Full Report
The U.S. FCC (Federal Communications Commission) updated its Covered List to include additional categories of communications equipment deemed... The post FCC expands Covered List to block high-risk routers and drones, tighten ban on foreign-made connectivity devices appeared first on Industrial Cyber.
Analysis Summary
# Regulation/Compliance: Expansion of the FCC "Covered List" (2026 Update)
## Overview
The Federal Communications Commission (FCC) has updated its "Covered List" of communications equipment and services deemed to pose an unacceptable risk to U.S. national security. This update specifically targets foreign-produced technologies, including consumer-grade routers and unmanned aircraft systems (drones), effectively banning them from the U.S. market by denying them the necessary FCC equipment authorization.
## Key Details
- **Issuing Authority:** Federal Communications Commission (FCC)
- **Effective Date:** March 26, 2026 (Date of announcement/entry into force for new authorizations)
- **Jurisdiction:** United States (Importation, marketing, and sale)
- **Status:** Final (In Effect)
## Requirements
### Mandatory Requirements
1. **Equipment Authorization Ban:** Listed equipment is prohibited from receiving FCC authorization. Without this authorization, devices cannot be legally imported, marketed, or sold within the United States.
2. **Category-Specific Bans:** Restrictions apply to newly specified categories:
   - Foreign-produced consumer-grade routers.
   - Specified Unmanned Aircraft System (UAS/Drone) components.
3. **Supply Chain Integrity:** Organizations must ensure that any new procurement of connectivity or drone technology does not include equipment from entities on the Covered List.
### Recommended Practices
1. **Asset Inventory:** Conduct a comprehensive audit of existing network infrastructure to identify "vulnerable" foreign-made routers already in use.
2. **Credential Hardening:** Change default administrative credentials on all routers and network infrastructure to prevent brute-force attacks.
3. **Lifecycle Management:** Establish a decommissioning plan for existing "Covered" equipment, as these devices may lack future software transparency or security support.
## Affected Organizations
- **Industries:** Telecommunications, Critical Infrastructure, Managed Service Providers (MSPs), and Consumer Electronics Retailers.
- **Organization Size:** All sizes; however, Small-to-Medium Businesses (SMBs) and remote-work-heavy organizations are most affected by the router restrictions.
- **Geographic Scope:** Any entity operating within the United States or importing goods into the U.S.
## Compliance Timeline
- **Pre-March 2026:** Authorization of previously listed equipment (e.g., Huawei, ZTE) remained prohibited.
- **March 26, 2026:** Update takes effect; inclusion of foreign routers and drones on the Covered List.
- **Ongoing:** Previously authorized products remain legal for use but are flagged for heightened security risk.
## Implementation Guidance
### Assessment Phase
- Review the current **FCC Covered List** (Link below) against the organization's hardware inventory.
- Identify "foreign-produced" routers and drones in the procurement pipeline that have not yet received FCC authorization.
### Implementation Phase
- Halt procurement of any devices categorized under the new update from the specified foreign jurisdictions.
- Update Supply Chain Risk Management (SCRM) policies to include the FCC Covered List as a mandatory screening gate.
### Validation Phase
- Verify that all new network infrastructure purchases have a valid FCC ID that was granted prior to the restriction or belongs to a non-covered entity.
- Audit remote-work security policies to ensure home-office routers meet minimum security standards.
## Technical Requirements
- **Equipment Authorization:** Compliance with the **Secure and Trusted Communications Networks Act**.
- **Security by Design:** Preference for equipment providing **Software Bills of Materials (SBOMs)** and regular update cadences.
- **Vulnerability Management:** Remediation, through patching or replacement, of the 32 vulnerabilities typically found, on average, in network infrastructure devices.
## Penalties & Enforcement
- **Fines:** Significant civil penalties for the illegal importation or sale of unauthorized equipment.
- **Other Consequences:** Seizure of goods by U.S. Customs and Border Protection; revocation of existing FCC licenses for non-compliant carriers.
- **Enforcement:** Directed by the FCC in coordination with national security authorities and the Executive Branch.
## Related Standards
- **NIST CSF 2.0:** Aligns with the "Supply Chain Risk Management" (GV.SC) category.
- **Secure and Trusted Communications Networks Act:** The primary legislative driver for the Covered List.
- **Executive Branch Determinations:** Mandates are driven by national security findings rather than independent agency discretion.
## Resources
- **Official Documentation:** [fcc.gov/supplychain/coveredlist](https://www.fcc.gov/supplychain/coveredlist)
- **Guidance Documents:** [FCC Press Release - DOC-420034A1.pdf](https://docs.fcc.gov/public/attachments/DOC-420034A1.pdf)
- **Tools:** NIST CSF 2.0 Quick Start Guides for Supply Chain.
## Practical Recommendations
- **Broaden the Attack Surface View:** Recognize that home/consumer-grade routers are now a corporate attack surface due to remote work; consider moving toward Zero Trust Network Access (ZTNA) to mitigate router-level risks.
- **Standardize Procurement:** Move away from "white-box" or unbranded foreign routers that lack software transparency.
- **Monitor EOL Status:** If using existing equipment that is now on the Covered List, monitor for End-of-Life (EOL) announcements, as security support from blocked manufacturers is likely to cease.