FCC Bans New Foreign‑Made Consumer Routers Over National Security Risks
What Happened — The U.S. Federal Communications Commission (FCC) announced a ban on the import and sale of new consumer‑grade routers manufactured abroad, unless they receive a conditional approval from the Department of Homeland Security (DHS) or other defense authorities. The rule adds all foreign‑made routers to the FCC’s “Covered List,” effectively prohibiting their marketing in the United States. Existing models already approved or in use are exempt, but any new device must undergo a security review.
Why It Matters for TPRM —
- Increases supply‑chain scrutiny for hardware vendors and third‑party network providers.
- Non‑compliant routers could trigger contract breaches, regulatory penalties, or forced product recalls.
- Highlights the growing intersection of cyber‑risk and national‑security policy, demanding updated vendor risk assessments.
Who Is Affected — Telecommunications carriers, enterprise IT departments, IoT device manufacturers, cloud‑hosting providers, and any organization that sources consumer‑grade networking equipment from overseas vendors.
Recommended Actions —
- Review all contracts with router and networking hardware suppliers for compliance clauses.
- Validate that any new router models slated for deployment have DHS conditional approval or are U.S.-made.
- Conduct an inventory audit of existing router assets to identify any that may fall under the new rule.
- Update third‑party risk questionnaires to capture the FCC Covered List status of network equipment.
Technical Notes — The ban targets the supply‑chain risk of foreign‑manufactured routers that have been linked to espionage campaigns such as Volt Typhoon, Flax Typhoon, and Salt Typhoon. No specific CVE is cited; the risk stems from potential backdoors, insecure firmware, and the ability of adversaries to exploit hardware‑level vulnerabilities.
Source: Security Affairs