The Department of Commerce’s new rule banning Chinese and Russian components from connected vehicles is already live—and OEMs have until model year 2027 to comply.

That includes signing a Declaration of Conformity stating that your vehicle’s VCS and ADS systems are clean of covered software. The CEO (or their designee) has to sign it. And they’re not just signing a form—they’re taking responsibility.

But what happens when the firmware you get from a supplier is basically a black box?

We built a feature to help with that.

How it Works

The process is simple:

1. Upload the firmware binary to the asset in VicOne’s xZeta tool.
2. VicOne’s xZeta tool scans the binary and extracts an SBOM—even when the supplier didn’t provide one.
3. The system correlates each package with the organization that manages it, including country of origin.
4. Based on this data, risks are automatically generated and assigned to your supply chain team for investigation.
5. Each risk is mapped to a recommended mitigation pulled directly from our threats and controls database.
   
   

It gives you real data—at the software package level—to back up your compliance claims.

Why This Matters

Your suppliers might not know where their code comes from. Or they might not tell you. Either way, this tool gives you a second opinion based on what’s actually in the firmware—not just what someone wrote in a spreadsheet.

It also means your cybersecurity and procurement teams can move faster. Instead of reading a 300-row SBOM and guessing what’s a problem, they can review pre-generated risks with vetted recommendations.

See It in Action

We’ve made two videos to walk through what we built:

• 👉 Feature Walkthrough – shows exactly how the feature works, step-by-step
  
  
• 📣 Promo Video – short overview of the problem and how we’re solving it
  
  

If you haven’t already read our breakdown of the new rule—including key deadlines and what’s required—you can read that article here.