Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

SELF DRIVE Act revival: what it means for AV cybersecurity governance


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Congress is making a third attempt at federal autonomous vehicle legislation, with the SELF DRIVE Act adding safety-case submissions, a national crash repository, and written cybersecurity plans while 34 states keep their own rules, according to Upstream Security. The core issue is no longer whether AV regulation is needed, but whether safety-led governance can close cybersecurity and supply-chain gaps fast enough.

NHIMG editorial — based on content published by Upstream Security: Compliance Connected Vehicle Cybersecurity, The SELF DRIVE Act Returns

Questions worth separating out

Q: What breaks when AV regulation is fragmented across states?

A: Fragmentation forces manufacturers and fleet operators to maintain multiple control interpretations, documentation sets, and exception processes at once.

Q: Why do connected vehicles need stronger identity governance than traditional IoT devices?

A: Connected vehicles exchange safety-critical data, receive remote updates, and operate across long asset lifecycles, so identity failures can affect physical safety as well as confidentiality.

Q: How do organisations know if AV cybersecurity plans are actually working?

A: They should test whether the plan can answer three questions quickly: who accessed the system, what changed, and which supplier or software path made the change possible.

Practitioner guidance

  • Build a combined safety and cyber evidence pack Tie AV safety-case claims to software versions, security testing, supplier attestations, and change approvals so the submission reflects current operational risk.
  • Map supplier access and remote maintenance pathways Document who can reach vehicle management interfaces, what authentication they use, and how access is revoked when contracts or support relationships end.
  • Create one control baseline across jurisdictions Use a single internal control set for AV operations, then map it to state, federal, insurance, and supplier obligations to reduce drift and duplicated exceptions.

What's in the full article

Upstream Security's full article covers the legislative and operational detail this post intentionally leaves for the source:

  • The bill language that expands NHTSA authority over Level 4 and Level 5 automated driving systems.
  • The proposed National Automated Vehicle Safety Data Repository and its role in crash and incident reporting.
  • The federal preemption debate affecting state-level licensing, registration, and insurance requirements.
  • The cybersecurity plan obligations tied to safety case submissions and supply-chain review.

👉 Read Upstream Security's analysis of the SELF DRIVE Act and autonomous vehicle regulation →

SELF DRIVE Act revival: what it means for AV cybersecurity governance?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Safety-case governance is now the right model for autonomy, but only if it includes cyber evidence. The bill borrows the aviation idea of proving a system is safe before scale, which is directionally sensible for autonomous vehicles. But safety without security evidence is incomplete because connected vehicles fail through software, supplier access, and update paths as often as through physical malfunction. Practitioners should treat safety cases as combined safety and cyber assurance files, not as pure regulatory paperwork.

A question worth separating out:

Q: Who is accountable when a connected vehicle incident crosses safety, cyber, and supplier boundaries?

A: Accountability should sit with the organisation that owns the operational risk, not with whichever supplier happened to be involved at the end of the chain. That requires clear ownership for access management, change control, incident reporting, and contractual offboarding so responsibility does not disappear in the handoffs.

👉 Read our full editorial: The SELF DRIVE Act returns: federal AV regulation meets cyber gaps



   
ReplyQuote
Share: