[Discussion Draft] FEBRUARY 11, 2020

SEC. CYBERSECURITY RISKS TO MOTOR VEHICLE SAFETY.

Subchapter I of chapter 301 of title 49, United States Code, is amended by adding at the end the following:

30107. Cybersecurity risks to motor vehicle safety

CYBERSECURITY later than 180 days after the date of enactment of this section, a manufacturer may not sell, offer for sale, introduce or deliver for introduction into commerce, or import into the United States, any [motor vehicle,] or [highly automated vehicle, vehicle that performs partial driving automation, or automated driving system] unless such manufacturer has developed, maintains, and executes cybersecurity practices and processes to minimize cybersecurity risks to motor vehicle safety.

CYBERSECURITY cybersecurity practices and processes required under subsection shall include:

the risk-based prioritized identification, assessment, and protection of safety-critical vehicle control systems and the broader transportation ecosystem, as appropriate, through the product development process and entire life-cycle of the vehicle;

a process for taking preventative and corrective actions to mitigate against vulnerabilities, including cybersecurity incident response plans;

the timely detection, assessment, and response to potential vehicle cybersecurity incidents in the field, including false and spurious messages and malicious vehicle control commands;

facilitating recovery from cybersecurity incidents as they occur;

sharing lessons learned across industry through voluntary exchange of information pertaining to cybersecurity incidents, threats, and vulnerabilities;

coordinated cybersecurity vulnerability disclosure policy or other related practices for collaboration with third-party cybersecurity researchers;

the identification of an officer or other individual of the manufacturer as the point of contact with responsibility for the management of cybersecurity;

the evaluation of elements of the supply chain to identify and address cybersecurity vulnerabilities;

the use of segmentation and isolation techniques in vehicle architecture design, as appropriate;

employee training and supervision for implementation and maintenance of the policies and procedures required by this section; and

considering consistency and alignment with the cybersecurity risk management approach described in section 2(e) of the National Institute of Standards and Technology Act (15 U.S.C. 272(e)) or international consensus cybersecurity standards.

CYBERSECURITY later than 2 years after the date of enactment of this Act, the Secretary of Transportation, in coordination with any other appropriate Federal agency, shall conduct a study on the state of cybersecurity regarding [motor vehicles,] or [highly automated vehicles, vehicles that perform partial driving automation, or automated driving systems].

In conducting such study, the Secretary shall:

develop a comprehensive list of Federal agencies with jurisdiction over cybersecurity and a brief description of such jurisdiction or expertise of such agencies;

identify all interagency activities taking place among Federal agencies related to cybersecurity regarding [motor vehicles,] or [highly automated vehicles, vehicles that perform partial driving automation, or automated driving systems], including working groups or any other relevant coordinated effort;

develop a comprehensive list of public-private partnerships focused on cybersecurity regarding [motor vehicles,] or [highly automated vehicles, vehicles that perform partial driving automation, or automated driving systems], as well as any industry-based bodies, including international bodies, which have developed, or are developing, mandatory or voluntary standards for cybersecurity and the status of such standards;

identify all regulations, guidelines, mandatory standards, voluntary standards, and other policies implemented by each Federal agency identified under this section, as well as all guidelines, mandatory standards, voluntary standards, and other policies implemented by industry-based bodies;

review the current equipment, measures, guidelines, or practices used across the industry to identify, protect, detect, respond to, or recover from cybersecurity incidents affecting the safety of a passenger motor vehicle; and

identify existing cybersecurity resources to assist individuals in maintaining awareness of cybersecurity risks due to motor vehicle safety and mechanisms for alerting a human driver or operator regarding cybersecurity vulnerabilities.

The Secretary shall submit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a report that contains:

the results of the study conducted under paragraph

recommendations to enable the exchange of information and lessons learned across the industry regarding cybersecurity incidents, threats, and potential vulnerabilities; and

recommendations for legislation or rulemakings needed to address any cybersecurity issue to motor vehicle safety related to [motor vehicles,] or [highly automated vehicles, vehicles that perform partial driving automation, or automated driving systems].

CYBERSECURITY the Secretary makes a determination under subsection that rulemakings are needed to address any cybersecurity issue to motor vehicle safety [related to [motor vehicles,] or [highly automated vehicles, vehicles that perform partial driving automation, or automated driving systems]] the Secretary shall complete such rulemakings not later than years after the study is completed]

REPORTING an annual basis, a manufacturer of a [motor vehicle,] or [highly automated vehicle, vehicle that perform partial driving automation, or automated driving system] shall provide the Secretary a detailed description of the practices and processes maintained by the manufacturer to minimize cybersecurity risks to motor vehicle safety. Such reports shall be considered privileged and confidential for the purposes of section 552(b)(4) of title 5, United States Code]

Secretary may investigate any cybersecurity processes and practice developed, maintained, and executed by a manufacturer under this section to determine whether a manufacturer has complied, or is
complying, with this section, chapter, or a regulation prescribed or order issued pursuant to this chapter]

CIVIL 30165(a)(1) of title 49, United States Code is amended by inserting "30107," after "section".]

term "cybersecurity incident" has the meaning given the term "significant cyber incident" in Presidential Policy Directive 41 issued July 26, 2016.

CLERICAL analysis for chapter 301 of title 49, United States Code, is amended by inserting after the item relating to section 30107, as added by section the following:

"30107. Cybersecurity Risk to Motor Vehicle Safety.".".

PAT20124 Discussion Draft S.L.C.

SEC. AUTHORIZATION OF APPROPRIATIONS.

There is authorized to be appropriated to the Secretary for each of fiscal years [2021] through [2031]:

carry out this Act and the amendments made by this Act; and

(2) to determine the compliance of highly automated vehicles with the requirements of the chapter 301 of title 49, United States Code.

PAT20125 Discussion Draft S.L.C.

DUAL USE VEHICLE SAFETY.

IN 30122(b) of title 49, United States Code, is amended:]

by striking manufacturer" and inserting the following:]

IN as provided in paragraph (2), a manufacturer"; and]

by adding at the end the following:]

(1) shall not apply in cases in which a manufacturer intentionally causes a steering wheel, brake pedal, accelerator pedal, gear shift, or any other device or element of design relating to the performance of the dynamic driving task by a human driver to be temporarily disabled during the time that an automated driving system is performing the entire dynamic driving task if the applicable motor vehicle is otherwise in compliance with applicable motor vehicle safety standards:]

when a Level 4 or Level 5 automated driving system is engaged; and]

when that system is not engaged.".]

the Secretary prescribes a regulation in accordance with section 30122(c) of title 49, United States Code, to exempt a manufacturer (as defined in section 30102 of that title) from the prohibition under paragraph (1) of section 30122(b) of that title with respect to highly automated vehicles, effective on the date on which that regulation is prescribed:]

(1) the amendments to section 30122(b) of that title made by subsection shall terminate; and]

section 30122(b) of that title shall be in effect as if these amendments had not been enacted]

PAT20126 S.L.C.

SEC. . CRASH DATA.

CRASH (1) IN later than 3 years after the date of enactment of this Act, the Secretary shall revise the crash data collection system to include the collection of crash report data elements that identify whether any vehicle involved in a crash is a highly automated vehicle or a vehicle performing partial driving automation, including:

(A) the level of automation; and

(B) whether the automated driving features were engaged at the time of the crash.

(2) carrying out paragraph (1), the Secretary may coordinate with States to update the Model Minimum Uniform Crash Criteria to provide guidance to States on the collection of information.

EARLY WARNING later than 3 years after the date of enactment of this Act, the Secretary shall revise section 579.21 of title 49, Code of Federal Regulations, to update system or component categories to include systems or components of automated driving systems]

PAT20127 Discussion Draft S.L.C.

SEC. CONSUMER EDUCATION.

(1) IN later than years after the date of enactment of this Act, the Secretary shall conduct research to determine the most effective method and terminology for informing consumers about the capabilities and limitations of automated vehicle technology, including advanced driver assistance technology.

(2) conducting the research described in paragraph (1), the Secretary shall determine whether the method and terminology described in that paragraph:

(A) should be based on or include the terminology defined in the SAE International Recommended Practice report numbered 3016 and dated June 15, 2018; or

(B) should include alternative terminology.

later than years after the date of enactment of this Act, the Secretary shall [issue a rule initiate a rulemaking proceeding] to require manufacturers to inform consumers of the capabilities and limitations of the driving automation systems or features of any highly automated vehicle or partially automated vehicle, [including any changes to those capabilities and limitations [due to resulting from that may result from] software updates]

PAT20128 Discussion Draft S.L.C.

SEC. . PERSONNEL AND STAFFING.

to the availability of appropriations authorized under section not later than years after the date of enactment of this Act, the Secretary shall hire to carry out this Act and to determine the compliance of highly automated vehicles with the requirements of chapter 301 of title 49, United States Code, not fewer than personnel with knowledge, skills, [or and] expertise in:

(1) cybersecurity;

(2) electrical and mechanical engineering;

(3) software application in the automotive context; [or and]

(4) any other area, as determined by the Secretary.

RESOURCE AND STAFFING (1) IN later than months after the date of enactment of this Act, the Secretary shall submit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives a resource and staffing report describing:

(A) how the Secretary shall carry out subsection and

(B) any additional personnel or resources that the Secretary expects will be needed during the [10]-year period following the date of submission of the report:

to carry out this Act; and

(ii) to determine the compliance of highly automated vehicles and partially automated vehicles with the requirements of chapter 301 of title 49, United States Code.

(2) later than 3 years after the date on which the staffing report under paragraph (1) is submitted to the committees described in that paragraph, the Secretary shall:

(A) update the report; and

(B) submit the updated report to those committees.

carrying out subsections and the Secretary shall:

(1) consider the staffing of the Highly Automated Systems Safety Center of Excellence established under section 105 of title I of division of the Further Consolidated Appropriations Act, 2020 (Public Law 116-94); and

(2) coordinate with the Highly Automated Systems Safety Center of Excellence, as appropriate, to ensure that resources are being allocated appropriately to carry out this Act.

PAT20109 S.L.C.

SEC. SAVINGS PROVISION.

Nothing in this Act alters any existing authority under subtitle VI of title 49, United States Code, relating to motor vehicles with a gross vehicle weight of 10,001 pounds or more.