April 8, 2020
President Donald J. Trump issued an Executive Order on April 4, 2020 creating the Committee for the Assessment of Foreign Participation in the Telecommunications Services Sector (Committee) to assist the Federal Communications Commission (FCC) review of telecommunications applications and licenses for national security and law enforcement interests. This Order formalizes the current Team Telecom review process.
The Order is the most recent act in a series of events. Specifically, legislation in March 2020 provided small telecommunications providers with $1 billion to replace equipment in their networks made by Huawei and ZTE. This funding was authorized in the wake of security-related objections to Huawei’s participation in the United Kingdom’s 5G network and U.S. Government action last fall against Huawei. Taken together, these events reflect increasing U.S. concern about the security of telecommunications networks, particularly from Chinese companies. Similarly, last spring an Executive Order was issued to secure the IT supply chain and proposed Treasury regulations.
The committee will operate in close coordination with the recently-enhanced Committee on Foreign Investment in the United States (CFIUS) to secure the U.S. telecommunications network. Collectively, these initiatives reflect the government’s expanded regulatory authority over national security risks particularly impacting companies operating in the telecommunications, IT, and technology sectors.
Overview of Executive Order
Authority and Membership: The Committee is tasked to review applications and existing licenses that involve foreign participation in the U.S. telecommunications network for risks to national security and law enforcement interests, and to respond to identified risks by recommending denial or revocation, or implementation of required mitigation measures. The Committee’s membership consists of the Attorney General (also the Committee Chair), Secretary of Defense, and Secretary of Homeland Security, and the head of any other executive department or agency designated by the president. The Committee also has at least eleven advisor members, as reflected below.
Review and Assessment Process: Upon FCC referral to the Committee of a license application or existing license, the Committee may require the parties to respond to questions or information requests. The Director of National Intelligence concurrently conducts a national security assessment. Once information gathering is complete, the Committee has 120 days to conduct an initial review to determine whether the application or existing license poses a risk to national security or law enforcement interests. Where the Committee requires additional time to assess or determine mitigation for possible risks, it is authorized to conduct a 90-day secondary assessment. The Committee must treat the gathered information as classified/protected information but allows for sharing of the information with other government entities in very limited circumstances, including with CFIUS in connection with a transaction review.
Upon completion of its review, the committee may make one of three recommendations to the FCC:
- Approval without objection;
- Approval subject to required mitigation measures addressing identified risks; or
- Denial or revocation due to the risk to the national security or law enforcement interests of the U.S.
Mitigation Measures: Mitigation measures may be negotiated between the Committee and the parties, and the Order contemplates the use of both “standard” and “non-standard” mitigation measures, though these categories are broadly defined. The Committee also is charged with monitoring compliance with required mitigation measures. Failure to comply may result in revocation of the license.
What the Order Means for Telecommunications Companies
Information Requests: The Committee may seek information from applicants, licensees, or other entities to further its review and assessment of applications and licenses. Providing detailed, complete, and accurate information will be crucial to facilitating Committee review of an application.
Know Your Partners: Understanding the extent of potential foreign participation in a telecommunications network requires understanding the parties involved, including at third or fourth levels of the supply chain, and identifying their ultimate beneficial ownership.
Design for Success: Companies preparing an FCC license application that may be reviewed by the Committee should proactively identify and seek to address potential national security risks, including identification of potential alternate domestic partners, suppliers, or vendors, or prophylactic mitigation measures. Parties that actively prepare will be better able to engage effectively with the Committee during review. Those that do not will enter the review process blind.
Retroactive Review: The Committee is empowered to retroactively review existing licenses. Current license holders should conduct a national security risk assessment to identify potential risks and consider whether any proactive measures may be appropriate to prepare for or reduce the risks associated with potential Committee review.
Mitigation Measures: As with CFIUS review, the Committee may impose mitigation measures, and non-compliance will put the license at risk. Definition and negotiation of credible and executable mitigation measures is key to success. Once mitigation measures are agreed to, companies need to implement effective, consistent controls that demonstrate compliance with required measures.
How we can help companies and counsel
Our National Security, Trade & Technology team successfully navigates the ever-changing national security regulatory review environment for clients and their counsel. We have deep telecommunications sector experience, including helping clients address a range of FCC regulatory matters. Our relevant services include:
License Risk Analysis and Diligence: Parties that currently hold an FCC license or are preparing a license application potentially subject to Committee review need to understand the process and the national security threats and vulnerabilities that the U.S. Government will associate with the application. Our professionals include former U.S. Government intelligence officials who developed the national security threat assessment process used in CFIUS reviews and the Team Telecom process. Our team identifies threat actors and vectors that may be considered U.S. national security risks and provides analyses of such threats to clients seeking to best position themselves in Committee reviews.
Mitigation Planning and Implementation: Adequate preparation will be critical for a successful Committee review. Transactions need to be designed and mitigation strategies developed to proactively address the national security and law enforcement risks the Committee will scrutinize. We work with clients and their counsel to develop and implement mitigation proposals and measures that effectively address national security concerns, including policies, procedures, and operational processes for sensitive data protection, cybersecurity protocols, personnel screening, and physical access controls.
Third-Party Monitorship (TPM): As with CFIUS, the Committee may require independent third-party monitors to oversee and verify the parties’ compliance with required mitigation measures. We currently serve as TPM for multiple national security mitigation agreements. Our professionals are market leaders in the design and implementation of independent monitoring solutions and have decades of collective experience with management and oversight of mitigation controls.
Compliance Audit: The Committee may also require independent third-party compliance audits to verify compliance with mitigation requirements. We have directly audited national security-related mitigation measures as well as conducted subject-matter specific audits of internal operations, cybersecurity, data protection, and export controls. We assist parties developing customized mitigation audit plans, performing comprehensive audits, and providing independent reporting on compliance with mitigation requirements.