FCC Expands National Security Measures for Telecom Industry

Last week, the Federal Communications Commission (FCC) took three separate actions to control foreign influence over US communications products and services. These decisions fit within the FCC’s broader efforts to safeguard national security by mitigating risks associated with foreign adversary control.

These actions follow recent efforts by the FCC to protect the US communications infrastructure from potentially harmful products and services. For example, the FCC began implementing the “Rip and Replace” program in 2020 to reimburse telecommunications service providers for the costs associated with removing equipment manufactured by Huawei Technologies Company and ZTE Corporation. Subsequently, the FCC revised its equipment authorization rules in 2022 to prevent certain manufacturers identified by Congress to present national security risks (Huawei, ZTE, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, Dahua Technology Company) from obtaining the necessary equipment authorizations to import and market their equipment into the United States. More recently, the FCC created the IoT Cyber Trust labeling program in 2024 to inform the public regarding cybersecurity risks associated with certain consumer products. The actions discussed below build on these efforts and propose an expansion of the FCC’s efforts to address connected cars.

Bad Labs Report and Order – First, the FCC adopted rules to prohibit certain entities from owning and controlling telecommunications certification bodies (TCBs), measurement facilities, and laboratory accreditation bodies. Under the FCC’s rules, TCBs and testing facilities play an important role in preventing the introduction of devices into the United States that could interfere with other devices or cause health risks to the public.

As mentioned above, the FCC took steps in 2022 to restrict entities on the FCC’s Covered List from obtaining equipment authorizations under certain circumstances. However, because several companies listed on the Covered List also own or control TCBs and testing facilities, the Report and Order adopted on May 22nd takes steps to ensure that these facilities are not owned by, controlled by, or subject to the direction of a prohibited entity. In this context, the FCC will define “prohibited entities” as those identified on the Covered List, along with those entities identified by other federal agencies as posing national security threats. The FCC will implement new reporting and certification requirements to require compliance certification. The new rules will go into effect thirty days after publication in the Federal Register, except for the data collection and certification requirements that need development and separate approval.

Bad Labs Report and Order – First, the FCC adopted rules to prohibit certain entities from owning and controlling telecommunications certification bodies (TCBs), measurement facilities, and laboratory accreditation bodies. Under the FCC’s rules, TCBs and testing facilities play an important role in preventing the introduction of devices into the United States that could interfere with other devices or cause health risks to the public.

Foreign Adversary Control NPRM – Second, the FCC proposed rules that would implement new certification and disclosure requirements for entities holding FCC licenses, permits, or other authorizations. These new certification and reporting requirements are intended to assist the FCC in identifying potential threats from foreign adversaries in the communications sector. The FCC’s proposed rules would extend to all regulated entities controlled by or subject to the jurisdiction or direction of a foreign adversary, focusing on foreign adversary ownership or control, and require certification regarding foreign ownership and collecting information on 5% or greater interest holders.

Connected Car Public Notice – Lastly, the FCC released a public notice on May 23, 2025, seeking comment on a proposal to incorporate new communications equipment and services on the Covered List relating to connected cars. In January 2025, the Bureau of Industry and Security (BIS) issued a Final Rule that certain hardware and software manufactured by Chinese- and Russian-controlled entities pose national security risks if integrated into connected cars in the United States. While many of the entities are already listed on the FCC’s covered list, the listed equipment and services are currently limited to the telecommunications industry.

The FCC is seeking expedited comments – due on June 9, 2025 – on whether to expand the class of equipment and services on the Covered List to include the following language adopted by BIS in January:

(1) automated driving systems (ADS) and completed connected vehicles designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the People’s Republic of China, including the Hong Kong Special Administrative Region and the Macau Special Administrative Region, (PRC), or the Russian Federation (Russia); and

(2) vehicle connectivity systems (VCS) hardware designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia and intended to be included within a completed connected vehicle in the United States; or VCS hardware with integrated covered software designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia.

The FCC explained that it was opening a short comment period – which it asserts is not required under federal law when adding entities to the Covered List – because the BIS regulations do not list specific entities and, for the first time, would apply to all entities that would fall under the BIS definition.

Impact of FCC Actions – By taking these actions, the FCC intends to protect the communications supply chain from national security threats, potentially affecting entities involved in equipment authorization. These decisions may increase scrutiny and compliance costs for TCBs, test labs, and laboratory accreditation bodies. The proposed rules provide a comprehensive view of threats from foreign adversaries, potentially affecting all entities in the communications sector by requiring them to disclose foreign adversary control.

In light of these actions, providers of telecommunications equipment and services should take several steps in the near future, including:

• Compliance Strategy: Develop a compliance strategy to meet the new FCC certification and reporting requirements. This effort should involve reviewing current ownership structures and confirming that no prohibited entities have control or influence.
• Supply Chain Analysis: Entities that routinely engage with TCBs and other measurement facilities to either test their equipment or rely on the efforts of manufacturers of “white label” products to conduct and certify compliance should review their supply chain to ensure that prohibited entities are not involved in the authorization of imported devices.
• Risk Assessment: Conduct a risk assessment to identify any potential foreign adversary control within your organization and take steps to mitigate these risks.

The FCC’s recent actions confirm that it will continue scrutinizing foreign actors’ involvement and control in the US communications sector. Please feel free to contact us if you have any questions, would like to file comments in response to the proposed rules, or require further assistance in navigating these changes.