ARTICLE
8 July 2026

BIS Issues New General Authorization 3, Creating A “Trusted Supplier” Program Under The ICTS Connected Vehicle Rule

WR
Wiley Rein

Contributor

Wiley is a preeminent law firm wired into Washington. We advise Fortune 500 corporations, trade associations, and individuals in all industries on legal matters converging at the intersection of government, business, and technological innovation. Our attorneys and public policy advisors are respected and have nuanced insights into the mindsets of agencies, regulators, and lawmakers. We are the best-kept secret in DC for many of the most innovative and transformational companies, business groups, and nonprofit organizations. From autonomous vehicles to blockchain technologies, we combine our focused industry knowledge and unmatched understanding of Washington to anticipate challenges, craft policies, and formulate solutions for emerging innovators and industries.
The U.S. Department of Commerce's Bureau of Industry and Security has introduced a new Trusted Supplier program through General Authorization Number 3, potentially transforming how automotive manufacturers and suppliers navigate compliance with the Connected Vehicle Rule. This development creates a pathway for suppliers to obtain direct approval for vehicle connectivity systems and automated driving components that would otherwise be prohibited due to ties with China or Russia. The program shifts the author
United States International Law
Wiley Rein are most popular:
  • with readers working within the Insurance industries

On June 18, 2026, the U.S. Department of Commerce, Bureau of Industry and Security (BIS) issued a new General Authorization Number 3 (“GA3”), establishing a “Trusted Supplier” program that could significantly change how automotive manufacturers and suppliers approach compliance with the BIS Information and Communications Technology and Services (ICTS) Connected Vehicle Rule (“the Rule”). This alert reviews the existing prohibitions under the Rule, the new pathway created by GA3, and practical considerations for stakeholders.

Background: The ICTS Connected Vehicle Rule

As detailed in our prior client alert, the ICTS Connected Vehicle Rule restricts the import and sale of vehicles and components tied to foreign adversaries China and Russia. The regulations target Vehicle Connectivity Systems (VCS) that enable external communications and Automated Driving Systems (ADS). The Rule’s objective is to prevent data exfiltration and remote manipulation by foreign adversaries.

For hardware, the Rule covers physical components that facilitate connection and communication over radio frequencies above 450 MHz, sweeping in telematics control units, Bluetooth and Wi-Fi modules, and cellular modems. For software, the Rule applies to application, middleware, and system software running on the primary processing unit that directly drives VCS or ADS functions.

To the extent covered hardware or software is designed, developed, manufactured, or supplied by parties owned by, controlled by, or subject to the jurisdiction of adversary nations (identified in the Rule as Russia or China), and unless an exemption or exclusion applies, such hardware or software currently is or will be prohibited from being imported into the United States absent a specific or general authorization from BIS. BIS has previously issued narrow General Authorizations for imports of certain otherwise prohibited hardware or software. BIS has also granted certain specific authorizations to some auto manufacturers and importers, but we understand those have been time-limited and subject to significant limitations. Additionally, current tier 1 or lower-level suppliers have not been eligible to directly apply for specific authorizations.

GA3 and the Trusted Supplier Program

GA3 now allows suppliers to directly apply to BIS for approval of their VCS hardware or covered software (i.e., otherwise prohibited items) such that connected vehicle manufacturers and VCS hardware importers can use those products without obtaining individual specific authorizations from BIS. It should be noted that importers and auto manufacturers that are themselves owned by, controlled by, or subject to the jurisdiction of an adversary foreign nation will not be eligible to apply for participation in the Trusted Supplier program.

Once a supplier is approved by BIS, the approved product and supplier will be listed together on a Trusted Supplier Registry, and no specific authorization will be required for imports. The importer or manufacturer will still need to file a declaration of conformity in compliance with the current Connected Vehicle Rule requirements governing such submissions.

Trusted Supplier Application Requirements

GA3 provides some guidance regarding the information BIS expects to be included in applications for the Trusted Supplier program. Suppliers will be required to submit a justification and detailed proposal sufficient for BIS to assess the national security risk associated with their continued use of covered hardware/software, including a description of existing or planned controls over the covered items and mitigation measures.

BIS will review applications on a case-by-case basis against an “undue or unacceptable risk” standard of the underlying Rule and may require a letter of assurance, a mitigation agreement, or other conditions before granting Trusted Supplier status.

Ongoing Obligations and Removal

Approved suppliers will be subject to ongoing compliance, reporting, and recordkeeping requirements demonstrating compliance with GA3. Suppliers will be expected to report to BIS within 30 days of discovering a change in circumstance that impacts their qualification for GA3. If suppliers determine that such circumstances result in non-compliance they must, within 30 days of such a determination, cease any prohibited conduct. In such instances, suppliers must submit a report to BIS identifying prohibited transactions, the number of connected vehicles or VCS hardware units implicated, and the proposed remedial measures.

BIS may, at its discretion, verify (i.e., audit) connected vehicle manufacturers and VCS hardware importers to determine whether they are relying on a General Authorization or any supplier listed on the Approval Supplier Registry. A supplier may be removed from the Trusted Supplier program for non-compliance, false statements, significant changes in circumstance that create additional risk, or other factors at the discretion of BIS.

Potential Impact of Pending Legislation

Prospective applicants should continue to monitor progress of the Connected Vehicle Security Act (“CVSA”), introduced this session in the Senate and currently pending further action by Congress. The most recent version of the CVSA contains provisions that would expand coverage of the Rule to a broader set of hardware and software, reduce current exceptions and exclusions, extend the scope to include additional connected vehicle manufacturer ownership structures, and most importantly with respect to GA3, limit the ability of BIS to issue General Authorizations and sunset existing General Authorizations by 2032.

Key Takeaways

The Trusted Supplier Registry program offers a potentially valuable compliance pathway that shifts the authorization burden to the supplier of the covered product, allowing eligible manufacturers and importers to source approved products without securing transaction-by-transaction specific authorizations. Suppliers and their customers should evaluate eligibility, begin assembling the risk-assessment and mitigation information that BIS will expect, and build the ongoing compliance and recordkeeping infrastructure necessary to maintain Trusted Supplier status.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More