The Federal Communications Commission updated its Covered List on March 23, 2026, to include all consumer-grade routers produced in foreign countries, prohibiting new equipment authorizations for such devices.
The action followed a national security determination by an Executive Branch interagency body that routers produced in a foreign country pose unacceptable risks to the national security of the United States and to the safety and security of U.S. persons.
According to the determination, foreign-produced routers introduce a supply chain vulnerability that could disrupt the U.S. economy, critical infrastructure, and national defense, and establish a severe cybersecurity risk that could be leveraged to disrupt U.S. critical infrastructure and harm U.S. persons.
The FCC’s fact sheet stated that malicious actors have exploited security gaps in foreign-made routers to attack American households, disrupt networks, enable espionage, and facilitate intellectual property theft. Foreign-made routers were also implicated in the Volt, Flax, and Salt Typhoon cyberattacks targeting vital U.S. infrastructure.
I welcome this Executive Branch national security determination, and I am pleased that the FCC has now added foreign-produced routers, which were found to pose an unacceptable national security risk, to the FCC’s Covered List. Following President Trump’s leadership, the FCC will continue to do our part in making sure that U.S. cyberspace, critical infrastructure, and supply chains are safe and secure.
— Brendan Carr (@BrendanCarrFCC) March 23, 2026
The Covered List addition means new models of foreign-produced routers are prohibited from receiving FCC equipment authorization, which is required for importation, marketing, or sale in the United States. The ban applies to routers where any major stage of production—including manufacturing, assembly, design, or development—occurs outside the United States.
The action does not affect routers that have already received FCC authorization. Consumers can continue to use previously purchased routers, and retailers can continue to sell existing approved models.
The FCC’s FAQs confirm that the update does not impact a consumer’s continued use of routers they previously acquired.
The Office of Engineering and Technology issued a waiver allowing previously authorized routers to receive software and firmware updates, including security patches, until at least March 1, 2027.
Manufacturers of foreign-produced routers may apply for Conditional Approval from the Department of War or the Department of Homeland Security. If granted, such routers would be exempt from the Covered List restrictions.
The move follows a similar FCC action in late 2025 that added foreign-produced uncrewed aircraft systems and critical components to the Covered List, with comparable waiver provisions.
In February 2026, Texas Attorney General Ken Paxton sued TP-Link Systems Inc., a major router manufacturer with significant U.S. market share, alleging deceptive trade practices related to the security and origins of its products. The federal government had reportedly considered narrower actions against the company in 2025.
Privacy and security experts have noted that the ban addresses new devices but does not immediately resolve vulnerabilities in the large installed base of existing routers. Some analysts expect manufacturers to pursue waivers or Conditional Approvals in the near term.
FCC Chairman Brendan Carr stated that the agency will continue efforts to secure U.S. cyberspace and supply chains.
The Covered List is maintained under the Secure and Trusted Communications Networks Act of 2019. Equipment on the list is prohibited from receiving new FCC authorizations.
Consumers with concerns about router security are advised by experts to use strong, unique passwords, change default login credentials, enable automatic firmware updates where available, and replace devices that no longer receive security updates.
By
By
