What the OET waiver actually changes, and what it means for the routers already sitting in your network closets.

Kenneth Carnesi

May 21, 2026

Patches Permitted: FCC Extends Foreign Wi-Fi Router Firmware Lifeline to January 2029

If your fleet still has a meaningful population of TP-Link or other foreign-produced consumer or cellular Wi-Fi routers quietly humming away in branch offices and remote sites, you just got a reprieve worth paying attention to. On May 8, 2026, the FCC’s Office of Engineering and Technology (OET) issued a waiver that pushes the cutoff for software and firmware updates on already-deployed foreign-made routers from March 1, 2027 out to January 1, 2029. The same waiver covers foreign-produced drones (notably DJI), cellular routers, and mobile Wi-Fi hotspots that were swept onto the FCC’s Covered List earlier this year.

For IT and security teams, the headline is short: the patch pipeline for hardware you already own stays open for roughly two extra years. The longer story is more interesting, because the waiver is also the FCC quietly conceding that the original timeline would have created exactly the cybersecurity outcome it was trying to prevent.

How we got here

On March 20, 2026, the FCC received a National Security Determination flagging foreign-produced consumer-grade routers as an unacceptable supply-chain and cyber risk. Three days later, on March 23, the Commission updated its Covered List to include effectively all consumer routers produced in a foreign country, with a narrow carve-out for devices granted conditional approval by the Department of War (DoW) or the Department of Homeland Security (DHS). To date, only Netgear and Amazon’s eero have cleared that bar to keep selling new equipment in the United States. TP-Link, the single largest player by U.S. installed base, has not.

The Commission justified the listing by pointing to a now-familiar set of intrusion campaigns: Volt Typhoon, Flax Typhoon, and Salt Typhoon, all of which have leaned on compromised SOHO routers as staging infrastructure against U.S. critical assets. The policy aim was to choke off new sales and force the market toward equipment with vetted supply chains.

The unintended consequence was the part that kept network engineers up at night: as originally written, the Covered List action would have also cut off post-authorization firmware modifications, including security patches, on every affected router already in service. Millions of devices. No more CVE fixes. No more TLS library bumps. No more emergency mitigations when the next router-targeting botnet shows up.

What the waiver actually does

The OET’s order is narrow but important. It does not remove anything from the Covered List, and it does not authorize new equipment sales by vendors that have not received conditional approval. What it does is preserve the ability of manufacturers, including those on the Covered List, to push updates that:

• Patch security vulnerabilities in already-deployed devices.

• Maintain core device functionality and stability.

• Preserve compatibility with evolving operating systems, mobile clients, and ISP network changes.

In the FCC’s own framing, “special circumstances warrant a deviation from the general rules and the public interest would be better served by extending the waiver.” Translated out of regulator-speak: blocking patches on tens of millions of routers in American homes and small businesses would have produced a worse cybersecurity outcome than the supply-chain risk the Covered List was designed to address.

Why this matters for IT and security teams

If you manage anything from a small branch network up to a distributed retail or healthcare footprint, the practical implications come in three layers.

Lifecycle planning gets a real runway. The original March 2027 deadline forced a near-term forklift conversation for any organization with covered routers in production. January 2029 is far enough out that you can plan a normal refresh cycle, fold it into existing capex windows, and avoid the “rip and replace on a Saturday” pattern that usually breaks something else along the way.

Patch hygiene still has to happen. The waiver only matters if vendors actually ship updates and you actually apply them. Auto-update should be on. Firmware versions should be inventoried alongside the rest of your asset data. If a router on the Covered List has been sitting on a 2023 firmware build because nobody has logged into its admin panel in two years, the waiver does nothing for you.

The procurement clock is still ticking. New deployments are a different story. Unless a foreign manufacturer earns conditional approval from DoW or DHS, you can’t buy your way out of this problem with more of the same brand. For greenfield sites, the only vendors currently clear to sell are Netgear and Amazon eero. Anyone procuring at scale should treat that list as a moving target and monitor the approvals docket as closely as they monitor the CVE feed.

What to do this quarter

• Pull a current inventory of every router on your network, including model, manufacturer, country of origin, and current firmware version. Tag anything on the Covered List.

• Confirm that automatic firmware updates are enabled on covered devices, and that egress firewall rules are not silently blocking the vendor update endpoints.

• Build a refresh plan with January 1, 2029, as the hard backstop, not the target. Aim to be off Covered-List hardware 6 to 12 months earlier to absorb supply and budget surprises.

• For any new procurement, validate that the model is either produced outside the Covered List scope or has explicit DoW or DHS conditional approval.

• Subscribe to the FCC’s Public Notices and your vendors’ PSIRT feeds. Both the Covered List and the conditional approval set are likely to continue to shift between now and 2029.
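The inventory, auto-update and refresh-plan items above can be run as a single pass over an asset export. The script below is an added example, not part of the original article. The CSV columns, the sample rows, the 365-day staleness threshold and the vendor-level treatment of conditional approval are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# From the article: update cutoff under the waiver, and the two vendors
# with conditional approval (a moving target; re-check the FCC docket).
UPDATE_CUTOFF = date(2029, 1, 1)
CONDITIONALLY_APPROVED = {"netgear", "eero"}
# Article's advice: be off covered hardware 6 to 12 months before the cutoff.
REFRESH_WINDOW = (date(2028, 1, 1), date(2028, 7, 1))
STALE_AFTER_DAYS = 365  # assumed threshold, not from the article

# Constructed sample inventory (hypothetical sites, models, origins and dates).
SAMPLE_CSV = """site,manufacturer,model,country_of_origin,firmware_date,auto_update
branch-01,TP-Link,ExampleModel-A,CN,2023-04-11,no
branch-02,TP-Link,ExampleModel-B,VN,2026-03-30,yes
clinic-07,Netgear,ExampleModel-C,VN,2026-02-14,yes
store-12,ExampleCo,ExampleModel-D,US,2024-01-05,no
"""

def is_covered(row):
    """Simplified test: foreign-produced and vendor lacks conditional approval."""
    foreign = row["country_of_origin"].strip().upper() != "US"
    approved = row["manufacturer"].strip().lower() in CONDITIONALLY_APPROVED
    return foreign and not approved

def audit(csv_text, today):
    """Return one finding per router with the actions the checklist implies."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        covered = is_covered(row)
        age = (today - date.fromisoformat(row["firmware_date"])).days
        actions = []
        if row["auto_update"].strip().lower() != "yes":
            actions.append("enable auto-update")
        if age > STALE_AFTER_DAYS:
            actions.append("apply current firmware")
        if covered:
            start, end = REFRESH_WINDOW
            actions.append(f"replace between {start} and {end}")
        findings.append({"site": row["site"], "covered": covered,
                         "firmware_age_days": age, "actions": actions,
                         "days_to_cutoff": (UPDATE_CUTOFF - today).days})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CSV, date(2026, 5, 21)):
        print(finding)
```

Feed it a real export by reading the file into a string, and keep `CONDITIONALLY_APPROVED` in sync with the approvals docket rather than treating it as fixed.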

The bigger picture

This waiver is a reminder that security policy and security outcomes are not the same thing. The FCC’s instinct to harden the supply chain for consumer networking gear is defensible, especially given the role SOHO routers have played in recent nation-state campaigns. But the agency has also acknowledged in writing that an unpatched installed base is a greater near-term threat than a slow-moving migration off foreign-made hardware. For IT leaders, the takeaway is to treat January 2029 as a planning anchor: long enough to do this transition properly, short enough that it should already be on the roadmap.
