What's Happening?
The Bureau of Industry and Security (BIS) Connected Vehicle Rule, effective since March 2025, imposes new compliance requirements on automotive software teams. The rule targets vehicle connectivity systems and automated driving systems, particularly those involving components from foreign adversaries like China and Russia. It requires Declarations of Conformity backed by defensible documentation, focusing on the origin and provenance of software components rather than just their technical specifications. This has introduced a significant challenge for engineering and compliance teams, who must now demonstrate where each software component came from and produce evidence to support their compliance claims. The rule emphasizes the importance of software provenance, pushing the industry to improve visibility into complex software stacks.
Why It's Important
The BIS Connected Vehicle Rule has significant implications for the automotive industry, particularly in terms of national security and software governance. By focusing on the origin of software components, the rule aims to mitigate risks associated with foreign adversaries potentially compromising vehicle systems. This has broader implications for software security, as it requires companies to have full visibility into their software supply chains. The rule also highlights the interconnectedness of compliance and security, as opacity in software provenance can lead to both compliance and security risks. For the automotive industry, this means investing in infrastructure that captures software provenance at build time, which can enhance both compliance and security measures.
What's Next?
Automotive companies are expected to adapt their software development processes to meet the requirements of the BIS Connected Vehicle Rule. This involves instrumenting the build process to capture provenance data and integrating safety and security programs. OEMs will need to engage with suppliers to ensure compliance, requiring structured, machine-readable evidence of software provenance. The rule may drive the industry towards better software governance infrastructure, which could improve overall security posture. Companies that treat the rule as an opportunity to enhance their software governance infrastructure will likely be better positioned to handle future compliance and security challenges.
Beyond the Headlines
The BIS Connected Vehicle Rule could lead to long-term shifts in how the automotive industry approaches software development and security. By emphasizing software provenance, the rule encourages companies to build more resilient software supply chains. This could result in improved communication and coordination between OEMs and suppliers, enhancing trust and reducing vulnerability risks. Additionally, the rule may push the industry to integrate safety and security programs more closely, recognizing that security vulnerabilities are also safety issues. This holistic approach to software governance could make innovation in the automotive industry more sustainable.