OOIDA raises alarm on cybersecurity gaps in House bill over autonomous trucks

WASHINGTON — The Owner-Operator Independent Drivers Association (OOIDA) is opposing H.R. 7390, the SELF DRIVE Act of 2026, warning the bill would allow deployment of driverless 80,000-pound trucks based largely on company self-certification without independent federal verification of safety claims.

OOIDA president Todd Spencer sent a letter to House Energy and Commerce Committee leadership expressing concern for the gaps in the bill

“We write to express our opposition to H.R. 7390, the SELF DRIVE Act of 2026, since it fails to ensure the safe operation of driverless trucks or provide adequate transparency about their performance and capabilities,” Spencer said.

Lack of Regulation

According to Spencer, a recent crackdown from the Federal Motor Carrier Safety Administration (FMCSA) demonstrated
the importance of oversight and enforcement of critical safety regulations.

“On Feb. 18, FMCSA announced it was revoking the authority of over 550 Commercial Driver’s License (CDL) training schools for failing to meet federal safety standards and in some cases, perpetrating outright fraud,” Spencer said. “We applaud FMCSA for this action since ensuring compliance with basic training and licensing standards is foundational to road safety. This action makes clear that regulatory verification and enforcement are critical to upholding safety standards.”

According to the letter, instead of holding autonomous vehicles to similar standards, H.R. 7390 would permit the operation
of driverless 80,000 pound trucks based on the unverified assertions of companies with a vested financial interest in their deployment. While companies would be required to develop a “safety case” describing how the vehicle would operate safely, there is no requirement that the federal government verify these plans. In fact, companies would not need to provide these cases to the government before deployment or possibly even at all.

Self-Certification

“These cases must only be submitted to DOT upon request,” Spencer said. “This amounts to self-certification for the use of heavy-duty trucks on our nation’s roads. Under these circumstances, there is no way for the public to know whether these vehicles will operate safely. The use of ‘self-certification’ has already proven to have serious shortcomings in multiple areas
across the trucking industry, and taking this approach with autonomous CMVs would be the most disastrous use yet. To take one example, the Electronic Logging Device (ELD) mandate requires that heavy-duty trucks be equipped with a device, hardwired into the engine control module, that tracks the truck’s location and uptime, among other information.”

According to Spencer, when issuing this regulation, FMCSA established only “minimally compliant” security standards, and no requirement for third-party validation or testing prior to self-certification.

“As a result, we have seen numerous reports of ELDs that are vulnerable to cybersecurity attacks and could allow hackers to, take control of, steal data from, or even disrupt entire fleets by spreading malware unnoticed between vehicles,” Spencer said.

Cyber Security Vulnerabilities 

“In 2019, the FBI issued a security bulletin that highlighted the ability of cyber criminals to exploit ELD vulnerabilities due to a lack of certified security practices,” Spencer said. “Specifically, they noted that ‘this poses a risk to businesses because
ELDs create a bridge between previously unconnected systems critical to trucking operations.’ Similar to the implementation of the ELD mandate, H.R. 7390 contains only vague and insufficient cybersecurity requirements that fail to ensure the safety and integrity of automated vehicle operations. The bill merely requires manufacturers to maintain a written cybersecurity policy outlining how they would ‘detect and respond to cyber attacks, unauthorized intrusions, and false vehicle control commands,’ without defining specific technical standards such a policy must meet.”

Plan of Action Needed

“This lack of specificity raises questions if these policies would actually prevent or mitigate cyberattacks, or whether manufacturers could even execute their stated plans since the bill does not require them to prove compliance or verify cybersecurity protections are functioning as intended,” Spencer said. “Equally troubling, H.R. 7390 includes no requirement for public disclosure of cyber intrusions, nor any mandate that companies suspend operations or take vehicles offline in the event of a cyber incident.”

According to Spencer, as written, the legislation grants manufacturers significant discretion while offering the public little transparency or assurance that cybersecurity threats are being addressed promptly or appropriately.

“Although H.R. 7390 attempts to provide additional cybersecurity oversight by requiring a review of the Department of Commerce’s previously issued rule, ‘Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles,’ CMVs would not be included in this review since they were specifically excluded from the rule’s scope. The Department of Commerce omitted CMVs because the complex nature of this sector and national security concerns require special attention. Specifically, the Department highlighted that vehicle connectivity systems for CMVs, ‘pose a significant national security risk when designed, developed, manufactured, or supplied,’ by Chinese or Russian entities, and these risks would likely require a separate rulemaking to address this significant threat..”

Addressing Cybersecurity Threats

“This alone should be reason enough for the committee to recognize additional work is needed to address cybersecurity concerns for CMVs and it would be premature to permit their deployment under H.R. 7390,” Spencer said. “We also believe that this legislation fails to adequately address outstanding questions about how current safety regulations and licensing requirements will apply to heavy-duty trucks operating with automated driving systems (ADS).

Unanswered Questions

In the letter, Spencer noted that in 2019, FMCSA issued an Advanced Notice of Proposed Rulemaking (ANPRM) regarding the deployment of autonomous commercial motor vehicles (FMCSA-2018-0037-0131). This ANPRM raised numerous questions about how autonomous CMVs could be deployed, what safety measures should be in place, and in particular, what sort of CDL qualifications or requirements should be required of operators of these CMVs.

“To date, many of these questions remain unanswered,” Spencer said. “We are concerned that this legislation doesn’t directly address qualifications for remote operators for CMVs, or how an ADS would meet current Federal Motor Carrier Safety Regulations (FMCSRs) and qualifications for CMV drivers. Whether a vehicle is operated directly by a driver behind the wheel or by a remote assistant monitoring and potentially assuming control, the individual performing that function must hold a valid CDL. The CDL framework is built on decades of safety experience and ensures that operators understand the fundamental dynamics, risks and responsibilities associated with CMV operation. For these reasons, all autonomous and remotely operated CMVs must remain fully subject to FMCSRs. The need for thorough inspections, hours‑of‑service limitations, drug and alcohol testing requirements, and physical qualification standards remains just as relevant—if not more—when technology may disengage unexpectedly or require a human to rapidly assume control.”

Are AV Trucks Safe

“Until ADS-equipped CMVs have demonstrated safety performance equal to or exceeding that of human drivers, they should be held to the same, or more stringent, regulatory oversight,” Spencer said. “Despite pronouncements from autonomous trucking companies that full deployment is just around the corner, we still have not seen any independent, verifiable evidence that AV trucks are safe and ready. As we have advocated for years, measures to advance automated technology should be met with mandatory data transparency from AV companies. This will help educate consumers, the industry, lawmakers and regulators about the actual reliability of autonomous technology.”

H.R 7390 Falls Short

“Regrettably, H.R. 7390 falls short on this aspect as well,” Spencer said. “Instead of requiring proactive reporting of safety data and performance, this legislation only requires companies to report information after a crash. Our members make their living on the road, and they shouldn’t have to wait until something goes wrong to learn more about the safety of the driverless vehicles they’re sharing the road with. We urge the Committee to reject H.R. 7390 and instead pursue a framework that prioritizes adherence to proven safety requirements, independent validation and full transparency before allowing driverless heavy‑duty trucks onto our nation’s roads. Small‑business truckers and professional drivers have a direct stake in the outcomes of these decisions, and they deserve policies rooted in rigorous oversight, not assumptions or unverified assurances from industry. We stand ready to work with you to develop responsible, data‑driven approaches that genuinely enhance roadway safety while preserving the integrity of the trucking profession and safeguarding the motoring public.”

Dana Guthrie

Dana Guthrie is an award-winning journalist who has been featured in multiple newspapers, books and magazines across the globe. She is currently based in the Atlanta, Georgia, area.