about the shifting landscape.
The question was about the FCC and about their effort to get involved here. And I think I speak for everyone when I say we're all scratching our heads on that. And, you know, my sense is, and I don't wanna speak for Commerce, but I suspect that there's probably a lot of frustration and mystery from folks in Commerce about what the FCC is trying to do there. But it is reflective of the fact that we're in an uncertain time, generally speaking, and specifically with respect to the connected vehicle rule. But let me move back on to the question of specific authorizations and advisory opinions. Christian, Hillary kind of already teased what the specific authorizations are, but could you just talk about them at a quick high level and then a little bit about how companies might avail themselves of one or the other? Right.
So starting with the advisory opinion, basically, because of the ambiguity that we're talking about, the lack of past precedent, there are new issues that I'm sure Commerce didn't even think about when they were developing the rules. There are a lot of questions.
And there's the ability to go into Commerce and, on a sixty-day timeline, get a response from Commerce on an advisory opinion request. The email address that Mark provided to us is an option to go in and just get a quick answer. I think our experience with that is that many times it comes back with "you need to submit an advisory opinion, we need more specific facts and a circumstance to provide an opinion on," depending on how detailed the question is.
So if you do want that, you can get that type of clarification. And I think our expectation is that we will see a lot of advisory opinions that are submitted particularly when companies have taken different actions to try to comply with the rules. Right? There was a scenario that was not permitted, and we've restructured this.
Is this sufficient? That could be one, particularly relating to ties to China.
Another one could be, this is a really critical item, software or hardware. We're not sure whether it actually fits within the scope of the rule, and getting clarity on that from you would be super helpful.
So I think we'll see a lot of those.
We're in the early days. We've been working on them, and I think we'll start to build up some knowledge as we start getting those back, and I think that the thinking is going on at Commerce, and people are learning on the outside through that process.
The specific authorization is, again, for situations basically where parties are not able to comply with the rule because they're clearly covered under one of the various prohibitions, and they're not gonna be in compliance by the time that the rule goes into effect. And in that case, you can go in and submit a specific authorization and basically explain what the situation is and why Commerce should authorize that.
And I think some of the focuses on that will be things like supply chain disruption, disruption to the US economy. But, also, what measures have you taken to actually mitigate the national security risk through cybersecurity measures, other compliance tools, and corporate structures, etcetera, that really eliminate the risk and give Commerce the ability to say, okay, we will allow this to go on. My sense is that the approval of these will wane over time. As Hillary was saying, there'll be an initial set that are approved. But, basically, these are most likely phase-out authorizations that will lead towards scenarios where people have come into compliance with the rule as opposed to acting in perpetuity under a specific authorization.
Yeah. I just wanna briefly add to what you just said, Christian, because I think that's a really important point with specific authorizations.
If you want to increase your likelihood of being granted one, you do need to do the cybersecurity work to show that you have mitigated the risks that are associated with that. They do call out some specific things in the rule. So, for example, if you are following ISO 21434 as your framework for cybersecurity and you can show that you've done threat modeling, you've done a vulnerability assessment, you're managing those, you've done a risk assessment, you've done your supply chain risk assessment. All of that needs to be compiled together into that specific authorization request in order to show that you have a handle on this risk and that it is no longer a national security risk, or it is an acceptable risk at this time until you can find an alternative.
And it's worth noting that you need to be prepared to document that and also be prepared for the possibility that Commerce will ask follow-up questions, and maybe even make specific requests for additional security measures, to try to mitigate the risk that they might see of Chinese government involvement.
We're starting to get close to the top of the hour. So what I wanted to do is to pivot to what I think will be our final topic.
And I'm sure that companies who are hearing about this want to know, what should I be doing, what are my most urgent, high-priority actions? And, obviously, it depends on how far along you are in preparing for this. But I do want to pose this as a general question to our panelists. And maybe I'll start with Matt. You can make this more from a technical software development or product, business strategy perspective, however you prefer. But what do you see as the most urgent actions that companies should be contemplating as they're seeing the deadlines loom large?
Well, the starting point is you need to understand what you are selling into the market that is covered by this rule, first and foremost.
Whether you are an OEM or you are a supplier in their supply chains, you are potentially impacted by this rule if you are working within the VCS or ADS functions of a vehicle. One important point that we have not touched on so far is you are also covered by this rule if you are an aftermarket telematics company. So if you create products that plug into vehicles and have connectivity in them or provide autonomous driving, you are also covered by this rule.
And we find that that is a group of companies that are less aware of the fact that they're impacted here. So first, understand what products you have that are impacted, then make sure you are getting your supplier, your hardware, and your software component inventories together as your starting point so that you can do your risk assessment and you can understand what your compliance baseline is. Then you have to get into that diligence process. And that diligence process is a lengthy one when you have complex multi-tiered supply chains and you have to reach out to suppliers you've maybe never connected with in the past who are many layers down your supply chain. So you need to give yourself ample time. You really should be working on this already, if you have not.
I wanna first turn to Hillary and then Christian. We've just got a few minutes remaining. So if you can just give me some high-level sense of, when you're talking to your members, Hillary, what are you advising them of the things that they need to focus on first and foremost?
Yeah. I just had sort of two thoughts. One is for sure figuring out what due diligence means to you, how you're gonna define it, and then going ahead and starting that process right quick, as they say in Texas.
And the second thing is you need to figure out if you're gonna need a specific authorization for something that you're not gonna be able to do before March. And if that's the case, you better get that together and in fairly quick because they give themselves ninety days, or more if they need it, to turn those around, and we're knocking on the door of March 2026 here. So those are the two.
Before I turn to Christian, I'll just make one note on what Matt was saying about aftermarket telematics. If you are an importer or a producer of those and they're covered, you're the entity that actually has to submit either a declaration of conformity or a specific authorization.
Whereas it's principally going to be OEMs that are gonna be doing the interaction with the Department of Commerce, for anybody who's got a covered aftermarket product, you're on your own. You're the one doing it. It's not an OEM. So with that, let me just quickly turn to Christian for a quick view on urgent actions.
Sure. I would hundred percent echo and start with the points that Matt and Hillary mentioned, and particularly focus on due diligence.
Just a couple of kind of other thoughts.
If you are a company that has ties to China, you need to think about what actions you're taking to get in compliance right away. Is it a restructuring of the company? Is it a sale of a business? What is the best approach and what is feasible?
And then that ties in with the specific authorization and figuring out how to operate.
The other thing I would mention similarly, and I mentioned this earlier, is on the legacy software carve-out: that deadline is fast approaching. It's March, but this is kinda like a one-time chance to get that code and use it in a way that is valuable to you.
What's the plan? Make sure that you're operating quickly and taking action and finding an approach that you're comfortable with, or does that need to get an advisory opinion associated with it? What is the plan? So those are some key points in addition to what Matt and Hillary mentioned.
Awesome. Well, thank you very much. I really appreciate the time that all the panelists have put into not just coming here and presenting, but all the work that's been involved in developing the knowledge and the expertise associated with the connected vehicle rule. I'm sure this is not the last time that we collectively or individually will be talking about it. So thank you very much. And with that, let me turn it over to Nicole to wrap things up.
Alright.
Thank you so much, Eric, and thank you to all of our panelists today for joining.
It was a great session. Just a reminder to the audience, we will send the materials out to you shortly. If you have questions or would like to have a follow-up conversation with us, please get in touch. We are helping customers today solve for the connected vehicle rule, as well as the EU CRA and some other key regulations.
And so get in touch with us. We'd be happy to continue the conversation.
Thank you everyone for joining us once again, and I hope you have a wonderful day.