(c) Applications for specific authorizations. Applications for specific authorizations shall include, at a minimum, a description of the nature of the otherwise prohibited transaction(s), including the following:
- (1) The identity of the parties engaged in the transaction, including relevant corporate identifiers and information sufficient to identify the ultimate beneficial ownership of the transacting parties;
- (2) An overview of the VCS hardware or covered software that is designed, developed, manufactured, or supplied by a person owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia, including persons responsible for assembling and packaging VCS hardware or covered software;
- (3) If known, the make, model, and trim of the connected vehicle(s) in which the VCS hardware or covered software will be integrated;
- (4) The intended function of the VCS hardware or covered software;
- (5) Documentation to support the information contained in the application, such as any ISO/SAE 21434 Threat Analysis and Risk Assessments (if available);
- (6) An assessment of the applicant's ability to limit PRC or Russian government access to, or influence over the design, development, manufacture, or supply of the VCS hardware or covered software;
- (7) Security standards used by the applicant with respect to the VCS hardware or covered software; and
- (8) Other actions and proposals such as technical controls (e.g., software validation) or operational controls (e.g., physical and logical access monitoring procedures) the applicant intends to take to mitigate undue or unacceptable risk, if applicable.