Protecting Against National Security Threats to the Communications Supply Chain through the Equipment Authorization Program

Introduction

In November 2022, the Federal Communications Commission (FCC) strengthened Equipment Authorization Program rules, prohibiting importation and authorization of equipment for sale in the United States from high-risk vendors on the FCC’s Covered List.[1] Effective February 6, 2023, this rule bans new equipment authorizations from Chinese companies including Huawei, ZTE, and Hikvision. However, identical devices that received authorization before the effective date remain legal for sale, deployment, and operation indefinitely.

This regulatory gap creates a false sense of security. While these measures represent important progress in addressing future supply chain threats, thousands of previously authorized devices from the same vendors operate in U.S. networks. The Commission’s existing authority[2] lacks a systematic risk-based framework for revoking equipment authorizations in connection to Covered List entities.

Additionally, the ambiguities in how the FCC defines equipment “produced by” a covered entity allows adversaries to bypass controls by supplying critical components rather than finished products. If the FCC does not clarify that the definition includes components that are produced, designed, or manufactured by Covered List entities and promulgate a comprehensive ownership and control standard, such as the Department of Commerce’s rule 15 CFR § 791.2,[3] adversaries will continue to infiltrate supply chains even when final products seem to be sourced from approved manufacturers.

To meet the urgency of this threat, the Commission should adopt a more comprehensive risk-based framework to close regulatory and definitional gaps. The FCC’s Equipment Authorization Program and Competitive Bidding Program reforms in ET Docket No. 21-232 and ET Docket No. 21-233 represent important steps forward, but additional action is needed to address critical vulnerabilities already embedded in thousands of previously authorized devices.

Revocation of Existing Equipment Authorizations Is a National Security Imperative

The FCC’s equipment authorization process requires all telecommunications and electronic devices legally marketed in or imported to the United States to receive certification. These authorizations allow indefinite importation, sale, and use of devices until explicitly revoked.[4]

The November 2022 rules prohibit the importation and sale of new equipment from high-risk Chinese telecommunications and video surveillance vendors on the Covered List — including Huawei Technologies, ZTE Corporation, Hytera Communications, Hangzhou Hikvision Digital Technology, and Dahua Technology — and their subsidiaries and affiliates. This rule, however, only applies to new equipment, creating a parallel regulatory standard where previously authorized equipment from these same vendors remains legal for sale and deployment despite posing identical security risks.[5]

Currently, the FCC has the authority to revoke existing equipment authorizations under specific circumstances[6] but lacks a clear mechanism to rescind authorization solely because the vendor has been designated on the Covered List. This authority is limited to cases involving technical non-compliance, false statements or misrepresentation in the application, failure to meet technical requirements following subsequent testing or inspections, or unauthorized changes to the equipment that were not originally approved by the Commission. The rule permits revocation “because of conditions coming to the attention of the Commission which would warrant it in refusing to grant an original application” but has not traditionally been used to address national security risks.[7]

To address this gap, the FCC needs the authority to revoke previously approved equipment authorizations for devices associated with entities on the Covered List to ensure consistent and comprehensive oversight for the protection of U.S. communications networks.

Previously Authorized Equipment Continues to Pose Threats

Equipment authorized before February 6, 2023, has the same, or nearly identical, technical capabilities that make newly banned devices dangerous. They can still undergo firmware updates, conduct remote communication, and transmit data back to their manufacturers. In May 2025, former Commissioner Nathan Simington warned again that Huawei-manufactured telecommunications equipment remains embedded across rural America — often placed precariously near U.S. military installations.[8]

Recent discoveries of Volt Typhoon and Salt Typhoon — cyber campaigns attributed to the People’s Republic of China — demonstrate how unmonitored devices allow adversaries to lie dormant, evade detection, and position themselves to cause disruption or conduct espionage.[9]

FCC Chairman Brendan Carr has acknowledged this threat, stating that the FCC has “taken concrete actions” to address Chinese threats and is working to “close any loopholes” that let foreign adversaries “skirt our rules.”[10] Yet despite these steps, dangerous equipment continues to be sold and deployed legally simply because it was approved before February 6, 2023.

Ambiguities Around Definitions Enable Supply Chain Infiltration

The ambiguity surrounding the term “produced by” in the context of covered equipment presents another critical challenge to securing America’s telecommunications infrastructure. The existing regulatory framework fails to address instances in which covered vendors serve as original equipment manufacturers or design contractors for companies not listed on the Covered List.

Complex ownership and investment structures further obfuscate these connections. The Department of Commerce’s definition of “owned by, controlled by, or subject to the jurisdiction or direction of” a foreign adversary, as described under 15 CFR § 791.2, goes beyond ownership thresholds and provides a comprehensive framework for identifying covered entities and their affiliates through agency relationships, citizenship or residency ties, ownership stakes, control relationships, and other business arrangements.[11] Adopting this broader definition would help the Commission uncover agents acting at the direction of foreign adversaries, shell companies deliberately designed to circumvent existing bans, joint ventures, and “dominant minority” voting and equity interests[12] that fall below the FCC’s existing thresholds.[13]

Adversaries do not need to develop and export complete end-user devices to compromise systems. China in particular now exploits a more subtle, yet effective, approach: Chinese state-affiliated entities design or manufacture critical components that are then integrated into devices branded and sold by legitimate firms from other countries. Since the final product bears no obvious labels or connection to covered entities, it can slip through the regulatory cracks and enter the U.S. market — even though its critical functionality depends on components produced, designed, manufactured, and controlled by entities on the Covered List.

This strategy offers adversaries various advantages. Tracing the origin of components is challenging when products pass through multiple intermediaries during the production phase before reaching the consumer. As a result, adversaries can evade regulatory oversight entirely, allowing them to slip risky products into the United States.

Recommendations

To close the regulatory gaps to account for both current and future threats to America’s communications infrastructure, the Commission should establish a comprehensive risk-based security framework. The following recommendations provide actionable steps to strengthen national security and enhance the cybersecurity posture while providing regulatory clarity.

1. Harmonize Security Standards and Establish a Risk-Based Assessment and Revocation Framework 

   Adversaries exploit equipment that is easiest to compromise — they do not distinguish between old and new equipment, and neither should regulatory frameworks. The Commission must harmonize and apply the same security standards retroactively to equipment from high-risk vendors authorized before February 6, 2023, through an emergency rulemaking process to be completed within six months. This persistent national security concern has gone unaddressed for far too long. The Commission needs clear authority to revoke existing equipment authorizations held by vendors on the Covered List. However, rather than requiring an immediate, wholesale replacement of all previously authorized equipment, the Commission should adopt a risk-based prioritization framework that recognizes practical implementation challenges and financial constraints faced by operators, particularly in rural communities.[14]The Commission should work with industry to design this framework. The framework should require providers to identify and report the use of high-risk covered equipment in their networks and prioritize the replacement of the most sensitive or vulnerable equipment first while allowing lower-risk equipment to be replaced or secured over a longer timeline. Prioritization should focus on specific security factors such as firmware update management, remote access controls, and data transmission capabilities. The goal is to ensure that all previously authorized high-risk equipment is reviewed and either secured or replaced in a coordinated and practical manner. A tiered-risk framework should allow for phased implementation to minimize burdens on smaller providers. It should also support mitigation or remediation measures where feasible rather than requiring replacement everywhere.

2. Strengthen Supply Chain Transparency and Oversight of Components 

   To address additional vectors for supply chain infiltration by adversaries, the Commission must refine regulatory definitions and oversight mechanisms to better account for risks embedded in components of covered equipment. The Commission should clarify and expand its definition of equipment “produced by” a covered entity to include devices that contain critical components produced, designed, or manufactured by entities on the Covered List — regardless of where the final assembly takes place.[15] In particular, the definition contained in 15 CFR § 791.2 of the Commerce Department’s rules accounts for control relationships, complex ownership structures, and affiliated entities that could otherwise circumvent a static Covered List-based system. This existing framework is an established precedent with clear guidance used across federal agencies. Section 791.2 also aligns with the criteria the Commission already applies when identifying foreign adversaries,[16] helping address indirect mechanisms adversaries commonly use to obfuscate their involvement in the U.S. market.Covered equipment awaiting authorization should be subject to security assessments by FCC-approved test labs and telecommunications certification bodies before entering the U.S. market to verify compliance with these expanded definitions and ensure that any critical components from covered entities are detected and evaluated for security risks.

3. Expand Information Collection on Foreign Adversary Connections 

   Adversaries increasingly leverage complex corporate structures and intermediary relationships to mask their involvement in the U.S. markets. To effectively manage this risk, the FCC needs the broadest possible visibility into these complex networks. Robust, proactive information collection is essential to uncover these hidden ties that could compromise the integrity and security of the communications supply chain. The Commission’s recent decision to lower disclosure thresholds for test labs and certification bodies from 10 percent to 5 percent[17] made meaningful progress in enhancing transparency. Building on this precedent, manufacturers and importers should be held to comparable disclosure standards, including information on material business partnerships with foreign entities — even those not on the Covered List. This approach would allow the Commission to proactively identify potential risks, support more informed risk-based decision-making, and reinforce national security while providing greater certainty and clarity for industry participants and setting a global standard for supply chain transparency.

Conclusion

By increasing transparency and strengthening layered supply chain accountability, the Commission can bolster the U.S. national security posture while supporting continued innovation in the telecommunications industry. Without the authority to revoke equipment authorizations where necessary, the FCC cannot prevent adversaries from corrupting communications infrastructure. The cost of inaction — measured in both dollars and national security risk — grows every day, signaling to adversaries that regulatory loopholes can be exploited to maintain access to U.S. critical infrastructure.

[1] Federal Communications Commission, “FCC Amends Equipment Authorization Program,” November 25, 2022. (https://www.fcc.gov/document/fcc-amends-equipment-authorization-program)

[2] §2.939 Revocation or withdrawal of equipment authorization under 47 C.F.R. §2.939, March 8, 2011. (https://www.ecfr.gov/current/title-47/chapter-I/subchapter-A/part-2/subpart-J/subject-group-ECFRd5ad3b739dbf27a/section-2.939)

[3] §791.2 Definitions under 15 C.F.R. §791.2, January 19, 2021. (https://www.ecfr.gov/current/title-15/subtitle-B/chapter-VII/subchapter-E/part-791/subpart-A/section-791.2)

[4] Federal Communications Commission, “Equipment Authorization,” accessed July 6, 2025. (https://www.fcc.gov/engineering-technology/laboratory-division/general/equipment-authorization)

[5] Federal Communications Commission, Press Release, “FCC Bans Equipment Authorizations for Chinese Telecommunications and Video Surveillance Equipment Deemed To Pose a Threat to National Security: New Rules Implement the Bipartisan Secure Equipment Act of 2021,” November 25, 2022, page 1. (https://docs.fcc.gov/public/attachments/DOC-389524A1.pdf)

[6] See: §2.939 Revocation or withdrawal of equipment authorization under 47 C.F.R. §2.939, March 8, 2011. (https://www.ecfr.gov/current/title-47/chapter-I/subchapter-A/part-2/subpart-J/subject-group-ECFRd5ad3b739dbf27a/section-2.939)

[7] §2.939 Revocation or withdrawal of equipment authorization under 47 C.F.R. §2.939, March 8, 2011. (https://www.ecfr.gov/current/title-47/chapter-I/subchapter-A/part-2/subpart-J/subject-group-ECFRd5ad3b739dbf27a/section-2.939); Federal Communications Commission, “Equipment Marketing Violations,” updated as of October 10, 2014. (https://www.fcc.gov/general/equipment-marketing-violations)

[8] Thomas English, “Exclusive: FCC Commissioner Warns Chinese Tech Still ‘Phoning Home’ To Beijing,” Daily Caller, May 27, 2025. (https://dailycaller.com/2025/05/27/nathan-simington-fcc-rip-and-replace-huawei-phone-home-telecom)

[9] U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure,” February 7, 2024. (https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a)

[10] Federal Communications Commission, “Carr Announces Sweeping New Investigation into CCP-Aligned Entities,” March 21, 2025, page 1. (https://docs.fcc.gov/public/attachments/DOC-410318A1.pdf)

[11] §791.2 Definitions under 15 C.F.R. §791.2, January 19, 2021. (https://www.ecfr.gov/current/title-15/subtitle-B/chapter-VII/subchapter-E/part-791/subpart-A/section-791.2)

[12] Federal Communications Commission, “Protecting our Communications Networks by Promoting Transparency Regarding Foreign Adversary Control Notice of Proposed Rulemaking — GN Docket No. 25-166,” May 27, 2025, page 10. (https://docs.fcc.gov/public/attachments/DOC-411206A1.pdf)

[13] Federal Communications Commission, “Report and Order and Further Notice of Proposed Rulemaking,” May 27, 2025, page 45. (https://docs.fcc.gov/public/attachments/FCC-25-27A1.pdf)

[14] A “Priority 1” recipient is one with 2 million or fewer customers at the time it applied to the Program. 47 C.F.R.

• 1.50004(f). See: Federal Communications Commission, the Wireline Competition Bureau, “Secure and Trusted Communications Networks Reimbursement Program Sixth Report,” June 30, 2025, page 3. (https://docs.fcc.gov/public/attachments/DOC-412591A1.pdf)

[15] §791.2 Definitions under 15 C.F.R. §791.2, January 19, 2021. (https://www.ecfr.gov/current/title-15/subtitle-B/chapter-VII/subchapter-E/part-791/subpart-A/section-791.2)

[16] Section 791.4 identifies six foreign governments or foreign non-government persons as “foreign adversaries”: (1) the People’s Republic of China (including Hong Kong and Macau); (2) the Republic of Cuba; (3) the Islamic Republic of Iran; (4) the Democratic People’s Republic of Korea (North Korea); (5) the Russian Federation; and (6) Venezuelan politician Nicolás Maduro (Maduro Regime). 15 C.F.R. §791.4, January 19, 2021. (https://www.ecfr.gov/current/title-15/subtitle-B/chapter-VII/subchapter-E/part-791/subpart-A/section-791.4)

[17] Federal Communications Commission, “FCC Fact Sheet Promoting the Integrity and Security of Telecommunications Certification Bodies, Measurement Facilities, and the Equipment Authorization Program Report and Order and Further Notice of Proposed Rulemaking — ET Docket No. 24-136,” May 1, 2025, page 4. (https://docs.fcc.gov/public/attachments/DOC-411202A1.pdf)