FCC Bans the Import and Sale of Chinese Equipment Deemed to Pose a National Security Risk
The Federal Communications Commission (FCC or Commission) has adopted new rules prohibiting authorization for importation, marketing, or sale in the U.S. of certain Chinese telecommunications and video surveillance equipment deemed to pose an unacceptable risk to national security. Without an FCC authorization, telecommunications equipment cannot be imported, marketed, or sold in the U.S. This action follows steps in recent years by the Commission, Congress, and the Executive Branch aimed at securing the supply chain for telecommunications equipment and services within the United States.
The Report and Order applies to future authorizations of equipment identified on the Covered List (Covered Equipment) published by the FCC's Public Safety and Homeland Security Bureau (PSHSB) pursuant to the Secure and Trusted Communications Networks Act of 2019 (Secure Networks Act). The new rules, which implement the Secure Equipment Act of 2021 (Secure Equipment Act), forbid the authorization of Covered Equipment through the FCC's Certification process or the Supplier's Declaration of Conformity (SDoC) process. Among other provisions, the rules include clarification regarding what types of equipment are "covered" and impose an interim freeze order, effective November 11, 2022, to prohibit the approval of Covered Equipment during the period between adoption of the rules and their yet-to-be-determined effective date.
The Covered List, which includes both equipment and services, currently includes telecommunications and video surveillance equipment produced by Huawei Technologies Company (Huawei) and ZTE Corporation (ZTE). The list also includes telecommunications and video surveillance equipment produced by Hytera Communications Corporation (Hytera), Hangzhou Hikvision Digital Technology Company (Hikvision), and Dahua Technology Company (Dahua) "to the extent [the equipment] is used for the purpose of public safety, security of government facilities, physical security surveillance of critical infrastructure, and other national security purposes." The prohibitions accompanying inclusion on the Covered List, including the FCC's new prohibitions on equipment authorization, extend to the subsidiaries and affiliates of the named entities.[1]
The new rules follow the FCC's prohibition of the use of public funds to purchase equipment and services deemed to pose a national security risk and its companion Secure and Trusted Communications Networks Reimbursement Program (commonly referred to as "Rip-and-Replace") for the removal, replacement, and destruction of insecure Huawei and ZTE equipment and services already in use in U.S. networks, as well as the FCC's revocation of operating authority for certain Chinese state-owned carriers based on recommendations from national security agencies.
The FCC's Equipment Authorization Program
The FCC's equipment authorization program ensures radio frequency emitting (RF) devices—including mobile phones, "smart" watches, and other wireless consumer equipment—meet technical parameters relating to harmful interference with radio services. Under the FCC's prior regulations, authorization is required before an RF device can be imported to or marketed in the United States and can be achieved in one of two ways: (1) Certification, which involves submission of an application to an FCC-recognized Telecommunications Certification Body; or (2) the SDoC process, which is a self-certification process limited to specific equipment that has a reduced potential to cause harmful RF interference (e.g., LED light bulbs and microwave ovens). Some devices are altogether exempt from demonstrating compliance through the certification or SDoC procedures due to their low levels of RF emission or for other reasons (such as being subject to separate FCC licensing programs).
The revised regulations require entities identified on the Covered List as producing Covered Equipment (currently Huawei, ZTE, Hytera, Hikvision, and Dahua, plus their subsidiaries and affiliates) to use the certification process both for otherwise-exempt devices and for devices otherwise eligible for the SDoC process. The rules require all applicants for equipment authorization to designate a U.S. agent for service of process and to attest that the equipment for which they seek authorization is not "covered." Because a modification to previously approved equipment could change it from "not covered" to "covered," the new rules also require that a filing addressing "permissive changes" include an attestation that the equipment is not prohibited from receiving authorization. The FCC considered extending this attestation requirement to component parts contained in the equipment but ultimately determined the question of component parts required further review.
The regulations now allow for revocation of equipment authorizations completed after adoption of the Report and Order if the application included a false statement or representation relating to Covered Equipment, and provide streamlined procedures for revocation. Like the question of component parts, the question of whether to revoke existing equipment authorizations for Covered Equipment remains subject to further Commission review. Among the issues to be considered, the FCC intends to explore aspects such as preventing marketing or use of equipment by third parties post-revocation and whether the FCC should take into account potential effects on the supply chain when issuing revocations.
To assist with transparency, the new rules include definitions of "affiliate" and "subsidiary" for purposes of the equipment authorization program. They also require entities named on the Covered List as producing Covered Equipment to provide the FCC (under penalty of perjury) information on other entities, such as their subsidiaries and affiliates, that are subject to the Covered List; Covered List entities must notify the FCC of any changes to this information within 30 days after the change. The FCC will post this information on its website as an appendix to forthcoming guidance on Covered Equipment.
In summary, all RF devices produced by Covered List entities are now subject to mandatory certification, and the FCC will not approve any applications for certification of devices that constitute Covered Equipment. However, the FCC left open the possibility that some Hytera, Hikvision, and Dahua telecommunications and video surveillance equipment might avoid an absolute certification prohibition due to the use-based nature of the restrictions on that equipment.
Covered Equipment
Companies that have wrestled with identifying whether specific equipment is "covered" for purposes of Section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Section 889) (generally applicable to federal contracting), the FCC's Rip-and-Replace program and/or the 2022 Supply Chain Annual Report (Annual Report) may welcome the new steps the FCC is taking to identify and clarify what it considers Covered Equipment under the equipment authorization program.[2] In addition to extensive discussion in the Report and Order itself, the FCC delegated responsibility to PSHSB and the FCC's Office of Engineering and Technology (OET), among other internal bureaus, to develop further guidance for the public regarding what types of telecommunications and video surveillance equipment are "covered."
The Report and Order specifies that "covered" telecommunications equipment is "any equipment used in fixed or mobile networks that provides advanced communications services, provided the equipment includes or uses electronic components." This includes any equipment that can be used in "a fixed or mobile broadband network to enable users to originate and receive high-quality voice, data, graphics, and video telecommunications using technology with connection speeds of at least 200 kbps in either direction." While the FCC yet again declined to produce a detailed list of equipment within the scope of this definition, it referred readers to the 2022 Filing Instructions for the Annual Report and related Network Categories Sheet on "access," "core," and "distribution" layer equipment, stating the equipment specifically identified in those instructions is indeed Covered Equipment and that the FCC intends to take a broad view of what additional equipment constitutes "covered" telecommunications equipment.
Responding to prior confusion, as well as objections voiced in public comments and ex parte submissions, the FCC specified that Covered Equipment includes handsets designed to operate on broadband networks—such as Huawei, ZTE, and Hytera handsets—and includes any other consumer premises equipment or Internet of Things devices that meet the parameters in the definition. These types of devices "meet the broad definition" adopted by the FCC "insofar as these devices incorporate electronic components, could enable users to originate and receive … telecommunications with connection speeds of at least 200 kbps in either direction, and may be the end points of most broadband networks which makes them part of the network."
"Covered" video surveillance equipment includes "any equipment that is used in fixed and mobile networks and provides advanced communications service in the form of a video surveillance service, provided the equipment includes or uses electronic components." This applies to "all equipment that is designed and capable for use for purposes of enabling users to originate and receive high-quality video telecommunications service using any technology with connection speeds of at least 200 Kbps in either direction." It includes equipment for which the end user can choose whether or not to connect it to the internet. (The FCC determined that because Congress already made the capability determination, in Section 889, that Hytera, Hikvision, and Dahua video surveillance equipment "otherwise pos[es] an unacceptable risk" to national security, it does not need to make a further assessment under the Secure Networks Act whether their equipment is "capable of routing or redirecting user data traffic or permitting visibility into any user data or packets or causing the network to be disrupted remotely.") The FCC clarified that "covered" video surveillance equipment includes video surveillance cameras, as well as equipment associated with video surveillance services that makes use of broadband capabilities, like video recorders, servers, and data storage devices.
The Covered List entries for Hytera, Hikvision, and Dahua are not absolute, so there is a possibility that some of their equipment might be eligible to receive FCC certification in the future. Unlike Huawei and ZTE, the Covered List entries for these three contain use-based prohibitions: their telecommunications and video surveillance equipment is covered "to the extent it is used for the purpose of public safety, security of government facilities, physical security surveillance of critical infrastructure, and other national security purposes."[3] This means that instead of being subject to categorical prohibitions on receiving equipment authorization, each of Hytera, Hikvision, and Dahua might receive conditional FCC authorization for their equipment, subject to stringent labeling, marketing, and sale prohibitions that will flow down to any distributors, dealers, and resellers.[4] When applying for certification, the three entities (and any affiliates and subsidiaries) will have to submit equipment-specific plans that ensure the equipment will not be marketed or sold—including by third-party distributors and dealers—for any of the prohibited purposes. The FCC will grant a conditional authorization only if it finds a plan sufficient.
Next Steps
In order to address outstanding questions, the FCC also adopted a Further Notice of Proposed Rulemaking (FNPRM). The FCC seeks further comment on issues including:
- additional revisions that should be made to the rules and procedures prohibiting the authorization of Covered Equipment, in particular, whether and how component parts should be factored into equipment authorization decisions;
- revocation of existing authorizations for Covered Equipment; and
- potential revisions to the Commission's competitive bidding program for spectrum licenses relating to national security concerns.
The comment period will close 30 days after publication of the FNPRM in the Federal Register, followed by a 60-day window for reply comments. Many provisions of the revised regulations will become effective on the date the rule is published in the Federal Register, but provisions containing modified or new information collection requirements will have a delayed effective date due to the need for Office of Management and Budget review under the Paperwork Reduction Act.
[1] There are currently 10 entities named on the Covered List, but only the five named here are subject to the new equipment authorization restrictions. The Secure Networks Act provides that equipment can be placed on the list "solely" based on a determination by one or more of four sources—which include Section 889 (mentioned later in this advisory) and appropriate national security agencies—that the equipment itself poses an unacceptable risk. 47 U.S.C. § 1601(c). If a determination addresses the risk posed by an entity's services, such as its international telecommunications services, but does not expressly address the entity's equipment, then the entity's equipment is not subject to the new equipment authorization restrictions. See FCC 22-84 ¶ 133 (Nov. 25, 2022).
[2] They may be less enthused about the potential for continued confusion: because of differences between authorizing statutes and programs, what constitutes "covered" equipment for purposes of Section 889 or Rip-and-Replace will not be identical to the generally more extensive list of what constitutes Covered Equipment for purposes of the Annual Report and the revised equipment authorization procedures.
[3] The Report and Order confirms that the FCC construes each term broadly. It turns to other authorities for many of its interpretations, such as the USA Patriot Act of 2001's definition of "critical infrastructure" which includes sectors such as the communications, financial services, health care, information technology, and transportation systems.
[4] The Report and Order does not specifically address how the FCC might react to discovery of a prohibited end use that occurs in spite of the manufacturer, distributors, and resellers all complying with approved preventative measures. In such an event, existing provisions like the Secure Networks Act would authorize enforcement against specific types of end-users (providers of advanced communications service). The approved plans themselves and/or the FNPRM process addressing revocation of existing authorizations may lead to further clarification regarding enforcement of future prohibited end-uses.