The U.S. Federal Communications Commission took sweeping action on March 23, 2026, adding all consumer-grade routers produced outside the United States to its Covered List—the agency's catalog of communications equipment deemed to pose unacceptable national security risks. The practical effect is a forward-looking prohibition: no new foreign-made router model can receive FCC equipment authorization, which is required for any device to be legally imported, marketed, or sold in the U.S.
The move follows a determination by a White House-convened interagency body that foreign-produced routers introduce a supply chain vulnerability capable of disrupting critical infrastructure and national defense, and present a "severe cybersecurity risk" that could be leveraged to attack American households and networks. FCC Chairman Brendan Carr welcomed the determination in a statement released alongside the announcement.
The FCC's action explicitly names three high-profile Chinese state-sponsored intrusion campaigns—Volt Typhoon, Flax Typhoon, and Salt Typhoon—as evidence that foreign-manufactured SOHO routers have already been weaponized against U.S. infrastructure. Those campaigns, which drew significant attention from the intelligence community and federal agencies over the past two years, exploited vulnerabilities in small-office and home-office networking hardware to gain persistent footholds in American networks, including those of telecommunications providers and critical infrastructure operators.
The citation matters because it frames this ruling not as a precautionary measure but as a response to documented, large-scale exploitation. It also signals that the FCC is extending the logic it applied to specific vendors—Huawei and ZTE were placed on the Covered List years ago—to an entire product category defined by manufacturing geography.
The ruling applies exclusively to new device models seeking FCC equipment authorization. Routers already authorized and in use are not affected; consumers can continue using previously purchased devices, and retailers can continue selling existing authorized inventory. The restriction is structural and forward-looking, not a recall or a ban on current hardware.
The scope, however, is broad. China accounts for an estimated 60% or more of the U.S. home router market. But the FCC's FAQ is explicit that the manufacturer's nationality is irrelevant—the determining factor is where the device is produced. That sweeps in U.S.-headquartered companies with overseas manufacturing operations, including major brands that design domestically but contract production to facilities in Asia.
A limited exit ramp exists. Manufacturers can apply to the Department of Defense or the Department of Homeland Security for "Conditional Approval," which requires companies to disclose their full management structure, detail their supply chain, and submit a concrete plan to onshore manufacturing in the United States. There is no established timeline for approval, and early indicators from the analogous December 2025 drone ban —where four non-Chinese manufacturers received conditional approval while Chinese market leaders remain blocked—suggest the process will be selective.
The market implications are significant. Because virtually no consumer router currently on the market is manufactured entirely within the United States—even brands that design domestically use overseas contract manufacturers—the ruling puts enormous pressure on an industry that has operated on the assumption of globalized hardware supply chains.
For enterprise security and IT procurement teams, the more immediate concern is not an overnight disruption but a medium-term squeeze on available hardware options for remote worker kits, branch office deployments, and network refreshes. As eligible product lines narrow, prices are expected to rise and vendor choices to consolidate around manufacturers that can navigate the conditional approval pathway or invest in domestic production capacity.
Jacob Krell, Senior Director of Secure AI Solutions & Cybersecurity at Suzu Labs, said the ruling reflects a risk the security community has been raising for years:
"Supply chain compromise is becoming one of the most serious threat vectors for nation state and advanced intrusion activity targeting critical infrastructure. The FCC's decision to add foreign manufactured consumer routers to its Covered List reflects a risk the security community has been warning about for years.
As endpoint and product security have improved, adversaries have increasingly looked upstream toward manufacturing, firmware, and other supply chain dependencies where compromise can create durable access. The FCC's citation of Volt Typhoon, Flax Typhoon, and Salt Typhoon is consistent with that concern. Network devices are especially attractive targets because they sit in the path of every packet entering and leaving an environment, and predeployment compromise can be exceptionally difficult to detect and remediate.
Security leaders should treat this as a procurement signal. If the federal government has concluded that foreign manufactured network hardware can present unacceptable supply chain risk, organizations should be reviewing whether their own vendor diligence, firmware assurance, and hardware sourcing practices reflect that same reality. Every router, switch, and access point in the environment came from a supply chain. Knowing where that hardware was manufactured, who wrote the firmware, and what visibility exists into that process is no longer a theoretical exercise."
Damon Small, a board of directors member at Xcape, Inc., described the decision as a significant escalation of the government’s supply chain posture:
"This is a massive expansion of U.S. tech protectionism, moving beyond specific Chinese entities like Huawei or ZTE to a blanket ban on all foreign-produced consumer routing hardware. By citing the weaponization of SOHO routers by groups like Volt Typhoon and Salt Typhoon, the FCC is treating the humble home router as a primary vector for national-scale pivot attacks against critical infrastructure.
For security leaders, the immediate risk isn't an overnight 'dark start," but a long-term supply chain squeeze; with more than 60% of the market currently dominated by foreign manufacturing, procurement for remote-worker kits and branch offices is about to become significantly more expensive and limited to a handful of 'trusted' (likely domestic) vendors.
Defenders should audit their current fleet of remote-access hardware and prioritize vendors moving toward U.S.-based manufacturing or those actively seeking DHS 'Conditional Approval.' While existing hardware is safe for now, expect insurance carriers and federal auditors to eventually move the goalposts from 'legal to use' to 'compliant to keep.'"
Both experts emphasize that this ruling, even if challenged in court—as the December drone ban has been—signals a durable shift in how U.S. policymakers are treating network hardware supply chain risk.
This creates practical near-term takeaways for security and procurement teams:
Audit existing remote access and branch hardware inventories, and document where each piece of equipment was manufactured.
Evaluate vendor roadmaps for conditional approval or domestic production investment. Incorporate hardware provenance into procurement criteria and third-party risk assessments, applying the same scrutiny to switches and access points as to routers.
Monitor the conditional approval process at the DoD and DHS, since that pipeline will define which products remain viable in the medium term.
The FCC's action is the latest in a series of escalating supply chain interventions—from the Huawei and ZTE vendor bans to the December 2025 drone restrictions. Whether it survives legal challenge or not, it reflects a federal posture that treats the network hardware supply chain as a national security domain rather than a procurement commodity.
Follow SecureWorld News for more cybersecurity news.