(a) Prohibited transactions authorized. Upon receipt of a valid and complete application, BIS may grant specific authorizations to permit a VCS hardware importer or connected vehicle manufacturer to engage in an otherwise prohibited transaction.
(b) Policy. It is the policy of BIS not to review applications for specific authorizations for transactions that are otherwise permitted by a general authorization.
(c) Applications for specific authorizations. Applications for specific authorizations shall include, at a minimum, a description of the nature of the otherwise prohibited transaction(s), including the following:
(1) The identity of the parties engaged in the transaction, including relevant corporate identifiers and information sufficient to identify the ultimate beneficial ownership of the transacting parties;
(2) An overview of the VCS hardware or covered software that is designed, developed, manufactured, or supplied by a person owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia, including persons responsible for assembling and packaging VCS hardware or covered software;
(3) If known, the make, model, and trim of the connected vehicle(s) in which the VCS hardware or covered software will be integrated;
(4) The intended function of the VCS hardware or covered software;
(5) Documentation to support the information contained in the application, such as any ISO/SAE 21434 Threat Analysis and Risk Assessments (if available);
(6) An assessment of the applicant's ability to limit PRC or Russian government access to, or influence over, the design, development, manufacture, or supply of the VCS hardware or covered software;
(7) Security standards used by the applicant with respect to the VCS hardware or covered software; and
(8) Other actions and proposals such as technical controls (e.g., software validation) or operational controls (e.g., physical and logical access monitoring procedures) the applicant intends to take to mitigate undue or unacceptable risk, if applicable.
(d) Application submission procedures and timing. VCS hardware importers or connected vehicle manufacturers who seek to engage in an otherwise prohibited transaction must submit an application for a specific authorization in writing prior to engaging in the transaction, and await a decision from BIS prior to engaging in the transaction. Specific authorization submissions must be delivered to BIS as specified on its website, https://www.bis.gov/OICTS.
(e) Additional conditions. Only one application for a specific authorization should be submitted to BIS for each otherwise prohibited transaction; multiple parties submitting an application for a specific authorization for the same transaction may result in processing delays.
(f) Information to be supplied. An applicant may be required to furnish additional information as BIS deems necessary to assist in making a decision. BIS may request an oral briefing by the applicant and any other relevant parties. The applicant may present additional information concerning an application for a specific authorization at any time before BIS issues its decision regarding the application.
(g) Review and decisions. Applications for specific authorizations will be reviewed on a case-by-case basis, and conditions to be applied to each specific authorization may vary as needed to mitigate any risk that arises as a result of the otherwise prohibited transaction. Such review will include an evaluation of the risks and potential mitigation measures proposed by the applicant for the particular transaction. The risks that BIS may consider include, but are not limited to, risks of data exfiltration from, and remote manipulation or operation of, the connected vehicle and the extent and nature of foreign adversary involvement in the design, development, manufacture, or supply of the VCS hardware or covered software. Mitigation may include the applicant's ability to limit PRC or Russian government access to, or influence over, the design, development, manufacture, or supply of the VCS hardware or covered software; security standards used by the applicant and if such standards can be validated by BIS or a third party; and other actions or proposals the applicant intends to take to mitigate undue or unacceptable risk. BIS will advise each applicant in writing of the decision respecting the filed application. Decisions regarding specific authorizations will not be made publicly available.
(h) Processing period. BIS will provide a decision regarding an application for a specific authorization within 90 days unless BIS determines, in its sole discretion, and notifies the applicant within that 90-day period, that additional time is required. Failure or delays by the applicant in submitting additional information requested by BIS may delay or prevent BIS's ability to issue a specific authorization.
(i) Scope. (1) Unless otherwise specified in the authorization, a specific authorization applies only to the transaction:
(i) Between the parties identified in the specific authorization;
(ii) With respect to the otherwise prohibited transaction(s) described in the authorization; and
(iii) If the conditions specified in the specific authorization are satisfied. The applicant must inform any other parties identified in the specific authorization of the authorization's scope and specific conditions.
(2) As a condition for the issuance of any specific authorization, BIS may require the applicant to submit third-party assessments or SBOMs/HBOMs as may be prescribed in the specific authorization or otherwise communicated to the applicant by BIS. Reports should be sent in accordance with the instructions provided in the applicable specific authorization.
(3) Any materially false or misleading representation in or otherwise associated with the application, or in any document submitted in connection with the application under this section, shall cause the specific authorization to be deemed void as of the date of issuance, and the applicant may incur penalties as specified in § 791.318.
(j) Verification. BIS may establish, in its sole discretion as conditions for receiving a specific authorization, any compliance, auditing, or verification requirements.
(k) Effect of denial. BIS's denial of a specific authorization may be appealed as described in § 791.309. BIS's denial of a prior specific authorization does not preclude parties from filing an application for a specific authorization for a separate otherwise prohibited transaction. The applicant may at any time, by written correspondence, request reconsideration of the denial of an application based on new material facts or changed circumstances.
(l) Effect of specific authorization. (1) No specific authorization issued under this subpart, or otherwise issued by BIS, permits or validates any prohibited transaction effectuated prior to the issuance of such specific authorization unless specifically provided for in the specific authorization.
(2) No regulation, ruling, instruction, or authorization permits any prohibited transaction under this subpart unless the regulation, ruling, instruction or authorization is issued by BIS and specifically refers to this subpart. No regulation, ruling, instruction, or authorization referring to this subpart shall be deemed to permit any prohibited transaction prohibited by any provision of this subpart unless the regulation, ruling, instruction, or authorization specifically refers to such provision. Any specific authorization permitting any otherwise prohibited transaction has the effect of removing those prohibitions from the transaction, but only to the extent specifically stated by the terms of the specific authorization. Unless the specific authorization otherwise specifies, such an authorization does not create any right, duty, obligation, claim, or interest in, or with respect to, any property that would not otherwise exist under ordinary principles of law.
(3) Nothing contained in this subpart shall be construed to supersede the requirements established under any other provision of law or to relieve a person from any requirement to obtain an authorization from another department or agency of the U.S. Government in compliance with applicable laws and regulations subject to the jurisdiction of that department or agency.
(4) Specific authorizations will be approved for a duration of no less than one (1) model year or calendar year except as provided in § 791.307(m).
(m) Exceptions. BIS may approve specific authorizations for a period of less than one (1) calendar year on a case-by-case basis under the following circumstances:
(1) 2027 model years that include covered software and are actively being sold or imported as of the effective date of this rule;
(2) Covered software and VCS hardware supply chains that are affected by force majeure events;
(3) As a result of a corporate merger, investment, acquisition, joint venture, or conversion of equity (such as from debt) that occurs during model year production;
(4) As a result of the closure or relocation of facilities involved in the production of covered software or VCS hardware; and
(5) Other instances as determined by BIS.
(n) Records. Persons receiving a specific authorization are required to maintain records for a period of 10 years, as required in § 791.312, as well as to submit reports and statements in accordance with the instructions specified in each specific authorization.
(o) Amendment, modification, or rescission. Except as otherwise provided by law, any specific authorization or instructions issued thereunder may be amended, modified, or rescinded by BIS at any time.