FCC works on protecting communications supply chain from national security threats

The U.S. Federal Communications Commission (FCC) has sought further comment on potential additional revisions to the rules and procedures associated with prohibiting the authorization of ‘covered’ equipment in the Commission’s equipment authorization program. The agency is working to protect the communications supply chain from national security threats using the Equipment Authorization Program and the Competitive Bidding Program. Additionally, the FCC also invites additional comment on proposed rule revisions to the Commission’s competitive bidding program.

As required by the RFA, the Commission has prepared an Initial Regulatory Flexibility Analysis (IRFA) of the possible significant economic impact on a substantial number of small entities of the proposals addressed in the Further Notice of Proposed Rulemaking (FNPRM), a notice published Wednesday in the Federal Register said. Written public comments are requested on the IRFA by Apr. 7, 2023, with reply comments due May 8. These comments must be filed in accordance with the same filing deadlines for comments on the FNPRM, and they should have a separate and distinct heading designating them as responses to the IRFA. 

The Commission’s Consumer and Governmental Affairs Bureau, Reference Information Center, will send a copy of this FNPRM, including the IRFA, to the Chief Counsel for Advocacy of the Small Business Administration, in accordance with the RFA. 

In the Report and Order, the FCC adopted requirements for applicants for equipment certification and responsible parties authorizing equipment using the Supplier’s Declaration of Conformity (SDoC) process to make attestations that the equipment for which authorization is sought is not ‘covered’ equipment. “The Commission is not, however, requiring at this time that these attestations address the individual component part(s) contained within the subject equipment,” the notice added. 

“In seeking comment on component parts, the Commission notes at the outset that it believes that certain component parts produced by entities identified on the Covered List, if included in finished products, could potentially pose an unacceptable national security risk, similar to the security risk posed by the ‘covered’ equipment that the Commission is now prohibiting from authorization,” the Federal Register notice said. “Similarly, Congress, in establishing the Reimbursement Program under the Secure Networks Act, shared the same concerns. It required that Huawei Technologies Company (Huawei) and ZTE Corporation (ZTE) equipment be destroyed as part of the rip and replace process, indicating that even components of untrusted and insecure equipment could pose a danger to the United States.” 

In the Reimbursement Program, consistent with Congressional guidance, the FCC required that categories of equipment that include components that process data be destroyed so they do not get reused and continue to pose a risk. “Given the challenge to protect against component parts that pose the same risk as covered equipment, the Commission endeavors to ensure that equipment that includes component parts that pose an unacceptable risk to national security also be prohibited from authorization,” it added.

In this Further Notice, the FCC seeks comment to help identify such component parts and to consider how the Commission might best ensure prohibiting authorization of equipment that includes such components. “In particular, the Commission seeks comment on whether and how individual component parts may need to be factored into decisions regarding authorizing equipment. This raises several issues that need to be more carefully evaluated to determine whether equipment with certain component parts should be considered ‘covered’ equipment and thus prohibited from authorization,” the notice added. 

The FCC also recognizes that one complication is that many part 2 equipment authorization rules and part 15 rules reference ‘components,’ but they do so in a variety of different contexts, and there is no single or consistent meaning of the term in the Commission’s rules.

The telecom agency also seeks comment on other broad approaches that could appropriately address concerns about component parts in the Commission’s equipment authorization program. “For instance, if equipment includes any component parts that could be authorized on a standalone basis, and such a component on its own would be considered ‘covered’ equipment prohibited from authorization, then the equipment would be deemed ‘covered’ equipment and thus prohibited from obtaining an equipment authorization,” it added.

Additionally, the Federal Register notice said that the Commission notes that if any determinations about ‘covered’ equipment made by any enumerated source pursuant to the Secure Networks Act includes component parts, then this too would mean that equipment that includes such component parts would be ‘covered’ equipment for purposes of the Commission’s prohibition. The Commission seeks comment on this as well.

In the NPRM, the FCC sought comment on whether, following adoption of the rules in the Report and Order, it should consider revoking any existing authorizations involving ‘covered’ equipment. Many commenters generally oppose action by the Commission to revoke existing authorizations of ‘covered’ equipment, however worthy the security goal, expressing various concerns such as the potential for adverse impact to consumers and the supply chain. Others advocated that the Commission should revoke authorizations if the equipment would now be considered ‘covered’ equipment. 

The Commission seeks comment on the scope of possible revocation of existing authorizations that it should consider, and whether there might be situations that would warrant revocation in certain circumstances. 

In the event the FCC concludes that revocation of an equipment authorization may be appropriate, the Commission notes that such revocation might take different shapes, the notice identified. For instance, the revocation potentially could go so far as to involve not only prohibiting the future manufacture, importation, marketing, and sale of specified devices, but also requiring that the equipment no longer be used. On the other hand, the revocation of an existing authorization could conceivably be partial and limited, such as a revocation of an existing authorization that could, at some time in the future, preclude further importation, marketing, or sale of the affected equipment. 

The FCC sought comment in the NPRM on the appropriate and reasonable transition period that may be necessary if the Commission decides to revoke an existing authorization. The Commission now requests additional comment on determining an appropriate transition period and whether and how that might depend on the scope of the revocation and the particular equipment involved.

The notice said that the FCC also seeks comment on the extent to which issues related to the supply chain and consumer-related concerns might figure in the Commission’s considerations. The agency might further evaluate supply chain issues in its consideration on whether to revoke an existing authorization, and what information and data might be useful to such a consideration.

To ensure that equipment manufacturers, importers, assemblers, FCC-recognized Telecommunications Certification Bodies (TCBs), and other parties associated with the Commission’s equipment authorization program are clear as to what equipment may be impacted by a prohibition on component parts from entities on the Covered List, the Commission would need to first develop and provide guidance on what component parts would need to be considered. 

The Federal Register notice said that in light of the record in response to the NPRM, continuing concerns regarding Huawei and ZTE, and the Commission’s action in the Report and Order with respect to equipment certification, the FCC seeks further comment on the risk of distortionary auction financing and potentially addressing that risk with a required auction application certification.

The FCC sought comment on the best enforcement mechanisms the Commission should employ to swiftly curb the potential for post-revocation equipment marketing or use by such parties. The agency also looked for feedback on how it might revise its rules or work with federal partners and the communications industry to address existing ‘covered’ equipment that may be in the marketplace post-revocation without adversely affecting consumers and others downstream in the supply chain.

In February, the FCC published a final rule in the Federal Register related to equipment authorization to further secure the nation’s communications networks and supply chain from equipment that poses an unacceptable risk to the national security of the U.S. or the security and safety of its citizens. The move seeks to protect against national security threats to the communications supply chain using the Equipment Authorization Program.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.