Firewalla: on Recent FCC Regulatory Developments
Hi everyone,
Over the past few days, many of you have reached out asking how the FCC's March 23rd update regarding foreign-manufactured consumer-grade routers might affect us. We want to be completely transparent with our community about where we stand and where we are going.
First, we actually think it is fantastic that the FCC is shining a spotlight on the importance of network cybersecurity! We have existed since 2016 specifically to protect networks.
We may be a small fish in the massive networking industry, but our agility is our superpower. Our CEO and co-founders are still in the trenches every day—designing, coding, inventing new features like the DAP, and answering your questions on Reddit, with the single most important goal: to secure the world.
Firewalla’s software is open source (https://github.com/firewalla) and is being contributed to, tested, inspected, and watched by many around the world. Our platform is also open; you can always see what’s going on inside.
While Firewalla devices route traffic, we don't define ourselves as a "consumer-grade router." We build comprehensive, kick-ass security devices. These integrate advanced firewalls, IDS, IPS, RADIUS, complex VPN, DNS, and Zero Trust Architecture. They are specifically tailored for prosumers, small businesses, professional installers, and commercial networks. Our focus has always been, and always will be, defending your networks against cyber attacks and keeping your families and employees safe.
[[ draft: at the moment, we do NOT see Firewalla products as fitting the NIST IR 8425A definition of a consumer-grade router; we may change the wording of this response later
The FCC’s Covered List action in DA-26-278 adopts the NIST definition and associated profile for 'consumer-grade routers.' As the FCC noted, 'the presumption for consumer equipment or small businesses that use consumer-grade equipment is that the manufacturer cannot assume the user has cybersecurity expertise or the ability to take significant action to secure the product' (NIST IR 8425A; see also FCC DA-26-278). In contrast, our device is explicitly designed with the expectation that users have a baseline level of cybersecurity expertise in order to properly install and manage the device, including but not limited to actively interpreting security alerts, making policy decisions (e.g., block or allow traffic), and managing exceptions. Because our device depends on informed user participation and the very ability to take 'significant action' rather than passive operation, it fundamentally does not align with the NIST/FCC characterization of consumer-grade routers underlying the FCC’s Covered List action in DA-26-278.
]]
Here is what you need to know about how the FCC's update impacts Firewalla:
- Existing Products are Safe: While we await further regulatory clarity, all of our existing products remain fully authorized for sale, use, and ongoing support. Your current networks are secure and uninterrupted.
- The Upcoming Switch is on Track: As many of you know, we are actively developing a new switch. We do not anticipate this product being impacted by the new guidelines, and we are still pushing for a summer launch!
- For any new products, we will follow FCC recommendations and either accelerate our efforts to move manufacturing to the USA or receive conditional approval from the FCC, if needed.
We are incredibly grateful to serve such a wonderful, engaged customer base all over the world. Thank you for continuing to trust us with your network security.
Cheers,
Firewalla Team
Reference
https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8425A.pdf
Appendix C. Consumer-Grade Router Acquisition Scenarios Discussion
Routers are network devices that forward data packets, most commonly Internet Protocol (IP) packets, between networked systems. Their physical interfaces may be a combination of wired (e.g., Ethernet) and wireless (e.g., Wi-Fi, long term evolution (LTE), 5G). Consumer-grade identifies those routers that may appear in an individual’s residence such that their primary use case is residential rather than enterprise, industrial, etc. However, some small businesses may choose to use consumer-grade equipment given the limited performance needs of those businesses. The presumption for consumer equipment or small businesses that use consumer-grade equipment is that the manufacturer cannot assume the user has cybersecurity expertise or the ability to take significant action to secure the product.