FCC Releases Item Amending Equipment Authorization Rules to Protect U.S. National Security
On November 25, 2022, the Federal Communications Commission (FCC or Commission) released a Report & Order, Order, and Further Notice of Proposed Rulemaking (R&O, Order, and FNPRM; collectively, the Item) that makes significant changes to the FCC’s equipment authorization regime. The Item bans FCC authorization of equipment that appears on the Commission’s Covered List. The Covered List identifies a range of equipment, products, and services produced or provided by entities “deemed to pose an unacceptable risk to the national security of the United States or the security and safety of United States persons.” The FCC’s action comes as part of a broader series of steps on the national security front taken by various agencies over the past several years, including in trade policy and investment review.
Although the FCC launched this proceeding with a Notice of Proposed Rulemaking and Notice of Inquiry prior to the passage of the Secure Equipment Act (SEA) by Congress, the Item implements Congressional direction in the SEA to adopt rules that would ban the authorization of Covered List equipment. The Item also seeks further comment on additional changes to the Commission’s equipment authorization regime and its competitive bidding process as related to entities that pose national security risks. However, the Item does not address the NOI’s discussion on how the FCC could use the equipment authorization process to further promote cybersecurity.
The rule changes adopted by the R&O are effective immediately upon the Item’s publication in the Federal Register, with a few exceptions.[1] Comments and reply comments on the FNPRM are due 30 and 60 days after Federal Register publication, respectively.
The R&O adopts the Commission’s proposals to prohibit authorization of “covered” equipment.
The prohibition on the authorization of “covered” equipment refers to all equipment on the Covered List, which currently includes telecommunications equipment produced by Huawei and ZTE as well as video surveillance and telecommunications equipment produced by Hytera, Hikvision, and Dahua that is used “for the purpose of public safety, security of government facilities, physical security surveillance of critical infrastructure, and other national security purposes.” “Covered” equipment does not include the offerings of certain Covered list entities who are only on the Covered List for services (Pacific Network Corp, ComNet, China Unicom) or information security products and solutions (Kaspersky), rather than equipment.
To effectuate this prohibition, the R&O adopts several new requirements for all equipment authorization applicants, including:
- Attestation requirements for new applications—Applicants must submit a written and signed attestation that the equipment is not prohibited from receiving an equipment authorization and must indicate whether the applicant is a Covered Entity with respect to covered equipment.
- Obligations to designate an agent in the United States—All applicants, whether based in the U.S. or abroad, must designate an agent located in the United States to receive service of process. Applicants must attach an additional certification that identifies the agent for service, the agent’s contact information, and a statement signed by the applicant and the designated agent acknowledging the applicant’s consent to accept service of process.
- Required certifications for modifications and permissive changes to equipment—All requests to modify certified equipment must now include a certification attesting that the equipment is not prohibited from receiving an equipment authorization due to the requested modification.
- Post-authorization notice obligations—The Commission adds several disclosure obligations to ensure that material changes after authorization do not cause equipment to become “covered.” This includes a prohibition on a grantee licensing or authorizing other parties to manufacture authorized equipment if it would result in the equipment becoming “covered.” For changes to a grantee’s name or address or changes resulting from a grantee’s involvement in a transaction, the grantee must provide proper notice to the Commission, which includes a written and signed certification.
The Commission also expressed concern that covered equipment could continue to receive authorizations through the relatively relaxed processing rules associated with the Supplier’s Declaration of Conformity (SDoC). As a result, the R&O prohibits covered entities from using the SDoC process for authorizations of any equipment produced by that entity – not just covered equipment. Equipment produced by relevant entities on the Covered List must be processed through the certification process, even if the equipment would otherwise be considered exempt from the equipment authorization process.
The R&O did not implement revocations of previous “covered” equipment authorizations. However, revocations remain a possibility; the R&O specifies that the Commission has the authority to revoke existing authorizations “without considering additional rules providing for any such review or revocation of existing authorizations.” The R&O also adopts a streamlined revocation process for revoking equipment that misrepresents or falsely states its “covered” status.
The Commission anticipates that the Covered List will continue to be revised in the future. Additional clarification on covered equipment may be needed as the Covered List is updated, but that clarification will be provided by the Office of Engineering and Technology (OET) and the Public Safety and Homeland Security Bureau (PSHSB) on delegated authority. The Commission notes that it will provide “clear guidance” on the Commission’s website regarding “covered” equipment, and OET and PSHSB will issue a Public Notice on any future updates to the Covered List.
The Order is an “Interim Freeze Order” that prohibits further processing or grants of equipment authorization applications for equipment produced by any Covered List entity, pending adoption of the new rules.
The freeze began on the release date of the R&O and will continue until the rules adopted in the R&O become effective when the Item is published in the Federal Register. OET has the authority to modify or extend the freeze. This authority also allows OET to modify the interim freeze if the Covered List is updated to revise the entities identified on the Covered List as producing “covered” equipment.
The FNPRM seeks comment on additional changes to the equipment authorization program related to “covered” equipment and proposed revisions to the FCC’s competitive bidding program.
Specifically, the FNPRM seeks further comment on the following topics:
- Component parts—The FNPRM seeks additional information on how to identify component parts that introduce a similar risk as equipment on the Covered list and how the Commission can best ensure that it prohibits authorization of equipment including such components. Specifically, the Commission seeks comment on its authority to address component parts under the SEA and the practical considerations that would be involved with extending the prohibition to component parts, including possible requirements for equipment authorization applicants to identify any particular components. The Commission asks whether it should “attempt to identify ranges of components based on their risk assessment,” such as components that process and retain data. The Commission also seeks comment on whether passive electronic components like resistors, diodes, and inductors raise national security concerns.
- Modules and composite systems—The Commission notes that a “single equipment authorization application may be filed for a composite system that incorporates devices (including modules) subject to certification under multiple rule parts,” creating a possible risk for equipment to contain modules or be assembled as a composite system and simultaneously contain equipment produced by entities specified on the Covered List. Specifically, the Commission asks whether to require applicants to obtain separate equipment certificates for any device that contains a module produced by any of the entities on the Covered List and how to treat composite systems that could be assembled by a third party and incorporate devices produced by entities on the Covered List. The Commission proposes to treat composite systems similarly to modules and require devices produced by an entity on the Covered List to obtain a separate certification.
- Revocation of existing authorizations—The Commission seeks further comment on the potential scope of its authority to revoke existing equipment authorizations and processes the Commission could use to identify equipment authorizations that should be considered for revocation. The Commission also seeks comment on the appropriate transition period following a revocation decision and how potential supply chain issues, consumer-related concerns, the feasibility of partial revocations, and alternatives to revocations (i.e., security patches) should factor into the Commission’s revocation decisions.
- U.S. point of presence for compliance—The Commission seeks comment on the appropriate approach to implementing the U.S.-based responsible party requirement for all equipment certification applicants, as discussed in the R&O.
- Competitive bidding certifications—The previous NPRM asks whether the Commission should “require an applicant to participate in competitive bidding [for Commission spectrum licenses] to certify that its bids do not and will not rely on financial support from any entity that the Commission has designated . . . as a national security threat to the integrity of communications networks or the communications supply chain.” The FNPRM seeks additional comment on the risk of “distortionary auction financing” and whether prohibiting a potential auction certification is likely to be effective in addressing concerns about untrusted equipment and vendors.
- Certification process for equipment that is prohibited from using SDoC—The Commission requests comment on alternative procedures that the Commission could consider to maintain oversight over equipment identified on the Covered List, while also ensuring consistent application of equipment authorization procedures. Specifically, the Commission seeks comment regarding the procedures it should consider to address the authorization of equipment produced by entities named on the Covered List as producing covered equipment and which specific aspects of the standard SDoC process and the Certification process it should combine to ensure the necessary oversight for the Commission to readily identify and address equipment of concern.
***
The Item imposes significant changes on the FCC’s equipment authorization process and could have a substantial impact on companies seeking to bring electronic equipment to market. Wiley has a strong bench of expertise on issues related to federal supply chain oversight and national security. We have particularly deep experience with the FCC’s equipment authorization regime and enforcement in this area, handled by former OET staff. Please reach out to the authors on this alert for additional information on the Item.
[1] The FCC notes that some rule amendments contain information collection requirements that need further review by the Office of Management and Budget (OMB). The Office of Engineering and Technology will announce the effective dates for those sections after the Commission receives OMB approval.
Authors
- Partner
- Partner
- Partner
- Partner
- Partner
- Associate