Specific Authorizations

The Specific Authorization application will be made available for download on this subpage the day the Connected Vehicles Rule goes into effect, March 17, 2025.

Download and complete the fillable PDF Specific Authorization application form below. You will also need to collect and submit documentation supporting the information contained in the application (such as any ISO/SAE 21434 Threat Analysis and Risk Assessments, if applicable). Please compile this form and any related documentation into a single PDF for submission.

Once you are ready, submit your completed application package to [email protected]. Please entitle the subject of your email: Specific Authorization Application: Entity Name.  

Any questions related to the Specific Authorization form should be submitted to [email protected].

During the processing of your Specific Authorization application, OICTS may reach out to request additional information as necessary to make an application decision. This may include a request by OICTS for an oral briefing by you and any other relevant parties. You may present additional information concerning your application to OICTS at any time prior to OICTS issuing its application decision. Any additional information should be submitted to [email protected].

Yes. You may use third parties in compliance with 15 C.F.R. § 791.315.

Any information or material submitted to OICTS which the entity or any other party desires to submit in confidence as a part of a Specific Authorization application should be contained within a file beginning its name with the characters “CBI.” Any page containing Confidential Business Information must be clearly marked “CONFIDENTIAL BUSINESS INFORMATION” on the top of the page. Any pages not containing Confidential Business Information should not be marked. By submitting information or material identified as Confidential Business Information, the entity or other party represents that the information is exempted from public disclosure, either by the Freedom of Information Act (5 U.S.C. § 552 et seq.) or by another specific statutory exemption. Any request for Confidential Business Information treatment must be accompanied at the time of submission by a statement justifying non-disclosure and referring to the specific legal authority claimed.

Applications for Specific Authorizations will be reviewed on a case-by-case basis. OICTS may require unique terms as a condition to granting a Specific Authorization in order to mitigate any risk arising from the otherwise prohibited transaction.

This review will include an evaluation of the risks and potential mitigation measures proposed by the applicant.

In making a determination to grant a Specific Authorization, OICTS may consider risks including, but not limited to, risks of data exfiltration from, and remote manipulation or operation of, the connected vehicle and the extent and nature of foreign adversary involvement in the design, development, manufacture, or supply of the VCS hardware or covered software.

Mitigation may include the applicant’s ability to limit PRC or Russian government access to, or influence over, the design, development, manufacture or supply of the VCS hardware or covered software; security standards used by the applicant and if such standards can be validated by OICTS or a third-party; and other actions or proposals the applicant intends to take to mitigate undue or unacceptable risk.

OICTS will inform each applicant of its decision to grant or deny a Specific Authorization in writing.

OICTS will provide you with a decision on your application package within 90 days of receipt unless we notify you within the 90-day period that additional time is required.

Please note, failure or delays in submitting additional information requested by OICTS may delay or preclude OICTS’s ability to issue a Specific Authorization.

Currently, OICTS does not have an automated way of displaying the status of Specific Authorization applications.

If you have not received a decision on your Specific Authorization application or a notice that OICTS requires additional time to process your application within 90 days of submission, you may request a status update at [email protected].

No. Unless otherwise specified, a Specific Authorization applies only to the transaction:

1. Between the parties identified in the Specific Authorization;
2. Described in the Specific Authorization; and
3. If the conditions specified in the Specific Authorization are satisfied.

No. You should only submit one Specific Authorization application for each prohibited transaction. Multiple Specific Authorization applications for the same transaction may result in processing delays.

OICTS may establish compliance, auditing, or verification requirements as conditions for granting a Specific Authorization.

Additionally, except as otherwise provided by law, any Specific Authorization or instructions issued as part of a Specific Authorization may be amended, modified, or rescinded by OICTS at any time.   

Applicants whose Specific Authorization application is denied may appeal this denial by submitting a written statement in support of your position to the Under Secretary of the Bureau of Industry and Security either through email or via mail. This appeal must be submitted no later than 45 days after the date appearing on your notice of denial. More detailed instructions on this appeals procedure can be found in the Connected Vehicles Rule in 15 C.F.R. § 791.309.

Applicants may also request OICTS reconsider a denied Specific Authorization application if there are new material facts or a change in circumstance related to the transaction in question.

This denial does not preclude you from filing an application for a Specific Authorization for a separate prohibited transaction.

Generally, Specific Authorizations will be approved for no less than one (1) model year or calendar year.

OICTS may approve Specific Authorization for less than one (1) year on a case-by-case basis for temporary situations, including:

1. 2027 model years that include covered software and are actively being sold or imported as of the effective date of this rule;
2. Covered software and VCS hardware supply chains that are affected by force majeure events;
3. As a result of a corporate merger, investment, acquisition, joint venture, or conversion of equity (such as from debt) that occurs during model year production;
4. As a result of the closure or relocation of facilities involved in the production of covered software or VCS hardware; and
5. Other instances as determined by OICTS.

You are required to maintain records for 10 years and may need to submit reports and statements to OICTS according to any instructions specific in your approved Specific Authorization.

OICTS expects to make the Specific Authorization application available on this subpage the day the Connected Vehicles Rule goes into effect, March 17, 2025. After this time, OICTS will accept Specific Authorization applications on a rolling-basis. However, due to the separate implementation timelines for the covered software and VCS hardware prohibitions, OICTS will initially prioritize responding to Specific Authorization applications for covered software transactions.

As of 2025, OICTS recommends you prioritize the submission of applications for Specific Authorizations for covered software transactions due to the separate implementation timelines for the covered software and VCS hardware prohibitions.

OICTS will not grant applications for Specific Authorizations for transactions that are otherwise permitted under a General Authorization.