The U.S. Federal Communications Commission (FCC) is seeking public comment on an information collection review tied to its supply chain security oversight, highlighting the growing regulatory focus on cybersecurity risks in telecom infrastructure. As part of the FCC’s review under the Paperwork Reduction Act, the notice requires agencies to assess whether information collections are necessary, accurate and minimally burdensome. The Commission is specifically seeking feedback on the practical utility of the data collected, the accuracy of its burden estimates and ways to improve the quality, clarity and security of information submitted by respondents.
In a Federal Register notice published on Thursday, the agency invited feedback on data collection requirements associated with the Secure and Trusted Communications Networks Reimbursement Program, which supports the removal and replacement of communications equipment deemed to pose national security risks. The review is part of the FCC’s ongoing effort to assess whether reporting requirements remain necessary, practical and minimally burdensome while supporting oversight of network security and resilience.
The information collection under review plays a key role in monitoring how service providers mitigate cyber and supply chain threats linked to untrusted vendors embedded in critical communications networks. By requiring detailed reporting from participating providers, the FCC aims to maintain visibility into remediation progress, ensure reimbursement funds are properly administered and strengthen protections against espionage, unauthorized access and broader cyber compromise of U.S. telecommunications infrastructure.
Participants in the Cybersecurity Pilot Program are required to submit an annual amended Pilot FCC Form 484 to update previously submitted information and satisfy new annual reporting requirements.
As part of this filing, participants must provide certifications confirming compliance with program rules, helping safeguard the integrity of the pilot. These certifications include assurances of compliance with section 6001.435 of the Commission’s rules, confirmation that no disclosure under section 6001.335 was required unless otherwise applicable, and verification that downstream business partners, such as contractors, subcontractors and consultants, have complied with supply chain reporting obligations.
Service providers participating in the Cybersecurity Pilot Program face similar compliance obligations. They must submit Pilot FCC Form 474 to certify that reimbursement requests comply with Commission rules and program requirements. In addition to certifying compliance with section 6001.435, service providers must confirm whether disclosures under section 6001.335 were necessary and attest that entities across their supply chain, including contractors and consultants, have met the reporting requirements. Together, these measures are designed to strengthen oversight and reduce cybersecurity and supply chain risks across the program.
Under OMB Control No. 3060-1225, the FCC certifies one entity in each of 56 jurisdictions, including U.S. states and territories, to receive reimbursement from the Telecommunications Relay Services Fund for the National Deaf-Blind Equipment Distribution Program. Applicants must demonstrate their ability to meet certification requirements, comply with program rules and disclose any actual or potential conflicts of interest, along with steps taken to mitigate associated risks.
To strengthen oversight and supply chain security, participating providers must annually certify compliance with section 6001.435 of the Commission’s rules, confirm whether disclosures under section 6001.335 were required and ensure contractors, subcontractors and other supply chain partners have met reporting obligations. These measures are designed to improve accountability and reduce cybersecurity and supply chain risks across the program.
Furthermore, the agency certifies one entity across each of 56 U.S. jurisdictions to receive reimbursement for the National Deaf-Blind Equipment Distribution Program, requiring applicants to demonstrate operational capability, regulatory compliance and conflict-of-interest safeguards. To strengthen oversight, participating providers must also annually certify compliance with federal supply chain security rules, disclose any reportable issues and ensure contractors and other downstream partners meet required reporting obligations, reinforcing accountability and reducing cybersecurity and supply chain risks.
The notice detailed that the information collected by the FCC will help agency staff and program administrators strengthen oversight of federal programs by monitoring compliance, detecting waste, fraud and abuse, and preventing bad actors from accessing federal funds. Disclosure requirements enable the FCC to identify participants that have been suspended, debarred or involved in past misconduct, ensuring funding is directed only to responsible entities that serve the public interest.
Certifications from participants and their downstream partners also provide a key compliance safeguard, allowing the Commission to verify eligibility, enforce suspension and debarment rules, and improve accountability across the supply chain.
Earlier this year, the FCC updated its Covered List to include additional categories of communications equipment deemed to pose unacceptable risks to national security, acting on determinations made by federal national security authorities rather than independent agency discretion. The Covered List functions as a regulatory mechanism under the Secure and Trusted Communications Networks Act, prohibiting listed equipment from receiving FCC authorization, which is required for importation, marketing, or sale in the country.
The FCC’s move comes against the backdrop of the Salt Typhoon campaign, a long-running cyber espionage operation linked to Chinese state-backed actors that has repeatedly targeted global telecommunications and internet service providers. The activity involves sustained intrusions into telecom infrastructure, where attackers exploit vulnerabilities in network devices such as routers and edge systems to gain access and extract sensitive configuration data. In some cases, the threat actors have been able to establish persistent access and move laterally within provider environments, enabling deeper visibility into internal network traffic and communications systems.
The campaign has been associated with a broader pattern of intelligence gathering against critical communications infrastructure across multiple countries, including the U.S. and Canada. Security agencies have warned that the actors behind Salt Typhoon use compromised telecom networks to support surveillance objectives, including the potential interception of call records and messaging data. The operation is characterized by long-term persistence, exploitation of known vulnerabilities rather than zero-days, and a focus on telecom backbone systems that carry high volumes of sensitive communications.


