The only parts where that's true are for things like FCC certification. The US does not have an affirmative certification process for automotive software, including safety critical systems. NHTSA instead puts out a set of rules called FMVSS that manufacturers and aftermarket parts must comply with. Manufacturers then self-certify that they meet FMVSS and produce a bunch of documentation demonstrating that if NHTSA asks.
Note that FMVSS has almost nothing to say on the topic of software. The industry broadly follows industry standards like ISO 26262 and the less universal 21448, but these don't have firm legal weight outside their status as standards of practice, nor do they preclude installing your own software.
The situation in Europe is different and an affirmative certification process does exist there.
For emissions-related components, EPA rules do kick in though. While the current administration appears to have paused enforcement, their position for many years has been that running anything except factory-approved firmware on an ECU or other emissions-related computer constitutes a “defeat device” and is illegal for an on-road vehicle subject to emissions controls. (Granted, in practice 99% of the reason anyone installs new firmware on their ECU, or switches to an aftermarket ECU, is for a “tune” that does affect emissions. I’m sure there is some edge-case exception, but it’s very rare in on-road engines.)
The alternative, and there are a very few tunes that have done this, is to prove to regulators that the tune does not negatively affect emissions in any way. In practice this is done by getting a CARB exception since they’re the ones actually checking for tunes.
This seems similar to what we do in medical devices.
The manufacturer creates a set of procedures covering the design process that meets, at a minimum, the stages set out in 21CFR, often following the industry standard for software: IEC-62304. Then the manufacturer documents that those procedures were followed and at the end submits a set of documents about the test results and development process for agency approval.
Sound similar? One difference I can see is that if you replace the software in a released medical device with your own, it's no longer considered to be Approved and using it opens you up to Federal liability.
There are some similarities with the FDA, but quite a lot of important differences. NHTSA doesn't approve vehicles, for example. Manufacturers can sell whatever they want. NHTSA simply has the power to issue recalls (preventing further sales) if those vehicles don't comply with FMVSS.
NHTSA also doesn't incorporate standards like the FDA does, so while they're aware of industry standards and employ a number of relevant experts for various purposes, you're under no obligation to follow them. Tesla is actually an example here. Their development processes don't follow ISO-26262 (the automotive equivalent of IEC-62304), though stating this properly would need a lot of asterisks I don't want to get into.
The EU does both of these things for vehicles, though it's a bit more complicated than a flat approval or rejection and it's handled by a designated third party that also does medical device testing like TÜV SÜD. Other countries like the UK have a dedicated agency to handle type approvals.