FCC Releases NPRM and NOI in Secure Supply Chain Proceeding

On Thursday, June 17, 2021, the FCC released a Notice of Proposed Rulemaking (“NPRM”) and Notice of Inquiry (“NOI”) (FCC 21-73) in the Protecting Against National Security Threats to the Communications Supply Chain through the Equipment Authorization Program (ET Docket No. 21-232) and Protecting Against National Security Threats to the Communications Supply Chain through the Competitive Bidding Program (EA Docket No. 21-233) proceeding.  The NPRM proposes, and seeks comment on, changes to FCC rules related to equipment authorization and competitive bidding procedures that would better secure the nation’s critical communications networks.  Likewise, the NOI seeks comment on other actions the FCC might consider to incentivize equipment authorization participants to adopt cybersecurity best practices. The NPRM/NOI was unanimously adopted at the June Open Meeting.

As a reminder, in recent years the Commission has taken several steps protecting public safety and promoting national security.  Recent actions related to the following proposals include the Public Safety and Homeland Security Bureau’s publication of the “Covered List,” a listing of “covered” equipment and services “that pose an unacceptable risk to national security or to the security and safety of U.S. persons.”  The Commission also designated two companies, Huawei and ZTE, as companies that pose a national security threat to communications networks.

NPRM:  The NPRM proposes and seeks comment on the following:

  • Prohibiting Authorizations:  The Commission proposes modifying its equipment authorization rules to prohibit the authorization and marketing of any equipment listed on the Covered List, because it poses unacceptable risks to the national security.  In an effort to ensure compliance with this new rule and that no unauthorized equipment is authorized or installed, the Commission proposes the following:
    • Implementation of a Certification Requirement:  Requiring applicants to provide a written and signed attestation that the equipment being certified is not on the “Covered List.” Office of Engineering and Technology (“OET”) is directed to develop guidance on the new rules, which applicants can use to determine if their equipment is on the Covered List.  In addition, OET is directed to develop guidelines for post-market surveillance to identify unauthorized “covered” equipment that may have been certified.  Finally, the Commission seeks comment on ways to ensure existing equipment is not replaced with “covered” equipment.
    • Prohibiting Use of the Supplier’s Declaration of Conformity (“SDoC”) Process for Covered Equipment:  Currently, equipment that has less potential to cause RF interference may be authorized under the SDoC procedure, wherein the party attests that the equipment conforms with the Commission’s requirements and is not required to utilize the formal equipment authorization process.  Under the proposed rules, equipment on the Covered List could not be authorized through the SDoC process and must be processed through the formal authorization process described above.  SDoC applicants would be required to attest that they are not using the process for “covered” equipment.  The Commission seeks comment on the specific information to be included in those attestations, as well as the mechanisms for informing parties about the proposed prohibition.  Finally, the Commission seeks comment on the process for OET to expeditiously update the Covered List and alert SDoC users to these updates.
  • Devices Exempt from Equipment Authorization Requirements:  Currently, equipment that generates low levels of RF emissions that have no potential for interfering with authorized radio services are exempt from complying with equipment authorization procedures.  The Commission proposes that “covered” equipment, regardless of its RF emissions, should not be exempt from complying with equipment authorization procedures.   Further, the FCC seeks comment on the mechanism necessary to identify this otherwise exempt equipment, including a possible registration system or attestation requirement.
  • Revocation of Authorizations:  The Commission plans to revoke existing authorizations of equipment on the Covered List, and prohibit the marketing and importation of previously authorized items.  The Commission seeks comment on what authority it may rely upon to revoke the authorizations, including whether it may revoke authorizations for “covered” equipment on the premise that that the authorizations were granted under false statements and whether the Commission may revoke existing authorizations that are later modified to include covered equipment on the grounds that there was a “change in its technical standards.”  Finally, the Commission seeks comment on other circumstances through which the Commission could revoke existing authorizations, mechanisms for identifying existing authorizations that should be revoked, and the procedures for processing such revocations.
  • Competitive Bidding Certification:  The Commission seeks comment on whether potential auction participants must complete additional national security certifications prior to participating in the Commission’s auctions.  Specifically, the FCC proposes requiring applicants to certify that its bids do not and will not rely on financial support from entities the Commission has designated as a national security threat to communications networks or supply chain.  The Commission seeks comment on these proposals and their effect on potential bidders.

 NOI:  The NOI seeks comment on how Commission might leverage the equipment authorization program to incentivize manufacturers to consider cybersecurity standards and guidelines.  Specifically, the FCC seeks comment on mechanisms to address the particular security risks associated with IoT devices.  The Commission also seeks comment on the views of the Consumer Technology Association published in their recent cybersecurity white paper, and on whether and how the Commission may support the National Institute of Standards and Technology’s efforts to identify IoT cybersecurity criteria.

Comments will be due 30 days after publication in the Federal Register.

Reply comments will be due 60 days after publication in the Federal Register.

 On Thursday, May 27, 2021, the FCC circulated a Draft Notice of Proposed Rulemaking (“Draft NPRM”) and Notice of Inquiry (“Draft NOI”). The following changes were made from the Draft NPRM/NOI:

  • ¶ 44 – Adding remote control transmitters and wireless medical telemetry transmitters to the list of equipment for which certification is generally required.
  • ¶ 47 – Adding a request for comment on additional compliance measures the FCC should consider regarding the equipment certification application procedures, including whether applicants should have an ongoing duty to monitor the list of covered equipment during the pendency of their application and notify the FCC if subsequent to the initial filling of the application the equipment or component part has become newly listed as “covered” on an updated Covered List.
  • ¶ 50 – Removing a request for comment on whether the FCC should adopt procedures to ensure that a grant of certification is posted in a timely fashion.
  • ¶ 53 – Adding a request for comment on whether the compliance rules and regulations should be enhanced with respect to applicants that intentionally attempt to circumvent the rules.
  • ¶ 54 – Proposing adopting a rule requiring that the parties responsible for compliance of authorized equipment must be located within the United States and seeking additional comment on whether the Commission should require that the application for certification of equipment include a party and/or an agent for service of process that must be located in the United States.  The Commission anticipates these proposed rules would better insure compliance with the certification rules.
  • ¶ 56 – Adding a request for comment on other actions or activities, including outreach and education, that would help ensure all parties potentially affected by the rule changes will understand the rules and comply with the prohibition associated with “covered” equipment.
  • ¶ 59 – Clarifying that both an entity that produced or provides “covered” equipment and such an entities’ subsidiaries cannot be authorized pursuant to the FCC’s SDoC process.
  • ¶ 60 – Adding a request for comment on whether the compliance statement should be required to include the name of a U.S. Agent for service of process (if different from the responsible party).
  • ¶ 61 – Adding a request for comment on what types of actions or activities should be directed toward equipment manufacturers, assemblers, importers, retailers, parties performing modification, and others that serve as responsible parties under the SDoC process.  The FCC also seeks comment on whether a similar requirement should be imposed on existing authorizations obtained through the SDoC process, and if so, what that process should look like, and if not how the FCC should address the difficulty of obtaining service of process on certain foreign-based manufacturers.
  • ¶ 77 – Adding a request for comment on other action or activity, including outreach and education, that would help ensure all parties potentially affected by the removal of the exemption rule—which currently exempts certain devices from FCC testing, filing and record retention requirements—will understand the rules and comply.
  • ¶ 88 – Noting that the FCC can issue citations against non-regulatees for violations of FCC rules before proposing monetary penalties, which serves as notice for future monetary penalties against that party if their conduct continues.  The FCC seeks comment on what enforcement policy the FCC should enlist for the continued marketing, sale, or operation of equipment during the transition period, including assessing citations against the violating non-regulatees before proposing any monetary penalties.
  • ¶ 102 –  Adding a request for comment on whether there are additional technologies or cybersecurity methods that mitigate security risks, including RF fingerprinting, and whether and how the FCC should encourage development and adoption of such technologies during the equipment authorization process.
  • ¶ 103 – Adding a request comment on the role of retailers in voluntarily limiting the sale of authorized equipment that lacks appropriate security protections, as well as, the status of international standards-setting bodies’ actions relevant to supply chain security and how the FCC can encourage further participation in these efforts.
  • Appendix A – Detailing proposed changes to the equipment authorization rules at 47 CFR §§ 2.903, 2.906, 2.907, 2.909, 2.911, 2.1033.

Please Contact Us if you have any questions.

Recent Posts