FCC Delays Ban on Security Updates for Foreign‑Made Routers and Drones to 2029, Raising Supply‑Chain Risks
What Happened — The U.S. Federal Communications Commission (FCC) postponed the deadline after which software and firmware updates for newly imported foreign‑made routers and drones would be prohibited, moving it from 2027 to at least January 1, 2029. The extension follows industry pushback and concerns that a hard ban would leave millions of devices unpatchable.
Why It Matters for TPRM —
- Devices that cannot receive security patches become persistent attack vectors, increasing third‑party risk for any organization that relies on them.
- The rule targets future imports, meaning existing inventory may remain vulnerable for years, complicating risk assessments and procurement decisions.
- Regulatory uncertainty may affect contract negotiations, warranty terms, and liability clauses with hardware suppliers.
Who Is Affected — Telecommunications providers, enterprise IT departments, government agencies, manufacturers of IoT and drone solutions, and any organization that sources routers or UAVs from overseas vendors.
Recommended Actions –
- Review all contracts with router and drone suppliers to confirm update obligations and warranty language.
- Conduct an inventory audit to identify foreign‑made hardware still in use and assess whether each device can still be patched.
- Prioritize migration to domestically produced or certified devices where feasible.
- Monitor FCC rulemaking developments and update risk registers accordingly.
Technical Notes – The FCC’s Office of Engineering and Technology (OET) cited “public interest” concerns for the extension, noting that updates are needed to patch vulnerabilities and maintain OS compatibility. The ban applies only to future imports; existing devices remain eligible for updates under current law. No specific CVEs are cited, but the lack of future updates could leave devices exposed to known and zero‑day flaws.
Source: The Record