FCC Initiates Effort to Block “Insecure” Devices from the U.S. Market
June 23, 2021, Covington Alert
At its monthly open meeting on June 17, the Federal Communications Commission (“FCC”) adopted a Notice of Proposed Rulemaking (“NPRM”) that proposes to change the agency’s equipment authorization rules and competitive bidding procedures to address national security threats.
The NPRM proposes changes to the FCC’s rules on equipment authorization that would (1) prohibit the marketing and sale of devices by certain providers that the FCC has determined pose a threat to the security of U.S. supply chains and networks, and (2) prohibit the participation of such entities in the FCC’s competitive bidding process for spectrum licenses and broadband funding.
The NPRM expands upon efforts in recent years by both Congress and the FCC to limit the use of devices that could pose a national security threat. Through the National Defense Authorization Act for Fiscal Year 2019, the SECURE Technology Act, and the Secure and Trusted Communications Networks Act of 2019 (“Secure Networks Act”), Congress has limited the use of federal funds to procure equipment, services, or systems from certain “covered” foreign entities.
The Secure Networks Act mandated that the FCC publish and periodically update a list of “covered communications equipment and services” that have been determined to pose national security risks (“Covered List”). The Secure Networks Act also prohibited the use of any federal subsidy from a program administered by the FCC that provides funds needed for advanced communications service, including all Universal Service Fund (“USF”) programs, to purchase “covered” communications equipment and services. The NPRM would expand upon this initiative by enabling the FCC to block certain devices from the U.S. market entirely.
Principal Elements of the NPRM
Equipment Authorization
First, the NPRM seeks comment on whether the FCC should revise its equipment authorization rules and processes to prohibit the authorization of equipment on the Covered List. Because such products could not be authorized, the decision would also effectively prohibit the marketing and importation of equipment on the Covered List. The FCC rules provide two procedures for equipment authorization, Certification and Supplier’s Declaration of Conformity (“SDoC”), and the proposed rules would apply to both processes.
Several specific issues on which the FCC seeks comment include:
- A requirement, in the equipment certification application, to provide a written and signed attestation that, as of the date of filing the application, no equipment (including any component part) is on the Covered List;
- A requirement that applicants submit additional information with equipment authorization applications to assist the FCC in assessing compliance with the new rules, such as a parts list noting the manufacturer of each part;
- Whether the FCC Office of Engineering and Technology (“OET”) should develop guidance, along with the Public Safety and Homeland Security Bureau, the Wireline Competition Bureau, the Wireless Telecommunications Bureau, and the International Bureau, regarding the FCC’s proposed prohibition on “covered” equipment. This guidance would be used by Telecommunications Certification Bodies (“TCB”) in implementing the proposed rules. TCBs are entities that are accredited by the FCC to approve devices and other equipment that require FCC certification;
- The extent to which interested parties, including the public and government entities, should be invited to inform the FCC that particular equipment that might be “covered” equipment has inadvertently received a grant by the TCB;
- Whether the FCC should adopt revisions or clarifications to the post-market surveillance requirements, which are delegated to OET and require TCBs to review a portion of devices that have already been certified to ensure their continued compliance with FCC rules;
- Whether the FCC should revise its rules to ensure that equipment users will not modify existing equipment in a way that would involve replacing equipment, in whole or in part, with “covered” equipment;
- Whether the FCC should no longer provide an equipment authorization exemption to “covered” equipment, and how to identify otherwise exempt equipment that is in use;
- Whether the FCC should revoke any existing authorizations of “covered” equipment.
The Commission also seeks comment on its authority to implement the proposed rules. On the legal authority question, the FCC argues that its authority derives from the Communications Act of 1934, as amended (the “Communications Act”), which provides the FCC with broad authority “as may be necessary in the execution of its functions.” Specifically, the FCC argues that the proposed equipment authorization rules are necessary to carry out the FCC’s mandate under the Secure Networks Act to block the use of equipment on the Covered List by USF recipients.
As further support, the FCC points out that section 303(e) of the Communications Act provides the authority to “[r]egulate the kind of apparatus to be used with respect to its external effects” and that section 302 of the Communications Act provides the agency authority to promulgate rules pertaining to the interference potential of devices “in the public interest.”
The NPRM also seeks comment on whether the Communications Assistance for Law Enforcement Act (“CALEA”) provides an alternative source of authority, as it requires telecommunications carriers to ensure that surveillance capabilities built into their networks can only be activated pursuant to a court order or lawful authorization and the intervention by an agent of a carrier in compliance with FCC rules.
Competitive Bidding
The FCC’s competitive bidding process for spectrum licenses and broadband funding requires each applicant to make certifications as a prerequisite for participating in an auction. The NPRM seeks comment on whether the FCC should adopt new certifications for applicants that wish to participate in FCC auctions which would prevent participation by applicants that pose a national security threat to the integrity of communications networks and the communications supply chain.
Specifically, the FCC seeks comment on whether applicants must certify that their bids do not and will not rely on financial support from an entity that the FCC has designated as a national security threat to the integrity of communications networks or the communications supply chain. The FCC further seeks comment on whether entities designated as a national security threat should be limited to those entities specified under the Covered List, or whether the certification should encompass a broader category of entities, such as entities subject to control by an entity designated by the FCC.
Notice of Inquiry on Cybersecurity Standards
With the NPRM, the FCC also issued a Notice of Inquiry (“NOI”) seeking comment on ways that the FCC can use its equipment authorization program to encourage manufacturers who are building devices that will connect to U.S. networks to abide by cybersecurity standards and guidelines. The FCC specifically requests comment on whether the FCC should encourage manufacturers of IoT devices to follow the guidance in the NIST IoT Report issued in May 2020, and whether there are any gaps in that report that the FCC may help address. In general, an NOI does not lead directly to rules, but it can inform future rulemaking proposals. In issuing the NOI, the FCC has signaled continued interest in using its equipment authorization process to promote cybersecurity goals.