Federal Communications Commission publishes final rule for securing communications supply chain

The Federal Communications Commission (FCC) published Monday a final rule in the Federal Register related to equipment authorization to further secure the nation’s communications networks and supply chain from equipment that poses an unacceptable risk to the national security of the U.S. or the security and safety of its citizens. The move seeks to protect against national security threats to the communications supply chain using the Equipment Authorization Program.

“The Commission also addresses what constitutes ‘covered’ equipment for purposes of implementing the equipment authorization prohibition that the Commission is implementing,” the FCC notice published Monday said. “The actions being taken comply with Congress’s directive in the secure Equipment Act of 2021 to prohibit authorization of ‘covered’ equipment on the Covered List within one year of that Act’s enactment and to lay the foundation to prohibit the authorization of any additional ‘covered’ equipment that may be added to the Covered List based on a determination that such equipment poses an unacceptable risk to national security.”

Public comment on this submission has been waived. Certain amendments of the Commission’s rules are effective on the date of publication in the Federal Register, and contain new and modified information collection requirements that were reviewed and approved by the Office of Management and Budget (OMB) under the Paperwork Reduction Act, with an expiration date of June 30, 2023. The Office of Engineering and Technology establishes and announces the effective date of these sections in this document published in the Federal Register. 

“Because the emergency approval of this information collection has an expiration date of June 30, 2023, the Commission, as part of its continuing effort to reduce paperwork burdens and in the standard course of information collection review procedures, will issue a separate document inviting the general public to comment on the information collection requirements contained in this Final Rule as required by the Paperwork Reduction Act of 1995, Public Law 104–13,” the Federal Register notice said.

The FCC has the authority to adopt the proposals in the Notice of Proposed Rulemaking (NPRM) concerning prohibiting the authorization of ‘covered’ equipment on the Covered List. The Commission reaches this determination based on two grounds.

First, the Commission finds that the Secure Equipment Act provides the Commission with express authority to adopt rules that prohibit the review or approval of any application for equipment authorization for equipment that is listed on the Commission’s Covered List and requires the Commission to act. Second, the Commission has legal authority to take the relevant equipment authorization actions to prohibit authorization of ‘covered’ equipment specified in the Report and Order, about revocation of authorizations based on the agency’s statutory authority that predates Congress’s 2021 enactment of the Secure Equipment Act.

Based on the suggestion in the NPRM, section 105 of the Communications Assistance for Law Enforcement Act (CALEA) supports the Commission’s authority to prescribe the rules that the Commission adopted in the Report and Order. “That section requires telecommunications carriers to ensure that the surveillance capabilities built into their networks ‘can be activated only in accordance with a court order or other lawful authorization and with the affirmative intervention of an individual officer or employee of the carrier acting in accordance with regulations prescribed by the Commission,’ and the Commission has concluded that its rule prohibiting the authorization of equipment on the Covered List that poses a national security threat implements that provision,” the notice added. 

The Commission is required to prescribe rules necessary to implement CALEA’s requirements, and it concludes that the rules it implements here will help ensure that equipment that carriers include in their networks will not include such unlawful interception capabilities because use of equipment from companies that are identified by Congress and national security agencies to pose a national security threat is far more likely to be subject to unauthorized access. 

Finally, as noted in the NPRM, the Commission has ancillary authority to implement these statutory provisions by adopting such rules ‘as may be necessary in the execution of [these foregoing Commission] functions.’

The notice said that the Regulatory Flexibility Act of 1980 (RFA) requires that an agency prepare a regulatory flexibility analysis for notice and comment rulemaking unless the agency certifies that ‘the rule will not if promulgated, have a significant economic impact on a substantial number of small entities.’ Accordingly, the Commission has prepared a Final Regulatory Flexibility Analysis (FRFA) concerning the possible impact of the rule changes contained in this Second Order on the Reconsideration of small entities.

As required by the RFA, an Initial Regulatory Flexibility Analysis (IRFA) was incorporated in the NPRM, the notice said. The FCC sought written public comment on the proposals in the NPRM, including comments on the IRFA. No comments were filed addressing the IRFA. Accordingly, the Commission has prepared a FRFA concerning the possible impact of the rule changes contained in the document on small entities. The present FRFA conforms to the RFA, it added.

In March 2021, as the FCC’s primary expert on public safety and homeland security matters, the Public Safety and Homeland Security Bureau (PSHSB) published its first Public Notice on the Covered List. That list specifically identified equipment and services that, pursuant to the Secure Networks Act, had been determined by Congress as posing an unacceptable risk to national security. 

Among other things, the Covered List is listed as ‘covered’ equipment produced by five different entities: Huawei, ZTE, Hytera, Hikvision, and Dahua, and their respective subsidiaries and affiliates.

Last March, the PSHSB published a Public Notice updating the Covered List; this list retained the earlier identified ‘covered’ equipment, such as hardware produced by Huawei, ZTE, Hytera, Hikvision, and Dahua, while announcing additions to the Covered List based on new determinations by two of the other enumerated sources, Department of Homeland Security (DHS) and an executive branch interagency body (Team Telecom) with appropriate expertise. 

More recently, in September, the PSHSB published another Public Notice updating the Covered List; this list also retained the earlier identified ‘covered’ equipment (equipment produced by Huawei, ZTE, Hytera, Hikvision, and Dahua) while announcing certain additions to the Covered List based on new determinations by the Department of Justice, in coordination and concurrence with the Department of Defense (DoD).

Last October, the U.S. House Republicans raised concerns that Huawei infrastructure continues to exist across the nation’s cellular network despite its threat to national security. James Comer, a Republican from Kentucky and House Committee on Oversight and Reform Ranking Member, Glenn Grothman, a Republican from Wisconsin and Subcommittee on National Security Ranking Member wrote to Lloyd Austin, DoD Secretary and Jessica Rosenworcel, FCC Chairwoman on the failure by the two agencies to remove Huawei infrastructure from American networks.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.