American CISOs should prepare now for the coming connected-vehicle tech bans


“They’re going to need to collaborate with their procurement teams to make sure that the vehicles that are purchased align with these new regulations, particularly as we get closer to 2027,” Vanessa Miller, partner at law firm Foley and head of the firm’s national auto team, tells CSO. “The burden of compliance with the final rule rests on the vehicle manufacturers and importers, but CISOs play a crucial role in safeguarding their organizational assets.”

As a matter of general operating procedure, “any current vehicle fleet should be looked at for security vulnerabilities associated with existing components to look at software updates that may be prudent to mitigate those risks,” Miller says. On top of that, “you’re going to want uniformity across your fleet after 2027, and you’re not going to want to worry about being flagged for noncompliance for something that you purchased retroactively.”

Figuring out the supply chain for organizational vehicles will soon become necessary for most CISOs. “There’s going to be some pointed questions that someone needs to ask to get to the bottom of the supply chain and see where the software is coming from and who owns it,” Miller says. “Look at things like the vendor management and supply chain policies in place to ensure that the burden is on the vehicle manufacturer to certify these things.”
