BIS Rule: Protecting Automakers from Adversarial Code

Client Alert
February 17, 2026
Norma Dowler, Exiger Director of Product Marketing, Cyber

Executive Summary

The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) has finalized a rule that blocks the import or sale of new “connected” vehicles, and certain key software and components, if they rely on software tied to China or Russia. Think of all the cloud-connected systems, such as cameras, microphones, and GPS units, that are now standard on modern vehicles.

The requirements will be phased in, with software starting with Model Year 2027, and vehicle-connectivity hardware following in Model Year 2030.

Annual Declarations of Conformity will be required via BIS’s CARS portal.

Why Is This a Problem for Automakers?

After years of outsourcing software modules to their suppliers, automakers are discovering they don’t know what’s inside their sprawling, multi-tier software supply chains. Over time, “software from suppliers” stopped meaning a few clearly labeled features and started looking like big, bundled packages with limited visibility into who wrote what. Even with contracts and documentation, code often pulls in third-party libraries and subcontracted work many layers down.

So when the government asks, “show us where it came from,” many companies are scrambling to map ownership, provenance, and update paths across thousands of components. Russian or Chinese-linked code can be buried deep in supplier packages, including embedded systems and middleware. Replacing it can mean expensive rewrites, fresh safety and reliability testing, supplier changes, and potential delays to vehicle launches. And demonstrating compliance needs to be done every year.

Exiger Makes It Easy

Exiger Cyber instantly finds FOCI (foreign ownership, control, or influence) signals deep inside software supply chains. It monitors and analyzes 500M+ repositories, 150M+ packages, and more than 68M verified suppliers.

Exiger Cyber shows this component, a direct dependency, has a high score for FOCI risk. You can further drill down for additional information.

By continuously monitoring software, contributors, and supplier relationships across billions of records, Exiger Cyber surfaces risky contributors and FOCI-linked code even when it’s buried deep in your supply chain.

Interactive Demo

Watch the platform analyze an SBOM, rank every dependency by predicted exposure and quality, and reveal the visual graph that links risky libraries to your products, no source code required.

Exiger Cyber shows the geographic location of component suppliers to quickly visualize FOCI concerns.

Why This Matters

This new regulation highlights three critical questions for every automaker:

Do you have full visibility into your software supply chain including all dependencies?

→ It’s not enough to track the software from the “Tier-1” suppliers you know about. You need visibility into the full dependency trees, and not just for compliance reasons. Removing adversarial software reduces risk.

How quickly can you identify Chinese or Russian software components?

→ Manually researching all software and all of its dependency trees is impractical, slow, and expensive.

Are you continuously monitoring all existing and new software for FOCI risk?

→ Software components aren’t static, and the contributors to software libraries and components change over time. Automatically monitoring compliance minimizes your risk and costs.
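The first question above is about transitive visibility: a Tier-1 module can look clean while a watch-listed supplier sits several levels down its dependency tree. The following is an added example, not Exiger’s code, that walks a CycloneDX-style SBOM from a product root, records how deep each component sits, and flags components whose supplier is in a watch-listed jurisdiction or whose provenance is missing. The SBOM, supplier names, the `country` field on the supplier object, and the country codes are constructed sample data.

```python
# Added example (not Exiger's code): breadth-first walk of a CycloneDX-style
# SBOM dependency graph, flagging transitive components by supplier origin.
# The "country" key on "supplier" is an assumption for this sample; real SBOMs
# may carry origin elsewhere or not at all, which is itself a finding.
from collections import deque

WATCH_LIST = {"CN", "RU"}  # assumed ISO codes for the jurisdictions in scope

# Constructed SBOM: the Tier-1 telematics module is US-sourced, but its
# middleware pulls in a GPS parser with a watch-listed supplier three levels
# down, and a logging utility ships with no supplier information at all.
SBOM = {
    "components": [
        {"bom-ref": "telematics-1.0", "supplier": {"name": "TierOneCo", "country": "US"}},
        {"bom-ref": "mw-bus-2.3", "supplier": {"name": "BusWorks", "country": "DE"}},
        {"bom-ref": "gps-parse-0.9", "supplier": {"name": "ExampleGeo", "country": "CN"}},
        {"bom-ref": "log-util-4.1"},                       # no supplier metadata
        {"bom-ref": "unused-lib-1.0", "supplier": {"name": "Other", "country": "RU"}},
    ],
    "dependencies": [
        {"ref": "vehicle-root", "dependsOn": ["telematics-1.0"]},
        {"ref": "telematics-1.0", "dependsOn": ["mw-bus-2.3", "log-util-4.1"]},
        {"ref": "mw-bus-2.3", "dependsOn": ["gps-parse-0.9"]},
        {"ref": "gps-parse-0.9", "dependsOn": ["log-util-4.1"]},  # shared, deeper path
        {"ref": "unused-lib-1.0", "dependsOn": []},               # not shipped in root
    ],
}

def transitive_deps(sbom, root):
    """Map every component reachable from root to its shortest depth (cycle-safe BFS)."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    depth, queue = {}, deque([(root, 0)])
    while queue:
        ref, d = queue.popleft()
        for child in edges.get(ref, []):
            if child not in depth:          # first visit is the shortest path
                depth[child] = d + 1
                queue.append((child, d + 1))
    return depth

def flag_foci(sbom, root, watch=WATCH_LIST):
    """Return (ref, depth, country) for reachable components that need review."""
    by_ref = {c["bom-ref"]: c for c in sbom["components"]}
    hits = []
    for ref, d in sorted(transitive_deps(sbom, root).items(), key=lambda kv: kv[1]):
        country = by_ref.get(ref, {}).get("supplier", {}).get("country")
        if country is None:
            hits.append((ref, d, "UNKNOWN"))  # missing provenance is a finding too
        elif country in watch:
            hits.append((ref, d, country))
    return hits

if __name__ == "__main__":
    for ref, d, c in flag_foci(SBOM, "vehicle-root"):
        print(f"depth {d}: {ref} supplier country={c}")
```

Only components actually reachable from the product root are reported, so the unreferenced `unused-lib-1.0` is ignored while the GPS parser buried under the middleware is surfaced with its depth.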

Talk to us about moving from manual, days-long investigations to automated identification in seconds, cutting the time-to-answer and enabling immediate mitigation.
