July 1, 2026

Connected Vehicles Face Growing National Security Scrutiny Under Defense Bill

Holland & Knight Alert
Sara E. Peters | Kara Fischer | Samantha Reinstein

Highlights

  • Connected vehicle oversight is becoming a durable part of U.S. national security policy, particularly where foreign-linked technology could access sensitive government, defense or infrastructure environments. 
  • This growing concern is reflected in Section 353 of the U.S. Senate Committee on Armed Services' National Defense Authorization Act for Fiscal Year 2027, which directs the U.S. Department of War (DOW) to ban the operation of adversary-nation connected vehicles from military installations or DOW property.
  • For automakers, suppliers and technology providers, the practical takeaway is that compliance will increasingly require visibility into vehicle connectivity systems, automated driving systems and foreign-adversary links across the hardware and software stack.

Connected vehicles are transforming transportation networks, but they are also forcing lawmakers and regulators to confront new national security risks posed by foreign-linked software and hardware embedded in modern vehicles. This growing concern is reflected in Section 353 of the U.S. Senate Committee on Armed Services' National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2027 (S.4784), which directs the U.S. Department of War (DOW) to ban the operation of adversary-nation connected vehicles from military installations or DOW property. The incorporation of this section suggests that Congress is focused on preventing connected vehicles from countries of concern from collecting data on base layouts, personnel movements and sensitive operations.

Breaking Down Section 353

Section 353 establishes a two-phase ban preventing certain connected vehicles from operating at military installations or other DOW property. The first ban would begin after July 1, 2027, for vehicles that are already prohibited by the U.S. Department of Commerce's Bureau of Industry and Security (BIS) Connected Vehicle rule (15 C.F.R. Part 791). The second starts January 1, 2029, and would ban connected vehicles that DOW determines are connected to foreign entities of concern. DOW would be required to designate these vehicles pursuant to a process outlined in an implementation plan and publish a list of designated connected vehicles annually. The prohibitions would take effect upon submission of a certification to the congressional defense committees that DOW has the resources, personnel and capacity to enforce the prohibition.

A similar provision was included in the Senate version of the FY 2026 NDAA (S.2296) but ultimately was not included in the final bill. In the Joint Explanatory Statement (JES) accompanying the final bill, the conference acknowledged that the BIS Connected Vehicle rule addressed many security concerns related to connected vehicles manufactured by foreign adversaries but that DOW would face additional challenges as these technologies evolved. In anticipation of this evolving risk, Congress directed DOW in the JES to develop guidelines to prohibit connected vehicles from accessing sensitive information and locations on domestic military installations, as well as a strategy for containing the risk association with connected vehicles at overseas locations where those vehicles may already be in the market. Therefore, if DOW has followed these instructions, it should be well equipped to implement Section 353 if it is included in the final FY 2027 NDAA bill.

Path to Connected Vehicle Regulation

Over time, the approach to connected vehicle regulation by the U.S. has shifted from broad national security measures to more specific limits on foreign adversary products within the automotive supply chain. The FY 2027 Senate NDAA text is just one of many examples of how regulators and lawmakers have moved to strengthen the automotive industry against foreign adversaries.

  • Executive Order (EO) 13873 – Securing the Information and Communications Technology and Services Supply Chain: On May 15, 2019, President Donald Trump issued an EO declaring a national emergency to address vulnerabilities in the U.S. information and communications technology or services (ICTS) supply chain. The EO set up a strict framework to manage and restrict foreign technology, granting the Commerce Secretary the power to review, block or attach mitigation measures to any transaction involving foreign adversary-linked ICTS. This EO served as the catalyst for BIS' Connected Vehicle rule.
  • BIS Connected Vehicle Rule: On January 16, 2025, BIS issued a final rule restricting the use of certain hardware and software linked to the People's Republic of China and Russia in connected vehicles imported into or sold in the U.S. This rule targets two systems: vehicle connectivity systems (VCS), which cover hardware and software in wireless communications, and automated driving systems (ADS), which are systems capable of performing dynamic driving tasks on a sustained basis. The rule only applies to passenger vehicles (under 10,001 pounds), and prohibitions begin to take effect for model year 2027 vehicles. The rule also includes certain timebound exemptions for specific model year vehicles and legacy software, and it explicitly excludes low-risk hardware such as light detection and ranging (LiDar), radar and cameras from the prohibition. Since issuing the final rule, BIS has issued three general authorizations allowing for importation in specific circumstances without needing to seek a specific exemption authorization. BIS reviews exemption requests on a case-by-case basis; however, BIS has not granted any individual exemptions to date.
  • America First Trade Policy: On January 20, 2025, President Trump issued a presidential memorandum that included a provision directing the Commerce Secretary to review the final connected vehicle rules and recommend further appropriate actions, including whether ICTS controls should be expanded to account for additional connected products.
  • Connected Vehicle Security Act of 2026: On April 29, 2026, Sens. Bernie Moreno (R-Ohio) and Elissa Slotkin (D-Mich.) introduced the Connected Vehicle Security Act of 2026 (S.4429), and Reps. John Moolenaar (R-Mich.) and Debbie Dingell (D-Mich.) introduced the companion bill (H.R.8730) on May 11, 2026. Beyond simply codifying the BIS Connected Vehicle regulatory framework, this legislation covers more countries (China, Iran, Russia and North Korea), expands the definition of VCS hardware and requires the Commerce Department to publish a list of authorized items by January 1, 2032. Though this bill is still in the early stages, its bipartisan and bicameral introduction indicates that there is widespread interest in Congress to place limitations on connected vehicles linked to foreign adversaries.
  • Motor Vehicle Modernization Act: On May 21, 2026, the U.S. House of Representatives Committee on Energy and Commerce marked up an amendment in the nature of a substitute to the Motor Vehicle Modernization Act (H.R.7389), and it passed by a vote of 48-1. This bill includes a section titled "Protecting the Automotive Industry from Foreign Adversaries" (Section 301), which prohibits a manufacturer controlled by a foreign adversary from manufacturing, selling, offering, shipping or importing any motor vehicle in the U.S., whether directly or through another party. However, this section includes an exemption for specific manufacturers engaged in transactions that comply with the BIS Connected Vehicle rule.

Outlook for the Future

Taken together, these developments suggest that connected vehicle policy is likely to remain a national security priority even as the FY 2027 NDAA moves through the legislative process. Section 353 may be revised or removed in conference, but its reappearance after similar FY 2026 NDAA language – and its relationship to the BIS Connected Vehicle rule – reflect a broader shift toward treating connected vehicles as data-rich, software-enabled platforms that can implicate supply chain security, military readiness and sensitive-location protection. 

For automakers, suppliers and technology providers, the practical takeaway is that compliance will increasingly require visibility into VCS, ADS and foreign-adversary links across the hardware and software stack. The immediate fate of Section 353 remains uncertain, but the direction of travel is clear: Connected vehicle oversight is becoming a durable part of U.S. national security policy, particularly where foreign-linked technology could access sensitive government, defense or infrastructure environments. 

Holland & Knight continues to monitor developments in the transportation sector. If you have questions or need more information, contact the authors or another member of the Transportation and Infrastructure Policy Team.


Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.


Related Insights