The Foundation for Defense of Democracies (FDD) identified that revoking existing equipment authorizations is a national security imperative, which is essential to closing supply chain gaps in the Federal Communications Commission (FCC) Equipment Authorization Program. The move requires telecommunications and electronic devices legally marketed in or imported to the U.S. to receive certification. These authorizations allow indefinite importation, sale, and use of devices until explicitly revoked.
“Effective February 6, 2023, this rule bans new equipment authorizations from Chinese companies, including Huawei, ZTE, and Hikvision. However, identical devices that received authorization before the effective date remain legal for sale, deployment, and operation indefinitely,” Jiwon Ma, senior policy analyst at the FDD’s Center on Cyber and Technology Innovation, wrote in a Monday public comment. “This regulatory gap creates a false sense of security. While these measures represent important progress in addressing future supply chain threats, thousands of previously authorized devices from the same vendors operate in U.S. networks.”
Ma noted that the Commission’s existing authority lacks a systematic risk-based framework for revoking equipment authorizations in connection with ‘Covered List’ entities.
She also highlighted the ambiguities in how the FCC defines equipment ‘produced by’ a covered entity, allowing adversaries to bypass controls by supplying critical components rather than finished products. If the FCC does not clarify that the definition includes components that are produced, designed, or manufactured by Covered List entities and promulgate a comprehensive ownership and control standard, such as the Department of Commerce’s rule that adversaries will continue to infiltrate supply chains even when final products seem to be sourced from approved manufacturers.
Currently, the FCC has the authority to revoke existing equipment authorizations under specific circumstances, but lacks a clear mechanism to rescind authorization solely because the vendor has been designated on the Covered List. This authority is limited to cases involving technical non-compliance, false statements or misrepresentation in the application, failure to meet technical requirements following subsequent testing or inspections, or unauthorized changes to the equipment that were not originally approved by the Commission.
The rule permits revocation ‘because of conditions coming to the attention of the Commission which would warrant it in refusing to grant an original application,’ but has not traditionally been used to address national security risks.
To address this gap, the FCC needs the authority to revoke previously approved equipment authorizations for devices associated with entities on the Covered List to ensure consistent and comprehensive oversight for the protection of U.S. communications networks.
Highlighting the recent discoveries of Volt Typhoon and Salt Typhoon, cyber campaigns attributed to the People’s Republic of China, Ma said the cyber incidents demonstrate how unmonitored devices allow adversaries to lie dormant, evade detection, and position themselves to cause disruption or conduct espionage.
Brendan Carr, FCC Chairman, acknowledged this threat, stating that the agency has ‘taken concrete actions’ to address Chinese threats and is working to ‘close any loopholes’ that let foreign adversaries ‘skirt our rules.’ Yet despite these steps, dangerous equipment continues to be sold and deployed legally simply because it was approved before February 6, 2023.
“The ambiguity surrounding the term ‘produced by’ in the context of covered equipment presents another critical challenge to securing America’s telecommunications infrastructure,” according to Ma. “The existing regulatory framework fails to address instances in which covered vendors serve as original equipment manufacturers or design contractors for companies not listed on the Covered List.”
She noted that complex ownership and investment structures further obfuscate these connections. “Adversaries do not need to develop and export complete end-user devices to compromise systems. China in particular now exploits a more subtle, yet effective, approach: Chinese state-affiliated entities design or manufacture critical components that are then integrated into devices branded and sold by legitimate firms from other countries.”
Pointing out that since the final product bears no obvious labels or connection to covered entities, Ma said, “it can slip through the regulatory cracks and enter the U.S. market — even though its critical functionality depends on components produced, designed, manufactured, and controlled by entities on the Covered List.”
This strategy offers adversaries various advantages. Tracing the origin of components is challenging when products pass through multiple intermediaries during the production phase before reaching the consumer. As a result, adversaries can evade regulatory oversight entirely, allowing them to slip risky products into the U.S.
To close longstanding regulatory gaps and address current and emerging threats to U.S. communications infrastructure, Ma prescribed three points that the FCC needs to adopt a comprehensive, risk-based security framework. This will require clear authority, practical implementation, and closer alignment with national security priorities.
The Commission must no longer distinguish between older and newer equipment when assessing risk. Adversaries target what’s most vulnerable, regardless of when it was authorized. A retroactive application of harmonized security standards to all equipment from high-risk vendors, including devices approved before Feb. 6, 2023, is essential. This should be executed through an emergency rulemaking process within six months. The FCC should also have the authority to revoke existing equipment authorizations tied to vendors on the Covered List. However, rather than mandating immediate replacement, the Commission should adopt a tiered, risk-prioritized approach that accounts for financial and operational realities, especially for rural operators.
Working in collaboration with industry, the Commission should develop a framework requiring providers to disclose where high-risk equipment is used in their networks, then prioritize replacement based on actual risk. Equipment that handles sensitive data, allows remote access, or lacks firmware security should be addressed first. Lower-risk gear could be managed with mitigation strategies or phased out over time. This would allow for a measured, coordinated, and more affordable transition while preserving network stability.
To counter broader risks in the supply chain, the Commission must tighten oversight of components embedded within covered equipment. It should expand the regulatory definition of ‘produced by’ a covered entity to include not only final products but also critical parts manufactured, designed, or controlled by high-risk vendors—even if the final assembly occurs elsewhere. This shift would close major loopholes that adversaries exploit through ownership complexity and affiliate structures.
All equipment awaiting FCC authorization should undergo pre-market security reviews conducted by approved test labs and certification bodies. These assessments must examine component origins and verify that no hidden vulnerabilities exist through indirect supply chain relationships.
The FCC must also broaden its visibility into foreign adversary ties that are often disguised through corporate shells or indirect business relationships. Information collection needs to be aggressive and far-reaching. The Commission recently reduced disclosure thresholds for test labs and certification bodies from 10 percent to 5 percent, making it a strong start. Now, manufacturers and importers should be held to similar transparency standards, including disclosures of material partnerships with foreign entities, whether or not they appear on the Covered List.
Expanded transparency will allow the FCC to identify risks earlier, make more informed decisions, and provide regulatory clarity to industry players. It also sets a precedent for global standards on secure communications supply chains, an increasingly vital front in national security.
In conclusion, Ma mentioned that by increasing transparency and strengthening layered supply chain accountability, the FCC can bolster the U.S. national security posture while supporting continued innovation in the telecommunications industry. “Without the authority to revoke equipment authorizations where necessary, the FCC cannot prevent adversaries from corrupting communications infrastructure. The cost of inaction — measured in both dollars and national security risk — grows every day, signaling to adversaries that regulatory loopholes can be exploited to maintain access to U.S. critical infrastructure.”
