[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3407 Introduced in House (IH)]

<DOC>






115th CONGRESS
  1st Session
                                H. R. 3407

To amend chapter 301 of subtitle VI of title 49, United States Code, to 
  require a cybersecurity plan for highly automated vehicles, and for 
                            other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             July 26, 2017

 Mr. Kinzinger (for himself and Ms. Clarke of New York) introduced the 
   following bill; which was referred to the Committee on Energy and 
                                Commerce

_______________________________________________________________________

                                 A BILL


 
To amend chapter 301 of subtitle VI of title 49, United States Code, to 
  require a cybersecurity plan for highly automated vehicles, and for 
                            other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. CYBERSECURITY OF AUTOMATED DRIVING SYSTEMS.

    (a) In General.--Chapter 301 of subtitle VI of title 49, United 
States Code, is amended by inserting after section 30129 (as added by 
section 4) the following new section:
``Sec. 30130. Cybersecurity of automated driving systems
    ``(a) Cybersecurity Plan.--A manufacturer may not sell, offer for 
sale, introduce or deliver for introduction into commerce, or import 
into the United States, any highly automated vehicle, vehicle that 
performs partial driving automation, or automated driving system unless 
such manufacturer has developed a cybersecurity plan that includes the 
following:
            ``(1) A written cybersecurity policy with respect to the 
        practices of the manufacturer for detecting and responding to 
        cyber attacks, unauthorized intrusions, and false and spurious 
        messages or vehicle control commands. This policy shall 
        include--
                    ``(A) a process for identifying, assessing, and 
                mitigating reasonably foreseeable vulnerabilities from 
                cyber attacks or unauthorized intrusions, including 
                false and spurious messages and malicious vehicle 
                control commands; and
                    ``(B) a process for taking preventive and 
                corrective action to mitigate against vulnerabilities 
                in a highly automated vehicle or a vehicle that 
                performs partial driving automation, including incident 
                response plans, intrusion detection and prevention 
                systems that safeguard key controls, systems, and 
                procedures through testing or monitoring, and updates 
                to such process based on changed circumstances.
            ``(2) The identification of an officer or other individual 
        of the manufacturer as the point of contact with responsibility 
        for the management of cybersecurity.
            ``(3) A process for limiting access to automated driving 
        systems.
            ``(4) A process for employee training and supervision for 
        implementation and maintenance of the policies and procedures 
        required by this section, including controls on employee access 
        to automated driving systems.
    ``(b) Effective Date.--This section shall take effect 180 days 
after the date of enactment of this section.''.
    (b) Enforcement Authority.--Section 30165(a)(1) of title 49, United 
States Code, is amended by inserting ``30130,'' after ``30127,''.
    (c) Clerical Amendment.--The analysis for chapter 301 of subtitle 
VI of title 49, United States Code, is amended by inserting after the 
item relating to section 30129 (as added by section 4) the following 
new item:

``30130. Cybersecurity of automated driving systems.''.
    (d) Definitions.--Section 30102 of title 49, United States Code, is 
amended--
            (1) in subsection (a)--
                    (A) by redesignating paragraphs (1) through (13) as 
                paragraphs (2), (3), (4), (5), (8), (9), (10), (11), 
                (12), (13), (15), (16), and (17), respectively;
                    (B) by inserting before paragraph (2) (as so 
                redesignated) the following:
            ``(1) `automated driving system' means the hardware and 
        software that are collectively capable of performing the entire 
        dynamic driving task on a sustained basis, regardless of 
        whether such system is limited to a specific operational design 
        domain.'';
                    (C) by inserting after paragraph (5) (as so 
                redesignated) the following:
            ``(6) `dynamic driving task' means all of the real time 
        operational and tactical functions required to operate a 
        vehicle in on-road traffic, excluding the strategic functions 
        such as trip scheduling and selection of destinations and 
        waypoints, and including--
                    ``(A) lateral vehicle motion control via steering;
                    ``(B) longitudinal vehicle motion control via 
                acceleration and deceleration;
                    ``(C) monitoring the driving environment via object 
                and event detection, recognition, classification, and 
                response preparation;
                    ``(D) object and event response execution;
                    ``(E) maneuver planning; and
                    ``(F) enhancing conspicuity via lighting, 
                signaling, and gesturing.
            ``(7) `highly automated vehicle'--
                    ``(A) means a motor vehicle equipped with an 
                automated driving system; and
                    ``(B) does not include a commercial motor vehicle 
                (as defined in section 31101).'';
                    (D) by inserting after paragraph (13) (as so 
                redesignated) the following:
            ``(14) `operational design domain' means the specific 
        conditions under which a given driving automation system or 
        feature thereof is designed to function.''; and
                    (E) by adding at the end the following:
            ``(18) `vehicle that performs partial driving automation' 
        does not include a commercial motor vehicle (as defined in 
        section 31101).''; and
            (2) by adding at the end the following:
    ``(c) Revisions to Certain Definitions.--
            ``(1) If SAE International (or its successor organization) 
        revises the definition of any of the terms defined in paragraph 
        (1), (6), or (14) of subsection (a) in Recommended Practice 
        Report J3016, it shall notify the Secretary of the revision. 
        The Secretary shall publish a notice in the Federal Register to 
        inform the public of the new definition unless, within 90 days 
        after receiving notice of the new definition and after opening 
        a period for public comment on the new definition, the 
        Secretary notifies SAE International (or its successor 
        organization) that the Secretary has determined that the new 
        definition does not meet the need for motor vehicle safety, or 
        is otherwise inconsistent with the purposes of this chapter. If 
        the Secretary so notifies SAE International (or its successor 
        organization), the existing definition in subsection (a) shall 
        remain in effect.
            ``(2) If the Secretary does not reject a definition revised 
        by SAE International (or its successor organization) as 
        described in paragraph (1), the Secretary shall promptly make 
        any conforming amendments to the regulations and standards of 
        the Secretary that are necessary. The revised definition shall 
        apply for purposes of this chapter. The requirements of section 
        553 of title 5 shall not apply to the making of any such 
        conforming amendments.
            ``(3) Pursuant to section 553 of title 5, the Secretary may 
        update any of the definitions in paragraph (1), (6), or (14) of 
        subsection (a) if the Secretary determines that materially 
        changed circumstances regarding highly automated vehicles have 
        impacted motor vehicle safety such that the definitions need to 
        be updated to reflect such circumstances.''.
                                 <all>