The ROUTERS Act requires the Secretary of Commerce, through the Assistant Secretary for Communications and Information, to study national security risks and cybersecurity vulnerabilities posed by consumer routers, modems, and devices that combine a modem and router when those products are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the influence of a 'covered country.' The statute ties the term 'covered country' to the list in 10 U.S.C. 4872(f)(2).
This is a study mandate, not a ban or procurement rule: the bill compels Commerce to produce a report for two congressional committees within a fixed timeframe and to consult with its internal bureaus. For professionals in telecom compliance, procurement, and national-security policy, the bill creates an evidentiary step that could presage regulatory or procurement changes affecting imported consumer networking gear.
At a Glance
What It Does
Directs Commerce to evaluate national-security and cybersecurity risks from consumer routers, modems, and combo devices tied to entities influenced by a 'covered country,' and to deliver a report to specific congressional committees. The statute requires the Secretary to act through the Assistant Secretary for Communications and Information and to consult with appropriate Commerce bureaus.
Who It Affects
Manufacturers and suppliers of consumer networking equipment with ownership or control links to countries listed in 10 U.S.C. 4872(f)(2); U.S. retailers and broadband providers that import or resell such devices; federal procurement and national-security staff who rely on the study's findings.
Why It Matters
The bill creates a formal federal fact-finding effort that could support future procurement restrictions, mitigation guidance, or statutory remedies. It focuses federal attention on home and small-office network devices—pervasive attack surfaces that are often overlooked in enterprise-focused policy.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The bill is narrowly scoped: Commerce must study consumer routers, modems, and combined devices when those products are connected to entities that are owned, controlled, or otherwise subject to influence from a 'covered country' as defined by the cross-reference to 10 U.S.C. 4872(f)(2). The statutory language covers the entire lifecycle of such products as designed, developed, manufactured, or supplied by those entities, so the study can address hardware, firmware, supply-chain, and vendor-control risks.
Commerce must perform the study through the Assistant Secretary for Communications and Information and consult internally with 'appropriate bureaus and offices'—the bill does not mandate interagency partners, classified briefings, or external contractors, nor does it allocate additional funding. After completing the study, Commerce must submit a report to the House Energy and Commerce Committee and the Senate Commerce, Science, and Transportation Committee.Because the measure is a study and reporting requirement rather than a directive to change procurement, it creates an evidence base rather than immediate regulatory obligations.
That means the likely value for practitioners is the analysis and facts Commerce produces: documented vulnerabilities, supply-chain mappings, and risk assessments that Congress or agencies could use as the foundation for future rules, procurement guidance, or statutory proposals.The bill also leaves several implementation choices to Commerce: what methodologies to use, how to handle proprietary or classified information, and whether to rely on voluntary industry cooperation or independent testing. Those choices will shape how actionable the final report is for technology buyers and security teams.
The Five Things You Need to Know
The law requires Commerce to study "national security risks and cybersecurity vulnerabilities" tied to consumer routers, modems, and combo devices associated with entities linked to a covered country.
It defines 'covered country' by reference to 10 U.S.C. 4872(f)(2), rather than listing countries directly in the bill text.
The Secretary must carry out the study through the Assistant Secretary of Commerce for Communications and Information.
Commerce must consult with appropriate bureaus and offices within the Department while conducting the study, but the statute does not require interagency consultation or external participation.
Commerce must deliver a written report to the House Energy and Commerce Committee and the Senate Commerce, Science, and Transportation Committee no later than one year after enactment.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title
Establishes the act's common name: the 'Removing Our Unsecure Technologies to Ensure Reliability and Security Act' or the 'ROUTERS Act.' This provision is purely titular but signals congressional intent to frame consumer networking hardware as a national-security concern.
Scope of the study
Directs Commerce to study national-security risks and cybersecurity vulnerabilities posed by consumer routers, modems, and devices that combine a modem and router when those items are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to influence of a covered country. Practically, this language puts vendor ownership and control at the center of the analysis and allows Commerce to examine both technical vulnerabilities and governance/control vectors that could enable foreign influence or compromise.
Reporting requirement
Requires Commerce to submit a report to two congressional committees—the House Energy and Commerce Committee and the Senate Commerce, Science, and Transportation Committee—within one year of enactment. The bill specifies the recipients and the deadline but does not prescribe report format, required findings, or recommended actions, leaving those methodological choices to the Department.
Internal consultation
Mandates that Commerce consult with 'appropriate bureaus and offices' inside the Department while conducting the study. This creates an internal coordination obligation but does not compel Commerce to coordinate with other agencies (for example, DoD, DHS, or intelligence community), which may limit access to classified threat data or interagency perspectives.
Definitions and cross-reference
Defines 'covered country' by reference to 10 U.S.C. 4872(f)(2) and defines 'Secretary' as the Secretary of Commerce acting through the Assistant Secretary for Communications and Information. By using an external statutory cross-reference, the bill links its scope to an existing federal definition that can change only through amendment of that other statute.
This bill is one of many.
Codify tracks hundreds of bills on Technology across all five countries.
Explore Technology in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Congressional oversight committees — they receive a focused, single-source study that can support oversight hearings, legislation, or procurement scrutiny.
- National-security and cyber policy teams — they gain an official federal assessment of vulnerabilities in ubiquitous consumer networking equipment, which can inform mitigation priorities.
- Large network operators and enterprise security teams — they benefit from rigorously collected data about consumer-device risks that may affect home-worker endpoints and small-office networks connected to corporate environments.
- Consumer-protection and privacy advocates — they can use the study's findings to push for standards, labeling, or repairability and transparency measures aimed at securing consumer devices.
Who Bears the Cost
- Department of Commerce — responsible for conducting the study and coordinating internal consultation without any appropriation specified in the bill, creating a potential resource burden.
- Manufacturers and suppliers tied to 'covered countries' — they face scrutiny, reputational harms, and possible downstream procurement impacts if the report identifies risks linked to their products.
- U.S. retailers and small ISPs that import or resell affected devices — they may face increased compliance efforts, contractual pressures from enterprise customers, or demand-side shifts if the study leads to advisories or procurement changes.
- Trade-exposed suppliers and distributors — even absent immediate rules, subject companies could encounter market exclusion or higher due-diligence costs as buyers react to the findings.
Key Issues
The Core Tension
The central dilemma is speed versus rigor: lawmakers want a grounded federal assessment of risks from consumer networking gear tied to specific foreign influence, but a deliberate study risks delaying mitigation of active vulnerabilities; conversely, immediate bans or procurement restrictions based on incomplete evidence risk overreach, commercial harm, and trade complications. The bill chooses deliberation, placing the burden on Commerce to bridge the need for authoritative analysis with the urgency of protecting networks.
The bill mandates a study but deliberately stops short of prescribing remedies, creating a classic 'analysis without action' posture. That gives Commerce flexibility to design methodologies and determine what to publish, but it also allows the Department to produce a report that is technically thorough yet politically inconclusive.
Practitioners should anticipate a range of possible outcomes—from noncontroversial risk inventories to aggressive recommendations—because the statute imposes neither content requirements for the report nor follow-on duties for agencies or industry.
Implementation choices are consequential and under-specified. The bill limits mandated consultation to bureaus and offices within Commerce, which could constrain access to classified threat intelligence or interagency technical expertise (for example from DoD, DHS, or the intelligence community).
The cross-reference to 10 U.S.C. 4872(f)(2) centralizes the definition of 'covered country' but also ties the study's scope to a list that can lag behind evolving geopolitical risk. Finally, the statute contains no appropriation language or explicit authority to compel proprietary data from vendors, so Commerce's ability to perform exhaustive supply-chain testing may be limited by resource, legal, or cooperation constraints.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.