The Security Industry Assn. (SIA) issued an updated report for industry stakeholders after the FCC published its Report and Order prohibiting new device authorizations for Chinese telecommunicatdions and video surveillance products on the agency’s Covered List.
“The Security Industry Association applauds actions by the FCC, Congress and others throughout the government to protect our nation’s communications networks and help establish a more resilient and secure supply chain for electronics,” the association said in a statement.
On the list currently are certain products from 10 different Chinese and Russian companies, including video surveillance products from Hikvision and Dahua as defined in Section 889 of the 2019 National Defense Authorization Act (NDAA).
“Authorization” is the FCC certification process required for many types of radiofrequency (RF) emitting electronic devices before they can be marketed, imported or sold in the United States. For a manufacturer to apply for an obtain authorization, equipment must meet the FCC’s technical requirements, namely, they must prevent harmful RF interference with other devices, as well as limit human RF exposure, in addition to other criteria.
Under the Secure Equipment Act and the rulemaking from the FCC, this otherwise routine process will now become an instrument to implement cybersecurity and national security objectives as well.
Here are some key elements about the FCC's decision that security stakeholders should be aware of:
- This action by the FCC does not affect any authorized products currently in the U.S. market, including products in use and in supply.
- Effective immediately, there is a freeze on processing new authorization applications for equipment that is produced by any entity identified on the Covered List as producing “covered” equipment, until the order is effective, a date which is yet to be announced.
- Specific to video surveillance equipment, after the order becomes effective no new authorizations for such equipment produced by the entities on the Covered List will be granted. An exception is possible if the entity provides a plan – subject to Commission approval – ensuring the product will not be marketed and sold for “the purpose of public safety, security of government facilities, physical surveillance of critical infrastructure, or other national security purpose” (the use criteria for Covered list inclusion of video surveillance equipment, as defined in Section 889).
- All applicants for device authorization will subsequently be required to provide a written attestation that the product in question is not “covered equipment" produced by an entity on the Covered List. This does not require consideration of component parts. However, it does include products from subsidiaries and affiliates of the listed entities, and well as “white label” (i.e., re-branded) products they manufacture. See page 57 of the Order for full information on determining whether equipment is covered.
- The Order does not “revoke” existing device authorizations. While the Commission has requested further comment on this matter, it is unclear whether such action would be taken in the future.
In issuing the Order, the Commission requested further public comment on several possible future actions contemplated in its initial notice last year, but not included, such as prohibiting device authorization for products that include components produced by entities on the Covered List, and “revoking” device authorizations for covered equipment authorized prior to the order.
The Commission acknowledged potentially significant implementation difficulties in taking such actions. For example, it noted that extending the prohibition to component parts would require extensive changes to the existing process for all applicants and would be complicated by the fact there is no accepted definition of components in related law or regulations.
The practical implications of revoking of existing device authorizations –unprecedented on grounds unrelated to technical details or faults in applications – are unclear and would depend on the scope and specifics. Covered products include a wide range of equipment with varying associated risks, from telecommunications network infrastructure to end point devices used by consumers.
The Commission noted such a policy -- if implemented -- could range from “partial and limited” meaning it would “at some time in the future, preclude further import, marketing, or sale of the affected equipment” to the extreme, “requiring that that equipment no longer be used.”
The Commission also noted the possibility of targeted revocation of specific equipment authorizations based on risk criteria beyond inclusion on the Covered List.
Also acknowledged were potential difficulties for third parties such as importers, distributers, retailers and end-users may encounter in knowing and determining when, or if, equipment authorization for products they market or use has been revoked by the Commission.
The rulemaking is open for public comment for 30 days following publication, with reply comments due within 60 days.
Implementation of the Order is likely to reduce supply and eventually eliminate availability in the U.S. of video surveillance products manufactured by the listed entities as existing product life cycles expire.
This will require adjustments by all companies that may still be providing them, and impact product offerings, costs and other business operations – even if they’re not federal suppliers.
For more background information, see SIA’s earlier post on the Secure Equipment Act.