AGENCY:
Federal Communications Commission.
ACTION:
Proposed rule.
SUMMARY:
In this document, the Commission seeks further comment on potential additional revisions to the rules and procedures associated with prohibiting the authorization of “covered” equipment in the Commission's equipment authorization program. The Commission also invites additional comment on proposed rule revisions to the Commission's competitive bidding program.
DATES:
Comments are due April 7, 2023. Reply comments are due May 8, 2023. All filings must refer to ET Docket No. 21-232 or EA Docket No. 21-233.
SUPPLEMENTARY INFORMATION:
This is a summary of the Commission's Further Notice of Proposed Rulemaking (Further Notice or FNPRM), ET Docket No. 21-232, EA Docket No. 21-233, FCC 22-84, adopted November 11, 2022, and released November 25, 2022. The full text of the Further Notice is available by downloading the text from the Commission's website at: https://www.fcc.gov/document/fcc-bans-authorizations-devices-pose-national-security-threat. When the FCC Headquarters reopens to the public, the full text of this document will also be available for public inspection and copying during regular business hours in the FCC Reference Center, 45 L Street NE, Washington, DC 20554. Alternative formats are available for people with disabilities (braille, large print, electronic files, audio format), by sending an email to fcc504@fcc.gov or calling the Consumer and Governmental Affairs Bureau at 202-418-0530 (voice), 202-418-0432 (TTY).
Paperwork Reduction Act. This document does not contain proposed information collection(s) subject to the Paperwork Reduction Act of 1995 (PRA), Public Law 104-13. In addition, therefore, it does not contain any new or modified information collection burden for small business concerns with fewer than 25 employees, pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107-198, see44 U.S.C. 3506(c)(4).
Initial Regulatory Flexibility Analysis. As required by the RFA, the Commission has prepared an Initial Regulatory Flexibility Analysis (IRFA) of the possible significant economic impact on a substantial number of small entities of the proposals addressed in this FNPRM. The full IRFA is found in Appendix C at https://www.fcc.gov/document/fcc-bans-authorizations-devices-pose-national-security-threat.. Written public comments are requested on the IRFA. These comments must be filed in accordance with the same filing deadlines for comments on the FNPRM, and they should have a separate and distinct heading designating them as responses to the IRFA. The Commission's Consumer and Governmental Affairs Bureau, Reference Information Center, will send a copy of this FNPRM, including the IRFA, to the Chief Counsel for Advocacy of the Small Business Administration, in accordance with the RFA.
Filing Requirements.
• Electronic Filers: Comments may be filed electronically using the internet by accessing the Commission's Electronic Comment Filing System (ECFS), http://apps.fcc.gov/ecfs/. See Electronic Filing of Documents in Rulemaking Proceedings,63 FR 24121 (1998).
• Paper Filers: Parties who choose to file by paper must file an original and one copy of each filing.
○ Filings can be sent by commercial overnight courier, or by first-class or overnight U.S. Postal Service mail. All filings must be addressed to the Commission's Secretary, Office of the Secretary, Federal Communications Commission.
○ Commercial overnight mail (other than U.S. Postal Service Express Mail and Priority Mail) must be sent to 9050 Junction Drive, Annapolis Junction, MD 20701.
○ U.S. Postal Service first-class, Express, and Priority mail must be addressed to 45 L Street NE, Washington, DC 20554.
• Effective March 19, 2020, and until further notice, the Commission no longer accepts any hand or messenger delivered filings. This is a temporary measure taken to help protect the health and safety of individuals, and to mitigate the transmission of COVID-19. See FCC Announces Closure of FCC Headquarters Open Window and Change in Hand-Delivery Policy, Public Notice, DA 20-304 (March 19, 2020). https://www.fcc.gov/document/fcc-closes-headquarters-open-window-and-changes-hand-delivery-policy.
Ex Parte Rules—Permit but Disclose. Pursuant to section 1.1200(a) of the Commission's rules, this Further Notice of Proposed Rulemaking shall be treated as a “permit-but-disclose” proceeding in accordance with the Commission's ex parte rules. Persons making ex parte presentations must file a copy of any written presentation or a memorandum summarizing any oral presentation within two business days after the presentation (unless a different deadline applicable to the Sunshine period applies). Persons making oral ex parte presentations are reminded that memoranda summarizing the presentation must (1) list all persons attending or otherwise participating in the meeting at which the ex parte presentation was made, and (2) summarize all data presented and arguments made during the presentation. If the presentation consisted in whole or in part of the presentation of data or arguments already reflected in the presenter's written comments, memoranda, or other filings in the proceeding, the presenter may provide citations to such data or arguments in his or her prior comments, memoranda, or other filings (specifying the relevant page and/or paragraph numbers where such data or arguments can be found) in lieu of summarizing them in the memorandum. Documents shown or given to Commission staff during ex parte meetings are deemed to be written ex parte presentations and must be filed consistent with rule 1.1206(b). In proceedings governed by rule 1.49(f) or for which the Commission has made available a method of electronic filing, written ex parte presentations and memoranda summarizing oral ex parte presentations, and all attachments thereto, must be filed through the electronic comment filing system available for that proceeding, and must be filed in their native format ( e.g.,.doc, .xml, .ppt, searchable .pdf). Participants in this proceeding should familiarize themselves with the Commission's ex parte rules.
FOR FURTHER INFORMATION CONTACT:
Jamie Coleman, Office of Engineering and Technology, 202-418-2705, Jamie.Coleman@fcc.gov.
Synopsis
Further Notice on Part 2 Equipment Authorization
In this Further Notice of Proposed Rulemaking (Further Notice or FNPRM), the Commission seeks further comment on some of the issues the Commission raised in the Notice of Proposed Rulemaking of ET Docket No. 21-232 and EA Docket No. 21-233 (NPRM) (86 FR 4664) regarding revisions to the part 2 equipment authorization rules to prohibit authorization of equipment that has been determined to pose an unacceptable risk to national security. The Commission also invites comment on additional issues that have been raised with the establishment of the Commission's revised rules and approach in the Report and Order of this proceeding 88 FR 7592. The Commission encourages commenters and other interested parties to submit further comments on these or other issues related to revisions to the equipment authorization process to address the prohibition on authorization of equipment on the Covered List.
Component Parts
In the Report and Order, the Commission adopted requirements for applicants for equipment certification and responsible parties authorizing equipment via the Supplier's Declaration of Conformity (SDoC) process to make attestations that the equipment for which authorization is sought is not “covered” equipment. The Commission is not, however, requiring at this time that these attestations address the individual component part(s) contained within the subject equipment. As discussed in the Report and Order, several commenters raised various concerns regarding potential practical complications and difficulties that could result from inclusion of component parts within the scope of the prohibition. In this Further Notice, the Commission seeks to address these concerns as the Commission further considers issues concerning component parts with regard to prohibitions on authorization of “covered” equipment.
In seeking comment on component parts, the Commission notes at the outset that it believes that certain component parts produced by entities identified on the Covered List, if included in finished products, could potentially pose an unacceptable national security risk, similar to the security risk posed by the “covered” equipment that the Commission is now prohibiting from authorization. Similarly, Congress, in establishing the Reimbursement Program under the Secure Networks Act, shared the same concerns. It required that Huawei Technologies Company (Huawei) and ZTE Corporation (ZTE) equipment be destroyed as part of the rip and replace process, indicating that even components of untrusted and insecure equipment could pose a danger to the United States. In the Reimbursement Program, consistent with Congressional guidance, the Commission required that categories of equipment that include components that process data be destroyed so they do not get reused and continue to pose a risk. Given the challenge to protect against component parts that pose the same risk as covered equipment, the Commission endeavors to ensure that equipment that includes component parts that pose an unacceptable risk to national security also be prohibited from authorization. In this Further Notice, the Commission seeks comment to help identify such component parts and to consider how the Commission might best ensure prohibiting authorization of equipment that includes such components. In particular, the Commission seeks comment on whether and how individual component parts may need to be factored into decisions regarding authorizing equipment. This raises several issues that need to be more carefully evaluated to determine whether equipment with certain component parts should be considered “covered” equipment and thus prohibited from authorization. The Commission also recognizes that one complication is that many part 2 equipment authorization rules and part 15 rules reference “components,” but they do so in a variety of different contexts, and there is no single or consistent meaning of the term in the Commission's rules.
The Commission seeks comment about the extent to which component parts should be considered as the Commission implements its prohibition on “covered” equipment in its equipment authorization program. As the Commission considers how component parts should be treated in this process, the Commission notes that establishing a prohibition that includes considering component parts could require changes to the Commission's existing equipment authorization application process, which does not currently capture detailed information about the source of components that make up such equipment. As this proceeding examines the equipment authorization process, which is the gateway for equipment entering the U.S. marketplace with potential to ultimately become part of a telecommunication system or network, the Commission believes it is within the purview of the statute and the Commission's duty to address all equipment on the Covered List, including component parts of devices where the inclusion of such component parts would render the equipment “covered.” The Commission seeks comment on this view.
In seeking comment on how the Commission should address component parts with respect to the prohibition on authorization of “covered” equipment, the Commission also invites comment on how best to address the concerns previously raised by commenters regarding component parts. These concerns include what the Commission would consider to be component parts for purposes of implementing any potential prohibition on equipment authorizations that include such parts, including the extent to which only some types of component parts, or all such parts, should be considered. The Commission also seeks comment on practical considerations that would be involved with extending the prohibition to include component parts, including the requirements placed on applicants for equipment authorizations to identify any particular components.
As discussed above, in implementing the Secure Networks Act with regard to the Reimbursement Program, the Commission determined that categories of equipment that include components that process and retain data, or that process data, be destroyed so they do not get reused and continue to pose a risk. As the Commission considers how to address components in this proceeding, the Commission seeks comment on whether the Commission should attempt to identify ranges of components based on their risk assessment. For example, similar to the Reimbursement Program, does equipment that includes components that process and retain data, or that even process data, produced by entities identified on the Covered List, pose too much of a risk to the United States and its people to be authorized?
In proposing to include component parts within the scope of “covered” equipment in the NPRM, the Commission did not define the term and referred to both “components” and “component parts.” To ensure that equipment manufacturers, importers, assemblers, FCC-recognized Telecommunications Certification Bodies (TCBs), and other parties associated with the Commission's equipment authorization program are clear as to what equipment may be impacted by a prohibition on component parts from entities on the Covered List, the Commission would need to first develop and provide guidance on what component parts would need to be considered.
At a high level, the Commission notes that it permits modules as well as composite systems (or devices) to obtain equipment certification. A module generally consists of a completely self-contained transmitter that is missing only an input signal and power source to make it functional. Modules are designed to be incorporated into another device such as a personal computer. The advantage of using modules is that a transmitter with a modular grant can be installed in different end-user products (or hosts) by the grantee or other equipment manufacturer without the need for additional testing or a new equipment authorization for the transmitter. A composite system incorporates different devices contained within a single enclosure or in separate enclosures connected by wire or cable. A single equipment authorization application may be filed for a composite system that incorporates devices (including modules) subject to certification under multiple rule parts. Commission rules are flexible regarding the types of equipment that can be certified as modules and then incorporated into another device with no further action from the Commission and composite systems that could contain components (in this case a device). Telecommunications equipment or video surveillance equipment could contain one or more modules or could be assembled as a composite system and contain equipment produced by any of the entities (or their respective subsidiaries or affiliates) specified on the Covered List.
To ensure compliance with the prohibition on authorization of equipment identified on the Covered List, the Commission seeks comment on whether it should require that applicants or responsible parties, as applicable, obtain a separate equipment certification for any device that contains a module produced by any of the entities (or their respective subsidiaries or affiliates) specified on the Covered List. If the Commission were to adopt such a requirement, the Commission seeks comment as to how it should be applied. Should the Commission require that devices that incorporate previously-certified modules produced by any of the entities (or their subsidiaries or affiliates) on the Covered List would need to obtain a separate equipment authorization and certify that the device is not “covered” equipment? The Commission seeks comment on this view. Would such actions be sufficient to ensure against the availability of equipment containing modules that could present a security risk? Would a policy of requiring certain devices containing modules to go through the certification process and the associated attestation requirement adopted in the Report and Order, strike the right balance between providing the same flexibility for delivering products to the American public as is available today for most devices containing modules, while adding additional oversight on devices that could potentially be a security risk? What additional costs in terms of time or money would such a policy impose on device developers? What other approaches could be used to ensure devices containing modules do not cause a security risk to the United States and its citizens?
Similarly, because a composite system could be assembled by a third party and incorporate multiple devices including devices produced by any of the entities (or their respective subsidiaries or affiliates) specified on the Covered List, the Commission seeks comment on how to treat composite systems. First, recognizing that a composite system could contain only already-certified modules, the Commission seeks comment on treating them in the same manner described above for modules. That is, if any module in such a device is produced by any of the entities (or their respective subsidiaries or affiliates) specified on the Covered List, that device would be required to obtain a separate certification (including the attestation requirement adopted in the Report and Order stating that the composite system does not contain any “covered” equipment). The Commission seeks comment on this approach. Second, in cases where a composite system contains only devices that on their own would require certification or a mix of such devices and already approved modules, the Commission notes that the rules already required such devices to obtain a separate certification. Because such devices can be assembled by parties other than the original device manufacturer, the Commission seeks comment on requiring the attestation the Commission adopted in the Report and Order to affirmatively state that none of the devices that comprise the composite system are on the Covered List. The Commission does not believe such a requirement would impose any cost or undue burden on equipment certification applicants as such a requirement would be consistent with the requirements adopted in the Report and Order. The Commission seeks comment on this approach. The Commission also seeks comment on other approaches to dealing with composite systems in the certification process to ensure that such devices do not pose a security risk to the United States and its citizens.
The Commission also seeks comment on other broad approaches that could appropriately address concerns about component parts in the Commission's equipment authorization program. For instance, if equipment includes any component parts that could be authorized on a standalone basis, and such a component on its own would be considered “covered” equipment prohibited from authorization, then the equipment would be deemed “covered” equipment and thus prohibited from obtaining an equipment authorization. In addition, the Commission notes that if any determinations about “covered” equipment made by any enumerated source pursuant to the Secure Networks Act includes component parts, then this too would mean that equipment that includes such component parts would be “covered” equipment for purposes of the Commission's prohibition. The Commission seeks comment on this as well.
The Commission believes that dealing with component parts as described above is relatively straightforward. However, focusing on component parts at a more granular level, i.e., looking at all of the individual component parts that might be used to assemble a final device, would be more complicated. In the record of the NPRM, several commenters contend that, for purposes of prohibiting authorization of “covered” equipment, many component parts would not raise security concerns. The Commission invites comment, including specific comment on whether certain types of component parts potentially raise such a concern, while others do not. For example, do passive electronic components such as resistors, diodes, inductors, etc., pose a security risk by themselves? Do random access memory (RAM) chips, whose stored data is lost once power is disconnected or turned off, or components that comprise the bus, whose function is solely to link input and output ports, pose any security risk? Should the Commission focus instead on those components that have the ability to examine data traffic and route such traffic or provide the instructions to do so, or might otherwise pose an unacceptable risk to national security? The Commission includes here read only memory (ROM), flash memory, the central processing unit (CPU) or any other processor within the device, and the input and output ports (as they may be able to carry out routing functions). Should the Commission be concerned about semiconductors? Do commenters think that the Commission should consider rules regarding other component parts and if so, what rules would be appropriate? Should the Commission here be guided by the Reimbursement Program and, rather than try to identify every type of component, simply prohibit authorization of components that process and/or retain data? Notwithstanding any specific method of addressing these component parts within the equipment authorization process as described below, the Commission seeks comment on any overall approach to separating out component parts of interest that could pose a security risk versus component parts that do not. Does equipment need to be examined down to this level to ensure compliance with the prohibition on authorization of communications equipment that poses an unacceptable risk to national security under the Secure Networks Act? Should equipment that contains certain component parts produced by any of the entities listed on the Covered List be considered “covered”? If the Commission were to adopt rules to address component parts, what types of components may need to be considered as posing an unacceptable security risk? Commenters also should explain the reasons that particular component(s) would create an unacceptable risk. For example, should such components be limited to only those able to examine and route data or execute certain functions on an incoming or outgoing data stream? Would the Commission need to specifically define the components of interest in its rules or would a descriptive statement suffice? For example, would it be sufficient to specify that any component part within a device that is capable of examining an incoming or outgoing data stream and performing routing functions would fall under the umbrella of component parts of interest within the equipment?
In addition to categorizing the component parts that may be of interest when determining whether certain equipment should be considered covered equipment, the Commission seeks comment on how any identified component parts would be addressed in the equipment authorization process, both for certified devices and devices authorized through the SDoC process. Because parties seeking an equipment authorization must attest that the equipment in question is not “covered” equipment, how would a manufacturer, assembler, or other entity ascertain whether the components in question could result in their intended end product being “covered” equipment? Could an end-product produced or assembled by an entity not identified on the Covered List become “covered” equipment if it includes certain components produced by any entity identified on the Covered List? Should entities producing or assembling end products themselves obtain statements from their suppliers that certain components within any products obtained for inclusion in a Commission-regulated end product for the U.S. market do not contain components that are covered equipment or that could result in a device being classified as “covered” equipment? If so, should such statements be required to be provided in the authorization process, and/or available to the Commission upon request? What criteria could be used to decide when such equipment should be considered “covered” equipment? Are there objective standards for determining when a final product produced by an entity not identified on the Covered List that contains at least one component part produced by an entity named on the Covered List (or any of its affiliates or subsidiaries) is considered to be “covered” equipment? To what extent must the applicant for equipment certification be responsible for knowing whether any component part of its equipment was produced by any entity identified on the Covered List?
Elsewhere within the federal government, pursuant to E.O. 13873, efforts are underway to address the national security risks stemming from vulnerabilities in information and communications technology (ICT) hardware, software, and services. Among these efforts, the Cybersecurity & Infrastructure Security Agency (CISA) established the ICT supply chain risk management (SCRM) Task Force, which is working on developing a taxonomy of a “hardware bill of materials” that can be used when procuring ICT products ( e.g., an inventory of elements that makes up a particular piece of equipment) as well as a “software bill of materials.” The Task Force's efforts potentially could provide guidance and certainty in the equipment authorization process as to whether a piece of equipment complies with the Commission's rules. Should the Commission work with this Task Force to identify potential solutions to the lack of awareness of equipment components? How should this Task Force inform the Commission's potential treatment of component parts in its equipment authorization process? Should the Commission consider an applicant's exercise of reasonable diligence in seeking to determine whether the equipment includes a component part that potentially raises national security concerns be sufficient for purposes of its attestation about whether the equipment is “covered”? What other steps could an applicant take to ensure that all component parts comply with the Commission's rules? What specific attestation should the Commission require? Would an attestation that the device is not “covered” equipment be sufficient, and should the attestation include more specific information about component parts? What additional information should an entity provide to a TCB along with the application for certification or retain with records for SDoC authorizations? How can the Commission ensure that any action on components that it takes falls within the whole-of-government approach toward network and United States security?
The Commission seeks comment on each of these questions, and also on the overarching questions of the impact on both equipment security and the economy of considering component parts in the Commission's analysis of “covered” equipment. Specifically, the Commission seeks comment and data on the quantity and market share of entities on the Covered List in supplying modules or other devices for products intended for sale in the U.S. market, including composite devices as well as component parts as described above. The Commission further seeks comment, and encourages commenters to provide data, on the availability and costs of substitute modules, devices, and component parts from suppliers that are not identified on the Covered List, as well as the average lifespan/product cycle of affected final products. In the case that a component part may be identified as “covered” equipment, the Commission seeks comment on the feasibility and costs of replacing such component part. Would taking account of component parts broadly to include modules, devices, and the building block parts that make up a device produce an overall net positive benefit, taking into account both equipment security and economic impact? Is there a particular approach to identifying component parts that would maximize net benefits, such as focusing only on those component parts or type of parts that have been determined as posing an unacceptable risk to national security or the security and safety of U.S. persons?
Revocation of Existing Equipment Authorizations Involving “Covered” Equipment
In the NPRM, the Commission sought comment on the extent to which the Commission should revoke any existing equipment authorization if it adopted rules to prohibit future authorization of “covered” equipment. In the Report and Order, the Commission concluded that it has the existing authority to revoke such authorizations, including those granted prior to adoption of the Report and Order. With regard to revocation of any existing authorizations of “covered” equipment, in the NPRM the Commission did not propose to revoke any existing authorizations (and does not do so in this Report and Order), but instead sought comment on whether there are particular circumstances that would merit revocation of specific equipment, and if so, the procedures that should apply (including possible revisions to those procedures).
In the NPRM, the Commission sought comment on what particular circumstances would merit Commission action to revoke any existing authorization of “covered” equipment. To the extent revocation of any “covered” equipment might be appropriate, the Commission inquired about whether there was some process in which the Commission should engage to help identify particular equipment that should be considered for revocation. The Commission recognized that, in many situations, the revocation of any particular equipment might benefit from an appropriate and reasonable transition period for removing the equipment, but also sought comment on whether any situations might merit immediate compliance with a revocation. Further, the Commission sought comment on appropriate enforcement policies that should be associated with any revocation, including whether any monetary penalties should be considered. The Commission also inquired whether any educational or outreach efforts should be undertaken in the event of any equipment revocation. In addition, the Commission also asked about the specific procedures that the Commission should use if it were to seek to revoke any existing authorization of “covered” equipment. In particular, it noted that the existing procedures for revocation of equipment authorizations, as set forth in section 2.939(b), are the same procedures as for revocation of radio station licenses, which include several involved steps and procedures ( e.g., Commission order to show cause, and opportunity for a hearing). The Commission sought comment on whether these extensive procedures would be appropriate considering that “covered” equipment has been determined to pose an unacceptable risk to national security.
As the Commission noted in the Report and Order, commenters raised a range of concerns about whether the Commission should revoke any existing authorizations of “covered” equipment, and the Commission seeks further comment here on the issues the Commission raised in the NPRM on this topic. The Commission's further consideration here also complies with the Secure Equipment Act, in which Congress recognized the Commission's authority to examine the necessity for review and possible revocation of previously existing equipment authorizations and/or to consider the Commission's rules providing for possible revocation of previously granted equipment authorizations. The Commission uses this Further Notice to further explore the issues concerning equipment authorization revocation with respect to “covered” equipment authorized prior to the Commission's adoption of a prohibition on authorization of such equipment, and to expand the record on this topic, particularly in light of the actions taken and guidance provided in the Report and Order.
Scope of revocation. In the NPRM, the Commission sought comment on whether, following adoption of the rules in the Report and Order, it should consider revoking any existing authorizations involving “covered” equipment. Many commenters generally oppose action by the Commission to revoke existing authorizations of “covered” equipment, however worthy the security goal, expressing various concerns such as the potential for adverse impact to consumers and the supply chain. Others advocated that the Commission should revoke authorizations if the equipment would now be considered “covered” equipment. The Commission seeks comment on the scope of possible revocation of existing authorizations that it should consider, and whether there might be situations that would warrant revocation in certain circumstances.
Identification of devices that possibly should be revoked. In considering whether any existing equipment authorizations of “covered” equipment should be revoked, the Commission in the NPRM sought comment on whether there should be some process in which the Commission should engage to identify particular equipment authorizations that should be considered for revocation. It invited commenters to suggest such a process. The Commission also asked whether it should rely on outside parties' reports in its considerations. The Commission recognized the need to avoid taking any actions that would be overbroad in terms of affecting users of the previously-authorized equipment or would require removal of this equipment faster than it reasonably can be replaced.
The Commission now seeks further comment on whether there should be some process for identifying particular “covered” equipment whose authorization should be revoked because its continued authorization poses an unacceptable risk to national security. The Commission notes that it previously has authorized equipment produced by the companies producing equipment on the current Covered List, and the Commission anticipates that additional equipment produced by other companies may be determined to pose an unacceptable risk to national security and added to the Covered List as that list is updated in the future. How might the Commission or others identify existing authorizations among these if considering whether some of this equipment might merit revocation? Are there any specific cases of equipment that might merit immediate revocation? To what extent should the risk of such equipment to national security be considered, and how could such risk be evaluated? What are the benefits of eliminating this risk and the associated costs of revoking equipment necessary to eliminate this risk? The Commission concludes that it has the authority, as affirmed by Congress in the Secure Equipment Act, to consider the necessity to review or revoke an existing authorization of “covered” equipment approved prior to adoption of the Report and Order, and that it has such authority to consider such action without considering additional rules providing for any such review or revocation of existing authorizations. Considering the potential risk to national security concern, should the Commission consider revoking all authorizations of “covered” equipment, and if so how would such a potential revocation be implemented given the wide variety of existing authorizations? Also, to what extent should revocation of any particular equipment depend on establishment of a reimbursement program?
Considerations related to revocation of existing authorizations. In the event the Commission conclude that revocation of an equipment authorization may be appropriate, the Commission notes that such revocation might take different shapes. For instance, the revocation potentially could go so far as to involve not only prohibiting the future manufacture, importation, marketing, and sale of specified devices, but also requiring that the equipment no longer be used. On the other hand, the revocation of an existing authorization could conceivably be partial and limited, such as a revocation of an existing authorization that could, at some time in the future, preclude further importation, marketing, or sale of the affected equipment.
The Commission sought comment in the NPRM on the appropriate and reasonable transition period that may be necessary if the Commission decides to revoke an existing authorization. The Commission now requests additional comment on determining an appropriate transition period and whether and how that might depend on the scope of the revocation and the particular equipment involved. Should the Commission provide a suitable amortization period for equipment already in the hands of users? To what extent might the expected life-cycle of the equipment be taken into account? Pursuant to section 2.939(c), which provides for the revocation of any equipment authorization in the event of changes in its technical standards, the Commission previously sought comment on the provision of a suitable amortization period for equipment already in the hands of users or in the manufacturing process, and invites further comment here.
The Commission also seeks comment on the extent to which issues related to the supply chain and consumer-related concerns might figure in the Commission's considerations. How might the Commission evaluate supply chain issues in its consideration of whether to revoke an existing authorization, and what information and data ( e.g., number of devices, market share, substitutes, and prices) might be useful to such a consideration?
How should consumer-related concerns be factored in? In its comments on the NPRM, CTIA raises concerns relating to consumers. CTIA states that revoking existing authorizations for consumer products without a mechanism for removing them from the market would create significant confusion for consumers and could pass significant costs on to consumers who would presumably be placed in the difficult position of needing to replace newly-unauthorized devices. CTIA further argues that building a mechanism to remove retroactively de-authorized devices from the market would be complex and would need to consider how consumers would be made aware of the need to replace devices.
As noted above, there could be more than one type of revocation of existing equipment authorizations. Many commenters express concerns in the event the Commission revoked an existing authorization and required users to stop using that equipment. The Commission also might consider a kind of partial revocation of an existing authorization, such as in the case in which, at some specified date in the future, the importation, sale, or marketing of equipment that had previously been authorized could be prohibited. Such an action could eliminate any costs on users that would be associated with a requirement that existing equipment be replaced, while also promoting national security by preventing further purchasing and use of “covered” equipment that has been determined to pose an unacceptable risk to national security. The Commission seeks comment on the market impact of various types of revocation mentioned above, including estimates of the impact on costs and availability of equipment. The Commission also seeks comment on how the transition period for any such revocation affect the costs of revocation and availability of equipment.
To what extent should the time at which the equipment authorization was initially granted be a factor? For instance, in its comments on the NPRM, IPVM contends that, to the extent that some equipment that could no longer be authorized under the rules and procedures adopted in the Report and Order may only recently have been authorized (such as in the months immediately before adoption of the new rules), it would be reasonable for the Commission to revoke such authorizations; IPVM notes that in these cases revocation of the equipment would have minimal impact on American end-users because most of these products have not yet been widely sold or installed. The Commission seeks comment, including on the extent to which “covered” equipment has been authorized recently ( e.g., after issuance of the NPRM, or at any time before the effective date of the rules adopted in the Report and Order. Alternatively, to the extent that the equipment was authorized many years ago and has surpassed its expected life-cycle, might that be more reasonable grounds for the Commission to revoke the authorization?
Also, the Commission notes that there might be other alternatives to that of requiring complete revocation of an authorization. For instance, might there be measures, such as requiring the particular components of equipment be replaced or certain security patches be implemented, that might avoid the need to replace equipment that had been previously authorized? If so, how would such an approach be implemented? Should the estimated costs associated with these alternative measures be taken into account? If so, the Commission seeks comment and quantitative data associated with the costs of the alternative measures. Finally, the Commission requests any additional thoughts on other considerations that the Commission should take into account with regard to potential revocation of particular existing authorizations.
Procedures for revocation. In the NPRM, the Commission asked whether the Commission should revise or clarify the existing processes for revocation set forth in section 2.939(b) with regard to existing authorizations of “covered” equipment, given that the equipment has been determined to pose an unacceptable risk to national security. Under section 2.939(b), the procedures for revoking an equipment authorization are the same procedures as revoking a radio station license under section 312 of the Communications Act. Section 2.939(b) requires that revocation of an equipment authorization must be made in the “same manner as revocation of radio station licenses,” and thus generally would include the requirement that the Commission serves the grantee/responsible party with an order to show cause why revocation should not be issued and must provide that party with an opportunity for a hearing. As discussed in the Report and Order, however, applying section 312's procedures to revocation of equipment authorizations is not statutorily required.
In its comments on the NPRM, Hytera recommends that, if the Commission pursues revocation of existing authorizations, it should provide full and complete due process protections for the holders of the authorizations as spelled out in section 2.939(b). The Commission notes that Huawei, Dahua, and Hikvision also object to any revocation of existing equipment authorizations premised on potential constitutional claims related to due process. In considering the serious concerns surrounding equipment on the Covered List, the Commission seeks additional comment on the potential for expedited or otherwise different procedures for revocation of “covered” equipment. The Commission seeks comment on the necessity for section 312 procedures, which apply to the revocation of a “station license or construction permit” as defined in the Act, to apply with respect to revocation of any existing “covered” equipment. Should the process the Commission adopts in new rule 2.939(d) apply more broadly to existing equipment authorization revocations? The Commission also seeks comment on the scope of any due process or other constitutional requirements for such revocation procedures.
Enforcement. In the NPRM, the Commission sought comment on enforcement issues that could arise if the Commission revoked equipment authorizations. It noted that, pursuant to section 503(b)(5) of the Act, the Commission must first issue citations against non-regulatees for violations of FCC rules before proposing any monetary penalties. Such citations “provide notice to parties that one or more actions violate the Act and/or the FCC's rules—and that they could face a monetary forfeiture if the conduct continues.” In contrast, pursuant to section 503(b)(1)(A) of the Act, the Commission may assess a monetary forfeiture against grantees for violations of the Commission's rules without first issuing a citation. Therefore, the Commission may take enforcement action against a grantee who continues to market equipment after the authorization for that equipment has been revoked. The Commission also notes that third party suppliers, importers, retailers, and end users ( i.e., non-regulatees), who are not Commission regulatees, may not be aware that they are subject to Commission rules. Similarly, such non-regulatees may not be aware when equipment they market or use has been revoked by the Commission.
The Commission seeks comment on the best enforcement mechanisms the Commission should employ to swiftly curb the potential for post-revocation equipment marketing or use by such parties. Are there obligations that could be imposed on grantees or responsible parties that would help alleviate these concerns? The Commission also seeks comment on how it might revise its rules or work with federal partners and the communications industry to address existing “covered” equipment that may be in the marketplace post-revocation without adversely affecting consumers and others downstream in the supply chain. The Commission seeks further comment on these issues, as well as any comment that could help the Commission enforce the requirements imposed following revocation, such as an appropriate enforcement policy for the continued marketing, sale, or operation of equipment if the revocation involves a transition period.
Other revisions. The Commission again requests comment on whether it should make any other revisions to section 2.939 that would address revocation of “covered” equipment. Should specific provisions be included that focus on revocation of equipment that involve the types of equipment prohibited based on an unacceptable risk to national security? Do these concerns merit particular procedures commensurate with the risk to national security? If so, the Commission asks that commenters provide details and explain the rationale with the suggestions.
Outreach. In the NPRM, the Commission asked about whether it should undertake any educational and outreach efforts to inform the public regarding any revocations of “covered” equipment that may be made, such as regarding the legal effect of revocations. The Commission did not receive any comments on this particular question and again invites comment on this issue.
Supply Chain Considerations
In commenting on the proposals in the NPRM, some commenters ask whether, in the event that there are additions of “covered” equipment to the Covered List, the Commission should consider the potential impact of certain prohibitions where immediate implementation of a prohibition could result in supply chain problems. For instance, Drone Deploy expresses concerns that certain equipment used by U.S. businesses may be produced by only a few suppliers, and that in the event that equipment from such suppliers is placed on the Covered List, urges the Commission to consider providing clear market signaling and adequate notice before such a prohibition on authorization takes effect, so as not to harm US businesses. Drone Deploy further asks that the Commission work with other federal agencies in promoting the development of alternatives to equipment that may ultimately be added to the Covered List and to consider the market realities and ensure that adequate alternatives exist before restrictions on authorizations take effect. The Commission seeks comment on whether it should, in certain instances, take into account how the prohibition of particular “covered” equipment, and if such a prohibition could, if implemented immediately without sufficient advance notice or opportunity for the development of alternative sources of equipment, have a deleterious effect on the public interest.
United States Point of Presence Concerning Certified Equipment
In seeking comment in the NPRM on actions that the Commission should take that would better ensure compliance with, and enforcement of, Commission rules, the Commission proposed requiring that the party responsible for compliance with the Commission's certified equipment rules have a party located within the United States that would be responsible for compliance, akin to the current requirement applicable for equipment authorized through the SDoC process. The Commission observed that if there were a responsible party for certified equipment that has a physical presence in the United States, this would allow the Commission to conduct timely investigations and readily take effective enforcement action in instances of noncompliance, including noncompliance with the requirements promulgated in this proceeding. Only one commenter provided directly addressed comment in response to the Commission's proposal, supporting the identification of a U.S.-based responsible party.
The Commission continues to believe that it is important to facilitate enforcement of the Commission's rules and that requiring a U.S.-based responsible party for certified equipment would represent a significant step in achieving this goal. The Commission's actions in this proceeding to prohibit future authorization of “covered” equipment that poses an unacceptable risk to national security underscore the need for effective enforcement of applicable rules associated with certified equipment. Many certified devices that are imported to and marketed in the United States are manufactured in foreign countries and grantees of equipment authorizations with those devices are located outside of the United States. It can be difficult to effectively communicate with grantees, particularly foreign-based grantees, to engage in relevant inquiries, determine compliance, or enforce the Commission's rules when appropriate. Accordingly, it is important to have a reliable and effective means by which the Commission can readily identify and directly engage the grantee of an FCC equipment certification, which would be facilitated by requiring a U.S.-based presence for associated with certified equipment.
Under the current equipment certification rules set forth in section 2.909(a), the grantee obtaining the certification is the responsible party, and the only party responsible for compliance with applicable Commission requirements concerning that equipment. Requiring that, for certified equipment, there be a responsible party in the United States, would require revisions to the Commission's rules. In the NPRM, the Commission proposed adopting a general requirement that all applicants for equipment certification have a responsible party located in the United States, which could help ensure compliance with appliable Commission rules regarding the authorized equipment. At a minimum, such a requirement would require that any grantee that resides outside the United States to designate a party located within the United States that would have legal responsibility concerning compliance with such rules.
The Commission requests comment on the appropriate approach to implementing a U.S.-based responsible party requirement, as well as the details of implementing the approach in the Commission's rules. The Commission believes that it remains important that the grantee of the equipment authorization always be a responsible party for ensuring compliance under the Commission's rules, as this helps ensure that there are a wide range of tools available to the Commission that can be leveraged with respect to the grantee to help promote compliance. If the grantee continues to be a responsible party, but is not located in the United States and therefore names a separate entity located in the United States as a responsible party, how would this affect the Commission's goal of promoting compliance? Would this result in there being two responsible parties? Under this approach, what would be the relationship between the U.S.-based responsible party and the grantee, and should the Commission impose certain minimal requirements on that relationship? Would the grantee and the U.S.-located responsible party act as a co-equal in responsibility for compliance? Would both the applicant (if foreign-based) and designated U.S.-based responsible party have to attest and sign the FCC Form 731 application for equipment certification or would a single attestation be sufficient?
Should the Commission revise section 2.909(a) concerning the responsible party for certified equipment to more closely align with the approach concerning responsible parties set forth in section 2.909(b), i.e., the rule already in place for equipment authorized under the SDoC process? Are there important differences between certified equipment and SDoC-authorized equipment that should be taken into consideration as the Commission considers requiring a U.S. point of presence for certified equipment? Under the SDoC approach, the responsible party must be located in the United States, and could be, depending on the situation, the manufacturer, the assembler, the importer, or the retailer. Specifically, the Commission notes that under 2.909(b), if the manufacturer or assembler of the equipment is not located in the United States, and the equipment is imported, the importer of the equipment would be the responsible party unless the retailer(s) in the U.S. enter into agreement(s) with the importer or manufacturer (or assembler) to become the new responsible party. The Commission seeks comment on the extent to which a similar approach should be adopted for certified equipment. Should the Commission consider requiring that the importer, the retailer, the distributor, or some other entity be the U.S.-located responsible party? Should there only be one U.S.-located responsible party permitted? The Commission seeks comment on these issues and the rules and implementation details that commenters request that the Commission consider.
If the Commission requires a U.S.-located responsible party, how does the Commission ensure that any designated U.S.-based responsible party has the requisite qualifications, necessary organizational or corporate authority, capabilities, abilities and connection to the grantee to enable it to appropriately and fully respond to Commission inquiries and remedy violations of the Act and the Commission's rules? Should the Commission, for instance, require there be a formal agreement between the responsible party and the grantee? Should the Commission specify a particular status for the U.S.-based responsible party ( i.e., a citizen, a lawful resident, etc.)? What minimum criteria should the Commission consider for a U.S.-based responsible party's physical presence in the United States? Should the Commission require some form of financial security to ensure the Commission's ability to enforce its rules? How should the Commission collect and maintain information on any designated responsible party, through the TCB or directly with the Commission? What requirements are needed to ensure the grantee and/or the U.S.-based responsible party keeps its contact information up-to-date with the Commission? The Commission notes that these possible procedures could require updating FCC Form 731 and the Commission-maintained equipment authorization system (EAS) database procedures to address this additional entry and require necessary updating if there are any subsequent changes.
If the Commission adopts a requirement to have a U.S.-based responsible, is there any reason for the U.S.-based responsible party to be the same designee as the U.S.-based entity for service of process required by section 2.911(d)(7), or should they be different designees? In order to effectuate enforcement over time, should the grantee be required to maintain a U.S.-based responsible party for a certain period of time after the grantee ceases marketing the device? Finally, as the Commission considers which approach to take, the Commission seeks comment on the burdens placed on applicants and the TCBs in implementing the appropriate approach.
Other Issues
Now that the Commission's revised rules and approach have been established in the Report and Order, commenters and other interested parties may wish to submit further comments on these issues or other issues. The Commission seeks further comment on some of the issues the Commission raised in the NPRM. The Commission also invites comment on additional issues.
Additional information under section 2.1033. In the NPRM, the Commission asked whether to require the applicant to provide, under section 2.1033, additional information (possibly including a parts list) that could help establish that the equipment is not “covered” in order to assist TCBs and the Commission in the effort to prohibit authorization of “covered” equipment. If so, what additional information might be helpful or appropriate, and how should the requirement be crafted to mitigate any undue burden on applicants?
Review of the equipment authorization post-grant. Following a TCB's grant of certification, the Commission will post information on that grant “in a timely manner” on the Commission-maintained public EAS database, and that the TCB or Commission may set aside a grant of certification within 30 days of the grant date if it is determined that such authorization does not comply with applicable requirements or is not in the public interest. In the NPRM, the Commission invited comment on whether it should consider adopting any new procedures for gathering and considering information on potentially relevant concerns that the initial grant is not in the public interest and should be set aside. In particular, the Commission asked about the extent to which interested parties, whether the public or government entities ( e.g., other expert agencies) should be invited to help inform the Commission as to whether particular equipment inadvertently received a grant by the TCB and is in fact “covered” equipment such that the grant should be set aside. The Commission notes that commenters on the NPRM generally opposed establishing any new procedures. The Commission, however, invites further comment about whether procedures for a post-grant review process should be established now that the specific new rules and procedures are effective.
Post-market surveillance. In the NPRM, the Commission also sought comment on whether the Commission should consider any revisions or clarifications to the section 2.962(g) rules concerning “post-market surveillance” activities with respect to products that have been certified. Those rules currently require TCBs to perform appropriate post-market surveillance activities with respect to testing samples of certified equipment for compliance with technical regulations. The Commission noted that OET has delegated authority to develop procedures that TCBs will use for performing such post-market surveillance, and sought comment on whether any revisions or clarifications should be adopted with respect to post-market surveillance. In its comments on the NPRM, CTIA expresses concern that increasing the scope of TCBs' post-market surveillance responsibilities could result in delays in authorizing equipment and higher TCB costs. Now that rules and procedures for prohibiting authorization of “covered” equipment are effective, the Commission invites additional comment on this issue. Beyond the existing requirements under section 2.962(g), are there particular additional activities that TCBs should conduct in light of the goals of this proceeding?
Certification process for equipment that is prohibited from using SDoC. In the Report and Order of this proceeding, the Commission adopted a rule prohibiting any of the entities named on the Covered List as producing “covered” equipment, and their respective subsidiaries or affiliates, from using the SDoC process to authorize any equipment—not just “covered” equipment identified on the Covered List. Thus, any equipment eligible for equipment authorization that is produced by any entities so identified on the Covered List, or their respective subsidiaries or affiliates, must be processed pursuant to the Commission's certification process, regardless of any Commission rule that would otherwise permit use of the SDoC process. While the Commission maintains its belief that the implementation of this rule is not unnecessarily burdensome, the Commission did note in adopting it that as the Commission, industry, and manufacturers gain more experience over time on the effectiveness of its procedures concerning “covered” equipment, the Commission may wish to revisit this process. As such, the Commission takes this opportunity to seek comment on alternative procedures that the Commission could consider to maintain oversight over equipment identified on the Covered List, while ensuring consistent application of the Commission's equipment authorization procedures. What procedures should the Commission consider to specifically address the authorization of equipment produced by entities named on the Covered List as producing “covered” equipment? What specific aspects of the standard SDoC process and the Certification process should the Commission combine to ensure the necessary oversight for the Commission to readily identify and address equipment of concern?
Enforcement. In light of the rules and approach that the Commission adopted in the Report and Order, the Commission invites comment on other actions it should consider to promote enforcement of the prohibitions in the Commission's equipment authorization program relating to “covered” equipment.
Other issues. Finally, the Commission invites comment on other rules or procedures that the Commission should consider as it moves forward with implementation of the prohibition on authorization of “covered” equipment.
Further Notice on Competitive Bidding
In addition to considering revisions to the Commission's equipment authorization program, the Commission sought comment in the NPRM on whether to “require an applicant to participate in competitive bidding [for Commission spectrum licenses] to certify that its bids do not and will not rely on financial support from any entity that the Commission has designated under section 54.9 of its rules as a national security threat to the integrity of communications networks or the communications supply chain.”
If adopted, such a requirement could prevent the entities designated pursuant to section 54.9 from influencing the bidding in an auction for Commission spectrum licenses. The Commission has designated Huawei and ZTE, and their subsidiaries, parents, or affiliates, pursuant to section 54.9. In doing so, the Commission noted Huawei's and ZTE's ties to the Chinese government and military apparatus, along with Chinese laws obligating those companies to cooperate with any Chinese government requests to use or access their systems. It also is well-established that the Chinese government helped fuel Huawei's growth by deploying powerful industrial policies to make Huawei equipment cheaper to deploy than the alternatives. These policies include both direct subsidies to Huawei and state-funded export financing. The Chinese government support for Huawei has been repeatedly documented.
In the NPRM, the Commission stated that indirect subsidies may include “[d]istortionary financing intended to support participation in spectrum auctions of network operators who then deploy covered equipment and services [and thereby] may raise concerns about risks to the national security of the United States and the security and safety of United States persons.” The Commission noted concerns that such financing had enabled a party to outbid others for spectrum licenses at auction, effectively blocking other equipment providers. It sought comment on whether a potential certification might address the risk of such distortionary financing in Commission auctions.
Only a handful of commenters responding to the NPRM address the potential auction certification. None dispute the potential risk, though each raises different concerns with a certification requirement and each offers different suggestions to address those concerns. Addressing the potential difficulty of identifying the ultimate sources of financing, one commenter suggests that the Commission accept a certification based on reasonable belief “after sufficient due diligence.” Another commenter alternatively proposes that the certification only apply to applicants receiving “financial support” of greater than 10%, though it does not detail how this is to be measured. That commenter also notes some risk that the potential certification may interfere with allowing market forces to determine the use of spectrum by artificially limiting the number of applicants seeking the licenses. Echoing another commenter's concern with the breadth of the potential certification, an additional commenter suggests that the certification concern only those funds “specifically for the purpose of auction participation.” They further recommend limiting the certification to those entities specifically designated, and proposes clarifications that subsequent changes in the list of those designated would have no effect on earlier certifications. A different commenter, on the other hand, proposes expanding the entities covered by the certification to include relevant Chinese financial institutions. Finally, rather than focus on financing, another commenter would refocus the certification and make it into a bar on specific entities participating in Commission spectrum license auctions or the use by auction winners of equipment provided by those entities. Concerns about Huawei and ZTE and the risks posed by their equipment have continued since adoption of the NPRM and submission of the record in response, both in connection with spectrum license auctions and more generally. Concerns about the security of Huawei equipment were a significant topic in connection with Brazil's 2021 auction of spectrum licenses for use with 5G wireless technology. More recently, separate from any license auction, Canada issued a ban on equipment from Huawei and ZTE with respect to all licenses.
In light of the record in response to the NPRM, continuing concerns regarding Huawei and ZTE, and the Commission's action in the Report and Order with respect to equipment certification, the Commission seeks further comment on the risk of distortionary auction financing and potentially addressing that risk with a required auction application certification. Given developments since the NPRM, including the steps taken with respect to equipment approvals, has the risk of distortionary auction financing to benefit section 54.9 companies lessened or increased? As additional actions are taken with respect to untrusted equipment and vendors, is a potential auction certification more or less likely to be effective in addressing the underlying concern? As noted in response to the NPRM, such an inquiry can be difficult to tailor to address the underlying concern without imposing a burden on or creating uncertainty for auction participants. Would any of the alternatives suggested in the record address the underlying risk more effectively? Are there alternative ways to narrow or otherwise target the certification that would address the national security concerns, while limiting any negative impacts on competitive bidding?
Ordering Clauses
Accordingly, it is ordered, pursuant to the authority found in sections 4(i), 301, 302, 303, 309(j), 312, 403, and 503 of the Communications Act of 1934, as amended, 47 U.S.C. 154(i), 301, 302a, 303, 309(j), 312, 403, 503, and the Secure Equipment Act of 2021, Public Law 117-55, 135 Stat. 423, that the Further Notice of Proposed Rulemaking is hereby adopted.
It is further ordered that the Commission's Consumer and Governmental Affairs Bureau, Reference Information Center, shall send a copy of this Further Notice of Proposed Rulemaking, including the Initial Regulatory Flexibility Analysis, to the Chief Counsel for Advocacy of the Small Business Administration.
It is further ordered that the Commission's Consumer and Governmental Affairs Bureau, Reference Information Center, shall send a copy of this Further Notice of Proposed Rulemaking, including the Initial Regulatory Flexibility Analysis, to Congress and the Government Accountability Office pursuant to the Congressional Review Act, see5 U.S.C. 801(a)(1)(A).
Federal Communications Commission.
Marlene Dortch,
Secretary.
[FR Doc. 2023-04608 Filed 3-7-23; 8:45 am]
BILLING CODE 6712-01-P