The US Secure and Trusted Communications Networks Act, signed into law in March 2020 and effective from November that year, represents a cornerstone of federal efforts to protect the nation’s telecommunications infrastructure from security risks associated with high-risk suppliers. The Act prohibits US government agencies and federally funded projects from procuring, leasing, or maintaining telecommunications equipment or services from entities identified as posing national security threats. At the heart of this effort is the Federal Communications Commission’s (FCC) published list of “covered” or prohibited entities. For telecom operators, particularly those engaged in government contracts or benefiting from federal subsidies, auditing their network equipment suppliers against this list has become an essential element of supply-chain risk management.

The Act’s requirements go beyond government agencies themselves; they extend to any private telecom operator that receives federal funding or participates in programs such as the Universal Service Fund (USF). Such operators must ensure that their network infrastructure is free from equipment or services provided by vendors designated on the FCC’s prohibited entity list, including well-known companies flagged for connections to foreign adversaries or security vulnerabilities. Failure to comply can result in disqualification from federal programs, regulatory penalties, and reputational damage. As a result, telecom operators are increasingly formalizing their supplier due-diligence procedures, integrating FCC guidance into their procurement and contract management workflows.

To effectively audit network equipment suppliers for compliance with the Secure and Trusted Communications Networks Act, telecom operators should first establish a comprehensive supplier inventory. This inventory should catalog all network hardware, software, and services currently in use, as well as identify the original equipment manufacturers (OEMs), resellers, and service providers involved. Special attention should be given to core network components, including switches, routers, base stations, and transmission equipment. The inventory should also capture details of maintenance and support agreements, as these can involve prohibited entities even if the original hardware does not.

Once the supplier inventory is in place, operators should cross-reference each entity against the FCC’s published prohibited entity list. This list is updated periodically and made available through the FCC’s official website and related regulatory advisories. Operators can automate this process by integrating the FCC data feed with their vendor management systems, ensuring that any changes to the list trigger automatic rechecks of supplier records. For entities identified as high-risk, telecom operators should develop risk-mitigation plans, which may include phasing out affected equipment, securing alternative suppliers, or applying for reimbursement under federal rip-and-replace programs where eligible.
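
The cross-referencing and list-change recheck described above, sketched as an added example that is not part of the original article or any FCC tooling. The covered-list entries and inventory are constructed placeholders, and the record fields (`oem`, `reseller`, `maintenance`), the suffix list and the fingerprint-based trigger are assumptions about how an operator might model this.

```python
import hashlib
import re

# Constructed sample data: placeholder names, not entries from the real FCC list.
COVERED_LIST = ["Example Telecom Equipment Co., Ltd.", "Sample Video Systems Inc"]
INVENTORY = [
    {"asset": "core-router-01", "oem": "Acme Networks",
     "reseller": "Northwind Supply", "maintenance": "Example Telecom Equipment Co Ltd"},
    {"asset": "base-station-17", "oem": "EXAMPLE TELECOM EQUIPMENT CO., LTD",
     "reseller": "Northwind Supply", "maintenance": "Acme Networks"},
    {"asset": "edge-switch-04", "oem": "Acme Networks",
     "reseller": "Northwind Supply", "maintenance": None},
]

# Every party that touches an asset is checked, not only the manufacturer.
ROLES = ("oem", "reseller", "maintenance")
SUFFIXES = {"co", "ltd", "inc", "corp", "llc", "company", "limited"}

def normalize(name):
    """Lower-case, strip punctuation and corporate suffixes so spelling variants compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in SUFFIXES)

def list_fingerprint(entries):
    """Order-independent hash of the list, used to detect that it has changed."""
    canon = "\n".join(sorted(normalize(e) for e in entries))
    return hashlib.sha256(canon.encode()).hexdigest()

def audit(inventory, covered):
    """Return (asset, role, matched list entry) for every party found on the list."""
    covered_keys = {normalize(e): e for e in covered}
    findings = []
    for rec in inventory:
        for role in ROLES:
            party = rec.get(role)
            if party and normalize(party) in covered_keys:
                findings.append((rec["asset"], role, covered_keys[normalize(party)]))
    return findings

def recheck_if_changed(inventory, covered, last_fingerprint):
    """Re-run the audit only when the list differs from the last one processed."""
    fp = list_fingerprint(covered)
    if fp == last_fingerprint:
        return fp, None
    return fp, audit(inventory, covered)

if __name__ == "__main__":
    for asset, role, entry in audit(INVENTORY, COVERED_LIST):
        print(f"{asset}: {role} matches covered entry '{entry}'")
```

Normalized exact matching will not catch subsidiaries, affiliates or rebranded products, so a clean result still needs manual review of ownership and support relationships.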

In addition to internal audits, telecom operators are encouraged to publish supplier checklists on their company websites as a transparency and assurance measure. These checklists should provide stakeholders—including customers, regulators, and business partners—with clear information on how the operator ensures compliance with the Secure and Trusted Communications Networks Act. A well-structured checklist can include: (1) a summary of the company’s supply-chain security policy; (2) details of the due-diligence process for supplier vetting, including checks against the FCC’s prohibited entity list; (3) the frequency of supplier audits; (4) escalation procedures if prohibited equipment is discovered; and (5) commitments to periodic public updates.

Creating and publishing such a checklist can be accomplished in a few practical steps. First, the compliance or procurement team should draft the checklist in plain language, avoiding overly technical jargon so that it is accessible to a broad audience. The draft should be reviewed by legal and regulatory experts to ensure that it aligns with both federal requirements and the company’s contractual obligations. Next, the checklist should be formatted for online publication—typically as a dedicated webpage or downloadable PDF hosted on the company’s corporate responsibility or compliance portal. Operators should also consider providing a contact point for stakeholders to submit inquiries or concerns regarding the company’s supply-chain practices.

Regular updates to the published checklist are essential to maintain credibility and accuracy. Telecom operators should commit to reviewing and revising the checklist at least annually, or more frequently if significant changes occur—such as updates to the FCC’s prohibited entity list, changes in supplier relationships, or enhancements to the company’s supply-chain security processes. Operators may also choose to highlight major milestones in their supply-chain security efforts, such as the completion of rip-and-replace projects or the adoption of new supplier risk assessment tools.

The Secure and Trusted Communications Networks Act exemplifies how telecom supply chains are increasingly becoming a focal point for national security policy. For operators, compliance with the Act is not just a regulatory requirement but an opportunity to demonstrate leadership in supply-chain integrity and resilience. By proactively auditing suppliers, publishing transparent supplier checklists, and engaging with stakeholders on supply-chain security, telecom operators can build trust and position themselves as responsible stewards of critical infrastructure.

Telecom operators should prepare for continued evolution in supply-chain security regulations, as policymakers and regulators respond to emerging threats and technological developments. Investing now in robust supplier due-diligence frameworks, automated compliance tools, and transparent communication strategies will help operators stay ahead of regulatory expectations and safeguard their networks against future risks.