FCC prohibits new foreign router models citing critical infrastructure risks

The Federal Communications Commission has updated its Covered List to include all consumer grade routers produced in foreign countries. This action restricts approval of new device models that could enter the United States market without sufficient safeguards. The step reflects a coordinated national security determination by Executive Branch experts that certain routers introduce unacceptable risks to critical infrastructure, to the broader economy, and to the safety of United States persons.

FCC prohibits new foreign router models citing critical infrastructure risks

In practical terms, adding foreign made consumer routers to the Covered List means new device models of this type are not eligible to receive FCC equipment authorization. Without authorization, such equipment cannot be imported, marketed, or sold in the United States. The purpose of this restriction is targeted and forward looking. It is intended to raise the security baseline for new devices entering the market while avoiding unnecessary disruption for consumers and retailers who already rely on existing models.

What the Covered List update does

The Covered List is the set of communications equipment and services that pose an unacceptable risk to national security or the safety of United States persons. The Commission may update this list only when directed by national security authorities. The FCC did not act on its own. It implemented a determination from Executive Branch agencies with appropriate national security expertise. That determination found that foreign made consumer grade routers present a supply chain vulnerability that could disrupt the United States economy, critical infrastructure, and national defense. It also found a severe cybersecurity risk that adversaries could leverage to disrupt critical infrastructure and directly harm United States persons.

This update applies to new device models. It does not retroactively block previously authorized routers. Equipment that already received FCC authorization before this action can continue to be imported, marketed, sold, and used. Consumers can continue to use any router they already acquired lawfully.

Impact on consumers and retailers

Consumers do not need to replace existing routers as a result of this update. Household and small business networks can continue to operate with previously purchased equipment. Retailers may continue to sell and support router models that already have valid FCC authorization. The change focuses on future approvals of new models so that the next wave of consumer routers meets stronger supply chain and security expectations.

Pathway for manufacturers through Conditional Approval

The determination includes an exemption pathway. The Department of War or the Department of Homeland Security may grant Conditional Approval for specific router devices after finding that they do not pose unacceptable risk. Producers of consumer grade routers are encouraged to submit applications for Conditional Approval following the published guidance. Devices that receive Conditional Approval can continue through the FCC equipment authorization process. This path supports responsible manufacturers that can document supply chain integrity, robust cybersecurity controls, and transparent update and vulnerability management practices.

National security context and prior related actions

The action aligns with the broader national strategy that the United States should not be dependent on outside powers for core components essential to national defense and economic security. Security agencies have documented how malicious actors have exploited weaknesses in certain foreign made routers to compromise households, disrupt networks, enable espionage, and facilitate theft of intellectual property. Investigations have tied foreign produced routers to notable campaigns such as Volt Typhoon, Flax Typhoon, and Salt Typhoon that targeted vital infrastructure.

This update also follows similar national security determinations in other technology sectors. In recent months the FCC has added uncrewed aircraft systems and related components produced in foreign countries to the Covered List with narrowly tailored exceptions, and it has implemented restrictions on communications and video surveillance technologies identified in federal law. These steps reflect an ongoing effort to secure the communications ecosystem, close supply chain gaps, and limit exposure to high risk equipment.

Guidance for organizations and next steps

Organizations that manage networks or procure connected devices should incorporate the Covered List into risk assessments and compliance programs. The Cybersecurity and Infrastructure Security Agency encourages the use of the Covered List as part of enterprise risk management. Procurement teams should verify authorization status for any router model under consideration and confirm whether a device has Conditional Approval if it is produced in a foreign country. Security teams should maintain current firmware, change default credentials, enable automatic updates where available, and segment networks to reduce exposure in line with industry best practices.

Manufacturers seeking to serve the United States market can pursue Conditional Approval by documenting supply chain integrity, secure development life cycle controls, strong encryption and key management, timely vulnerability disclosure, and a reliable software update mechanism. Demonstrating these safeguards can help ensure devices meet national security expectations while continuing to provide consumers with choice and innovation.

About the Fact Sheet and supporting determination

For clarity, the action is summarized in the Fact Sheet titled FCC Updates Covered List to Include Foreign Made Consumer Routers, Prohibiting Approval of New Models. The update follows a determination by Executive Branch agencies that consumer grade routers produced in foreign countries threaten national security. The FCC has implemented that determination consistent with its statutory role. The Commission will continue coordinating with national security authorities and industry stakeholders to protect United States critical infrastructure and to keep the communications supply chain secure and reliable.