On December 10, 2020, the Federal Communication Commission (FCC or Commission) unanimously approved a Second Report and Order on supply chain security (Second R&O), which is the latest effort in its evolving role with national security issues. The FCC characterized the item as “another major step towards securing our communications networks by adopting rules to implement the Secure and Trusted Communications Networks Act of 2019.”
Among other things, the Second R&O:
- establishes the procedures and criteria for publishing a list of covered communications equipment and services that pose an unacceptable risk to national security;
- prohibits the use of federal subsidies administered by the Commission from being used on such covered communications equipment and services;
- establishes the Secure and Trusted Communications Networks Reimbursement Program (Reimbursement Program);
- requires Eligible Telecommunications Carriers (ETCs) and participants in the Reimbursement Program to remove covered communications equipment and services; and
- establishes broad reporting requirements.
The Second R&O builds upon the Commission’s existing proceeding Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs (WC Docket No. 18-89) and the November 2019 Report and Order (First R&O) that took steps to protect communications networks by prohibiting the use of Universal Service Fund support to purchase any equipment or services from companies designated by the Commission as posing a threat to national security. The First R&O also initially designated China-based equipment providers Huawei Technologies Company and ZTE Corporation as posing national security threats. Since the First R&O was adopted in 2019, the FCC issued the final designation of Huawei and ZTE (currently under FCC appeal), took steps to integrate provisions of the Secure and Trusted Communications Networks Act of 2019 (Act) into this proceeding, and completed an information collection, which estimated the cost to “rip and replace” existing Huawei and ZTE equipment and services from ETC networks at $1.6 billion.
Below is a high-level summary of the item. Please reach out to a member of our team if you have questions.
Requirement to Remove and Replace Covered Equipment and Services
The Second R&O requires two groups—(1) recipients of Reimbursement Program funds and (2) ETCs receiving USF support—to remove and replace from their networks and operations environments equipment and services on the FCC’s Covered List. Failure to comply with this requirement would result in enforcement action and the loss of future universal service funding. However, this obligation is conditioned on a congressional appropriation to fund the Reimbursement Program.
- Application to ETCs: The obligation with respect to ETCs applies to their entire network (not just jurisdictions where they operate as an ETC) and is irrespective of whether they receive funds from the Reimbursement Program; the scope of the rule does not extend to affiliates and subsidiaries of ETCs.
- Covered Equipment and Services: The remove-and-replace requirement applies to equipment and services on a list of covered communications equipment and services (Covered List). The Second R&O clarifies that “[t]he Covered List is limited to such equipment and services that the federal government, including the U.S. intelligence community, has identified as national security threats and that are placed at the most vulnerable spots in our communications infrastructure” and is “also limited to certain operational functions such as routing or redirecting user data traffic, causing an advanced communications service provider’s network to be remoted disrupted, or otherwise posing an unacceptable risk to United States national security.” ¶ 33. Accordingly, it states that “concerns raised in the record regarding inclusion of Lifeline end-user equipment are moot because they are outside the scope of the Secure Networks Act.” ¶ 33.
General Matters on Secure Networks Act Implementation
The Second R&O interprets “‘communications equipment and service’ as defined in section 9(4) of the Act to include all equipment or services used in fixed and mobile broadband networks, provided they include or use electronic components.” ¶ 52. The Second R&O also interprets “‘advanced communications service’ for the purposes of the Secure Networks Act to include services with any connection of at least 200 kbps in either direction.” ¶ 55.
Creation and Maintenance of the Covered List
As directed by the Act, the Second R&O states that the Commission will publish the Covered List no later than March 12, 2021. This list is the basis for the other requirements—including the remove-and-replace requirements discussed above, as well as the ban on use of federal subsidies and the reporting requirements discussed below.
- Sources for and Reliance on Determinations: The Second R&O finds that the Commission has “no discretion to disregard determinations from the enumerated sources” from the Act. ¶ 59. Accordingly, “where there is a determination from one of these sources, we must take action to publish or update the Covered List to incorporate communications equipment or services covered by that determination.” ¶ 59. Additionally, the Second R&O holds that the Commission cannot accept determinations from any other source. The sources are:
- Determinations from any executive branch interagency body with appropriate national security expertise. In addition to the Federal Acquisition Security Council (FASC), which is referenced in the Act, the Commission has included in this category Team Telecom and CFIUS.
- Determinations from the Department of Commerce.
- Determinations from the National Defense Authorization Act for Fiscal Year 2019.
- Determinations from appropriate national security agencies. The Second R&O includes here any sub-agencies of the enumerated agencies in the Act, which are the Departments of Defense and Homeland Security, the Office of the Director of National Intelligence, the National Security Agency, and the Federal Bureau of Investigation.
- Publishing the Covered List: The Second R&O states that the Commission will publish, update, or modify the Covered List without providing notice or opportunity to comment; however, the Public Safety and Homeland Security Bureau will issue a public notice each time the Covered List is updated.
- Incorporating Determinations onto the Covered List: The Commission “anticipate[s] that some determinations will list specific communications equipment or services that ‘pose an unacceptable risk to the national security of the United States and the security and safety of United States persons’ and others will list general categories or classes of equipment that pose such a risk.” ¶ 79.
- Clarifying Inclusion on the Covered List: The Second R&O confirms that a party may seek a declaratory ruling if there is uncertainty whether specific equipment/services are on the Covered List, but it clarifies that the Commission lacks discretion to modify a determination. To the extent that parties take issue with a determination, the Commission indicates that they should petition the source of the determination. ¶ 88.
- Updating and Modifying the Covered List: The FCC “believe[s] the best interpretation of the Secure Networks Act is that it does not grant the Commission authority to update the Covered List outside of these national security determinations, and thus, we will make no changes or modifications to the Covered List unless we identify a new or modified determination of covered communications equipment or services from any of the sources identified in section 2(c) of the Act. If one of the sources issues a new or modified determination, the Commission will update the Covered List to reflect this change.” ¶ 92.
Ban on the Use of Federal Subsidies for Equipment on the Covered List
The Second R&O adopts a new rule that will “prohibit the use of a Federal subsidy made available through a program administered by the Commission that provides funds for the capital expenditures necessary for the provision of advanced communications service to purchase, rent, lease, or otherwise obtain any covered communications equipment or service identified and published on the Covered List, or maintain any such covered communications equipment or service previously purchased, rented, leased, or otherwise obtained.” ¶ 95.
- Relationship to Existing Supply Chain Prohibition: The Commission “acknowledge[s] that there will be two processes to designate equipment or services as prohibited from federal funding—one for the designation of an entity as posing a national security threat to the integrity of communications networks or the communications supply chain, and one for the designation of specific equipment and services through the Covered List process outlined in section 2 of the Secure Networks Act. Certain equipment or services may be subject to either or both the prohibition . . .” ¶ 95.
- Scope of the New Prohibition: “The new prohibition further applies to any funding programs administered by the Commission made available to subsidize capital expenditures for the provision of advanced communications service, including any future USF programs, whereas [the existing prohibition] is limited to USF support.” ¶ 96. Like its approach under the existing prohibition, the new prohibition does not grandfather existing contracts.
As directed by the Act, the Commission will establish a “Reimbursement Program to reimburse the costs reasonably incurred by providers of advanced communication services with 2 million or fewer customers to permanently remove, replace, and dispose of covered communications equipment and services from their networks.” ¶ 108.
- Mechanics and Funding: The Second R&O covers eligibility, costs reasonably incurred, the reimbursement process, and preventing waste/fraud/abuse. The Commission explains that it conditions the start of the program on Congress appropriating the funds the Commission estimates that program will cost.
- Replacement List: The FCC will “establish, and will publish on [its] website, a Replacement List that will identify the categories of suggested replacements of real and virtual hardware and software equipment and services to guide of providers removing covered communications equipment from their networks.” The Commission states that “creating a list of suggested replacements would have negative consequences, such as the Commission being seen as picking favored equipment and manufacturers and imposing de facto mandates of specific equipment.” ¶ 196.
The Second R&O will “implement a new data collection requirement applying to all providers of advanced communications service. [The FCC will] require that providers of advanced communications service annually report on covered communications equipment or services in their networks.” For equipment or services on the Covered List acquired on or after August 14, 2018, network providers will have to report: “the type of covered communications equipment or service purchased, rented or leased; location of the equipment or service; date the equipment or service was procured; removal or replacement plans for the equipment or service, including cost to replace; amount paid for the equipment or service; the supplier for the equipment or service; and a detailed justification for obtaining such covered equipment and service.” The Commission plans to issue a public list of providers that have reported covered equipment or services in their network; however, sensitive information like “location of the equipment and services; removal or replacement plans that include sensitive information; the specific type of equipment or service; and any other provider specific information” will be presumptively confidential. ¶ 210
The Second R&O expands the Commission’s earlier steps to secure the communications supply chain, and displays the FCC’s integral role in implementing federal and congressional directives to secure the nation’s communications and internet infrastructure.
 At the time of publication the final version of the Second R&O was not yet publicly available and this summary is based on the draft document, which may differ slightly from the adopted version.