Takeaways

The FCC released a draft Third Report and Order that would expand the scope of its equipment authorization and Covered List rules to, among other things, prohibit authorization of radio frequency (RF) devices containing logic-bearing components produced by covered entities if, had the device itself been produced by the covered entity, it would have been prohibited from obtaining authorization.
An accompanying Third Further Notice of Proposed Rulemaking seeks comment on additional measures, including bifurcating the Covered List; requiring Software Bill of Materials (SBOM) and Hardware Bill of Materials (HBOM) disclosures; and expanding the equipment authorization ban to include all components produced by covered entities.
The item is scheduled for a vote at the FCC’s upcoming July 22 open meeting, giving interested stakeholders an opportunity to seek changes before the Sunshine Agenda period begins.

The Federal Communications Commission (FCC) kicked off America’s 250thwith a burst of national security-related items released prior to the July Fourth holiday, including a draft Third Report and Order and Third Further Notice of Proposed Rulemaking (the Order and the Further Notice, respectively) that builds on the agency’s ongoing efforts to expand the reach of its equipment authorization and Covered List rules. Up for consideration at the FCC’s July 22 open meeting, the Order as currently drafted would (1) close what the FCC refers to as the “component part loophole” to its Covered List rules; (2) require online marketplaces to display the FCC ID and compliance information statements at the point of sale; (3) require full certification for any modification or permissive change made by an entity identified on the Covered List; and (4) adopt a definition of “critical infrastructure” as used in the Covered List context.

The draft item also offers several clarifications and seeks comment on a number of measures intended to target what the FCC identifies as additional loopholes in the current framework, enhance the agency’s enforcement capabilities and refine its Covered List rules in light of other recently adopted changes.

Closing the “Component Part Loophole”
As we have written about here, here and here, the FCC maintains a list of communications equipment and services deemed to pose an unacceptable risk to national security, known as the “Covered List.” Since adoption of the Covered List, the FCC has enacted rules that prospectively restrict “covered” entities and equipment from receiving the equipment authorizations necessary to permit importation, marketing, and sale in the U.S. market. In an October 2025 Second Report and Order, the FCC clarified that “covered” equipment includes modular transmitters and prohibited authorization of any device containing a modular transmitter that is itself covered equipment. It also sought comment on whether to prohibit authorization of equipment containing other components produced by covered entities.

The Order would do just that: prohibit authorization of logic-bearing hardware components produced by covered entities and devices containing such components if, had the device itself been produced by the covered entity, it would have been prohibited from obtaining authorization. Notably, this prohibition would apply only with respect to logic-bearing components produced by covered entities, and not to logic-bearing components produced by non-covered entities who produce covered equipment (i.e., foreign-produced UAS, UAS critical components, and routers).

The draft Order defines “logic-bearing hardware components” as:

“any device, system, module, sub-assembly, integrated circuit, or other physical component that generates and uses timing signals or pulses at a rate in excess of 9,000 pulses (cycles) per second and uses digital techniques; inclusive of telephone equipment that uses digital techniques or any device, system, module, sub-assembly, integrated circuit, or other physical component that generates and uses radio frequency energy for the purpose of performing data processing functions, such as electronic computations, operations, transformations, recording, filing, sorting, storage, retrieval, or transfer.”

The Order would also task the FCC’s Office of Engineering and Technology with responding to “questions as to what sort of components meet this definition” and providing further clarification. The FCC concluded that such components pose many of the same national security risks as equipment produced directly by covered entities, due to their capability to execute instructions that enable surveillance, disruption and sabotage, accept firmware updates, and respond to remote signals to activate dormant code.

The prohibition would apply prospectively and take effect immediately upon adoption of the Order with no transition period.

New Obligations for Online Marketplaces
The FCC’s rules prohibit the “marketing” of RF devices that lack a valid equipment authorization, with the term “marketing” broadly encompassing the sale, lease, advertising, importation, shipment, and distribution for the purpose of selling or leasing of such device. The Order would clarify that “distribution for the purpose of selling” covers the listing of RF equipment on an online marketplace if the online marketplace also engages in consignment, warehousing, inventory management, order processing, labelling, packaging, billing or fulfilment services—even if the equipment is sold by a third party—and that such online marketplaces are subject to FCC enforcement action if they market unauthorized devices.

If adopted, the Order would require e-commerce platforms that “market” RF devices to display the FCC ID (for certified devices) and compliance information statement (for SDoC devices) at the online point of sale. The FCC concludes that doing so will enable consumers to make informed purchasing decisions and verify that the devices are “authorized for sale within the United States and are safe products.”

Definition of Critical Infrastructure
Following the D.C. Circuit’s 2024 vacatur of the FCC’s earlier-adopted definition of “critical infrastructure,” the draft Order would narrow the term to no longer encompass all components “connected to” critical infrastructure. As such, “critical infrastructure” would be defined as:

“[S]ystems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

This definition would continue to encompass systems and assets used in the provision of services or functions in the sixteen critical infrastructure sectors identified in the National Security Memorandum on Critical Infrastructure Security and Resilience.

Additional Clarifications
In addition to clarifying the applicability of the “marketing” rules to e-commerce platforms, the draft Order clarifies (or re-affirms) that:

  • Previously authorized devices may not be modified (including through a permissive change) if doing so would cause the device to become covered as a result of such modification or permissive change;
  • All covered entities that seek any modification or permissive changes to covered or non-covered equipment must submit full applications for recertification; and
  • No covered entity is permitted to rely on the SDoC process for modifications, even for non-covered equipment regardless of the nature or scope of the change.

Proposed Rules
The draft Further Notice seeks comment on a host of measures intended to close what the FCC has identified as additional loopholes in the current regulatory framework that compromise national security. At a high level, these include:

  • Whether to bifurcate the Covered List rules into producer/provider-based and production location-based categories with the intent to provide clarity with respect to which rules apply to both categories and which apply only to one category;
  • Whether to codify a definition of “produced by” for purposes of the Covered List and related rules;
  • Whether to adopt measures to address potential “white labeling” abuse with respect to devices claiming “electrically identical” status;
  • Whether to require applicants to submit a written and signed HBOM and SBOM at the time they apply for certification and require grantees to update the FCC of any changes to the HBOM or SBOM of the device;
  • Whether to prohibit authorization of devices incorporating any components produced by a covered entity (including software and/or firmware);
  • Whether to require certification for devices in Covered List sectors (UAS, UAS critical components, and routers) even if it would otherwise be eligible for authorization pursuant to SDoC or exempt from authorization;
  • Whether to adopt new restrictions and conditions for importation and marketing of covered equipment;
  • Whether to impose term limits on equipment authorizations; and
  • Whether to require a U.S.-based liable party for FCC-certified equipment (similar to the SDoC requirement to have a U.S.-based responsible party).

The FCC also proposes to codify in its rules a framework for permitting permissive changes for software and firmware updates that mitigate harm to U.S. consumers for previously authorized covered equipment. Such changes are currently permitted through a set of limited waivers granted in January and May 2026 that are set to expire on January 1, 2029.

Opportunity to Shape the Final Rules
The draft Order and Further Notice has been circulated for consideration at the FCC’s July 22 open meeting. As a result, companies that may be affected by these proposals still have a limited opportunity to meet with FCC Commissioners and staff (subject to the “permit-but-disclose” ex parte rules) before the Sunshine Agenda period begins to advocate for changes to the draft Order before its adoption. The Sunshine Agenda period is expected to begin one week prior to the open meeting.

If adopted, comments on the Further Notice would be due 30 days after publication in the Federal Register, with reply comments due 45 days following publication. Interested stakeholders are encouraged to participate in the rulemaking regarding the identified questions, as well as any other outstanding issues remaining in the Supply Chain Security docket.

* * * * * * * * * *

For more information about the FCC’s proposed equipment authorization changes, the Covered List, or for assistance evaluating the impact of these proposals or engaging with the FCC during the rulemaking process, please contact the authors.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.