Firewall Up: FCC Bars Foreign-Made Routers in New Covered List Update

Overview

On March 23, 2026, the Federal Communications Commission (FCC) updated its Covered List—a list of communications equipment and services deemed to pose an unacceptable risk to U.S. national security or the safety and security of U.S. persons—to include consumer-grade routers produced in a foreign country, absent an exemption granted by the U.S. Departments of War (DoW) or Homeland Security (DHS). This designation effectively prohibits the import of all consumer routers that are not produced in the United States.

Background

To date, the FCC has primarily designated to its Covered List equipment and services from specific Chinese telecommunications companies, and Kaspersky Labs, which has been subject to separate supply chain restrictions.

In December 2025, the FCC took a similar action by banning the import of all new models of foreign produced uncrewed aircraft systems (UAS) and UAS critical components, and not just those with a nexus to foreign adversaries. The FCC subsequently issued exemptions for specific models of UAS and UAS critical components.

The Addition of Routers to the Covered List 

Under the Secure Networks Act, the FCC may update the Covered List only upon the direction of a qualifying national security authority. The addition of commercial routers to the Covered List followed a National Security Determination that foreign-produced routers pose "unacceptable risks to the United States” by “(1) introducing a supply chain vulnerability that could disrupt the U.S. economy, critical infrastructure, and national defense; and (2) establishing a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons.”

In support of this determination, the FCC pointed to Salt, Flax, and Volt Typhoons, where Chinese-linked threat actors exploited weaknesses in widely deployed, often foreign-manufactured routers and edge networking devices to target U.S. critical infrastructure, including communications, energy, transportation, and water.  These compromised devices provided covert footholds and were used by the threat actors to create botnets in order to compromise systems and conduct espionage by exfiltrating confidential data.  It is unclear whether the FCC will take further action on additional categories of devices based on these hacking campaigns.  For example, the Flax Typhoon actors also hijacked Internet of Things devices like cameras, video recorders, and storage devices.

As a result of the addition of routers to the Covered List, new models of foreign-produced routers are now prohibited from receiving FCC equipment authorization, resulting in an effective ban from being imported, marketed, or sold in the United States.

How Do I Know Whether My Product is Prohibited?

Included in the prohibition are routers that meet the definition in the National Institute of Science and Technology’s Internal Report 8425A, which defines routers as “consumer-grade networking devices that are primarily intended for residential use and can be installed by the customer.”

How Do I Know If My Router is Produced in a Foreign Country?

The FCC broadly defines “produced in a foreign country” as undergoing any major stage of the manufacturing process outside the United States, including manufacturing, assembly, design, and development. The nationality of the entity producing the router is irrelevant. Thus, a router designed in the United States but manufactured or assembled elsewhere would meet the definition of a covered router.

However, a U.S.-produced router is not "covered" solely because it contains foreign-made components. Devices do not become "covered" simply by incorporating a covered component unless that component is a modular transmitter under FCC rules (47 CFR §§ 2.903(b), 15.212).

Applicants will need to be able to provide sufficient evidence that the routers were not produced in a foreign country to make this certification, but there is no specific documentation or evidence required. 

Does This Prohibition Affect Routers Already in the United States?

No. This designation does not affect routers that meet the definition and are in the United States on the date the prohibition took effect, or routers that have already received FCC approval.

When the FCC adds items to the Covered List, authorizations previously granted remain valid unless the FCC revokes those approvals. Additionally, the Office of Engineering and Technology (OET) within the FCC also issued a blanket waiver to enable “Class I permissive changes” (i.e.,  software and firmware updates that mitigate harm to U.S. consumers) to previously authorized routers. This waiver will remain in place until March 1, 2027, and may be extended.

Are There Exceptions?

DoW or DHS can grant an 18-month “Conditional Approval” to a router, thereby creating an exception. Annex A to the FCC’s Notice describes the application process, which includes submission of the following materials:

• Corporate Structure Disclosure: Ownership structure, beneficial owners holding five percent or greater equity, board members and executive leadership (including nationality), and any foreign government ownership, control, or influence;
• Manufacturing and Supply Chain Disclosure: A detailed bill of materials, country of origin for all components, design, software, and firmware, manufacturing and assembly locations, and identification of supply chain concentration and single points of failure; and
• U.S. Manufacturing and Onshoring Plan: A detailed plan to establish or expand U.S.-based manufacturing, including existing U.S. production capabilities, committed capital expenditures over the next one to five years, and a dedicated point of contact for quarterly progress updates.

It remains to be seen if the FCC plans to conduct security audits of new foreign produced routers that seek such exemptions, as threat actors typically take advantage of cybersecurity exploits such as firmware vulnerabilities and default or weak credentials to gain access.

What's Next

• • Monitor Conditional Approvals: Subsequent to the FCC's December 2025 addition of foreign-produced drones to the Covered List, the FCC issued exemptions for specific models. It is possible that the FCC could similarly issue exemptions here.  Companies may monitor the FCC’s website for updates related to Conditional Approvals.
  • Know Your Supply Chain: The FCC will require evidence supporting a claim that a router is produced in the United States. Companies should begin collecting such information.
  • Consider Future Supply Chains: The FCC's action signals an increasingly aggressive posture towards foreign-produced supply chain technologies. Companies that manufacture routers and wish to participate in the U.S. market should evaluate their supply chains and consider establishing production operations in the United States, including manufacturing, assembly, design, and development.