ARTICLE
5 June 2025

FCC Bans "Bad Labs" Connected To Foreign Adversaries, Seeks Comment On Additional Restrictions For Equipment Authorization Program

WR
Wiley Rein

Contributor

Wiley Rein logo
Wiley is a preeminent law firm wired into Washington. We advise Fortune 500 corporations, trade associations, and individuals in all industries on legal matters converging at the intersection of government, business, and technological innovation. Our attorneys and public policy advisors are respected and have nuanced insights into the mindsets of agencies, regulators, and lawmakers. We are the best-kept secret in DC for many of the most innovative and transformational companies, business groups, and nonprofit organizations. From autonomous vehicles to blockchain technologies, we combine our focused industry knowledge and unmatched understanding of Washington to anticipate challenges, craft policies, and formulate solutions for emerging innovators and industries.
Explore Firm Details
Continuing its efforts under Chairman Brendan Carr's leadership to safeguard United States communications infrastructure from foreign threats, the Federal Communications Commission adopted an Order and Further Notice of Proposed Rulemaking in its "Bad Labs" proceeding.
United States Media, Telecoms, IT, Entertainment
Sara M. Baxenberg,Sydney White,Ania Trichet
+1 Authors

Continuing its efforts under Chairman Brendan Carr's leadership to safeguard United States communications infrastructure from foreign threats, the Federal Communications Commission (FCC or Commission) adopted an Order and Further Notice of Proposed Rulemaking (FNPRM) in its "Bad Labs" proceeding, which seeks to limit national security risks in the FCC's equipment authorization program. The Order prohibits entities with certain connections to foreign adversaries from participating in the FCC's equipment authorization program as telecommunications certification bodies (TCBs), test labs, or laboratory accreditation bodies. The FNPRM seeks comment on additional proposed rules that would expand the list of prohibited entities and impose new post-market surveillance requirements.

The "Bad Labs" Order and FNPRM are part of a broader effort by the FCC to address national security risks facing communications technologies, with other recent actions including an NPRM proposing new certification and reporting requirements related to foreign adversary connections of FCC-regulated entities, and a Public Notice seeking comment on whether the Commission should update its Covered List of communications equipment and services posing a national security threat to include connected vehicle technologies targeted by a January 2025 Final Rule by the U.S. Department of Commerce's Bureau of Industry and Security (BIS). Please watch for our upcoming blog post.

Below, we summarize the steps taken in the Order and the notable issues open for comment under the FNPRM. The Order will be effective 30 days after Federal Register publication, but many of the new requirements will need to be reviewed by the Office of Management and Budget before they can become effective. Comments on the FNPRM will be due 30 days after Federal Register publication.

"Bad Labs" Report and Order

The Order prohibits FCC recognition of "any TCB, test lab, or laboratory accreditation body owned by, controlled by, or subject to the direction of a prohibited entity." (¶ 2). It also prohibits labs that meet these criteria from performing testing for products obtaining FCC equipment authorization through the Supplier's Declaration of Conformity (SDoC) process. The prohibitions apply regardless of the location of the TCB, test lab, or laboratory accreditation body.

Key Definitions

Prohibited Entity. The Order defines "prohibited entity" as any of the following:

  1. Entities identified on the FCC's Covered List;
  2. Entities identified on national security-related lists maintained by other federal agencies, including the BIS Entity List; the BIS Military End-User List; the Department of Homeland Security Uyghur Forced Labor Prevention Act Entity List; the 2023 National Defense Authorization Act list of semiconductor companies; the U.S. Department of Defense 1260H List of Chinese Military Companies; and the U.S. Department of Treasury Non-Specially Designated Nationals Chinese Military-Industrial Complex Companies (NS-CMIC) List; and
  3. Entities identified as "foreign adversaries" by Commerce regulations, which currently include China (including Hong Kong), Cuba, Iran, North Korea, Russia, and the Maduro Regime (Venezuela).

Owned By, Controlled By, Or Subject To The Direction Of. As explained above, an entity will be barred from serving as a TCB, test lab, or accreditation body if it is "owned by, controlled by, or subject to the direction of" a prohibited entity. Under the rules adopted in the Order, this level of control is met when any of the following are true:

  • The prohibited entity has a direct or indirect equity or voting interest of 10% or more;
  • The prohibited entity "directly or indirectly possesses or has the power (whether or not exercised) to determine, direct, or decide important matters affecting the subject entity";
  • An entity "acts as an agent or representative of" of a prohibited entity;
  • An entity "acts in any other capacity at the order or request" of a prohibited entity; or
  • An entity's activities are "directly or indirectly supervised, directed, controlled, financed, or subsidized in whole or in majority part," of a prohibited entity, "including being part of a governmental structure or hierarchy."

In the Order, the Commission elaborates on the factors the agency will consider to determine whether an entity is under the direction or control of a prohibited entity, including: "the power to decide matters pertaining to the entity's reorganization, merger, or dissolution"; "the opening or closing of facilities or major expenditures or to exercise authority over its operating budget; selection of new lines of business"; "entering into, terminating, or otherwise affecting the fulfillment of significant contracts"; "adopting policies relating to treatment of non-public or proprietary information; appointing officers or senior leadership; appointing or dismissing employees with access to critical or sensitive technology"; and "amending the entity's organizational documents." (¶ 75). The Order further explains that "[s]uch indicators . . . could take the form of, for example, ownership of securities or partnership or other ownership interests, board representation, holding a special share, contractual arrangements, or other formal or informal arrangements to act in concert or to decide important matters affecting an entity." Id.

Expansion of Reporting, Certification, and Recordkeeping Requirements

The Order implements the prohibition on "Bad Labs" by adopting new reporting, certification, and recordkeeping requirements for entities in the equipment authorization ecosystem.

First, the new rules require each recognized TCB, test lab, and laboratory accreditation body to:

  • Certify to the Commission within 30 days after the effective date of the rules that it is not owned, controlled, or subject to the direction of a prohibited entity; and
  • Report within 90 days after the effective date of the rules all equity or voting interests of 5% or greater held by any entity.

(¶ 77). The Commission will revoke any existing recognition of any TCBs, test labs, and laboratory accreditation body that fails to make the required previously described reporting and certification.

Second, going forward, any entity that seeks to be recognized by the Commission as a TCB, test lab, or laboratory accreditation body will be subject to the same certification and ownership reporting obligations. (¶ 81)

Third, to ensure that labs that cannot be recognized under the new rules do not perform testing for devices authorized through the SDoC process, the Order adopts a new regulation requiring SDoC responsible parties to maintain a certification that the laboratory performing the testing is not owned by, controlled by, or subject to the jurisdiction of a prohibited entity. (¶ 86). This requirement creates a new diligence obligation that SDoC responsible parties will need to perform prior to making the certification.

Changes to Covered List Subsidiary and Affiliate Reporting

Entities on the FCC Covered List for producing equipment are already prohibited from using the SDoC process and from obtaining authorization for the equipment identified on the List. Consistent with this prohibition, certain Covered List entities have already been required to report to the FCC about their subsidiaries and affiliates.

Because the Order's definition of "prohibited entity" includes the FCC Covered List, all Covered List entities will be relevant in determining whether a lab, TCB, or accreditation body is prohibited from recognition. Accordingly, the Order expands on the existing Covered List reporting obligations, requiring every entity on the Covered List to provide the Commission with information regarding its subsidiaries and affiliates within 30 days after the effective date of the rules. (¶ 77). This change expands the reporting to all subsidiaries and affiliates, "not merely those that produce 'covered equipment.'" (Id.) The Office of Engineering and Technology will make the lists of affiliates and subsidiaries available to the public for review and inspection. (¶ 89)

The Commission also expanded the scope of the definition previously used to identify affiliates to include entities that "have, possess, or otherwise control an equity or voting interest (or the equivalent thereof) of 10 percent or more." (¶ 90). (This threshold was previously "more than 10 percent.")

"Bad Labs" FNPRM

In the Order's accompanying FNPRM, the Commission seeks comment on whether and how to expand its list of prohibited entities, how to increase equipment testing and certification within the U.S. and allied countries, and whether impose tighter controls over post-market surveillance procedures.

Expanding the Prohibitions. The FNPRM seeks comment on various issues and proposals, including:

  • Whether to expand the test for control by a prohibited entity to include entities that are "subject to the jurisdiction of a foreign adversary country" (¶ 129)—in the proposed rules, this would include any entity "physically or legally located within the geographical jurisdiction of a foreign adversary country";
  • Whether to adopt a "presumption-of-prohibition policy" for entities subject to the jurisdiction of a foreign adversary, pursuant to which an entity could demonstrate an absence of national security risk to participate in equipment authorization (¶ 139);
  • Whether there are economic concerns with expanding the prohibition in this way, such as potential delays in the equipment approval process (¶ 130);
  • Whether to adopt alternative approaches to defining foreign adversary control or prohibited entities, including whether to borrow from federal data privacy laws or the CHIPS Act or whether the Commission should make its own adjustments to Commerce's foreign adversary list (¶¶ 135-38); and
  • Whether to incorporate additional federal agency lists into the definition of prohibited entity. (¶ 141)

Promoting "Good Labs." The Commission also seeks to understand the "ways in which the Commission can facilitate and encourage more equipment authorization testing and certification within the United States and allied countries, such as those with which we have a mutual recognition agreement (MRA)," and what barriers are preventing that outcome. (¶ 143)

Other Matters. To ensure the integrity of the Commission's equipment authorization program, the FNPRM seeks additional input on whether the Commission should revise the post-market surveillance rules, policies, or guidance to address such concerns as well as any other measures that may be taken to strengthen the post market surveillance process. (¶ 145). The Commission also seeks input on whether the current structure of rules which incorporate ISO/IEC 17025 and ISO/IEC 17065 standards, against which accreditation bodies assess test labs and TCBs, raise questions as to the integrity of the equipment authorization program or the impartiality of TCBs or test labs. (¶ 146). Lastly, the FNPRM considers requiring all equipment authorized under the SDoC process be tested at an accredited and FCC-recognized laboratory. (¶ 147)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Sara M. Baxenberg
Sara M. Baxenberg
Photo of Sydney White
Sydney White
Photo of Melissa Alba
Melissa Alba
Photo of Ania Trichet
Ania Trichet
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More