0694-0145 Supporting Statement Jan 2025


Connected Vehicle Supply Chain Rule Compliance Requirements

OMB: 0694-0145






SUPPORTING STATEMENT

U.S. Department of Commerce

Bureau of Industry and Security

Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles

OMB Control No. 0694-0145


A. Justification


1. Explain the circumstances that make the collection of information necessary.


E.O. 13873, “Securing the Information and Communications Technology and Services Supply Chain,” (May 15, 2019) delegated to the U.S. Secretary of Commerce broad authority to prohibit or impose mitigation measures on any information and communications technology and services (ICTS) Transaction with a foreign adversary nexus that is subject to United States jurisdiction and poses undue or unacceptable risks to the United States. This request for a new information collection is necessary due to a regulation focused on connected vehicles. The rule—absent a general or specific authorization otherwise—(1) prohibits VCS hardware importers from knowingly importing into the United States certain hardware for VCS; (2) prohibits connected vehicle manufacturers from knowingly importing into the United States completed connected vehicles incorporating covered software; and (3) prohibits connected vehicle manufacturers from knowingly selling within the United States completed connected vehicles that incorporate covered software. These prohibitions apply to transactions when such VCS hardware or covered software is designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the People’s Republic of China (PRC) or the Russian Federation (Russia). The rule also (4) prohibits connected vehicle manufacturers who are persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia from knowingly selling in the United States completed connected vehicles that incorporate VCS hardware or covered software (collectively, “Prohibited Transactions”).


The new information collection will primarily take the form of Declarations of Conformity, specific authorization applications, and advisory opinion requests. A regulated entity that is not engaging in an otherwise Prohibited Transaction would be responsible for attesting to the U.S. Department of Commerce (the Department) that due diligence has been conducted through the submission of a Declaration of Conformity. A regulated entity that is, and would like to continue, engaging in an otherwise Prohibited Transaction may submit a specific authorization application with information sufficient to demonstrate that the risk can be mitigated. If an entity would like further guidance on whether it is engaging in a Prohibited Transaction, it may submit an advisory opinion request to the Department. These information collections will be used as tools to ensure compliance with the regulation and are integral to the success of the rule.

2. Explain how, by whom, how frequently, and for what purpose the information will be used. If the information collected will be disseminated to the public or used to support information that will be disseminated to the public, then explain how the collection complies with all applicable Information Quality Guidelines.


The collected information will be used by the Department’s Office of Information and Communications Technology and Services (OICTS) to operate a compliance program to ensure that connected vehicle manufacturers and VCS hardware importers understand and comply with the regulation. OICTS’s compliance team will review Declarations of Conformity, specific authorization applications, and advisory opinion requests on a rolling or annual basis, as they are received.


Connected vehicle manufacturers and VCS hardware importers will submit Declarations of Conformity to the Department to attest that they are not engaging in Prohibited Transactions. The information collected for Declarations of Conformity will largely take the form of certifications. In a Declaration of Conformity, an entity will certify that their covered software or VCS hardware is not designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia and attest that they maintain documents, assessments, or otherwise in support of the certification, and can furnish this documentation to the Department upon request.


OICTS will use the information collected through specific authorization applications to evaluate whether an otherwise Prohibited Transaction can be mitigated through the issuance of a specific authorization. This information collection requirement is essential because OICTS must assess whether the information is substantial enough to demonstrate that the otherwise Prohibited Transaction does not pose undue and unacceptable risk to U.S. national security.


Finally, information collected through advisory opinion requests will be used to advise submitters on whether a prospective transaction is subject to a prohibition.


The Department does not anticipate disseminating the collected information to the public except to the extent required by law. This includes information collected for Declarations of Conformity, specific authorization applications, advisory opinion requests, and records to be furnished on demand.


3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological techniques or other forms of information technology.


After the rule is published, the Department will initially intake Declarations of Conformity, specific authorization applications, and advisory opinion requests via PDF forms that will be transmitted to the Department over e-mail. The Department is currently working to create a web-based portal and will transfer intake to this portal once it has been created.


4. Describe efforts to identify duplication.


The Department’s authority is established by Presidential Executive Order, and the Department is the only government department that has authority over the review of foreign adversary ICTS, including in connected vehicles. The Department has worked closely with the interagency in this effort and no duplicate authorities have been identified.


5. If the collection of information involves small businesses or other small entities, describe the methods used to minimize burden.


The Department maintains the flexibility to grant general authorizations to small entities that produce or import connected vehicles or VCS hardware units below a certain threshold into the U.S. each calendar year. The maintenance of records in support of the general authorization would be a compliance requirement for these small entities. Additionally, after reviewing public comments to the proposed rule, the Department has replaced a substantial amount of the information collection requirements with reporting and recordkeeping requirements for Declarations of Conformity. This will considerably decrease the burden for all regulated entities.


6. Describe the consequences to the Federal program or policy activities if the collection is not conducted or is conducted less frequently.


Connected vehicle manufacturers and VCS hardware importers may submit specific authorization applications on an as-needed basis. Without specific authorizations, the Department would not be able to permit otherwise Prohibited Transactions in cases where the risk can be mitigated through the issuance of a specific authorization. Information collection is a key aspect of specific authorizations as entities need to submit information adequate enough to demonstrate that the risk can be mitigated.


Connected vehicle manufacturers and VCS hardware importers may submit advisory opinion requests on an as-needed basis. With this being a new information collection, there are instances where entities will need further guidance on whether a transaction is indeed prohibited. Without advisory opinions, there would be no way for entities to inquire about their specific transactions, which could lead to the unintentional continuation of Prohibited Transactions and a further exacerbation of the risk.


Connected vehicle manufacturers and VCS hardware importers must submit Declarations of Conformity annually, with every new model year. Without annual Declarations of Conformity, the Department would be unable to ensure that VCS hardware or covered software entering the United States are absent of components designed, developed, manufactured or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia. Where there are no material changes to the covered software or VCS hardware for a subsequent model year, the connected vehicle manufacturer or VCS hardware importer may submit a confirmation that the prior submitted information remains accurate. However, annual due diligence must be conducted to ensure that VCS hardware or covered software entering the United States continues to be absent of components designed, developed, manufactured or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia.


7. Explain any special circumstances that require the collection to be conducted in a manner inconsistent with OMB guidelines.


There are no special circumstances that will result in the collection of information in a manner inconsistent with the guidelines of 5 C.F.R. § 1320.6.


8. Provide information of the PRA Federal Register Notice that solicited public comments on the information collection prior to this submission. Summarize the public comments received in response to that notice and describe the actions taken by the agency in response to those comments. Describe the efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and recordkeeping, disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported.


Prior to issuing the rule, the Department sought and received public comment on the concepts in this rule in a Notice of Proposed Rulemaking (NPRM) (89 FR 79088) (September 26, 2024). The Department received 97 comments to the NPRM, and summarizes and addresses those comments, including those surrounding information collection, in the final rule.


9. Explain any decisions to provide payments or gifts to respondents, other than remuneration of contractors or grantees.


This rule will not involve any payment or gifts to respondents who submit documentation.


10. Describe any assurance of confidentiality provided to respondents and the basis for assurance in statute, regulation, or agency policy.


The rule contains a section dedicated to Confidential Business Information (CBI). Any information or material submitted to the Department which the entity or any other party desires to submit in confidence as a part of a Declaration of Conformity, specific authorization application, advisory opinion request, record to be furnished on demand, or is otherwise CBI should be contained within a file beginning its name with the characters “CBI.” Any page containing CBI must be clearly marked “CONFIDENTIAL BUSINESS INFORMATION” on the top of the page. Any pages not containing CBI should not be marked. By submitting information or material identified as CBI, the entity or other party represents that the information is exempted from public disclosure, either by the Freedom of Information Act (5 U.S.C. § 552 et seq.) or by another specific statutory exemption. Any request for CBI treatment must be accompanied at the time of submission by a statement justifying non-disclosure and referring to the specific legal authority claimed.


Information or documentary materials collected under this rule, and not otherwise publicly or commercially available, will not be released publicly except to the extent required by law.


Based on existing statutes, including the criminal provisions of 18 U.S.C. § 1905, federal employees disclosing confidential or business proprietary information may face civil and criminal penalties for doing so.


In addition, the collections of information contained in the rule will include the collection of personally identifiable information (PII). Specifically, information collections related to Declarations of Conformity, specific authorizations, and advisory opinion requests will include identifying information such as an individual’s legal name, e-mail address, and phone number.


After the rule is published, OICTS will initially intake Declarations of Conformity, specific authorization applications, and advisory opinion requests via PDF forms that will be transmitted to the Department over e-mail. The privacy impact assessment (PIA) that covers the Department’s Enterprise IT Infrastructure is available here: PIA CSC GSS OS-009 2022_tsc smk 08-24-2022.pdf. Staff are currently working closely with the Department’s privacy programs to develop the web-based portal that will serve as the primary intake mechanism for this information and plan to publish a separate PIA assessing the associated privacy risks.


While the collections of information include PII, the Declarations of Conformity, specific authorization applications, and advisory opinion requests will be neither indexed nor retrieved by the identifying information, and the information is therefore not maintained in a Privacy Act system of records. As such, the information is not covered by one of the Department’s Privacy Act systems of records notices.


11. Provide additional justification for any questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private.


Not applicable.


12. Provide an estimate in hours of the burden of the collection of information.


The Department estimates that it will take regulated entities 310 to 430 hours to read the rule, understand the rule, and conduct initial due diligence in preparation to comply. Every subsequent year, the Department estimates that it will take regulated entities 150 to 300 hours to re-conduct due diligence into their VCS hardware or covered software supply chains and potentially re-submit the Declaration of Conformity. This broad range accounts for the varying levels of information that entities may need to update per model year. For example, a material change in the covered software or VCS hardware could lead to increased due diligence efforts and the submission of a new Declaration of Conformity. Alternatively, where there are no material changes to the covered software or VCS hardware for a subsequent model year, the connected vehicle manufacturer or VCS hardware importer may submit a confirmation that the prior submitted information remains accurate.


13. Provide an estimate of the total annual cost burden to the respondents or record-keepers resulting from the collection (excluding the value of the burden hours in Question 12 above).


The Department anticipates that the initial cost burden per entity to read the rule, understand the rule, and conduct initial due diligence in preparation to comply is $56,671 to $77,055. Every subsequent year, the Department anticipates that the annual cost burden per entity to re-conduct due diligence into their VCS hardware or covered software supply chains and potentially re-submit the Declaration of Conformity for each new model year is $24,200 to $48,400 per year. This calculation is broken down as follows:


| LINE | ITEM | ESTIMATED COST |
|---|---|---|
| 1 | Average number of Declarations of Conformity, specific authorization applications, or advisory opinion request submissions per entity per year | 2 |
| 2 | Average burden hours per entity per submission per year (including re-conducting due diligence into supply chains and recordkeeping) | 75 to 150 hours |
| 3 | Average burden hours per entity per year (including re-conducting due diligence into supply chains and recordkeeping) | 150 to 300 hours (Line 1 x Line 2) |
| 4 | Average hourly wage of operations managers, engineers, and lawyers [1] | $161.33 |
| | Total | $24,200 to $48,400 (Line 3 x Line 4) |


For purposes of the PRA annual burden estimate, BIS is using the value of 300 average burden hours per entity per year, for a calculated estimated annual cost of $48,400.


14. Provide estimates of annualized cost to the Federal government.


The estimated annual federal salary cost to the U.S. Government to review and, if applicable, respond to Declarations of Conformity, specific authorization applications, and advisory opinion requests after the rule is fully implemented is $971,800 [an estimated total of 430 Declarations of Conformity, specific authorization applications, and advisory opinion requests per year [2] * hourly GS-13 staff rate of $113/hour * average of 20 hours to review each Declaration of Conformity, specific authorization application, or advisory opinion request]. The $113 per staff member per hour cost estimate for this information collection is consistent with the GS-scale salary data for a GS-13 Step 1 (https://www.opm.gov/policy-data-oversight/pay-leave/salaries-wages/salary-tables/pdf/2024/DCB.pdf) multiplied by a factor of 2 to include the cost of benefits and overhead. While BIS expects the time to review and, if applicable, respond to Declarations of Conformity, specific authorization applications, and advisory opinion requests to vary, 20 hours is BIS’s best estimate of this average.


The total estimated annual cost to the U.S. Government is $1,299,728. The calculation is as follows:


| ITEM | ESTIMATED COST |
|---|---|
| Estimated Annual Federal Salary Cost to the U.S. Government | $971,800 |
| Legal Support (two GS-15 Step 1 employees (multiplied by 2 to include the cost of benefits and overhead) @50% of their time) | $327,928 |
| Total | $1,299,728 |



15. Explain the reasons for any program changes or adjustments.


The rule will create a new program that has not previously been implemented. As a new program, there are no changes or adjustments to a pre-existing program being proposed.

16. For collections whose results will be published, outline the plans for tabulation and publication.


BIS may publish on its website an advisory opinion that may be of broad interest to the public, with redactions where necessary to protect CBI.


At this time, there are no in-depth statistical analyses being conducted and no plans for publication of in-depth statistical data. However, any future public reports will only contain aggregated data.


17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain the reasons why display would be inappropriate.


The Department will display the OMB control number and expiration date on all forms.

18. Explain each exception to the certification statement.


There are no exceptions to the certification statement.

B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS


Not applicable.

[1] Operations manager hourly wage (in $2023), doubled to account for benefits and overhead ($155) + Engineer hourly wage (in $2023), doubled to account for benefits and overhead ($105) + Lawyer hourly wage (in $2023), doubled to account for benefits and overhead ($224) = $484 / 3 = $161.33. All hourly wages are estimates from the Bureau of Labor Statistics.

[2] The accompanying Regulatory Impact Analysis estimates that there will be 27 to 215 entities affected by this rule. As a conservative approach, BIS takes the high estimate of 215 affected entities and assumes that half of the entities will submit Declarations of Conformity and half will submit specific authorization applications. BIS also assumes that all 215 entities will request advisory opinions. BIS acknowledges that this is likely an overestimation, but opted to be overinclusive due to the uncertainty surrounding the number of Declarations of Conformity, specific authorization applications, and advisory opinion requests that will be submitted by affected entities per year.


File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Author: Marc Coldiron
File Modified: 0000-00-00
File Created: 2025-01-17
