[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3994 Introduced in House (IH)]

<DOC>






114th CONGRESS
  1st Session
                                H. R. 3994

  To direct the Administrator of the National Highway Traffic Safety 
      Administration to conduct a study to determine appropriate 
  cybersecurity standards for motor vehicles, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            November 5, 2015

     Mr. Wilson of South Carolina (for himself and Mr. Ted Lieu of 
 California) introduced the following bill; which was referred to the 
                    Committee on Energy and Commerce

_______________________________________________________________________

                                 A BILL


 
  To direct the Administrator of the National Highway Traffic Safety 
      Administration to conduct a study to determine appropriate 
  cybersecurity standards for motor vehicles, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Security and Privacy in Your Car 
Study Act of 2015'' or the ``SPY Car Study Act of 2015''.

SEC. 2. STUDY ON CYBERSECURITY STANDARDS FOR MOTOR VEHICLES.

    (a) Study Required.--The Administrator of the National Highway 
Traffic Safety Administration, in consultation with the Federal Trade 
Commission, the Director of the National Institute of Standards and 
Technology, the Secretary of Defense, the Automotive Information 
Sharing and Analysis Center, SAE International, manufacturers of motor 
vehicles, manufacturers of original motor vehicle equipment, and 
relevant academic institutions, shall conduct a study to determine 
appropriate standards for the regulation of the cybersecurity of motor 
vehicles manufactured or imported for sale in the United States that 
should be adopted by the Administration and any other appropriate 
Federal agencies. The study shall include an identification of--
            (1) the isolation measures that are necessary to separate 
        critical software systems from other software systems;
            (2) the measures that are necessary to detect and prevent 
        or minimize in the software systems of motor vehicles anomalous 
        codes associated with malicious behavior;
            (3) the techniques that are necessary to detect and 
        prevent, discourage, or mitigate intrusions into the software 
        systems of motor vehicles and other cybersecurity risks in 
        motor vehicles, such as continuous penetration testing and on-
        demand risk assessments; and
            (4) best practices to secure driving data collected by the 
        electronic systems of motor vehicles while such data are stored 
        onboard the vehicle, in transit from the vehicle to another 
        location, and in offboard storage.
    (b) Reports to Congress.--
            (1) Preliminary report.--Not later than 1 year after the 
        date of the enactment of this Act, the Administrator shall 
        submit to the Committee on Energy and Commerce of the House of 
        Representatives and the Committee on Commerce, Science, and 
        Transportation of the Senate a report containing the 
        preliminary findings of the study conducted under subsection 
        (a).
            (2) Final report.--Not later than 6 months after the 
        submission of the report under paragraph (1), the Administrator 
        shall submit to the committees described in such paragraph a 
        report containing the complete findings of the study conducted 
        under subsection (a), including recommended dates for the 
        adoption and effectiveness of the standards determined to be 
        appropriate in such study and recommendations for any 
        legislation that may be necessary to authorize the adoption of 
        such standards.
            (3) Form of report.--The report required by paragraph (2) 
        shall be submitted in unclassified form but may contain a 
        classified annex.
    (c) Definitions.--In this section:
            (1) Administrator.--The term ``Administrator'' means the 
        Administrator of the National Highway Traffic Safety 
        Administration.
            (2) Critical software system.--The term ``critical software 
        system'' means a software system of a motor vehicle that can 
        affect the driver's control of the movement of the vehicle.
            (3) Driving data.--The term ``driving data'' includes any 
        electronic information collected about--
                    (A) a vehicle's status, including its location or 
                speed; or
                    (B) any owner, lessee, driver, or passenger of a 
                vehicle.
                                 <all>