Sec. 2. Cybersecurity standards for motor vehicles
558 words·~3 min read·
/bill/116/s/2182/is/section-2A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Chapter 301 of title 49, United States Code, is amended by inserting after section 30128 the following: In this section: The term critical software systems means software systems that can affect— the control by the driver of the vehicle movement; or the safety features of the vehicle. The term driving data includes any electronic information collected about— the status of a vehicle, including the location and speed of the vehicle; and any owner, lessee, driver, or passenger of a vehicle.
The term entry point includes a means by which— driving data may be accessed, directly or indirectly; or a control signal may be sent or received either wirelessly or through wired connections. The term hacking means the unauthorized access to electronic controls, critical software systems, or driving data, either wirelessly or through wired connections. All motor vehicles manufactured for sale in the United States on or after the date that is 2 years after the date on which regulations are promulgated pursuant to section 2(c)(2) of the SPY Car Act of 2019 shall comply with the cybersecurity standards under paragraphs
(2)through (4). All entry points to the electronic systems of each motor vehicle manufactured for sale in the United States shall be equipped with reasonable measures to protect against hacking attacks. The measures referred to in subparagraph
(A)shall incorporate isolation measures to separate critical software systems from noncritical software systems. The measures referred to in subparagraph
(A)shall be evaluated for security vulnerabilities following best security practices, including appropriate applications of techniques such as penetration testing. The measures referred to in subparagraph
(A)shall be adjusted and updated based on the results of the evaluation under subparagraph (C). All driving data collected by the electronic systems that are built into motor vehicles shall be reasonably secured to prevent unauthorized access— while the data is stored onboard the vehicle; while the data is in transit from the vehicle to another location; and in any subsequent offboard storage or use of the data. Any motor vehicle manufactured for sale in the United States that presents an entry point shall be equipped with capabilities to immediately detect, report, and stop attempts to intercept driving data or control the vehicle. . Section 30165(a)(1) of title 49, United States Code, is amended by inserting 30129, after 30127, . Not later than 18 months after the date of enactment of this Act, the Administrator of the National Highway Traffic Safety Administration (referred to in this subsection as the Administrator ), after consultation with the Federal Trade Commission, shall issue a notice of proposed rulemaking to carry out section 30129 of title 49, United States Code. Not later than 3 years after the date of enactment of this Act, the Administrator, after consultation with the Federal Trade Commission, shall promulgate final regulations to carry out section 30129 of title 49, United States Code. Not later than 3 years after final regulations are promulgated pursuant to paragraph
(2)and not less frequently than once every 3 years thereafter, the Administrator, after consultation with the Federal Trade Commission, shall— review the final regulations promulgated pursuant to paragraph (2); and update the final regulations, as necessary. The table of sections for chapter 301 of title 49, United States Code, is amended by inserting after the item relating to section 30128 the following: 30129. Cybersecurity standards. .