Regulatory

Know the “Where” of your Firmware

Dustin Mills
Published on Jun 03, 2025

The Department of Commerce’s new rule banning Chinese and Russian components from connected vehicles is already live—and OEMs have until model year 2027 to comply.

That includes signing a Declaration of Conformity stating that your vehicle’s Vehicle Connectivity System (VCS) and Automated Driving System (ADS) are free of covered software. The CEO (or their designee) has to sign it. And they’re not just signing a form—they’re taking responsibility.

But what happens when the firmware you get from a supplier is basically a black box?

We built a feature to help with that.

How it Works

The process is simple:

  1. Upload the firmware binary to the asset in VicOne’s xZeta tool.
  2. VicOne’s xZeta tool scans the binary and extracts an SBOM—even when the supplier didn’t provide one.
  3. The system correlates each package with the organization that manages it, including country of origin.
  4. Based on this data, risks are automatically generated and assigned to your supply chain team for investigation.
  5. Each risk is mapped to a recommended mitigation pulled directly from our threats and controls database.

It gives you real data—at the software package level—to back up your compliance claims.
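To make the correlation step concrete, here is an added example (not xZeta’s own code, and not Block Harbor’s) that reads a constructed CycloneDX-style SBOM, looks each package up in a hypothetical maintainer/country-of-origin registry, and emits risk records for covered-country packages as well as for packages whose provenance is simply unknown:

```python
import json

# Countries named in the rule discussed above (assumed ISO 3166-1 alpha-2 codes).
COVERED_COUNTRIES = {"CN", "RU"}

# Constructed CycloneDX-style SBOM fragment; not from any real supplier firmware.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"},
        {"name": "vendor-ota-agent", "version": "4.2.0"},
        {"name": "can-bridge", "version": "0.9.7", "purl": "pkg:generic/can-bridge@0.9.7"},
    ],
})

# Constructed registry: package name -> (managing organisation, country code).
# Hypothetical values; a real correlation needs curated ownership data.
PACKAGE_REGISTRY = {
    "zlib": ("zlib contributors", "US"),
    "vendor-ota-agent": ("Example Telematics Co.", "CN"),
}

def load_components(sbom_text):
    """Return (name, version) pairs from a CycloneDX-style JSON document."""
    bom = json.loads(sbom_text)
    return [(c.get("name", ""), c.get("version", "")) for c in bom.get("components", [])]

def assess(sbom_text, registry=PACKAGE_REGISTRY, covered=COVERED_COUNTRIES):
    """Correlate each package with its managing org/country and emit risk records.

    Covered-country packages get a 'high' risk. Packages with no registry entry get
    a 'medium' unknown-provenance risk: missing data is not evidence that a package
    is clean, which is exactly the gap a supplier spreadsheet tends to hide.
    """
    risks = []
    for name, version in load_components(sbom_text):
        org, country = registry.get(name, (None, None))
        if country in covered:
            risks.append({"package": name, "version": version, "org": org,
                          "country": country, "severity": "high",
                          "mitigation": "Confirm provenance with the supplier and plan a "
                                        "replacement before the model year 2027 "
                                        "Declaration of Conformity."})
        elif country is None:
            risks.append({"package": name, "version": version, "org": None,
                          "country": None, "severity": "medium",
                          "mitigation": "Request maintainer and country-of-origin "
                                        "evidence from the supplier."})
    return risks

if __name__ == "__main__":
    for r in assess(SBOM_JSON):
        print(f"{r['severity']:>6}  {r['package']}@{r['version']}  {r['mitigation']}")
```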

Why This Matters

Your suppliers might not know where their code comes from. Or they might not tell you. Either way, this tool gives you a second opinion based on what’s actually in the firmware—not just what someone wrote in a spreadsheet.

It also means your cybersecurity and procurement teams can move faster. Instead of reading a 300-row SBOM and guessing what’s a problem, they can review pre-generated risks with vetted recommendations.

See It in Action

We’ve made two videos to walk through what we built:

If you haven’t already read our breakdown of the new rule—including key deadlines and what’s required—you can read that article here.
