Department of Commerce, Bureau of Industry and Security: Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles
GAO reviewed the Department of Commerce, Bureau of Industry and Security's (BIS) new rule entitled "Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles."
If you have any questions about this report or wish to contact GAO officials responsible for the evaluation work relating to the subject matter of the rule, please contact Charlie McKiver, Assistant General Counsel, at (202) 512-5992.
January 31, 2025
The Honorable Tim Scott
The Honorable Elizabeth Warren
Ranking Member
Committee on Banking, Housing, and Urban Affairs
United States Senate
The Honorable Brian Mast
The Honorable Gregory Meeks
Ranking Member
Committee on Foreign Affairs
House of Representatives
Subject: Department of Commerce, Bureau of Industry and Security: Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles
Pursuant to section 801(a)(2)(A) of title 5, United States Code, this is our report on a major rule promulgated by the Department of Commerce, Bureau of Industry and Security (BIS) titled “Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles” (RIN: 0694-AJ56). We received the rule on January 16, 2025. It was published in the Federal Register on January 16, 2025. 90 Fed. Reg. 5360. The effective date of the rule is March 17, 2025.
According to BIS, this rule sets forth regulations and procedures to address undue or unacceptable risks to national security and U.S. persons posed by classes of transactions involving information and communications technology and services that are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of certain foreign adversaries and that are integral to connected vehicles as defined in the rule.
Enclosed is our assessment of BIS’s compliance with the procedural steps required by section 801(a)(1)(B)(i) through (iv) of title 5 with respect to the rule. If you have any questions about this report or wish to contact GAO officials responsible for the evaluation work relating to the subject matter of the rule, please contact Charlie McKiver, Assistant General Counsel, at (202) 512-5992.

Shirley A. Jones
Managing Associate General Counsel
cc: Elizabeth L. D. Cannon
Executive Director
Office of Information and Communications Technology and Services
Bureau of Industry and Security
(RIN: 0694-AJ56)
(i) Cost-benefit analysis
The Department of Commerce, Bureau of Industry and Security (BIS) prepared an analysis of the cost and benefits for this rule. In its submission to us, BIS stated that the benefits of the rule include increased protection from foreign adversaries and reduced chances of catastrophic attack stemming from data exfiltration and remote manipulation of connected vehicles. BIS estimates the annualized monetized cost of the rule to range from $160 million to $250 million in 2023 dollars at a 2 percent discount rate. BIS also noted the rule could result in reduced ability of U.S. carmakers to compete internationally and disruption in connected vehicle supply chains.
(ii) Agency actions relevant to the Regulatory Flexibility Act (RFA), 5 U.S.C. §§ 603–605, 607, and 609
BIS determined that this rule may have economic impacts on small entities. 90 Fed. Reg. 5360, 5412 (Jan. 16, 2025). BIS prepared a Final Regulatory Flexibility Analysis describing the economic impacts of the rule on small entities. Id.
(iii) Agency actions relevant to sections 202–205 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. §§ 1532–1535
BIS determined that this rule will not have an effect on state, local, or tribal governments, in the aggregate, or on the private sector, of $100 million in 1995 dollars, updated annually for inflation, in any one year. See 90 Fed. Reg. at 5360.
(iv) Other relevant information or requirements under acts and executive orders
Administrative Procedure Act, 5 U.S.C. §§ 551 et seq.
On March 1, 2024, BIS issued an advance notice of proposed rulemaking (ANPRM). 89 Fed. Reg. 15066. On September 26, 2024, BIS issued a notice of proposed rulemaking (NPRM). 89 Fed. Reg. 79088. BIS stated that it solicited comments through both actions and that it considered comments received in response to the ANPRM and the NPRM. Id.
Paperwork Reduction Act (PRA), 44 U.S.C. §§ 3501–3520
BIS determined that this rule contains information collection requirements under the Act and submitted it to the Office of Management and Budget for review. 90 Fed. Reg. at 5411.
Statutory authorization for the rule
BIS promulgated this rule pursuant to sections 1601 et seq., and 1701 et seq., of title 50, United States Code.
Executive Order No. 12866 (Regulatory Planning and Review)
According to BIS, the Office of Information and Regulatory Affairs has determined that this rule is a significant regulatory action under the Order. 90 Fed. Reg. at 5410.
Executive Order No. 13132 (Federalism)
BIS determined that this rule does not have federalism implications. See 90 Fed. Reg. at 5410.