On March 23, 2026, the Federal Communications Commission added all consumer-grade routers manufactured abroad to its Covered List, the agency's roster of equipment that can no longer receive new authorization to enter the U.S. market. The order followed a National Security Determination from an executive-branch interagency panel concluding that foreign-produced routers pose unacceptable risks, following Chinese state-sponsored campaigns known as Volt Typhoon, Salt Typhoon, and Flax Typhoon that exploited consumer router vulnerabilities to penetrate U.S. telecommunications and critical infrastructure.

For MSPs that design, install, and operate bulk Wi-Fi for apartment communities, condominium associations, hotels, student housing, and other multi-tenant properties, the headlines have been alarming, and the nuance has been mostly buried. The short version: the ban is narrower than it sounds, but it materially changes how MSPs need to think about procurement, certification, and the conversations they have with property-owner clients over the next 12 months.

What actually changed on March 23

The FCC did not ban the use of foreign-made routers, did not ban the sale of existing inventory, and did not order anyone to rip and replace deployed equipment. What it did was close the front door to new models. Effective March 23, any consumer-grade router whose manufacturing, assembly, design, or development occurs in a foreign country is prohibited from obtaining a new FCC equipment authorization. Without that authorization, the device cannot be lawfully imported or sold in the United States.

Three carve-outs matter for MSPs. First, models that already hold FCC authorization can continue to be imported and sold by the original grantee. Second, devices already in customers’ hands are unaffected — clients can keep using them indefinitely. Third, manufacturers may continue to push software and firmware updates to existing approved routers through March 1, 2027, provided those updates address security or maintain device functionality. That one-year update window is, in practice, the runway every MSP has to plan a transition for any covered fleet.

How the Covered List mechanics work

The Covered List is a Secure Networks Act instrument the FCC has used since 2021 to designate equipment from companies that pose a national security risk — historically, Huawei, ZTE, Hikvision, Dahua, Hytera, and a handful of others. Adding a category, rather than a named vendor, is new and significant. The March 23 action treats the foreign country of production itself as the disqualifying factor for consumer routers, not the brand on the box.

Practically, this means the analysis an MSP needs to perform on any new SKU is no longer just "is this brand on the list?" It is "where is this specific model designed, assembled, and built, and does it currently hold an FCC grant?" The FCC's FAQ confirms that if any major production stage occurs in a foreign country, the device is covered, unless a Conditional Approval is obtained. Brand of record is not the controlling fact; country of production is.

Two product categories sit outside the consumer-router definition and therefore outside the ban. Industrial routers and managed-service-provider CPE that are not customer-installable are not considered covered equipment. That language, which appears in the FCC's published guidance, is the single most important sentence in this order for MSP owners. A device that is provisioned, mounted, and managed by the MSP — not handed to a tenant in a retail box — is generally not in scope.

The MSP carve-out, and where it stops

Before exhaling, read the carve-out closely. Two conditions must be true: the device must be enterprise or industrial in classification (not a consumer SKU re-badged for property use), and it must not be customer-installable. An access point that is professionally mounted in a hallway and managed from an MSP cloud controller fits comfortably. A retail-grade gateway dropped in a leasing office, or a tenant-installable mesh node handed out at move-in, does not.

Many bulk Wi-Fi stacks blur this line. Property-wide deployments often pair enterprise APs with consumer-grade gateways or off-the-shelf mesh hardware in back-of-house spaces. Hospitality networks often include in-room gateways that, while branded for hotel use, function as consumer routers. MSPs should expect the FCC and DHS to consider function and form factor, not marketing language, when evaluating whether a deployment relies on covered equipment.

Impact on bulk Wi-Fi: MDU, hospitality, and student housing

For MSPs whose portfolios lean on enterprise-class infrastructure from vendors with U.S. or allied-country production — Cisco Meraki, Juniper Mist, HPE Aruba, Extreme, Ruckus, and similar — most existing deployments are out of scope, and most refresh purchases will continue uninterrupted. The procurement conversation does change for product lines whose authorization paperwork is thin or whose production is concentrated in a covered jurisdiction.

The riskier exposure sits in three places. The first is the in-unit gateway used in many MDU and hospitality deployments, which is often a lightly customized consumer router. The second is the long tail of value-engineered builds where MSPs spec'd a low-cost foreign-made mesh system to hit a price point. The third is white-label hardware sold under U.S. brand names but produced abroad — the country-of-production test does not care about the label.

MSPs should audit every deployed model against three questions: does it hold a current FCC grant under the model number actually shipped, is it customer-installable in form factor, and is there a documented production location for at least one of design, manufacturing, or assembly? Any model that fails the third question and is customer-installable belongs on a transition list now, with replacement budgeted into the next refresh cycle and a firmware-update plan that respects the March 1, 2027, cutoff.

The Conditional Approval pathway

Manufacturers that want to keep selling foreign-produced routers in the U.S. can apply for Conditional Approval through the Department of War or the Department of Homeland Security by submitting to [email protected]. The application requires disclosure of ownership, board composition, country of origin for components, IP ownership, design, assembly, and firmware. Entity-level approvals are possible, covering multiple models or product types from a single applicant.

MSPs are not the applicants here — the burden sits with the manufacturer or U.S. importer of record — but tracking which vendors are pursuing Conditional Approval, and which have received it, is now part of vendor management. Expect the first wave of approvals to favor manufacturers with transparent supply chains and limited PRC exposure. Vendors that go quiet on the topic are signaling something.

A practical compliance checklist

•    Inventory now. Pull a model-level list of every router, gateway, and AP currently deployed, and tag each one with the country of production and the current FCC grant status.

•    Segment by form factor. Separate enterprise, MSP-installed devices from anything that is customer-installable. The latter is your exposure surface.

•    Pressure-test your supply. Ask each vendor in writing whether their roadmap models are covered, and whether they intend to pursue Conditional Approval.

•    Plan around March 1, 2027. Any covered model still in service after that date loses its security-update lifeline. Build refresh budgets accordingly.

•    Update client contracts. Add language clarifying who owns refresh costs triggered by federal equipment determinations and consider a hardware-substitution clause.

•    Document the analysis. If an MSP-installed enterprise device is later challenged, contemporaneous notes on form factor, professional installation, and managed operation will matter.

Bottom line

The March 23 order is best understood as a slow-moving procurement constraint rather than a fire drill. MSPs running professionally installed, enterprise-managed bulk Wi-Fi on mainstream vendor stacks face limited day-one disruption. MSPs that have relied on consumer-grade gateways in multi-tenant deployments — particularly value builds and in-room hotel hardware — have a roughly 12-month window to plan a transition before the firmware-update door closes. The MSPs that come out of this in the strongest position will be the ones that turn the audit into a sales conversation: a defensible, documented, U.S.-compliant network is now a feature worth pricing in.

Source documents

•    FCC, "FCC Adds Routers Produced in Foreign Countries to Covered List" (March 23, 2026)

•    FCC, "FAQs on Recent Updates to FCC Covered List Regarding Routers Produced in Foreign Countries"

•    FCC Public Notice DA 26-278 (March 23, 2026)

•    FCC, "Guidance on Submissions for Conditional Approval"

•    Baker McKenzie, "United States: FCC Adds Foreign-Made Routers to Covered List" (April 2026)

•    Davis Wright Tremaine, "FCC Bans New Foreign-Made Consumer Routers" (April 2026)