Key Takeaway
The FCC now requires pre-approval for all foreign-manufactured routers before they can be imported, marketed, or sold in the United States, with applicants required to disclose foreign investor relationships and submit a U.S. manufacturing relocation plan. The rule targets supply chain risks tied to documented exploitation campaigns by groups including Volt Typhoon and Salt Typhoon, which compromised SOHO and enterprise routers to gain persistent access to U.S. critical infrastructure. CISOs, procurement teams, and network engineers must audit hardware pipelines, monitor DoD and DHS exemption lists, and pressure vendors for compliance timelines now.
FCC Foreign Router Approval Mandate
Issuing Body: Federal Communications Commission (FCC), acting on an Executive Branch national security determination.
What the Rule Requires
The FCC now requires pre-approval for any router manufactured outside the United States before it can be imported, marketed, or sold domestically. The rule applies to new devices only — routers already deployed in homes, enterprises, or data centers are not subject to forced removal or replacement.
Manufacturers seeking approval must submit a conditional approval application to the FCC. That application must disclose:
- The identities of all foreign investors with influence over the company
- Any foreign government relationships or ownership stakes
- A concrete plan to relocate router manufacturing to the United States
The Executive Branch determination underlying this rule identified two specific risk categories: first, a supply chain vulnerability capable of disrupting the U.S. economy, critical infrastructure, and national defense; second, a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons.
Who Must Comply
Every company that manufactures routers outside the United States and intends to sell into the U.S. market must comply. This includes U.S.-headquartered vendors that offshore production.
Netgear — a U.S.-based company — manufactures all of its products abroad and falls squarely within scope. TP-Link, which has been the subject of Congressional scrutiny and reported FBI and Commerce Department investigations related to Chinese state ties, is also directly affected. Asus, D-Link, and other vendors with Taiwan or China-based manufacturing lines face the same requirement.
One notable exemption path exists: the Department of Defense (DoD) or the Department of Homeland Security (DHS) may designate specific router models as acceptable exceptions. As of this writing, neither agency has added any specific products to an exemption list.
Starlink's WiFi router, manufactured by SpaceX in the United States, is one of the few consumer-grade devices that does not trigger the new requirement.
Why Routers Are the Target
This rule did not emerge in a vacuum. Network edge devices — routers in particular — have been primary targets for state-sponsored intrusion campaigns. The Volt Typhoon threat group, attributed to the People's Republic of China, compromised thousands of SOHO routers including Cisco RV-series and Netgear devices to build the KV Botnet, used as a covert relay network for operations against U.S. critical infrastructure targets including energy, water, and telecommunications sectors. The FBI and CISA issued joint advisories on this campaign in 2024.
Salt Typhoon, a separate PRC-attributed group, compromised routers and network infrastructure at multiple U.S. telecommunications providers, gaining persistent access to lawful intercept systems. CVE-2023-20198 and CVE-2023-20273, both affecting Cisco IOS XE, were exploited in related campaigns targeting network infrastructure.
Firmware implants delivered through compromised supply chains — including pre-installation at manufacturing facilities or distribution points — are a documented vector. The VPNFilter malware, attributed to Sandworm (Russian GRU), infected over 500,000 routers across 54 countries, including Linksys, MikroTik, Netgear, and TP-Link devices, demonstrating the reach of router-focused offensive tooling.
Timeline and Penalties
The FCC has not yet published a formal grace period for existing inventory in distribution pipelines, but the requirement applies to new imports and sales. Companies that import or sell non-approved foreign-manufactured routers after the rule takes effect face FCC enforcement action, which can include fines, import bans, and revocation of equipment authorization.
The conditional approval process requires a U.S. manufacturing relocation plan, which signals a medium-to-long-term compliance horizon — moving fabrication from China or Taiwan to the United States is measured in years, not quarters. Companies that cannot or do not comply will effectively lose access to the U.S. market for new router hardware.
What Organizations Should Do Now
For CISOs and procurement teams:
- Audit your current router procurement pipeline. Identify every model in your approved hardware list and confirm its manufacturing origin.
- Check whether vendors you rely on — Netgear, TP-Link, Asus, D-Link — have filed for conditional FCC approval or publicly stated compliance plans.
- Prioritize replacement cycles for routers already flagged in prior government advisories, specifically TP-Link devices named in the 2024 Congressional letters and Cisco SOHO devices referenced in Volt Typhoon advisories.
- Monitor the DoD and DHS exemption lists. When those lists publish, they will define the fastest path to compliant procurement without waiting for manufacturing relocation.
For SOC analysts and network engineers:
- Treat any router manufactured in a jurisdiction with documented state-sponsored supply chain interference as an elevated-risk device until vendor compliance status is confirmed.
- Enforce network segmentation that limits router management plane exposure. Disable remote management interfaces where not operationally required.
- Apply firmware updates on a defined schedule and subscribe to vendor security advisories. CISA's Known Exploited Vulnerabilities catalog currently lists multiple router-affecting CVEs with binding operational directives for federal agencies — use that list as a baseline even in private sector environments.
- Log all outbound traffic from router management interfaces and alert on connections to unexpected destinations, a technique directly relevant to detecting KV Botnet-style relay infrastructure.
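The management-plane egress alerting described in the last item above could be implemented along these lines. This is an added example, not part of the original article; the flow-record format, the management addresses, and the allowlist entries are all constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory of router management-plane source addresses.
MGMT_IPS = {"10.0.99.1", "10.0.99.2"}

# Constructed allowlist: (destination network, protocol, port).
ALLOWED = [
    (ipaddress.ip_network("10.0.50.10/32"), "udp", 514),    # internal syslog
    (ipaddress.ip_network("10.0.50.11/32"), "udp", 123),    # internal NTP
    (ipaddress.ip_network("198.51.100.0/24"), "tcp", 443),  # firmware mirror
]

# Constructed flow records: timestamp src dst proto dport bytes
SAMPLE_FLOWS = """\
2025-01-10T02:00:01Z 10.0.99.1 10.0.50.10 udp 514 312
2025-01-10T02:00:05Z 10.0.99.1 198.51.100.20 tcp 443 18432
2025-01-10T02:03:17Z 10.0.99.2 203.0.113.77 tcp 8443 90211
2025-01-10T02:03:49Z 10.0.99.2 203.0.113.77 tcp 8443 120334
2025-01-10T02:04:02Z 10.0.20.15 203.0.113.77 tcp 443 5120
2025-01-10T02:05:30Z 10.0.99.1 10.0.50.11 tcp 123 96
malformed line
"""

def is_allowed(dst, proto, dport):
    addr = ipaddress.ip_address(dst)
    return any(addr in net and proto == p and dport == port
               for net, p, port in ALLOWED)

def find_unexpected(flow_text):
    """Return (alerts, skipped). alerts maps (src, dst, proto, dport) to
    [flow_count, total_bytes] for management-plane flows off the allowlist."""
    alerts = defaultdict(lambda: [0, 0])
    skipped = 0
    for line in flow_text.splitlines():
        try:
            _ts, src, dst, proto, dport, nbytes = line.split()
            dport, nbytes = int(dport), int(nbytes)
            allowed = is_allowed(dst, proto, dport)
        except ValueError:
            skipped += 1  # unparseable records are counted, not silently dropped
            continue
        if src in MGMT_IPS and not allowed:
            alerts[(src, dst, proto, dport)][0] += 1
            alerts[(src, dst, proto, dport)][1] += nbytes
    return dict(alerts), skipped
```

The allowlist matches on destination, protocol, and port together, so the constructed TCP flow to the NTP host is flagged even though that host is permitted over UDP.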
For vendors:
- File for conditional FCC approval immediately if you manufacture outside the United States. Delays increase the risk of enforcement action and customer attrition to compliant competitors.
- Prepare detailed foreign investor and influence disclosures. Incomplete applications will stall approval.
- Begin scoping U.S. manufacturing feasibility studies. The FCC's requirement for a relocation plan means this is now a regulatory deliverable, not a strategic option.
The rule will increase the cost of consumer and enterprise routers in the U.S. market. Domestic manufacturing does not match the cost structure of Chinese or Taiwanese fabrication. That cost burden falls on buyers. The policy explicitly trades price efficiency for supply chain integrity — a calculation that documented router exploitation campaigns make defensible from a technical standpoint.
Original Source
Schneier on Security