The Federal Communications Commission quietly moved on May 8, 2026 to head off a looming cybersecurity problem of its own making. Through its Office of Engineering and Technology, the agency extended temporary waivers that allow manufacturers of certain foreign-made drones and consumer routers to keep issuing software and firmware updates in the United States — pushing the new deadline to at least January 1, 2029.

The waivers apply only to devices that received FCC equipment authorization before being added to the agency’s “Covered List” — a roster of foreign communications equipment deemed to pose unacceptable risks to U.S. national security. The extension does not remove any device from that list, nor does it roll back the broader framework of restrictions that have accumulated over the past several months.

How the Covered List Created a Security Dilemma

The FCC added foreign-made uncrewed aircraft systems (UAS) — commonly known as drones — and their critical components to the Covered List in December 2025, citing national security concerns raised by an executive branch interagency body. A few months later, in March 2026, the agency extended the list to include all consumer-grade routers produced outside the United States, following a White House-convened determination that such devices “pose unacceptable risks to the national security of the United States.”

Under the FCC’s device certification rules, placement on the Covered List blocks new models from receiving equipment authorization — but it also had an unintended side effect: already-authorized devices became ineligible for post-certification software and firmware modifications. For millions of in-use products, that meant manufacturers would be legally barred from pushing security patches, bug fixes, or compatibility updates.

Prohibiting updates may reduce the security of already-deployed devices — the precise outcome the Covered List framework was designed to prevent.

The FCC acknowledged the paradox directly in its announcement, noting that continued software support remains necessary to protect U.S. consumers. Blocking security patches for widely deployed hardware would, in effect, undermine the cybersecurity goals the Covered List was created to advance.

What the Updated Waivers Allow

The new waivers, which extend deadlines previously set at January 1, 2027 for drones and March 1, 2027 for consumer routers, establish a uniform cutoff of January 1, 2029. Within that window, the agency permits three categories of software and firmware changes:

Permitted Update Categories Under the Extended Waivers
  • 01Maintaining basic device functionality — updates necessary to keep existing, authorized hardware operating as intended.
  • 02Patching security vulnerabilities — firmware revisions that address known exploits or cybersecurity weaknesses.
  • 03Preserving compatibility — changes needed to maintain interoperability with evolving operating systems and network environments.

The updated waivers also broaden the scope slightly to include certain Class II permissive changes involving software and firmware intended to mitigate consumer harm — a technical designation that covers modifications manufacturers can make without full recertification, provided they fall within previously authorized parameters.

A Regulatory Timeline Under Pressure

The sequence of events leading to the current situation reflects the speed at which U.S. telecommunications policy has moved on foreign technology in recent months. The FCC revised its device licensing rules in October 2025, prohibiting “licensed changes” — including software and firmware updates — to regulated devices. Those rules took effect before the Covered List was fully populated, creating the conflict the new waivers are designed to manage.

October 2025
FCC revises device licensing rules, prohibiting post-certification software and firmware modifications to regulated equipment.
December 2025
FCC adds foreign-made drones (UAS) and UAS critical components to the Covered List; initial waivers permit software updates through January 1, 2027.
March 2026
FCC expands Covered List to include all foreign-manufactured consumer-grade routers, with an update waiver running through March 1, 2027. Routers conditionally approved by the Department of War or Department of Homeland Security are exempted.
May 8, 2026
FCC Office of Engineering and Technology extends both waivers to January 1, 2029, and broadens permitted update categories to include Class II permissive changes mitigating consumer harm.

Restrictions Remain in Full Force

It is important to be precise about what the waivers do not do. Foreign-made drones and consumer routers remain on the Covered List. New device models from affected foreign manufacturers still cannot receive FCC equipment authorization. Manufacturers must continue to comply with all other FCC requirements governing permissive changes and equipment certification. The agency has framed the extended waivers explicitly as a bridge measure — buying time for regulators to develop a more permanent policy framework — rather than a relaxation of the underlying national-security posture.

Devices covered under conditional approvals granted by the Department of War or the Department of Homeland Security — a pathway created when the Covered List was first expanded — continue to operate under a separate track and are not subject to the same restrictions as other Covered List entries.

Outlook

The FCC’s move illustrates a tension regulators worldwide are navigating as governments move aggressively to reduce reliance on foreign communications hardware: the very act of restricting a device from the market can leave already-deployed units more vulnerable if software support is severed at the same time. By extending the update window to 2029, the agency has signaled that it views operational cybersecurity for existing users as a public-interest obligation — even as it maintains the harder line on new market access.

Manufacturers with products on the Covered List who believe they may qualify for conditional approval can submit applications to conditional-approvals@fcc.gov.