FCC Moves to Lock Down the Consumer Router Supply Chain
The Federal Communications Commission (FCC) took a sweeping step on March 23, 2026, adding all new models of foreign-produced consumer routers to its Covered List — effectively banning their import and sale in the United States. The decision reflects growing concern from national security agencies that adversaries are exploiting hardware supply chains to embed persistent footholds into American homes and small businesses. Existing authorized devices are not affected by the ban, but no new foreign-manufactured router models will receive FCC authorization going forward.
| Attribute | Value |
|---|---|
| Regulatory Body | Federal Communications Commission (FCC) |
| Action Date | March 23, 2026 |
| Mechanism | Addition to FCC Covered List |
| Scope | All new foreign-produced consumer-grade routers |
| Affected Devices | New import/sale only — existing devices unaffected |
| Waiver Pathway | Conditional Approvals available via FCC application |
| Threat Actors | State and non-state actors, foreign intelligence services |
| Primary Risk | Supply chain compromise, espionage, critical infrastructure access |
What Is the FCC Covered List?
The Covered List is a formal register of communications equipment and services deemed to pose an unacceptable risk to national security or the safety of U.S. persons. Equipment on the list cannot receive FCC authorization, effectively barring it from legal sale or import. The list was introduced under the Secure and Trusted Communications Networks Act and has previously targeted major Chinese telecom vendors including Huawei and ZTE.
The March 23 expansion marks a significant broadening of scope — from targeted enterprise and carrier-grade equipment to mass-market consumer routers sold in retail stores and shipped directly to homes.
Why Consumer Routers?
Small office/home office (SOHO) routers have been a persistent soft target for nation-state threat actors. In 2024 and 2025, U.S. intelligence agencies publicly attributed multiple campaigns — including Volt Typhoon and related operations — to adversaries who compromised consumer routers to build covert relay networks inside U.S. infrastructure. These compromised devices were used to:
- Route attacker traffic through legitimate U.S. IP addresses, evading geolocation-based detection
- Establish persistent access to internal networks without deploying custom malware
- Conduct long-term espionage against critical infrastructure sectors including energy, water, and transportation
The FCC's action targets the root cause: hardware that arrives in the U.S. with firmware pre-loaded at foreign manufacturing facilities, providing potential backdoors before a consumer ever powers the device on.
Conditional Approvals Pathway
The FCC has not completely closed the door for foreign manufacturers. Entities seeking to sell consumer routers in the U.S. may apply for Conditional Approvals, a new review process that would allow the commission to evaluate specific products against defined security criteria. The criteria and timelines for this process had not been fully published at time of writing, but the mechanism signals that the FCC is willing to consider case-by-case exceptions for manufacturers who can demonstrate supply chain integrity.
| Impact Area | Description |
|---|---|
| Consumers | Limited new router choices; existing hardware unaffected |
| Retailers | Must clear new inventory sourced from covered countries |
| Manufacturers | Foreign firms face market exclusion without conditional approval |
| Domestic Producers | Significant market opportunity opens for U.S.-based alternatives |
| Critical Infrastructure | Reduced risk of pre-compromised hardware in residential/SOHO networks |
| Threat Actors | Lose a key vector for building domestic relay infrastructure |
Recommendations for Home Users
- Audit your existing router: Check manufacturer origin and firmware version. If your current router is unaffected, keep it updated with the latest firmware.
- Enable automatic firmware updates if your router supports it — many SOHO exploits target known, unpatched vulnerabilities.
- Segment your network: Separate IoT devices from computers and phones using a guest VLAN or secondary Wi-Fi network.
- Replace aging hardware proactively: If your router is more than 5 years old, plan a replacement with a device from a vendor now compliant with U.S. security standards.
Recommendations for IT and Security Teams
- Review procurement policies: Ensure your router and network hardware purchasing criteria now explicitly include FCC Covered List status.
- Conduct a hardware audit: Identify any foreign-manufactured routers deployed in office, branch, or remote work environments.
- Implement network monitoring at the edge: Deploy DNS filtering and traffic analysis to detect anomalous outbound connections from routers.
- Follow CISA SOHO router hardening guidance: Apply the published checklist for changing default credentials, disabling remote management, and enabling logging.
Recommendations for Enterprises
- Supply chain due diligence: Add FCC Covered List verification to your vendor risk assessment process.
- Zero-trust segmentation: Treat all network infrastructure as potentially compromised; verify east-west traffic internally.
- Engage legal and compliance teams: Ensure procurement contracts include representations from vendors about Covered List status for all hardware components.
Key Takeaways
- The FCC added all new foreign-produced consumer routers to its Covered List on March 23, 2026, blocking their import and sale in the United States.
- Existing authorized devices are not affected — the ban applies only to new models seeking FCC authorization.
- State and non-state actors have actively exploited SOHO routers to build covert relay networks inside U.S. infrastructure, most notably through Volt Typhoon-linked campaigns.
- A Conditional Approvals pathway exists for foreign manufacturers willing to undergo FCC security review, keeping a limited door open for compliant products.
- The ban applies to consumer-grade devices only, but signals a broader regulatory direction toward hardware supply chain security that may extend to enterprise equipment in future rulemakings.
- Domestic router manufacturers and U.S.-aligned producers stand to benefit significantly as foreign alternatives disappear from retail shelves.