LegisTrack
S 2040 | 119th Congress | In Committee

Connected Vehicle National Security Review Act

Introduced: Jun 11, 2025
Defense & National Security | Infrastructure | Technology & Innovation
Standard Summary

The Connected Vehicle National Security Review Act would create a new Office of Information and Communications Technology and Services (OICTS) within the Commerce Department’s Bureau of Industry and Security (BIS). This office would use export-control authorities to identify and mitigate, or prohibit, certain information and communications technology and services (ICTS) transactions involved in connected vehicles that could pose an undue risk to U.S. national security, critical infrastructure, or the digital economy. The bill relies on intelligence assessments from the Director of National Intelligence (DNI) to pinpoint risks in supply chains and entities of concern (notably certain Chinese, Russian, Iranian, and North Korean actors) and would empower the government to regulate, license, or prohibit covered transactions and impose penalties for violations. It also enhances enforcement, introduces advisory and reporting mechanisms, and makes conforming amendments to existing export control law. In short, the bill creates a specialized government office to screen and control the technology used in connected vehicles to protect national security, while providing a formal process for risk assessment, mitigation, and enforcement.

Key Points

  1. Establishment of the Office of Information and Communications Technology and Services (OICTS) within BIS, led by an Executive Director who reports to BIS leadership; the office focuses on identifying and mitigating undue risk in ICTS transactions related to connected vehicles and educating industry on risks.
  2. Broad definitions and scope: a connected vehicle is a public-road vehicle that integrates onboard networked hardware with automotive software to communicate via various wireless means; covered transactions involve ICTS used in connected vehicles or items on the Commerce Control List, and target entities and jurisdictions of concern.
  3. Transaction review and mitigation authority: the Secretary (through OICTS) can review any covered transaction suspected of posing undue risk, compel information under oath, conduct investigations and hearings, and impose mitigation measures (cybersecurity standards, excluding certain components, or other requirements) or prohibit the transaction if risks cannot be mitigated.
  4. Regulatory and licensing authority: the Secretary may issue regulations for classes of covered transactions to identify entities and jurisdictions of concern, establish mitigation measures or prohibitions, set licensing procedures, and otherwise regulate how such transactions are conducted to address undue risks.
  5. Risk assessments and enforcement framework: the DNI must provide risk assessments on threats to U.S. supply chains, with annual updates and Congressional delivery in unclassified form (plus a classified annex); the bill also creates enforcement tools, penalties (criminal and civil), pre-penalty notices, settlements, and a judicial review pathway in the DC Circuit, along with confidentiality protections for sensitive information.

Impact Areas

Primary group/area affected

  • U.S. manufacturers, exporters, importers, and providers of ICTS for connected vehicles (including hardware, software, and services that enable vehicle communication).
  • Companies and entities operating in the connected-vehicle supply chain, especially those using or supplying components sourced from or involving entities of concern or jurisdictions of concern.
  • Critical infrastructure operators and stakeholders who rely on connected-vehicle technology.

Secondary group/area affected

  • Foreign entities and countries identified as jurisdictions of concern (notably China, Russia, Iran, North Korea) and entities on the Entity List or controlled by those jurisdictions.
  • The U.S. government, including BIS, the DNI, and other agencies involved in export controls, national security reviews, and enforcement.

Additional impacts

  • Potential changes to how connected-vehicle ICTS transactions are evaluated, including increased due diligence, possible licensing requirements, and conditional or prohibitive actions on certain deals or technology transfers.
  • Possible effects on innovation and investment in the automotive and ICTS sectors due to added security reviews and compliance costs.
  • Enhanced information sharing and coordination between intelligence, industry, and regulatory bodies, with a strong emphasis on protecting sensitive information.

Generated by gpt-5-nano on Oct 7, 2025