Regulations last checked for updates: Apr 24, 2025

Title 15 - Commerce and Foreign Trade last revised: Mar 28, 2025
§ 791.315 - Third-party verification and assessments.

(a) Overview. U.S. persons subject to this subpart may hire, consult, or otherwise contract with a third-party to ensure compliance with this rule. In certain cases, the use of a third-party assessor will be mandated in the terms of an approved specific authorization.

(b) Third-party assessors. U.S. persons should determine whether a third-party assessor is qualified and competent, such as through industry certification or standard, to examine, to verify, and attest to the U.S. person's compliance with and the effectiveness of the security requirements implemented for VCS hardware or covered software transactions.

(1) The third-party assessor cannot be a person owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia.

(2) In determining the reasonableness of an entity's reliance on a third-party assessment, BIS will consider the independence of the third-party, including any financial incentives between the third-party and the entity.

(c) Scope. The use of a third-party assessor for U.S. persons submitting Declarations of Conformity is voluntary; however, if utilized, BIS recommends such third-party assessments to:

(1) identify and examine the VCS hardware importer or connected vehicle manufacturer's VCS hardware and covered software supply chains in relation to the prohibitions in this subpart;

(2) examine compliance relating to each Declaration of Conformity, general authorization, or specific authorization pursuant to which an entity is conducting transactions;

(3) use a reliable methodology to conduct the third-party verification; and

(4) acknowledge that the assessment may be used by the U.S. government to verify compliance.

(d) Assessment. To utilize third-party verification to fulfill the due diligence requirement for a Declaration of Conformity, the third-party assessor should prepare and submit a written report to the VCS hardware importer or connected vehicle manufacturer. The third-party assessment should at minimum:

(1) identify the suppliers of each relevant component and describe the nature of any foreign interest;

(2) describe the methodology undertaken, including the policies and other documents reviewed, personnel interviewed, and any facilities, equipment, or systems examined;

(3) describe the effectiveness of the VCS hardware importer or connected vehicle manufacturer's corporate policies related to compliance with this rule;

(4) for VCS hardware importers or connected vehicle manufacturers conducting transactions under the auspices of a general authorization or specific authorization, describe any vulnerabilities or deficiencies in the implementation of the authorization; and

(5) recommend any improvements or changes to policies, practices, or other aspects to maintain compliance with this subpart, as applicable to each transaction.

(e) Recordkeeping. The third-party assessor must comply with all recordkeeping requirements, pursuant to § 791.312.

authority: 50 U.S.C. 1701
source: 86 FR 4923, Jan. 19, 2021, unless otherwise noted. Redesignated at 89 FR 58265, July 18, 2024.
cite as: 15 CFR 791.315