Protecting Against National Security Threats to the Communications Supply Chain Through the Equipment Authorization Program and the Competitive Bidding Program, 14312-14322 [2023-04608]

Agencies

• FEDERAL COMMUNICATIONS COMMISSION

[Federal Register Volume 88, Number 45 (Wednesday, March 8, 2023)]
[Proposed Rules]
[Pages 14312-14322]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-04608]


=======================================================================
-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Part 2

[ET Docket No. 21-232, EA Docket No. 21-233; FCC 22-84; FR ID 129145]


Protecting Against National Security Threats to the 
Communications Supply Chain Through the Equipment Authorization Program 
and the Competitive Bidding Program

AGENCY: Federal Communications Commission.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: In this document, the Commission seeks further comment on 
potential additional revisions to the rules and procedures associated 
with prohibiting the authorization of ``covered'' equipment in the 
Commission's equipment authorization program. The Commission also 
invites additional comment on proposed rule revisions to the 
Commission's competitive bidding program.

DATES: Comments are due April 7, 2023. Reply comments are due May 8, 
2023. All filings must refer to ET Docket No. 21-232 or EA Docket No. 
21-233.

SUPPLEMENTARY INFORMATION: This is a summary of the Commission's 
Further Notice of Proposed Rulemaking (Further Notice or FNPRM), ET 
Docket No. 21-232, EA Docket No. 21-233, FCC 22-84, adopted November 
11, 2022, and released November 25, 2022. The full text of the Further 
Notice is available by downloading the text from the Commission's 
website at: https://www.fcc.gov/document/fcc-bans-authorizations-devices-pose-national-security-threat. When the FCC Headquarters 
reopens to the public, the full text of this document will also be 
available for public inspection and copying during regular business 
hours in the FCC Reference Center, 45 L Street NE, Washington, DC 
20554. Alternative formats are available for people with disabilities 
(braille, large print, electronic files, audio format), by sending an 
email to [email protected] or calling the Consumer and Governmental 
Affairs Bureau at 202-418-0530 (voice), 202-418-0432 (TTY).
    Paperwork Reduction Act. This document does not contain proposed 
information collection(s) subject to the Paperwork Reduction Act of 
1995 (PRA), Public Law 104-13. In addition, therefore, it does not 
contain any new or modified information collection burden for small 
business concerns with fewer than 25 employees, pursuant to the Small 
Business Paperwork Relief Act of 2002, Public Law 107-198, see 44 
U.S.C. 3506(c)(4).
    Initial Regulatory Flexibility Analysis. As required by the RFA, 
the Commission has prepared an Initial Regulatory Flexibility Analysis 
(IRFA) of the possible significant economic impact on a substantial 
number of small entities of the proposals addressed in this FNPRM. The 
full IRFA is found in Appendix C at https://www.fcc.gov/document/fcc-bans-authorizations-devices-pose-national-security-threat.. Written 
public comments are requested on the IRFA. These comments must be filed 
in accordance with the same filing deadlines for comments on the FNPRM, 
and they should have a separate and distinct heading designating them 
as responses to the IRFA. The Commission's Consumer and Governmental 
Affairs Bureau, Reference Information Center, will send a copy of

[[Page 14313]]

this FNPRM, including the IRFA, to the Chief Counsel for Advocacy of 
the Small Business Administration, in accordance with the RFA.
    Filing Requirements.
     Electronic Filers: Comments may be filed electronically 
using the internet by accessing the Commission's Electronic Comment 
Filing System (ECFS), https://apps.fcc.gov/ecfs/. See Electronic Filing 
of Documents in Rulemaking Proceedings, 63 FR 24121 (1998).
     Paper Filers: Parties who choose to file by paper must 
file an original and one copy of each filing.
    [cir] Filings can be sent by commercial overnight courier, or by 
first-class or overnight U.S. Postal Service mail. All filings must be 
addressed to the Commission's Secretary, Office of the Secretary, 
Federal Communications Commission.
    [cir] Commercial overnight mail (other than U.S. Postal Service 
Express Mail and Priority Mail) must be sent to 9050 Junction Drive, 
Annapolis Junction, MD 20701.
    [cir] U.S. Postal Service first-class, Express, and Priority mail 
must be addressed to 45 L Street NE, Washington, DC 20554.
     Effective March 19, 2020, and until further notice, the 
Commission no longer accepts any hand or messenger delivered filings. 
This is a temporary measure taken to help protect the health and safety 
of individuals, and to mitigate the transmission of COVID-19. See FCC 
Announces Closure of FCC Headquarters Open Window and Change in Hand-
Delivery Policy, Public Notice, DA 20-304 (March 19, 2020). https://www.fcc.gov/document/fcc-closes-headquarters-open-window-and-changes-hand-delivery-policy.
    Ex Parte Rules--Permit but Disclose. Pursuant to section 1.1200(a) 
of the Commission's rules, this Further Notice of Proposed Rulemaking 
shall be treated as a ``permit-but-disclose'' proceeding in accordance 
with the Commission's ex parte rules. Persons making ex parte 
presentations must file a copy of any written presentation or a 
memorandum summarizing any oral presentation within two business days 
after the presentation (unless a different deadline applicable to the 
Sunshine period applies). Persons making oral ex parte presentations 
are reminded that memoranda summarizing the presentation must (1) list 
all persons attending or otherwise participating in the meeting at 
which the ex parte presentation was made, and (2) summarize all data 
presented and arguments made during the presentation. If the 
presentation consisted in whole or in part of the presentation of data 
or arguments already reflected in the presenter's written comments, 
memoranda, or other filings in the proceeding, the presenter may 
provide citations to such data or arguments in his or her prior 
comments, memoranda, or other filings (specifying the relevant page 
and/or paragraph numbers where such data or arguments can be found) in 
lieu of summarizing them in the memorandum. Documents shown or given to 
Commission staff during ex parte meetings are deemed to be written ex 
parte presentations and must be filed consistent with rule 1.1206(b). 
In proceedings governed by rule 1.49(f) or for which the Commission has 
made available a method of electronic filing, written ex parte 
presentations and memoranda summarizing oral ex parte presentations, 
and all attachments thereto, must be filed through the electronic 
comment filing system available for that proceeding, and must be filed 
in their native format (e.g., .doc, .xml, .ppt, searchable .pdf). 
Participants in this proceeding should familiarize themselves with the 
Commission's ex parte rules.

FOR FURTHER INFORMATION CONTACT: Jamie Coleman, Office of Engineering 
and Technology, 202-418-2705, [email protected].

Synopsis

Further Notice on Part 2 Equipment Authorization

    In this Further Notice of Proposed Rulemaking (Further Notice or 
FNPRM), the Commission seeks further comment on some of the issues the 
Commission raised in the Notice of Proposed Rulemaking of ET Docket No. 
21-232 and EA Docket No. 21-233 (NPRM) (86 FR 4664) regarding revisions 
to the part 2 equipment authorization rules to prohibit authorization 
of equipment that has been determined to pose an unacceptable risk to 
national security. The Commission also invites comment on additional 
issues that have been raised with the establishment of the Commission's 
revised rules and approach in the Report and Order of this proceeding 
88 FR 7592. The Commission encourages commenters and other interested 
parties to submit further comments on these or other issues related to 
revisions to the equipment authorization process to address the 
prohibition on authorization of equipment on the Covered List.

Component Parts

    In the Report and Order, the Commission adopted requirements for 
applicants for equipment certification and responsible parties 
authorizing equipment via the Supplier's Declaration of Conformity 
(SDoC) process to make attestations that the equipment for which 
authorization is sought is not ``covered'' equipment. The Commission is 
not, however, requiring at this time that these attestations address 
the individual component part(s) contained within the subject 
equipment. As discussed in the Report and Order, several commenters 
raised various concerns regarding potential practical complications and 
difficulties that could result from inclusion of component parts within 
the scope of the prohibition. In this Further Notice, the Commission 
seeks to address these concerns as the Commission further considers 
issues concerning component parts with regard to prohibitions on 
authorization of ``covered'' equipment.
    In seeking comment on component parts, the Commission notes at the 
outset that it believes that certain component parts produced by 
entities identified on the Covered List, if included in finished 
products, could potentially pose an unacceptable national security 
risk, similar to the security risk posed by the ``covered'' equipment 
that the Commission is now prohibiting from authorization. Similarly, 
Congress, in establishing the Reimbursement Program under the Secure 
Networks Act, shared the same concerns. It required that Huawei 
Technologies Company (Huawei) and ZTE Corporation (ZTE) equipment be 
destroyed as part of the rip and replace process, indicating that even 
components of untrusted and insecure equipment could pose a danger to 
the United States. In the Reimbursement Program, consistent with 
Congressional guidance, the Commission required that categories of 
equipment that include components that process data be destroyed so 
they do not get reused and continue to pose a risk. Given the challenge 
to protect against component parts that pose the same risk as covered 
equipment, the Commission endeavors to ensure that equipment that 
includes component parts that pose an unacceptable risk to national 
security also be prohibited from authorization. In this Further Notice, 
the Commission seeks comment to help identify such component parts and 
to consider how the Commission might best ensure prohibiting 
authorization of equipment that includes such components. In 
particular, the Commission seeks comment on whether and how individual 
component parts may need to be factored into decisions regarding 
authorizing equipment. This raises

[[Page 14314]]

several issues that need to be more carefully evaluated to determine 
whether equipment with certain component parts should be considered 
``covered'' equipment and thus prohibited from authorization. The 
Commission also recognizes that one complication is that many part 2 
equipment authorization rules and part 15 rules reference 
``components,'' but they do so in a variety of different contexts, and 
there is no single or consistent meaning of the term in the 
Commission's rules.
    The Commission seeks comment about the extent to which component 
parts should be considered as the Commission implements its prohibition 
on ``covered'' equipment in its equipment authorization program. As the 
Commission considers how component parts should be treated in this 
process, the Commission notes that establishing a prohibition that 
includes considering component parts could require changes to the 
Commission's existing equipment authorization application process, 
which does not currently capture detailed information about the source 
of components that make up such equipment. As this proceeding examines 
the equipment authorization process, which is the gateway for equipment 
entering the U.S. marketplace with potential to ultimately become part 
of a telecommunication system or network, the Commission believes it is 
within the purview of the statute and the Commission's duty to address 
all equipment on the Covered List, including component parts of devices 
where the inclusion of such component parts would render the equipment 
``covered.'' The Commission seeks comment on this view.
    In seeking comment on how the Commission should address component 
parts with respect to the prohibition on authorization of ``covered'' 
equipment, the Commission also invites comment on how best to address 
the concerns previously raised by commenters regarding component parts. 
These concerns include what the Commission would consider to be 
component parts for purposes of implementing any potential prohibition 
on equipment authorizations that include such parts, including the 
extent to which only some types of component parts, or all such parts, 
should be considered. The Commission also seeks comment on practical 
considerations that would be involved with extending the prohibition to 
include component parts, including the requirements placed on 
applicants for equipment authorizations to identify any particular 
components.
    As discussed above, in implementing the Secure Networks Act with 
regard to the Reimbursement Program, the Commission determined that 
categories of equipment that include components that process and retain 
data, or that process data, be destroyed so they do not get reused and 
continue to pose a risk. As the Commission considers how to address 
components in this proceeding, the Commission seeks comment on whether 
the Commission should attempt to identify ranges of components based on 
their risk assessment. For example, similar to the Reimbursement 
Program, does equipment that includes components that process and 
retain data, or that even process data, produced by entities identified 
on the Covered List, pose too much of a risk to the United States and 
its people to be authorized?
    In proposing to include component parts within the scope of 
``covered'' equipment in the NPRM, the Commission did not define the 
term and referred to both ``components'' and ``component parts.'' To 
ensure that equipment manufacturers, importers, assemblers, FCC-
recognized Telecommunications Certification Bodies (TCBs), and other 
parties associated with the Commission's equipment authorization 
program are clear as to what equipment may be impacted by a prohibition 
on component parts from entities on the Covered List, the Commission 
would need to first develop and provide guidance on what component 
parts would need to be considered.
    At a high level, the Commission notes that it permits modules as 
well as composite systems (or devices) to obtain equipment 
certification. A module generally consists of a completely self-
contained transmitter that is missing only an input signal and power 
source to make it functional. Modules are designed to be incorporated 
into another device such as a personal computer. The advantage of using 
modules is that a transmitter with a modular grant can be installed in 
different end-user products (or hosts) by the grantee or other 
equipment manufacturer without the need for additional testing or a new 
equipment authorization for the transmitter. A composite system 
incorporates different devices contained within a single enclosure or 
in separate enclosures connected by wire or cable. A single equipment 
authorization application may be filed for a composite system that 
incorporates devices (including modules) subject to certification under 
multiple rule parts. Commission rules are flexible regarding the types 
of equipment that can be certified as modules and then incorporated 
into another device with no further action from the Commission and 
composite systems that could contain components (in this case a 
device). Telecommunications equipment or video surveillance equipment 
could contain one or more modules or could be assembled as a composite 
system and contain equipment produced by any of the entities (or their 
respective subsidiaries or affiliates) specified on the Covered List.
    To ensure compliance with the prohibition on authorization of 
equipment identified on the Covered List, the Commission seeks comment 
on whether it should require that applicants or responsible parties, as 
applicable, obtain a separate equipment certification for any device 
that contains a module produced by any of the entities (or their 
respective subsidiaries or affiliates) specified on the Covered List. 
If the Commission were to adopt such a requirement, the Commission 
seeks comment as to how it should be applied. Should the Commission 
require that devices that incorporate previously-certified modules 
produced by any of the entities (or their subsidiaries or affiliates) 
on the Covered List would need to obtain a separate equipment 
authorization and certify that the device is not ``covered'' equipment? 
The Commission seeks comment on this view. Would such actions be 
sufficient to ensure against the availability of equipment containing 
modules that could present a security risk? Would a policy of requiring 
certain devices containing modules to go through the certification 
process and the associated attestation requirement adopted in the 
Report and Order, strike the right balance between providing the same 
flexibility for delivering products to the American public as is 
available today for most devices containing modules, while adding 
additional oversight on devices that could potentially be a security 
risk? What additional costs in terms of time or money would such a 
policy impose on device developers? What other approaches could be used 
to ensure devices containing modules do not cause a security risk to 
the United States and its citizens?
    Similarly, because a composite system could be assembled by a third 
party and incorporate multiple devices including devices produced by 
any of the entities (or their respective subsidiaries or affiliates) 
specified on the Covered List, the Commission seeks comment on how to 
treat composite systems. First, recognizing that a composite system 
could contain only already-certified

[[Page 14315]]

modules, the Commission seeks comment on treating them in the same 
manner described above for modules. That is, if any module in such a 
device is produced by any of the entities (or their respective 
subsidiaries or affiliates) specified on the Covered List, that device 
would be required to obtain a separate certification (including the 
attestation requirement adopted in the Report and Order stating that 
the composite system does not contain any ``covered'' equipment). The 
Commission seeks comment on this approach. Second, in cases where a 
composite system contains only devices that on their own would require 
certification or a mix of such devices and already approved modules, 
the Commission notes that the rules already required such devices to 
obtain a separate certification. Because such devices can be assembled 
by parties other than the original device manufacturer, the Commission 
seeks comment on requiring the attestation the Commission adopted in 
the Report and Order to affirmatively state that none of the devices 
that comprise the composite system are on the Covered List. The 
Commission does not believe such a requirement would impose any cost or 
undue burden on equipment certification applicants as such a 
requirement would be consistent with the requirements adopted in the 
Report and Order. The Commission seeks comment on this approach. The 
Commission also seeks comment on other approaches to dealing with 
composite systems in the certification process to ensure that such 
devices do not pose a security risk to the United States and its 
citizens.
    The Commission also seeks comment on other broad approaches that 
could appropriately address concerns about component parts in the 
Commission's equipment authorization program. For instance, if 
equipment includes any component parts that could be authorized on a 
standalone basis, and such a component on its own would be considered 
``covered'' equipment prohibited from authorization, then the equipment 
would be deemed ``covered'' equipment and thus prohibited from 
obtaining an equipment authorization. In addition, the Commission notes 
that if any determinations about ``covered'' equipment made by any 
enumerated source pursuant to the Secure Networks Act includes 
component parts, then this too would mean that equipment that includes 
such component parts would be ``covered'' equipment for purposes of the 
Commission's prohibition. The Commission seeks comment on this as well.
    The Commission believes that dealing with component parts as 
described above is relatively straightforward. However, focusing on 
component parts at a more granular level, i.e., looking at all of the 
individual component parts that might be used to assemble a final 
device, would be more complicated. In the record of the NPRM, several 
commenters contend that, for purposes of prohibiting authorization of 
``covered'' equipment, many component parts would not raise security 
concerns. The Commission invites comment, including specific comment on 
whether certain types of component parts potentially raise such a 
concern, while others do not. For example, do passive electronic 
components such as resistors, diodes, inductors, etc., pose a security 
risk by themselves? Do random access memory (RAM) chips, whose stored 
data is lost once power is disconnected or turned off, or components 
that comprise the bus, whose function is solely to link input and 
output ports, pose any security risk? Should the Commission focus 
instead on those components that have the ability to examine data 
traffic and route such traffic or provide the instructions to do so, or 
might otherwise pose an unacceptable risk to national security? The 
Commission includes here read only memory (ROM), flash memory, the 
central processing unit (CPU) or any other processor within the device, 
and the input and output ports (as they may be able to carry out 
routing functions). Should the Commission be concerned about 
semiconductors? Do commenters think that the Commission should consider 
rules regarding other component parts and if so, what rules would be 
appropriate? Should the Commission here be guided by the Reimbursement 
Program and, rather than try to identify every type of component, 
simply prohibit authorization of components that process and/or retain 
data? Notwithstanding any specific method of addressing these component 
parts within the equipment authorization process as described below, 
the Commission seeks comment on any overall approach to separating out 
component parts of interest that could pose a security risk versus 
component parts that do not. Does equipment need to be examined down to 
this level to ensure compliance with the prohibition on authorization 
of communications equipment that poses an unacceptable risk to national 
security under the Secure Networks Act? Should equipment that contains 
certain component parts produced by any of the entities listed on the 
Covered List be considered ``covered''? If the Commission were to adopt 
rules to address component parts, what types of components may need to 
be considered as posing an unacceptable security risk? Commenters also 
should explain the reasons that particular component(s) would create an 
unacceptable risk. For example, should such components be limited to 
only those able to examine and route data or execute certain functions 
on an incoming or outgoing data stream? Would the Commission need to 
specifically define the components of interest in its rules or would a 
descriptive statement suffice? For example, would it be sufficient to 
specify that any component part within a device that is capable of 
examining an incoming or outgoing data stream and performing routing 
functions would fall under the umbrella of component parts of interest 
within the equipment?
    In addition to categorizing the component parts that may be of 
interest when determining whether certain equipment should be 
considered covered equipment, the Commission seeks comment on how any 
identified component parts would be addressed in the equipment 
authorization process, both for certified devices and devices 
authorized through the SDoC process. Because parties seeking an 
equipment authorization must attest that the equipment in question is 
not ``covered'' equipment, how would a manufacturer, assembler, or 
other entity ascertain whether the components in question could result 
in their intended end product being ``covered'' equipment? Could an 
end-product produced or assembled by an entity not identified on the 
Covered List become ``covered'' equipment if it includes certain 
components produced by any entity identified on the Covered List? 
Should entities producing or assembling end products themselves obtain 
statements from their suppliers that certain components within any 
products obtained for inclusion in a Commission-regulated end product 
for the U.S. market do not contain components that are covered 
equipment or that could result in a device being classified as 
``covered'' equipment? If so, should such statements be required to be 
provided in the authorization process, and/or available to the 
Commission upon request? What criteria could be used to decide when 
such equipment should be considered ``covered'' equipment? Are there 
objective standards for determining when a final

[[Page 14316]]

product produced by an entity not identified on the Covered List that 
contains at least one component part produced by an entity named on the 
Covered List (or any of its affiliates or subsidiaries) is considered 
to be ``covered'' equipment? To what extent must the applicant for 
equipment certification be responsible for knowing whether any 
component part of its equipment was produced by any entity identified 
on the Covered List?
    Elsewhere within the federal government, pursuant to E.O. 13873, 
efforts are underway to address the national security risks stemming 
from vulnerabilities in information and communications technology (ICT) 
hardware, software, and services. Among these efforts, the 
Cybersecurity & Infrastructure Security Agency (CISA) established the 
ICT supply chain risk management (SCRM) Task Force, which is working on 
developing a taxonomy of a ``hardware bill of materials'' that can be 
used when procuring ICT products (e.g., an inventory of elements that 
makes up a particular piece of equipment) as well as a ``software bill 
of materials.'' The Task Force's efforts potentially could provide 
guidance and certainty in the equipment authorization process as to 
whether a piece of equipment complies with the Commission's rules. 
Should the Commission work with this Task Force to identify potential 
solutions to the lack of awareness of equipment components? How should 
this Task Force inform the Commission's potential treatment of 
component parts in its equipment authorization process? Should the 
Commission consider an applicant's exercise of reasonable diligence in 
seeking to determine whether the equipment includes a component part 
that potentially raises national security concerns be sufficient for 
purposes of its attestation about whether the equipment is ``covered''? 
What other steps could an applicant take to ensure that all component 
parts comply with the Commission's rules? What specific attestation 
should the Commission require? Would an attestation that the device is 
not ``covered'' equipment be sufficient, and should the attestation 
include more specific information about component parts? What 
additional information should an entity provide to a TCB along with the 
application for certification or retain with records for SDoC 
authorizations? How can the Commission ensure that any action on 
components that it takes falls within the whole-of-government approach 
toward network and United States security?
    The Commission seeks comment on each of these questions, and also 
on the overarching questions of the impact on both equipment security 
and the economy of considering component parts in the Commission's 
analysis of ``covered'' equipment. Specifically, the Commission seeks 
comment and data on the quantity and market share of entities on the 
Covered List in supplying modules or other devices for products 
intended for sale in the U.S. market, including composite devices as 
well as component parts as described above. The Commission further 
seeks comment, and encourages commenters to provide data, on the 
availability and costs of substitute modules, devices, and component 
parts from suppliers that are not identified on the Covered List, as 
well as the average lifespan/product cycle of affected final products. 
In the case that a component part may be identified as ``covered'' 
equipment, the Commission seeks comment on the feasibility and costs of 
replacing such component part. Would taking account of component parts 
broadly to include modules, devices, and the building block parts that 
make up a device produce an overall net positive benefit, taking into 
account both equipment security and economic impact? Is there a 
particular approach to identifying component parts that would maximize 
net benefits, such as focusing only on those component parts or type of 
parts that have been determined as posing an unacceptable risk to 
national security or the security and safety of U.S. persons?

Revocation of Existing Equipment Authorizations Involving ``Covered'' 
Equipment

    In the NPRM, the Commission sought comment on the extent to which 
the Commission should revoke any existing equipment authorization if it 
adopted rules to prohibit future authorization of ``covered'' 
equipment. In the Report and Order, the Commission concluded that it 
has the existing authority to revoke such authorizations, including 
those granted prior to adoption of the Report and Order. With regard to 
revocation of any existing authorizations of ``covered'' equipment, in 
the NPRM the Commission did not propose to revoke any existing 
authorizations (and does not do so in this Report and Order), but 
instead sought comment on whether there are particular circumstances 
that would merit revocation of specific equipment, and if so, the 
procedures that should apply (including possible revisions to those 
procedures).
    In the NPRM, the Commission sought comment on what particular 
circumstances would merit Commission action to revoke any existing 
authorization of ``covered'' equipment. To the extent revocation of any 
``covered'' equipment might be appropriate, the Commission inquired 
about whether there was some process in which the Commission should 
engage to help identify particular equipment that should be considered 
for revocation. The Commission recognized that, in many situations, the 
revocation of any particular equipment might benefit from an 
appropriate and reasonable transition period for removing the 
equipment, but also sought comment on whether any situations might 
merit immediate compliance with a revocation. Further, the Commission 
sought comment on appropriate enforcement policies that should be 
associated with any revocation, including whether any monetary 
penalties should be considered. The Commission also inquired whether 
any educational or outreach efforts should be undertaken in the event 
of any equipment revocation. In addition, the Commission also asked 
about the specific procedures that the Commission should use if it were 
to seek to revoke any existing authorization of ``covered'' equipment. 
In particular, it noted that the existing procedures for revocation of 
equipment authorizations, as set forth in section 2.939(b), are the 
same procedures as for revocation of radio station licenses, which 
include several involved steps and procedures (e.g., Commission order 
to show cause, and opportunity for a hearing). The Commission sought 
comment on whether these extensive procedures would be appropriate 
considering that ``covered'' equipment has been determined to pose an 
unacceptable risk to national security.
    As the Commission noted in the Report and Order, commenters raised 
a range of concerns about whether the Commission should revoke any 
existing authorizations of ``covered'' equipment, and the Commission 
seeks further comment here on the issues the Commission raised in the 
NPRM on this topic. The Commission's further consideration here also 
complies with the Secure Equipment Act, in which Congress recognized 
the Commission's authority to examine the necessity for review and 
possible revocation of previously existing equipment authorizations 
and/or to consider the Commission's rules providing for possible 
revocation of previously granted equipment authorizations. The 
Commission uses this Further Notice to further explore the issues 
concerning equipment authorization revocation

[[Page 14317]]

with respect to ``covered'' equipment authorized prior to the 
Commission's adoption of a prohibition on authorization of such 
equipment, and to expand the record on this topic, particularly in 
light of the actions taken and guidance provided in the Report and 
Order.
    Scope of revocation. In the NPRM, the Commission sought comment on 
whether, following adoption of the rules in the Report and Order, it 
should consider revoking any existing authorizations involving 
``covered'' equipment. Many commenters generally oppose action by the 
Commission to revoke existing authorizations of ``covered'' equipment, 
however worthy the security goal, expressing various concerns such as 
the potential for adverse impact to consumers and the supply chain. 
Others advocated that the Commission should revoke authorizations if 
the equipment would now be considered ``covered'' equipment. The 
Commission seeks comment on the scope of possible revocation of 
existing authorizations that it should consider, and whether there 
might be situations that would warrant revocation in certain 
circumstances.
    Identification of devices that possibly should be revoked. In 
considering whether any existing equipment authorizations of 
``covered'' equipment should be revoked, the Commission in the NPRM 
sought comment on whether there should be some process in which the 
Commission should engage to identify particular equipment 
authorizations that should be considered for revocation. It invited 
commenters to suggest such a process. The Commission also asked whether 
it should rely on outside parties' reports in its considerations. The 
Commission recognized the need to avoid taking any actions that would 
be overbroad in terms of affecting users of the previously-authorized 
equipment or would require removal of this equipment faster than it 
reasonably can be replaced.
    The Commission now seeks further comment on whether there should be 
some process for identifying particular ``covered'' equipment whose 
authorization should be revoked because its continued authorization 
poses an unacceptable risk to national security. The Commission notes 
that it previously has authorized equipment produced by the companies 
producing equipment on the current Covered List, and the Commission 
anticipates that additional equipment produced by other companies may 
be determined to pose an unacceptable risk to national security and 
added to the Covered List as that list is updated in the future. How 
might the Commission or others identify existing authorizations among 
these if considering whether some of this equipment might merit 
revocation? Are there any specific cases of equipment that might merit 
immediate revocation? To what extent should the risk of such equipment 
to national security be considered, and how could such risk be 
evaluated? What are the benefits of eliminating this risk and the 
associated costs of revoking equipment necessary to eliminate this 
risk? The Commission concludes that it has the authority, as affirmed 
by Congress in the Secure Equipment Act, to consider the necessity to 
review or revoke an existing authorization of ``covered'' equipment 
approved prior to adoption of the Report and Order, and that it has 
such authority to consider such action without considering additional 
rules providing for any such review or revocation of existing 
authorizations. Considering the potential risk to national security 
concern, should the Commission consider revoking all authorizations of 
``covered'' equipment, and if so how would such a potential revocation 
be implemented given the wide variety of existing authorizations? Also, 
to what extent should revocation of any particular equipment depend on 
establishment of a reimbursement program?
    Considerations related to revocation of existing authorizations. In 
the event the Commission conclude that revocation of an equipment 
authorization may be appropriate, the Commission notes that such 
revocation might take different shapes. For instance, the revocation 
potentially could go so far as to involve not only prohibiting the 
future manufacture, importation, marketing, and sale of specified 
devices, but also requiring that the equipment no longer be used. On 
the other hand, the revocation of an existing authorization could 
conceivably be partial and limited, such as a revocation of an existing 
authorization that could, at some time in the future, preclude further 
importation, marketing, or sale of the affected equipment.
    The Commission sought comment in the NPRM on the appropriate and 
reasonable transition period that may be necessary if the Commission 
decides to revoke an existing authorization. The Commission now 
requests additional comment on determining an appropriate transition 
period and whether and how that might depend on the scope of the 
revocation and the particular equipment involved. Should the Commission 
provide a suitable amortization period for equipment already in the 
hands of users? To what extent might the expected life-cycle of the 
equipment be taken into account? Pursuant to section 2.939(c), which 
provides for the revocation of any equipment authorization in the event 
of changes in its technical standards, the Commission previously sought 
comment on the provision of a suitable amortization period for 
equipment already in the hands of users or in the manufacturing 
process, and invites further comment here.
    The Commission also seeks comment on the extent to which issues 
related to the supply chain and consumer-related concerns might figure 
in the Commission's considerations. How might the Commission evaluate 
supply chain issues in its consideration of whether to revoke an 
existing authorization, and what information and data (e.g., number of 
devices, market share, substitutes, and prices) might be useful to such 
a consideration?
    How should consumer-related concerns be factored in? In its 
comments on the NPRM, CTIA raises concerns relating to consumers. CTIA 
states that revoking existing authorizations for consumer products 
without a mechanism for removing them from the market would create 
significant confusion for consumers and could pass significant costs on 
to consumers who would presumably be placed in the difficult position 
of needing to replace newly-unauthorized devices. CTIA further argues 
that building a mechanism to remove retroactively de-authorized devices 
from the market would be complex and would need to consider how 
consumers would be made aware of the need to replace devices.
    As noted above, there could be more than one type of revocation of 
existing equipment authorizations. Many commenters express concerns in 
the event the Commission revoked an existing authorization and required 
users to stop using that equipment. The Commission also might consider 
a kind of partial revocation of an existing authorization, such as in 
the case in which, at some specified date in the future, the 
importation, sale, or marketing of equipment that had previously been 
authorized could be prohibited. Such an action could eliminate any 
costs on users that would be associated with a requirement that 
existing equipment be replaced, while also promoting national security 
by preventing further purchasing and use of ``covered'' equipment that 
has been determined to pose an unacceptable risk

[[Page 14318]]

to national security. The Commission seeks comment on the market impact 
of various types of revocation mentioned above, including estimates of 
the impact on costs and availability of equipment. The Commission also 
seeks comment on how the transition period for any such revocation 
affect the costs of revocation and availability of equipment.
    To what extent should the time at which the equipment authorization 
was initially granted be a factor? For instance, in its comments on the 
NPRM, IPVM contends that, to the extent that some equipment that could 
no longer be authorized under the rules and procedures adopted in the 
Report and Order may only recently have been authorized (such as in the 
months immediately before adoption of the new rules), it would be 
reasonable for the Commission to revoke such authorizations; IPVM notes 
that in these cases revocation of the equipment would have minimal 
impact on American end-users because most of these products have not 
yet been widely sold or installed. The Commission seeks comment, 
including on the extent to which ``covered'' equipment has been 
authorized recently (e.g., after issuance of the NPRM, or at any time 
before the effective date of the rules adopted in the Report and Order. 
Alternatively, to the extent that the equipment was authorized many 
years ago and has surpassed its expected life-cycle, might that be more 
reasonable grounds for the Commission to revoke the authorization?
    Also, the Commission notes that there might be other alternatives 
to that of requiring complete revocation of an authorization. For 
instance, might there be measures, such as requiring the particular 
components of equipment be replaced or certain security patches be 
implemented, that might avoid the need to replace equipment that had 
been previously authorized? If so, how would such an approach be 
implemented? Should the estimated costs associated with these 
alternative measures be taken into account? If so, the Commission seeks 
comment and quantitative data associated with the costs of the 
alternative measures. Finally, the Commission requests any additional 
thoughts on other considerations that the Commission should take into 
account with regard to potential revocation of particular existing 
authorizations.
    Procedures for revocation. In the NPRM, the Commission asked 
whether the Commission should revise or clarify the existing processes 
for revocation set forth in section 2.939(b) with regard to existing 
authorizations of ``covered'' equipment, given that the equipment has 
been determined to pose an unacceptable risk to national security. 
Under section 2.939(b), the procedures for revoking an equipment 
authorization are the same procedures as revoking a radio station 
license under section 312 of the Communications Act. Section 2.939(b) 
requires that revocation of an equipment authorization must be made in 
the ``same manner as revocation of radio station licenses,'' and thus 
generally would include the requirement that the Commission serves the 
grantee/responsible party with an order to show cause why revocation 
should not be issued and must provide that party with an opportunity 
for a hearing. As discussed in the Report and Order, however, applying 
section 312's procedures to revocation of equipment authorizations is 
not statutorily required.
    In its comments on the NPRM, Hytera recommends that, if the 
Commission pursues revocation of existing authorizations, it should 
provide full and complete due process protections for the holders of 
the authorizations as spelled out in section 2.939(b). The Commission 
notes that Huawei, Dahua, and Hikvision also object to any revocation 
of existing equipment authorizations premised on potential 
constitutional claims related to due process. In considering the 
serious concerns surrounding equipment on the Covered List, the 
Commission seeks additional comment on the potential for expedited or 
otherwise different procedures for revocation of ``covered'' equipment. 
The Commission seeks comment on the necessity for section 312 
procedures, which apply to the revocation of a ``station license or 
construction permit'' as defined in the Act, to apply with respect to 
revocation of any existing ``covered'' equipment. Should the process 
the Commission adopts in new rule 2.939(d) apply more broadly to 
existing equipment authorization revocations? The Commission also seeks 
comment on the scope of any due process or other constitutional 
requirements for such revocation procedures.
    Enforcement. In the NPRM, the Commission sought comment on 
enforcement issues that could arise if the Commission revoked equipment 
authorizations. It noted that, pursuant to section 503(b)(5) of the 
Act, the Commission must first issue citations against non-regulatees 
for violations of FCC rules before proposing any monetary penalties. 
Such citations ``provide notice to parties that one or more actions 
violate the Act and/or the FCC's rules--and that they could face a 
monetary forfeiture if the conduct continues.'' In contrast, pursuant 
to section 503(b)(1)(A) of the Act, the Commission may assess a 
monetary forfeiture against grantees for violations of the Commission's 
rules without first issuing a citation. Therefore, the Commission may 
take enforcement action against a grantee who continues to market 
equipment after the authorization for that equipment has been revoked. 
The Commission also notes that third party suppliers, importers, 
retailers, and end users (i.e., non-regulatees), who are not Commission 
regulatees, may not be aware that they are subject to Commission rules. 
Similarly, such non-regulatees may not be aware when equipment they 
market or use has been revoked by the Commission.
    The Commission seeks comment on the best enforcement mechanisms the 
Commission should employ to swiftly curb the potential for post-
revocation equipment marketing or use by such parties. Are there 
obligations that could be imposed on grantees or responsible parties 
that would help alleviate these concerns? The Commission also seeks 
comment on how it might revise its rules or work with federal partners 
and the communications industry to address existing ``covered'' 
equipment that may be in the marketplace post-revocation without 
adversely affecting consumers and others downstream in the supply 
chain. The Commission seeks further comment on these issues, as well as 
any comment that could help the Commission enforce the requirements 
imposed following revocation, such as an appropriate enforcement policy 
for the continued marketing, sale, or operation of equipment if the 
revocation involves a transition period.
    Other revisions. The Commission again requests comment on whether 
it should make any other revisions to section 2.939 that would address 
revocation of ``covered'' equipment. Should specific provisions be 
included that focus on revocation of equipment that involve the types 
of equipment prohibited based on an unacceptable risk to national 
security? Do these concerns merit particular procedures commensurate 
with the risk to national security? If so, the Commission asks that 
commenters provide details and explain the rationale with the 
suggestions.
    Outreach. In the NPRM, the Commission asked about whether it should 
undertake any educational and outreach efforts to inform the public 
regarding any revocations of ``covered'' equipment that may be made, 
such as regarding the legal effect of revocations. The Commission did 
not receive any

[[Page 14319]]

comments on this particular question and again invites comment on this 
issue.

Supply Chain Considerations

    In commenting on the proposals in the NPRM, some commenters ask 
whether, in the event that there are additions of ``covered'' equipment 
to the Covered List, the Commission should consider the potential 
impact of certain prohibitions where immediate implementation of a 
prohibition could result in supply chain problems. For instance, Drone 
Deploy expresses concerns that certain equipment used by U.S. 
businesses may be produced by only a few suppliers, and that in the 
event that equipment from such suppliers is placed on the Covered List, 
urges the Commission to consider providing clear market signaling and 
adequate notice before such a prohibition on authorization takes 
effect, so as not to harm US businesses. Drone Deploy further asks that 
the Commission work with other federal agencies in promoting the 
development of alternatives to equipment that may ultimately be added 
to the Covered List and to consider the market realities and ensure 
that adequate alternatives exist before restrictions on authorizations 
take effect. The Commission seeks comment on whether it should, in 
certain instances, take into account how the prohibition of particular 
``covered'' equipment, and if such a prohibition could, if implemented 
immediately without sufficient advance notice or opportunity for the 
development of alternative sources of equipment, have a deleterious 
effect on the public interest.

United States Point of Presence Concerning Certified Equipment

    In seeking comment in the NPRM on actions that the Commission 
should take that would better ensure compliance with, and enforcement 
of, Commission rules, the Commission proposed requiring that the party 
responsible for compliance with the Commission's certified equipment 
rules have a party located within the United States that would be 
responsible for compliance, akin to the current requirement applicable 
for equipment authorized through the SDoC process. The Commission 
observed that if there were a responsible party for certified equipment 
that has a physical presence in the United States, this would allow the 
Commission to conduct timely investigations and readily take effective 
enforcement action in instances of noncompliance, including 
noncompliance with the requirements promulgated in this proceeding. 
Only one commenter provided directly addressed comment in response to 
the Commission's proposal, supporting the identification of a U.S.-
based responsible party.
    The Commission continues to believe that it is important to 
facilitate enforcement of the Commission's rules and that requiring a 
U.S.-based responsible party for certified equipment would represent a 
significant step in achieving this goal. The Commission's actions in 
this proceeding to prohibit future authorization of ``covered'' 
equipment that poses an unacceptable risk to national security 
underscore the need for effective enforcement of applicable rules 
associated with certified equipment. Many certified devices that are 
imported to and marketed in the United States are manufactured in 
foreign countries and grantees of equipment authorizations with those 
devices are located outside of the United States. It can be difficult 
to effectively communicate with grantees, particularly foreign-based 
grantees, to engage in relevant inquiries, determine compliance, or 
enforce the Commission's rules when appropriate. Accordingly, it is 
important to have a reliable and effective means by which the 
Commission can readily identify and directly engage the grantee of an 
FCC equipment certification, which would be facilitated by requiring a 
U.S.-based presence for associated with certified equipment.
    Under the current equipment certification rules set forth in 
section 2.909(a), the grantee obtaining the certification is the 
responsible party, and the only party responsible for compliance with 
applicable Commission requirements concerning that equipment. Requiring 
that, for certified equipment, there be a responsible party in the 
United States, would require revisions to the Commission's rules. In 
the NPRM, the Commission proposed adopting a general requirement that 
all applicants for equipment certification have a responsible party 
located in the United States, which could help ensure compliance with 
appliable Commission rules regarding the authorized equipment. At a 
minimum, such a requirement would require that any grantee that resides 
outside the United States to designate a party located within the 
United States that would have legal responsibility concerning 
compliance with such rules.
    The Commission requests comment on the appropriate approach to 
implementing a U.S.-based responsible party requirement, as well as the 
details of implementing the approach in the Commission's rules. The 
Commission believes that it remains important that the grantee of the 
equipment authorization always be a responsible party for ensuring 
compliance under the Commission's rules, as this helps ensure that 
there are a wide range of tools available to the Commission that can be 
leveraged with respect to the grantee to help promote compliance. If 
the grantee continues to be a responsible party, but is not located in 
the United States and therefore names a separate entity located in the 
United States as a responsible party, how would this affect the 
Commission's goal of promoting compliance? Would this result in there 
being two responsible parties? Under this approach, what would be the 
relationship between the U.S.-based responsible party and the grantee, 
and should the Commission impose certain minimal requirements on that 
relationship? Would the grantee and the U.S.-located responsible party 
act as a co-equal in responsibility for compliance? Would both the 
applicant (if foreign-based) and designated U.S.-based responsible 
party have to attest and sign the FCC Form 731 application for 
equipment certification or would a single attestation be sufficient?
    Should the Commission revise section 2.909(a) concerning the 
responsible party for certified equipment to more closely align with 
the approach concerning responsible parties set forth in section 
2.909(b), i.e., the rule already in place for equipment authorized 
under the SDoC process? Are there important differences between 
certified equipment and SDoC-authorized equipment that should be taken 
into consideration as the Commission considers requiring a U.S. point 
of presence for certified equipment? Under the SDoC approach, the 
responsible party must be located in the United States, and could be, 
depending on the situation, the manufacturer, the assembler, the 
importer, or the retailer. Specifically, the Commission notes that 
under 2.909(b), if the manufacturer or assembler of the equipment is 
not located in the United States, and the equipment is imported, the 
importer of the equipment would be the responsible party unless the 
retailer(s) in the U.S. enter into agreement(s) with the importer or 
manufacturer (or assembler) to become the new responsible party. The 
Commission seeks comment on the extent to which a similar approach 
should be adopted for certified equipment. Should the Commission 
consider requiring that the importer, the retailer, the distributor, or 
some other entity be the U.S.-located responsible

[[Page 14320]]

party? Should there only be one U.S.-located responsible party 
permitted? The Commission seeks comment on these issues and the rules 
and implementation details that commenters request that the Commission 
consider.
    If the Commission requires a U.S.-located responsible party, how 
does the Commission ensure that any designated U.S.-based responsible 
party has the requisite qualifications, necessary organizational or 
corporate authority, capabilities, abilities and connection to the 
grantee to enable it to appropriately and fully respond to Commission 
inquiries and remedy violations of the Act and the Commission's rules? 
Should the Commission, for instance, require there be a formal 
agreement between the responsible party and the grantee? Should the 
Commission specify a particular status for the U.S.-based responsible 
party (i.e., a citizen, a lawful resident, etc.)? What minimum criteria 
should the Commission consider for a U.S.-based responsible party's 
physical presence in the United States? Should the Commission require 
some form of financial security to ensure the Commission's ability to 
enforce its rules? How should the Commission collect and maintain 
information on any designated responsible party, through the TCB or 
directly with the Commission? What requirements are needed to ensure 
the grantee and/or the U.S.-based responsible party keeps its contact 
information up-to-date with the Commission? The Commission notes that 
these possible procedures could require updating FCC Form 731 and the 
Commission-maintained equipment authorization system (EAS) database 
procedures to address this additional entry and require necessary 
updating if there are any subsequent changes.
    If the Commission adopts a requirement to have a U.S.-based 
responsible, is there any reason for the U.S.-based responsible party 
to be the same designee as the U.S.-based entity for service of process 
required by section 2.911(d)(7), or should they be different designees? 
In order to effectuate enforcement over time, should the grantee be 
required to maintain a U.S.-based responsible party for a certain 
period of time after the grantee ceases marketing the device? Finally, 
as the Commission considers which approach to take, the Commission 
seeks comment on the burdens placed on applicants and the TCBs in 
implementing the appropriate approach.

Other Issues

    Now that the Commission's revised rules and approach have been 
established in the Report and Order, commenters and other interested 
parties may wish to submit further comments on these issues or other 
issues. The Commission seeks further comment on some of the issues the 
Commission raised in the NPRM. The Commission also invites comment on 
additional issues.
    Additional information under section 2.1033. In the NPRM, the 
Commission asked whether to require the applicant to provide, under 
section 2.1033, additional information (possibly including a parts 
list) that could help establish that the equipment is not ``covered'' 
in order to assist TCBs and the Commission in the effort to prohibit 
authorization of ``covered'' equipment. If so, what additional 
information might be helpful or appropriate, and how should the 
requirement be crafted to mitigate any undue burden on applicants?
    Review of the equipment authorization post-grant. Following a TCB's 
grant of certification, the Commission will post information on that 
grant ``in a timely manner'' on the Commission-maintained public EAS 
database, and that the TCB or Commission may set aside a grant of 
certification within 30 days of the grant date if it is determined that 
such authorization does not comply with applicable requirements or is 
not in the public interest. In the NPRM, the Commission invited comment 
on whether it should consider adopting any new procedures for gathering 
and considering information on potentially relevant concerns that the 
initial grant is not in the public interest and should be set aside. In 
particular, the Commission asked about the extent to which interested 
parties, whether the public or government entities (e.g., other expert 
agencies) should be invited to help inform the Commission as to whether 
particular equipment inadvertently received a grant by the TCB and is 
in fact ``covered'' equipment such that the grant should be set aside. 
The Commission notes that commenters on the NPRM generally opposed 
establishing any new procedures. The Commission, however, invites 
further comment about whether procedures for a post-grant review 
process should be established now that the specific new rules and 
procedures are effective.
    Post-market surveillance. In the NPRM, the Commission also sought 
comment on whether the Commission should consider any revisions or 
clarifications to the section 2.962(g) rules concerning ``post-market 
surveillance'' activities with respect to products that have been 
certified. Those rules currently require TCBs to perform appropriate 
post-market surveillance activities with respect to testing samples of 
certified equipment for compliance with technical regulations. The 
Commission noted that OET has delegated authority to develop procedures 
that TCBs will use for performing such post-market surveillance, and 
sought comment on whether any revisions or clarifications should be 
adopted with respect to post-market surveillance. In its comments on 
the NPRM, CTIA expresses concern that increasing the scope of TCBs' 
post-market surveillance responsibilities could result in delays in 
authorizing equipment and higher TCB costs. Now that rules and 
procedures for prohibiting authorization of ``covered'' equipment are 
effective, the Commission invites additional comment on this issue. 
Beyond the existing requirements under section 2.962(g), are there 
particular additional activities that TCBs should conduct in light of 
the goals of this proceeding?
    Certification process for equipment that is prohibited from using 
SDoC. In the Report and Order of this proceeding, the Commission 
adopted a rule prohibiting any of the entities named on the Covered 
List as producing ``covered'' equipment, and their respective 
subsidiaries or affiliates, from using the SDoC process to authorize 
any equipment--not just ``covered'' equipment identified on the Covered 
List. Thus, any equipment eligible for equipment authorization that is 
produced by any entities so identified on the Covered List, or their 
respective subsidiaries or affiliates, must be processed pursuant to 
the Commission's certification process, regardless of any Commission 
rule that would otherwise permit use of the SDoC process. While the 
Commission maintains its belief that the implementation of this rule is 
not unnecessarily burdensome, the Commission did note in adopting it 
that as the Commission, industry, and manufacturers gain more 
experience over time on the effectiveness of its procedures concerning 
``covered'' equipment, the Commission may wish to revisit this process. 
As such, the Commission takes this opportunity to seek comment on 
alternative procedures that the Commission could consider to maintain 
oversight over equipment identified on the Covered List, while ensuring 
consistent application of the Commission's equipment authorization 
procedures. What procedures should the Commission consider to 
specifically address the authorization of equipment produced by 
entities named on the

[[Page 14321]]

Covered List as producing ``covered'' equipment? What specific aspects 
of the standard SDoC process and the Certification process should the 
Commission combine to ensure the necessary oversight for the Commission 
to readily identify and address equipment of concern?
    Enforcement. In light of the rules and approach that the Commission 
adopted in the Report and Order, the Commission invites comment on 
other actions it should consider to promote enforcement of the 
prohibitions in the Commission's equipment authorization program 
relating to ``covered'' equipment.
    Other issues. Finally, the Commission invites comment on other 
rules or procedures that the Commission should consider as it moves 
forward with implementation of the prohibition on authorization of 
``covered'' equipment.

Further Notice on Competitive Bidding

    In addition to considering revisions to the Commission's equipment 
authorization program, the Commission sought comment in the NPRM on 
whether to ``require an applicant to participate in competitive bidding 
[for Commission spectrum licenses] to certify that its bids do not and 
will not rely on financial support from any entity that the Commission 
has designated under section 54.9 of its rules as a national security 
threat to the integrity of communications networks or the 
communications supply chain.''
    If adopted, such a requirement could prevent the entities 
designated pursuant to section 54.9 from influencing the bidding in an 
auction for Commission spectrum licenses. The Commission has designated 
Huawei and ZTE, and their subsidiaries, parents, or affiliates, 
pursuant to section 54.9. In doing so, the Commission noted Huawei's 
and ZTE's ties to the Chinese government and military apparatus, along 
with Chinese laws obligating those companies to cooperate with any 
Chinese government requests to use or access their systems. It also is 
well-established that the Chinese government helped fuel Huawei's 
growth by deploying powerful industrial policies to make Huawei 
equipment cheaper to deploy than the alternatives. These policies 
include both direct subsidies to Huawei and state-funded export 
financing. The Chinese government support for Huawei has been 
repeatedly documented.
    In the NPRM, the Commission stated that indirect subsidies may 
include ``[d]istortionary financing intended to support participation 
in spectrum auctions of network operators who then deploy covered 
equipment and services [and thereby] may raise concerns about risks to 
the national security of the United States and the security and safety 
of United States persons.'' The Commission noted concerns that such 
financing had enabled a party to outbid others for spectrum licenses at 
auction, effectively blocking other equipment providers. It sought 
comment on whether a potential certification might address the risk of 
such distortionary financing in Commission auctions.
    Only a handful of commenters responding to the NPRM address the 
potential auction certification. None dispute the potential risk, 
though each raises different concerns with a certification requirement 
and each offers different suggestions to address those concerns. 
Addressing the potential difficulty of identifying the ultimate sources 
of financing, one commenter suggests that the Commission accept a 
certification based on reasonable belief ``after sufficient due 
diligence.'' Another commenter alternatively proposes that the 
certification only apply to applicants receiving ``financial support'' 
of greater than 10%, though it does not detail how this is to be 
measured. That commenter also notes some risk that the potential 
certification may interfere with allowing market forces to determine 
the use of spectrum by artificially limiting the number of applicants 
seeking the licenses. Echoing another commenter's concern with the 
breadth of the potential certification, an additional commenter 
suggests that the certification concern only those funds ``specifically 
for the purpose of auction participation.'' They further recommend 
limiting the certification to those entities specifically designated, 
and proposes clarifications that subsequent changes in the list of 
those designated would have no effect on earlier certifications. A 
different commenter, on the other hand, proposes expanding the entities 
covered by the certification to include relevant Chinese financial 
institutions. Finally, rather than focus on financing, another 
commenter would refocus the certification and make it into a bar on 
specific entities participating in Commission spectrum license auctions 
or the use by auction winners of equipment provided by those entities. 
Concerns about Huawei and ZTE and the risks posed by their equipment 
have continued since adoption of the NPRM and submission of the record 
in response, both in connection with spectrum license auctions and more 
generally. Concerns about the security of Huawei equipment were a 
significant topic in connection with Brazil's 2021 auction of spectrum 
licenses for use with 5G wireless technology. More recently, separate 
from any license auction, Canada issued a ban on equipment from Huawei 
and ZTE with respect to all licenses.
    In light of the record in response to the NPRM, continuing concerns 
regarding Huawei and ZTE, and the Commission's action in the Report and 
Order with respect to equipment certification, the Commission seeks 
further comment on the risk of distortionary auction financing and 
potentially addressing that risk with a required auction application 
certification. Given developments since the NPRM, including the steps 
taken with respect to equipment approvals, has the risk of 
distortionary auction financing to benefit section 54.9 companies 
lessened or increased? As additional actions are taken with respect to 
untrusted equipment and vendors, is a potential auction certification 
more or less likely to be effective in addressing the underlying 
concern? As noted in response to the NPRM, such an inquiry can be 
difficult to tailor to address the underlying concern without imposing 
a burden on or creating uncertainty for auction participants. Would any 
of the alternatives suggested in the record address the underlying risk 
more effectively? Are there alternative ways to narrow or otherwise 
target the certification that would address the national security 
concerns, while limiting any negative impacts on competitive bidding?

Ordering Clauses

    Accordingly, it is ordered, pursuant to the authority found in 
sections 4(i), 301, 302, 303, 309(j), 312, 403, and 503 of the 
Communications Act of 1934, as amended, 47 U.S.C. 154(i), 301, 302a, 
303, 309(j), 312, 403, 503, and the Secure Equipment Act of 2021, 
Public Law 117-55, 135 Stat. 423, that the Further Notice of Proposed 
Rulemaking is hereby adopted.
    It is further ordered that the Commission's Consumer and 
Governmental Affairs Bureau, Reference Information Center, shall send a 
copy of this Further Notice of Proposed Rulemaking, including the 
Initial Regulatory Flexibility Analysis, to the Chief Counsel for 
Advocacy of the Small Business Administration.
    It is further ordered that the Commission's Consumer and 
Governmental Affairs Bureau, Reference Information Center, shall send a 
copy of this Further Notice of Proposed Rulemaking, including the 
Initial Regulatory Flexibility Analysis, to Congress and the Government

[[Page 14322]]

Accountability Office pursuant to the Congressional Review Act, see 5 
U.S.C. 801(a)(1)(A).

Federal Communications Commission.
Marlene Dortch,
Secretary.
[FR Doc. 2023-04608 Filed 3-7-23; 8:45 am]
BILLING CODE 6712-01-P