Your Router Is Not Banned (Yet)

dispatches
#nonprofit-it #cybersecurity

The US FCC just added all foreign-produced consumer routers to its naughty list. The Internet is panicking. Here's what this actually means for IT practitioners - and why the unknowns are the real risk.

Close-up photo of a white broadband router with green status LEDs and a large question mark superimposed over a warm orange glow to the left. The router has two circular buttons labelled Wi-Fi and PAIR, with status indicators reading ONLINE, WAN/DSL, MOBILE MODE, MOBILE SIGNAL, and PHONE, all showing green lights.

Yesterday, the United States Federal Communications Commission (FCC) added all consumer-grade routers produced in foreign countries to the Covered List under the Secure Networks Act. Practically, this means that new models of foreign-produced routers can no longer receive FCC equipment authorization, which means they cannot be imported or sold in the United States. This took effect immediately, with no transition period.

The security concerns behind this are real. The Volt Typhoon, Salt Typhoon, and Flax Typhoon cyberattacks all exploited vulnerabilities in consumer routers to target critical US infrastructure. Router security is a genuine problem. Whether a blanket country-of-origin import ban is the right tool to address a firmware security question is a different question, as this action appears to be a part of this current administration's broader posture toward China. But, the order is here. Let us talk about what that means.

What actually happened. The FCC acted on a National Security Determination from a White House interagency body. The FCC did not initiate this and cannot modify the Covered List on its own authority. The definition of "consumer-grade router" comes from NIST IR 8425A: residential, customer-installable networking devices. This is not enterprise gear. Your office Meraki, Cisco, or Juniper is not in this scope.

What did not happen. Your current home router is not banned and suddenly illegal to use in the US. Previously authorized models can still be sold, imported, and used. Manufacturers of routers can apply for Conditional Approval through the Department of Defense or the Department of Homeland Security, which would exempt their products. But as of publication of this post and as of today, no router approvals have been granted. But, there is a pathway.

Why the unknowns are the real risk. The immediate impact is manageable. The medium-term picture is where things could get very ugly, very fast, and the reason is that this order has exposed how little domestic manufacturing infrastructure exists in this space.

There are, to the best of anyone's knowledge, no consumer-grade routers currently manufactured in the United States. TP-Link, Netgear, ASUS, Ubiquiti/UniFi all manufacture abroad, whether in China, Vietnam, Taiwan, Malaysia, or Thailand. The definition of "production" in the National Security Determination is broad: it includes manufacturing, assembly, design, and development. That catches nearly everything on the market.

The Conditional Approval pathway exists, but it appears to require more than a paperwork exercise. Early reporting suggests that applicants must disclose their management structure, and then present plans for onshoring manufacturing to the United States. That is not a six-month paper project. That is a multi-year capital investment, and the consumer router market's thin margins probably don't support that.

Meanwhile, about half of consumer routers in American homes are leased from internet service providers (ISPs) themselves -- think Cox, Spectrum, or Xfinity. These gateways get refreshed as standards evolve and the marketing arms race for "the fastest in-home wi-fi" gets stronger. Practically, every new model of router needs FCC authorization. Every new model is now blocked until domestic manufacturing materializes or conditional approvals are granted. The ISPs have significant lobbying infrastructure, and their equipment pipelines depend on this getting resolved. But "the cable lobby will probably fix it" is not a risk mitigation strategy I would put in a planning document.

Why this matters for nonprofit IT. If your organization has enterprise networking equipment, then you are likely not impacted by this new order. But not every nonprofit has enterprise gear. The smaller the organization, the more likely the office network runs on consumer -- or prosumer -- gear like the UniFi Dream Machine, Netgear Nighthawk, or whatever was available from the computer store in budget. That equipment is, by the NIST definition, consumer-grade. Existing models are fine, but the upgrade path just got uncertain.

Then there is the remote worker angle. Your staff connect to organizational resources through whatever their ISP provided them or whatever they bought from Amazon, Best Buy, or Micro Center. You have never controlled their equipment, and you still do not. But if the supply of consumer routers contracts or prices increase, then that cost lands on your staff, and indirectly on your organization's ability to support remote work.

There is one more thread worth watching, especially for nonprofits that receive Federal funding. The Secure Networks Act already prohibits Universal Service Fund recipients from using Federal subsidies to purchase or maintain Covered List equipment. The US Cybersecurity and Infrastructure Security Agency (CISA) has encouraged organizations to incorporate the FCC's Covered List into their supply chain risk management. That guidance has not yet cascaded into general Federal grant compliance requirements, but the mechanisms and precedent exist. The distance between "CISA recommends" and "your grant requires certification" is not as far as one might think, and the trajectory of this administration's regulatory posture suggests it's a distance worth monitoring.

What I am watching. The FCC's December 2025 drone ban followed a similar structure: blanket prohibition on foreign-produced devices with a conditional approval pathway. Within three months, four non-Chinese drone systems received conditional approval. I expect that this will become more permeable over time; however, "expect" and "know" are different words, and the timeline is genuinely uncertain.

For now, the practical advice is straightforward. If you are evaluating networking equipment purchases, existing authorized models remain available. Buy what you need while it's available. If you manage remote workers, this does not create an immediate operational crisis, but it's worth documenting what your staff use at home as part of your risk assessment. If your organization receives Federal funding, put the Covered List on your compliance radar. And regardless of how this order plays out, the NIST cybersecurity requirements for consumer routers (IR 8425A) are sound guidance for evaluating any router product.

This particular one has the potential to become a slow-moving mess. The biggest risk, as often is the case, is the things we do not yet know.