Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Foreign-made routers on the covered list: what changes for buyers?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: US authorities are restricting foreign-made consumer-grade routers from default sale in the US and requiring special approval, with China still supplying about 60% of routers sold in the market and TP-Link holding about 35%, according to Swarmnetics. The policy shifts router procurement from commodity buying to supply chain assurance, where origin, assembly, and firmware provenance now shape availability and risk decisions.

NHIMG editorial — based on content published by Swarmnetics: Foreign Internet Routers Restricted in US Over National Security Interests

By the numbers:

Questions worth separating out

Q: How should organisations evaluate router supply chain risk before procurement?

A: Treat router sourcing as a trust decision, not just a specification check.

Q: Why does foreign-made networking hardware create governance concerns for security teams?

A: Because routers sit at the boundary where traffic, remote administration, and segmentation controls depend on the device behaving predictably.

Q: What breaks when router procurement ignores component provenance?

A: Teams can end up standardising on devices that appear compliant at purchase time but are hard to defend later if regulators, auditors, or internal risk teams challenge the sourcing path.

Practitioner guidance

  • Inventory router models by sourcing path Classify current and planned devices by country of origin, final assembly location, and component sourcing so procurement can distinguish acceptable, conditional, and restricted options.
  • Require provenance evidence in procurement reviews Ask suppliers for bill of materials, firmware update governance, and assembly evidence before approving new router models for sensitive environments.
  • Segment legacy and new-device approval workflows Keep existing approved routers in a legacy support track while routing new purchases through a separate assurance review, especially where regulated networks or remote access paths are involved.

What's in the full analysis

Swarmnetics' full analysis covers the procurement and policy detail this post intentionally leaves for the source:

  • How the Covered List process changes approval paths for new router purchases
  • Which manufacturers may face faster or slower approval based on assembly and sourcing
  • What the policy could mean for availability, pricing, and supply constraints
  • How existing deployed routers remain supported under the new directive

👉 Read Swarmnetics' analysis of foreign-made router restrictions and supply chain risk →

Foreign-made routers on the covered list: what changes for buyers?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Supply chain trust is becoming a control plane for network infrastructure. The router market has traditionally been judged on price, throughput, and supportability, but this policy shows that origin and manufacturing path now influence whether a device can be safely adopted at scale. That does not make every foreign-built device unsafe, but it does mean procurement teams need a defensible trust model rather than a generic vendor shortlist. Practitioners should treat source assurance as part of architecture, not a late-stage purchasing check.

A few things that frame the scale:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37%.

A question worth separating out:

Q: Who is accountable when network hardware is later found to pose supply chain risk?

A: Accountability usually spans procurement, security architecture, and the business owner of the environment using the device. The control failure sits at the point where supplier assurance, architecture review, and operational acceptance should have intersected. Organisations should assign that decision explicitly rather than leaving it implicit in purchasing.

👉 Read our full editorial: Foreign-made routers face US approval rules over supply chain risk



   
ReplyQuote
Share: