ARTICLE
12 June 2025

FCC Plugs National Security Gaps By Targeting "Bad Labs"

PC
Perkins Coie LLP

Contributor

Perkins Coie LLP logo

Perkins Coie is a premier international law firm with over a century of experience, dedicated to addressing the legal and business challenges of tomorrow. Renowned for its deep industry knowledge and client-centric approach, the firm has consistently partnered with trailblazing organizations, from aviation pioneers to artificial intelligence innovators. With 21 offices across the United States, Asia, and Europe, and a global network of partner firms, Perkins Coie provides seamless support to clients wherever they operate.

The firm's vision is to be the trusted advisor to the world’s most innovative companies, delivering strategic, high-value solutions critical to their success. Guided by a one-firm culture, Perkins Coie emphasizes excellence, collaboration, inclusion, innovation, and creativity. The firm is committed to building diverse teams, promoting equal access to justice, and upholding the rule of law, reflecting its core values and enduring dedication to clients, communities, and colleagues.

Explore Firm Details
The Federal Communications Commission (FCC) has steadily expanded its national security role in recent years by addressing risks in the telecommunications sector...
United States Media, Telecoms, IT, Entertainment
Marc S. Martin,Dania Assas,Brandon R. Thompson
+1 Authors

Key Takeaways

Background

The Federal Communications Commission (FCC) has steadily expanded its national security role in recent years by addressing risks in the telecommunications sector, such as by revoking U.S. authorizations from certain Chinese government-controlled telecommunications providers. Building on this trend, last month, the FCC issued a report and order (the Bad Labs Report and Order) eliminating apparent security gaps involving the FCC-authorized private labs responsible for testing and certifying telecommunications equipment (i.e., so-called telecommunication certification bodies or TCBs) and related lab accreditation bodies. The FCC has adopted a final rule to prohibit TCBs and lab accreditation bodies under the ownership, control, or direction of the Chinese government or military (and other "prohibited entities") from recognition by the FCC or participation in the equipment authorization program.

Concurrent with the Bad Labs Report and Order, the FCC also issued a further notice of proposed rulemaking (FNPRM) seeking comment on whether further national security measures are required, such as also prohibiting use of TCBs and lab accreditation bodies physically located within a foreign adversary country's (e.g., China, including Hong Kong, and Russia) geographic jurisdiction, even if such TCBs and lab accreditation bodies are not subject to a prohibited entity's ownership, control, or direction.

"Bad Labs" and Equipment Authorization

The FCC has exclusive jurisdiction over any radio frequency (RF) device entering or operating within the United States (except for uses exclusively by the federal government and U.S. military). Before any RF device obtains FCC equipment authorization and is permitted to hit the U.S. market, it must first comply with certain FCC equipment authorization procedures where the device is either certified by the FCC or, under certain circumstances, is self-certified by the manufacturer under the Supplier's Declaration of Conformity (SDoC) procedures. Equipment certification requires that an RF device manufacturer submit their device to a TCB for testing to ensure that the device complies with FCC regulations. Under the SDoC process, the manufacturer self-certifies compliance with FCC regulations and must provide proof of compliance upon request. To participate in equipment certification, a TCB must be "recognized" by the FCC, which requires being (1) accredited for the appropriate types of equipment to be tested, (2) designated to issue grants of certification, (3) located in the United States or in a country that has entered into a mutual recognition agreement with the United States, and (4) reassessed at least every two years for accreditation and recognition.

In the Bad Labs Report and Order, however, the FCC determined that the current equipment certification process poses national security risks and is open to abuse by untrustworthy actors and foreign adversaries who may infiltrate and exert control over TCBs. Such "bad labs" could be directed by foreign adversaries to authorize compromised or harmful equipment capable of disrupting U.S. supply chains and communication networks, particularly as 75% of all new certified devices are tested in labs located in China. To reduce these threats, the new rules prohibit TCBs and lab accreditation bodies that are controlled, owned by, or subject to the direction of a prohibited entity from participating in both the FCC's equipment certification and SDoC procedures. A prohibited entity is any entity identified (1) on the FCC's Covered List, (2) as a "foreign adversary" by the U.S. Department of Commerce, or (3) by certain other national security-related agencies and bureaus.1 The FCC characterized "ownership" objectively, as direct or indirect ownership or control of 10% or more equity or voting interest by a prohibited entity, and "direction or control" subjectively, as the power to directly or indirectly determine, direct, or decide important matters. This test for determining a "bad lab" is substantively similar to the test the FCC previously adopted as the basis for revoking spectrum licenses and other authorizations by foreign telecom service providers.

The FCC also determined that parties utilizing the SDoC process for RF devices will not be able to rely on any test data or certifications from any "bad labs," ensuring that compromised or harmful electronic devices cannot sneak into the U.S. supply chain through any loophole.

Certification and Reporting Obligations

TCBs and lab accreditation bodies will also be subject to additional and continuing ownership reporting requirements. First, such entities must certify that no prohibited entity has an equity or voting interest of 10% or more within 30 days of the new rules' publication in the Federal Register (and during each request for FCC recognition thereafter). Second, such entities must report all equity or voting interests of 5% or greater by any entity within 90 days of the new rules' publication in the Federal Register (and within 30 days of any change to entities that own 5% or more). The FCC will revoke recognition of any entity that fails to provide or provides false or inaccurate information.

To further plug any loopholes, the Bad Labs Report and Order also require that any person using the SDoC process maintain records affirming that no prohibited entity has an equity or voting interest of 5% or more in the test lab that performs the testing during the SDoC process.

Takeaways and Further Actions

The Bad Labs Report and Order builds on the FCC's ongoing national security campaign to root out vulnerabilities in the communications supply chain, targeting the testing and certification infrastructure that enables devices to reach the U.S. market. The removal of "bad labs" from the equipment authorization process is intended to strengthen the security of U.S. telecommunications networks and consumer privacy in the long term but may lead to an influx of companies seeking to secure testing and certification from recognized labs, potentially overwhelming existing test lab capacity in the short term and leading to delays in the introduction of new products to the U.S. market. Perhaps anticipating these concerns, the FNPRM seeks comment on ways in which the FCC can facilitate and encourage more RF equipment authorization testing and certification within the United States or in the territory of its allies.

The FNPRM also seeks comment on, among other things, further broadening its prohibitions to include TCBs, test labs used for self-certifying under the SDoC process, and lab accreditation bodies under the jurisdiction of a foreign adversary, even if not under the direct or indirect ownership, control, or direction of a prohibited entity. Though only at the FNPRM stage, such proposals should cause U.S.-based companies using foreign labs to review their equipment authorization programs and existing domestic testing and certification options, especially considering the evolving nature of the list of prohibited entities.

Comments on the FNPRM are due within 30 days of publication in the Federal Register. Reply comments are due within 60 days of publication in the Federal Register.

Footnote

1. The list of prohibited entities includes all entities named in the Department of Commerce Bureau of Industry and Security (BIS) Entity List; BIS Military End-User List; Department of Homeland Security Uyghur Forced Labor Prevention Act Entity List; Section 5949 of the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023; Department of Defense 1260H list of Chinese Military Companies; and the Department of Treasury NS-CMIC List of Chinese military companies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Marc S. Martin
Marc S. Martin
Photo of Dania Assas
Dania Assas
Photo of Joshua Perez
Joshua Perez
Photo of Brandon R. Thompson
Brandon R. Thompson
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More