On March 23, 2026, the FCC added consumer-grade routers produced in foreign countries to its Covered List, effectively preventing new models in that category from receiving the approvals needed to be imported, marketed, or sold in the United States. The move was framed as a national security measure tied to growing concern over supply-chain risk and the role edge devices can play in major cyber campaigns.
At first glance, this sounds like a straightforward security win.
But for many organizations, there is a second-order risk hiding underneath it.
When uncertainty enters the market, businesses often do what feels prudent in the moment: they stop buying, delay upgrades, and try to stretch the life of what they already have. In this case, that instinct could quietly increase risk instead of reducing it.
That’s because routers, gateways, and other edge devices are not passive plumbing. They sit at the front door of the network. NIST describes routers as the gatekeepers of home and office connectivity, and warns that a compromised router can enable unauthorized access, data exposure, and attacks against connected systems. The FCC’s own supporting materials point to recent campaigns in which compromised routers were used as footholds, proxies, and pivot points in larger attacks against U.S. infrastructure.
So here’s the paradox:
A policy intended to reduce long-term supply-chain exposure may also create a short-term operational temptation to keep older hardware in service longer than organizations should.
That matters because aging network devices usually come with familiar security problems:
- delayed patching
- declining vendor support
- older management interfaces
- weaker visibility and logging
- growing compatibility gaps with current security tooling
And once devices reach end-of-support or fall behind on software maintenance, the risk profile changes fast. In February 2026, CISA ordered federal agencies to strengthen edge-device security and remove unsupported hardware and software specifically because unsupported edge systems create disproportionate risk.
To be clear, the FCC did not order businesses or consumers to rip out currently deployed routers. In fact, the agency issued a waiver allowing already authorized routers to continue receiving software and firmware updates, including vulnerability patches and compatibility fixes, through at least March 1, 2027.
But “still legal to use” is not the same thing as “strategically wise to keep indefinitely.”
This is where security leaders need to avoid two bad reactions at once.
The first is panic, where organizations assume every existing device is instantly unsafe.
The second is paralysis, where teams postpone refresh decisions, leave aging hardware in place, and wait for the market to sort itself out.
Neither response is mature risk management.
The better response is to treat this moment as a forcing function for smarter network governance.
That means inventorying every edge device in use, identifying where it was produced, confirming what support lifecycle it is on, reviewing whether it is still receiving meaningful firmware updates, and evaluating whether it aligns with current security expectations. It also means looking beyond the logo on the box. Procurement now has to include questions about manufacturing location, firmware assurance, update cadence, supply-chain transparency, and lifecycle support, not just price and throughput.
In other words, this is no longer just a purchasing conversation. It is a resilience conversation.
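The inventory review described above can be run as a repeatable check. The following is an added example, not code from the article or from the FCC, NIST or CISA: it triages a constructed device inventory, and the CSV columns, the `XX` country code, the 365-day firmware-staleness threshold and the choice to treat the waiver date as a planning horizon for foreign-produced devices are all assumptions.

```python
import csv
import io
from datetime import date

WAIVER_END = date(2027, 3, 1)  # waiver date given in the article ("through at least")
STALE_DAYS = 365               # assumed cutoff for "still receiving meaningful updates"
RANK = {"replace": 0, "review": 1, "ok": 2}

# Constructed sample inventory: hostnames, vendors, country codes and dates are made up.
SAMPLE = """hostname,vendor,produced_in,end_of_support,last_firmware
edge-hq-01,VendorA,US,2029-06-30,2026-02-10
edge-br-07,VendorB,XX,2028-01-31,2026-01-15
edge-br-12,VendorB,XX,2025-12-31,2024-03-02
edge-wh-03,VendorC,US,2027-09-30,2024-11-20
"""

def triage(inventory_csv, today, domestic="US"):
    """Return (hostname, priority, reasons) tuples, most urgent first."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        eos = date.fromisoformat(row["end_of_support"])
        last_fw = date.fromisoformat(row["last_firmware"])
        reasons = []
        if eos <= today:
            reasons.append("unsupported")
        if (today - last_fw).days > STALE_DAYS:
            reasons.append("stale-firmware")
        # Assumption: the article's waiver covers updates through at least
        # WAIVER_END, so foreign-produced devices are planned around
        # whichever comes first, vendor end-of-support or the waiver date.
        horizon = eos if row["produced_in"] == domestic else min(eos, WAIVER_END)
        if today < horizon and (horizon - today).days <= 365:
            reasons.append("refresh-within-12-months")
        if "unsupported" in reasons:
            priority = "replace"
        elif reasons:
            priority = "review"
        else:
            priority = "ok"
        results.append((row["hostname"], priority, reasons))
    return sorted(results, key=lambda r: RANK[r[1]])

if __name__ == "__main__":
    for host, priority, reasons in triage(SAMPLE, date(2026, 4, 1)):
        print(f"{host:12} {priority:8} {', '.join(reasons) or '-'}")
```

Run against a real asset export, the "review" rows are the ones most likely to drift into "replace" if refresh decisions are postponed.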
For some organizations, the biggest risk over the next 12 months may not be that a new router can’t be purchased from a familiar vendor. It may be that old equipment stays in place too long because the path forward feels inconvenient.
And attackers love inconvenience. It creates drift, delay, and blind spots.
The companies that navigate this transition well will not be the ones that freeze. They will be the ones that use this moment to modernize deliberately, validate their edge security posture, and make infrastructure decisions with both cyber risk and operational continuity in mind.
If your organization is unsure whether its current wireless and edge environment is still aligned with today’s threat landscape, now is the time to assess it, before uncertainty becomes exposure.
