Connected Vehicle National Security Review Act
- Bill Number
- S. 2040
- Origin Chamber
- Senate
- Congress
- 119th Congress, Session 1
- Policy Area
- Armed Forces and National Security
- Status
- Introduced
- Latest Action
- 2025-06-11: Read twice and referred to the Committee on Banking, Housing, and Urban Affairs.
- Last Updated
- 2026-04-30T11:03:20Z
AI-Generated Summary
Purpose
The Connected Vehicle National Security Review Act aims to protect U.S. national security by establishing a dedicated office within the Department of Commerce to review and regulate certain transactions involving information and communications technology (ICT) in connected vehicles. Connected vehicles are modern cars, trucks, or similar motor vehicles that use wireless networks to communicate with other devices or systems. The focus is on preventing undue risks—such as sabotage, threats to critical infrastructure (essential systems like transportation or energy grids), or unauthorized access to sensitive technology—from foreign adversaries.
Key Provisions
- Establishment of the Office of Information and Communications Technology and Services (OICTS): Creates this new office within the Bureau of Industry and Security (BIS) of the Department of Commerce. It is led by an Executive Director who reports to an Assistant Secretary and has special hiring powers to recruit experts quickly.
- Definitions: Key terms include:
- Covered transaction: Any deal involving U.S.-jurisdictional parties or property that uses ICT designed, made, or supplied by entities from "jurisdictions of concern" (China, Russia, Iran, North Korea) or items on the Commerce Control List (a U.S. export restriction catalog) in connected vehicles.
- Entity of concern: Companies or groups owned or controlled by those on the U.S. Entity List (restricted for security reasons) or from arms-embargoed countries.
- Undue risk: Threats like sabotage to ICT systems, harm to U.S. critical infrastructure or digital economy, or acquisition of controlled technology by concerning entities.
- Transaction Review Process: The Secretary of Commerce, through OICTS, can investigate suspected risky transactions, require reports or subpoenas (court orders for documents/testimony), and either mitigate risks (e.g., impose cybersecurity standards, exclude risky components, or negotiate conditions) or prohibit the transaction entirely. Prohibitions are published in the Federal Register (official government notice).
- Rulemaking Authority: Allows the Secretary to create regulations for entire classes of transactions, such as blanket prohibitions on deals with entities of concern or criteria to exclude low-risk ones. Includes licensing procedures for otherwise banned activities.
- Risk Assessments: Requires the Director of National Intelligence (DNI) to provide annual reports to Commerce and Congress on supply chain threats from concerning entities, including high-risk examples (unclassified version to Congress, with classified details on specific risks).
- Other Supports:
- Continues existing regulations from related executive orders on securing ICT supply chains.
- Establishes an advisory committee with industry, academic, and private sector experts to advise OICTS.
- Protects submitted information from public disclosure unless required by law.
- Enforcement and Penalties:
- Investigations can include searches, seizures, and subpoenas; the Attorney General can seek court orders for injunctions (stops) or divestment (forced sale of assets).
- Criminal penalties: Up to $1 million fine and 20 years in prison for willful violations.
- Civil penalties: Fines up to $250,000 or twice the transaction value, plus restrictions on future deals; includes a process for pre-penalty notices and settlements.
- Judicial Review: Challenges must go exclusively to the U.S. Court of Appeals for the D.C. Circuit within 180 days; sensitive info (e.g., classified or law enforcement data) reviewed privately by the court. This is the only legal remedy available.
Significant Changes to Existing Law
- Amends the Export Control Reform Act of 2018 by adding a new Part IV specifically for OICTS and connected vehicle ICT risks, integrating it into the broader U.S. export control framework.
- Expands BIS's role with a new Assistant Secretary position dedicated to this area.
- Updates annual reporting requirements to include summaries of how the new authorities prevent concerning entities from bypassing export controls.
- Broadens the definition of "U.S. person" under the Act to cover activities in this new part, ensuring consistent enforcement.
- Exempts OICTS actions from the Paperwork Reduction Act (which limits burdensome reporting requirements) to streamline processes.
- Clarifies that this does not override other laws, like those governing foreign investments reviewed by the Committee on Foreign Investment in the United States (CFIUS).
Potential Impacts
- Government Agencies: Enhances the Department of Commerce's (BIS) authority and resources for national security reviews, requiring coordination with intelligence agencies (e.g., DNI) and the Justice Department for enforcement. Increases workload for investigations and rulemaking but provides special hiring to build expertise.
- Citizens and Businesses: U.S. auto manufacturers, suppliers, and importers may face delays, costs, or prohibitions on using foreign ICT components, potentially raising vehicle prices or slowing innovation. Educates industry on risks to promote compliance.
- International Relations: Targets transactions from specific countries (China, Russia, Iran, North Korea), which could escalate trade tensions or retaliatory measures, while strengthening U.S. supply chain security against perceived foreign threats.
Main Stakeholders Affected
- Government: Department of Commerce (BIS and OICTS), Director of National Intelligence, Attorney General, and congressional committees (Senate Banking, Housing, and Urban Affairs; House Foreign Affairs).
- Industry: U.S. and foreign automotive companies, ICT suppliers, and vehicle manufacturers involved in connected vehicle tech (e.g., software for navigation or communication systems).
- Other Entities: Exporters/importers under U.S. jurisdiction, entities of concern (e.g., Chinese tech firms), and academic/industry advisors on the new committee.
- Public: Consumers of connected vehicles, who may benefit from reduced security risks but face indirect costs from regulations.
Notable Legal, Constitutional, or Political Implications
- Legal: Strengthens executive branch powers for proactive national security regulation without needing case-by-case presidential action, building on executive orders like 13873 (securing ICT supply chains). Limited judicial review to one court with private handling of sensitive info aligns with precedents in national security law (e.g., Foreign Intelligence Surveillance Act) but could limit due process for affected parties by restricting appeals and public transparency.
- Constitutional: Balances national security interests against commerce clause authority (regulating interstate/international trade); potential First Amendment concerns if disclosures are overly restricted, though protections for privileged info mitigate this. No direct impact on free speech or privacy noted.
- Political: Introduced by Sen. Slotkin (D-MI) in a bipartisan context amid U.S.-China tech rivalry, it signals heightened focus on automotive supply chains (key in states like Michigan). Could influence future trade policies but risks politicization if seen as overly protectionist.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Cosponsors (1)
Recent Actions
- 2025-06-11: Read twice and referred to the Committee on Banking, Housing, and Urban Affairs.
- 2025-06-11: Introduced in Senate
Bill Versions
- Connected Vehicle National Security Review Act — issued 2025-06-11 — PDF (28 pages)