DA 21-1234 Released: September 30, 2021 WIRELINE COMPETITION BUREAU ANNOUNCES BEST PRACTICES FOR EQUIPMENT DISPOSAL AND REVISES FCC FORM 5640 CERTIFICATIONS FOR THE SECURE AND TRUSTED COMMUNICATIONS NETWORKS REIMBURSEMENT PROGRAM WC Docket No. 18-89 By this Public Notice, the Wireline Competition Bureau (Bureau) provides guidance and voluntary best practices regarding the Secure and Trusted Communications Networks Reimbursement Program (Reimbursement Program) disposal and verification requirements to assist providers of advanced communications services participating in the Reimbursement Program.1 The Bureau finds that the best practices set forth in this guidance comply with the requirements in section 1.50004(j) of the Commission’s rules.2 Reimbursement Program participants are free to choose alternative approaches to comply with the Reimbursement Program’s disposal and verification requirements. In such instances, the Commission will review the specific circumstances to determine whether or not the alternative approach selected by the provider complies with the disposal and verification requirements set forth in section 1.50004(j) of the Commission’s rules. Separately, pursuant to section 1.108 of the Commission’s rules,3 the Bureau reconsiders and revises, on its own motion, the certifications contained in FCC Form 5640 Application Request for Funding Allocation and the Reimbursement Claim Request that the Bureau adopted in the Finalized Reimbursement Process Public Notice.4 These revised certifications will further protect the Reimbursement Program against waste, fraud, and abuse. The Bureau also makes minor corrections to 1 See 47 CFR § 1.50004(j). The rules adopted by the Commission in section 1.50004, and cited herein, contain new or modified information collection requirements subject to approval from the Office of Management and Budget (OMB) pursuant to the Paperwork Reduction Act of 1995, Pub. L. 104-13, before becoming effective. Accordingly, those rule subparts requiring OMB approval are currently denoted as “reserved” in the Electronic Code of Federal Regulations, eCFR.gov. To find the full text of the adopted rule, see Appx. A to the 2020 Supply Chain Order, as amended by Appx. A to the 2021 Supply Chain Order. Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs, WC Docket No. 18-89, Second Report and Order, 35 FCC Rcd 14284, 14374-83, Appx. A (2020) (2020 Supply Chain Order); Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs, WC Docket No. 18-89, Third Report and Order, FCC 21-86, 2021 WL 3024271, at 49-51, Appx. A (Jul. 14, 2021) (2021 Supply Chain Order). 2 47 CFR § 1.50004(j). 3 See id. § 1.108. 4 Wireline Competition Bureau Finalizes Application Filings, Procedures, Cost Catalog, and Replacement List for the Secure and Trusted Communications Networks Reimbursement Program, WC Docket No. 18-89, Public Notice, DA 21-947, Appx. A & B (WCB Aug. 3, 2021) (Finalized Reimbursement Process Public Notice). Federal Communications Commission DA 21-1234 certain cost estimates incorrectly identified in the Final Catalog of Eligible Expenses and Estimated Costs (Cost Catalog) adopted in the Finalized Reimbursement Process Public Notice.5 Background. As required by the Secure and Trusted Communications Networks Act of 2019 (Secure Networks Act), as amended, the Commission established the $1.9 billion Reimbursement Program to reimburse eligible providers of advanced communications service, with ten million or fewer customers, for reasonable costs incurred when removing, replacing, and disposing of covered communications equipment and services from their networks.6 Covered communications equipment and service for purposes of the Reimbursement Program are currently limited to the equipment and service produced or provided by Huawei Technologies Company (Huawei) or ZTE Corporation (ZTE), that was obtained on or before June 30, 2020.7 Disposal and Verification Obligations. In accordance with the Secure Networks Act, the Commission adopted a rule requiring Reimbursement Program participants to: (1) “dispose of the covered communications equipment and services in a manner to prevent the equipment or service from being used in the networks of other advanced communications service providers;” and (2) “retain documentation demonstrating compliance with this requirement.”8 The disposal, according to the Commission, “must result in the destruction of the covered communications equipment or service, making the covered communications equipment or service inoperable permanently,” and participants “must retain documentation demonstrating compliance with this requirement.”9 The Commission also specifically prohibited the “transfer of covered communications equipment or service to non-U.S. providers in an operable state that would allow for use of the equipment or service in another provider’s network, foreign or domestic.”10 The Commission expected the Bureau to provide participants with additional guidance with the disposal and verification process.11 5 See id. at 26, para. 73; id., Appx. C. 6 Secure Networks Act § 4(a); 47 U.S.C. § 1603(a); see 47 U.S.C. §§ 1603(c), 1608 (stating “‘advanced communications service’ has the meaning given the term ‘advanced telecommunications capability’ in section 706 of the Telecommunications Act of 1996”); Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs, WC Docket No. 18-89, Report and Order, Further Notice of Proposed Rulemaking, and Order, 34 FCC Rcd 11423, 11475-76, para. 140 (2019) (2019 Supply Chain Order and Further Notice); 2021 Supply Chain Order at 21, para. 46. 7 2021 Supply Chain Order, 2021 WL 3024271, at 49-51, Appx. A; see generally Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs – Huawei Designation, PS Docket No. 19-351, Order, 35 FCC Rcd 6604 (PSHSB 2020); Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs – ZTE Designation, PS Docket No. 19-352, Order, 35 FCC Rcd 6633 (PSHSB 2020); see 47 CFR § 1.50004(a)(1)-(2) (effective Sept. 30, 2021). 8 Secure Networks Act § 4(d)(7); 47 U.S.C. § 1603(d)(7); 47 CFR § 1.50004(j). The disposal and verification requirements apply to covered communications equipment and service produced or provided by Huawei and ZTE. See 47 CFR § 1.50004(a)(1)-(2), (j). Accordingly, other ancillary equipment and service removed in connection with the removal, replacement, and disposal of the communications equipment produced or provided by Huawei and ZTE would not be subject to the requirements of section 1.50004(j) of the Commission’s rules. See id. § 1.50004(j). 9 47 CFR § 1.50004(j). 10 2020 Supply Chain Order, 35 FCC Rcd at 14358, para. 179 (citing Puerto Rico Telecommunications Company Section 4 Public Notice Reply at 9-10). However, the Commission allowed providers to satisfy the Commission’s disposal requirements “‘by documenting their transfer of removed equipment to third parties tasked with destruction or other disposal of the equipment.’” Id. (quoting CCA Section 4 Public Notice Comments at 10). 11 Id. 2 Federal Communications Commission DA 21-1234 Best Practices Overview. Based on comments addressing the disposal process filed in this docket, presentations from entities with disposal experience,12 and Bureau staff’s review of similar disposal processes, we identify certain voluntary “best practices,” attached in Appendix A, to help guide participants as they fulfill their Reimbursement Program disposal and verification obligations.13 These best practices include procedures to effectuate equipment removal, data destruction, media sanitization, storage, transportation, physical destruction and recycling, and also cover the selection of certified data sanitization services, equipment destruction services, and electronic waste (e-waste) recycling services. The best practices further discuss documentation sufficient to demonstrate compliance, including the use of detailed equipment inventories, certificates of media disposition, and certificates of destruction. While the best practices are voluntary, we find that these practices will help companies meet their disposal obligations efficiently, while also ensuring the safe and secure removal and disposal of covered communications equipment and services that pose a national security threat consistent with the Secure Networks Act and the Commission’s rules. Providers can employ alternative compliance measures, but risk the Commission subsequently finding that such measures are not in compliance with section 1.50004(j) of its rules. Non-compliance can result in the assessment of fines and forfeitures by the Commission14 and can also result in additional enforcement actions provided for in section 1.50005 of the Commission’s rules, including the repayment of Reimbursement Program funding.15 The Commission directed the Office of Managing Director (OMD), or a third-party identified by OMD, to prepare a system to conduct audits and field investigations to ensure Reimbursement Program participants are acting in compliance with the Commission’s rules.16 These audits and field investigations will include the inspection of documentation to verify compliance with the disposal and verification requirements in section 1.50004(j) of the Commission’s rules.17 Providers participating in the Reimbursement Program are likely to encounter different categories of covered communications equipment and services. These different categories may pose different security threats based on their individual capabilities, including processing and/or retaining sensitive network or customer identifiable information. Therefore, as part of the best practices, we identify recommended practices for treating covered communications equipment based on the category of equipment. We understand that it may be more efficient for a destruction company to destroy and recycle a large amount of equipment at once, for example, by destroying all equipment in a box at one time that may include a combination of the categories of equipment described below, and we defer to both the 12 See Letter from Jared M. Carlson, Vice President, Government Affairs and Public Policy, Ericsson, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 18-89, at 1 (filed June 18, 2021) (Ericsson June 18, 2021 Ex Parte) (requesting “further guidance from the Commission regarding the level of detail required from operators disposing of equipment”); Comments of Competitive Carriers Association, WC Docket No. 18-89, at 4 (filed Apr. 26, 2021) (CCA Cost Catalog Public Notice Comments) (requesting “additional detail regarding what information will be necessary to satisfy [the disposal] documentation requirement”); Letter from Carri Bennet, General Counsel, Rural Wireless Association, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 18-89 (Jul. 13, 2021) (RWA Jul. 13, 2021 Ex Parte); Letter from Andrew C. McManus, General Manager, Gannon & Scott, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 18-89 (Aug. 31, 2021) (Gannon & Scott Ex Parte); Letter from Brodie Ehresman, Director of Marketing and Business Development, Advanced Technology Recycling, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 18-89 (Sept. 3, 2021) (ATR Ex Parte); Letter from Caressa Bennet et al., Counsel for Teltech Group, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 18-89 (Sept. 17, 2021) (Teltech Letter). 13 See 47 CFR § 1.50004(j). 14 47 U.S.C. § 503; 47 CFR § 1.80. 15 47 U.S.C. § 1606; 47 CFR § 1.50005. 16 2020 Supply Chain Order, 35 FCC Rcd at 14362, para. 193; see 47 U.S.C. § 1603(e) (directing the Commission to “take all necessary measures to avoid waste, fraud, and abuse with respect to the [Reimbursement] Program”); 47 CFR § 1.50004(o) (subjecting Reimbursement Program recipients to “audits and other investigations to evaluate compliance with the statutory and regulatory requirements for the Reimbursement Program”). 17 See 47 U.S.C. 1603(e); 47 CFR § 1.50004(j), (n). 3 Federal Communications Commission DA 21-1234 provider and the destruction company as to the most efficient process to achieve the required disposal obligation. The categories are organized by level of risk, starting with equipment posing the highest risk, based on whether the equipment retains or processes data.18 Category 1 equipment is equipment that processes and retains data. Category 2 equipment is equipment that processes but does not retain data. Category 3 equipment is equipment that does not retain or process data. For category 1 equipment, we recommend the provider sanitize any media, followed by physical destruction and then recycling.19 For category 2 equipment, we recommend physical destruction and then recycling.20 For category 3 equipment, we recommend recycling this equipment.21 We will consider category 3 equipment as “inoperable” if permanently dismantled from other communications equipment and services and it is unable to be reconnected to any other communications equipment. Reimbursement Program participants are encouraged to retain certain documentation, based on the categories of covered communications equipment, including certificates of media disposition and certificates of destruction, which will help participants and the Bureau verify compliance with their disposal and verification obligations. Guidance is also provided on selecting certified disposal services and e-waste recyclers. If using a third party, the Bureau recommends using a company that provides complete asset management solutions, from removal to destruction, including transportation and chain of custody tracking to avoid the potential for misplaced or lost equipment containing sensitive information. Providers may utilize one company for the entire disposal and recycling process, or different companies for different aspects of the disposal and recycling process based upon the categories of covered communications equipment outlined above.22 Because the Commission in the 2020 Supply Chain Order prohibited the transfer of operable covered communications equipment or service to non-U.S. providers, we recommend providers use U.S. disposal companies that conduct the disposal process on U.S. soil.23. Equipment is still considered operable until it is properly disposed. In particular, we recommend providers use a U.S. disposal company registered with the U.S. Department of State’s Directorate of Defense Trade Controls pursuant to the International Traffic in Arms Regulations (ITAR).24 We agree with Advanced Technology Recycling that “utilizing ITAR processing guidelines is an ideal mechanism to ensure sensitive electronics as outlined in the [Secure Networks Act] are properly disposed of in a manner that protects national security.”25 While the covered communications equipment may not fall within the scope of ITAR,26 we find that an ITAR-registered 18 While section 1.50004(j) of the Commission’s rules apply to covered communications equipment and service, we expect Reimbursement Program participants, to the extent they are disposing of non-covered communications equipment and service, to do so in an environmentally responsible manner. 19 Category 1 equipment examples include Mobility Management Entity and Home Subscriber Server equipment, which process and retain network and customer proprietary data. 20 Category 2 equipment examples include Antenna Array Units, Radio Units, Baseband Units, and Control Units. 21 Category 3 equipment examples include cables, brackets, cabinets, and miscellaneous components. 22 See 2020 Supply Chain Order, 35 FCC Rcd at 14358, para. 179. 23 Id. 24 See 22 CFR § 122.1 et seq. (ITAR registration and certification requirements); see generally 22 CFR §§ 120-130; U.S. Dept. of State, Directorate of Defense Trade Controls, The International Traffic in Arms Regulations, https://www.pmddtc.state.gov/ddtc_public?id=ddtc_kb_article_page&sys_id=%2024d528fddbfc930044f9ff621f961 987 (last visited Sept. 17, 2021). 25 ATR Ex Parte at *2. 26 The U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) offers a tool to help users determine whether an article is subject to ITAR. See DDTC, https://www.pmddtc.state.gov/ddtc_public?id=ddtc_ public_portal_dt_order_of_review (last visited Sept. 17, 2021). 4 Federal Communications Commission DA 21-1234 disposal company will likely have the procedures in place and the facilities necessary to effectively handle the safe and secure destruction of covered communications equipment, including the most sensitive equipment.27 We find that, based on the record, ITAR-registered companies likely can provide complete asset management services, including tracking equipment, maintaining records, and documentation and certifying destruction.28 According to Advanced Technology Recycling, “ITAR registered service providers must follow strict disposal guidelines to ensure scrap materials generated throughout the disposal process remain on U.S. soil and be processed exclusively by U.S. persons.”29 ITAR-registered companies are required to maintain records concerning manufacture, acquisition, and disposition of defense articles, including technical data, subject to ITAR,30 and are subject to civil and criminal penalties for violations.31 According to Advanced Technology Recycling and Gannon & Scott, ITAR-registered companies may also hold e-waste recycling or other certifications and provide media sanitization services, allowing for a one-stop disposal facility to handle the disposal of different categories of equipment according to the best practices outlined in Appendix A.32 We agree with Teltech Group that through the disposal process we should “consider environmental issues” so that the covered communications equipment “do not create environmental problems.”33 Accordingly, the Bureau recommends for providers to recycle covered communications equipment to ensure the secure and environmentally responsible disposal of equipment as recommended by the Environmental Protection Agency (EPA).34 Consistent with EPA guidelines, the Bureau recommends utilizing electronic waste (e-waste) recyclers that are certified by either the Responsible Recycling (R2) Standard for Electronics Recyclers or the e-Stewards Standard for Responsible Recycling and Reuse of Electronic Equipment (e-Stewards).35 As noted above, ITAR-registered companies may also hold R2 and e-Stewards certifications. For example, according to Advanced Technology Recycling, as an ITAR-registered disposal company, disposal processes are “carried out … at R2 certified and ITAR registered facilities.”36 27 See ATR Ex Parte at *2; Gannon & Scott Ex Parte. 28 See Wireline Competition Bureau Seeks Comment on a Report and Preliminary Cost Catalog and Replacement List to Help Providers Participate in the Supply Chain Reimbursement Program, WC Docket No. 18-89, Public Notice, 36 FCC Rcd 5770, 5848, Appx. A at 71 (WCB 2021) (Cost Catalog Public Notice) (“ITAR registered recyclers are in a position to effectively track individual items, facilitate secure logistics, provide complete destruction services, maintain records, provide documentation and certification of destruction.”); ATR Ex Parte at *2-8; see also Gannon & Scott Ex Parte at 1. 29 ATR Ex Parte at *2. 30 See 22 CFR § 122.5(a). 31 See id. § 127.3. 32 See ATR Ex Parte at *2 (noting that “[u]nder ITAR regulations,” disposal processes are “carried out by authorized and vetted U.S. persons, at R2 certified and ITAR registered facilities”); Gannon & Scott Ex Parte. 33 Teltech Group Letter at 4. 34 EPA, Certified Electronics Recyclers, https://www.epa.gov/smm-electronics/certified-electronics-recyclers (last visited Sept. 27, 2021). 35 Id.; E-Stewards, e-Stewards, http://e-stewards.org/ (last visited Sept. 27, 2021); SERI, R2, https://sustainableelectronics.org/r2/ (last visited Sept. 27, 2021); see Ericsson June 18, 2021 Ex Parte at 1 (noting that Ericsson holds its recycling partners to R2 and EPA standards). This is consistent with the Commission leaving open the possibility of participants utilizing third-party certified electronic recyclers as encouraged by COMSovereign. See 2020 Supply Chain Order at 14358, para. 179 n.516 (citing COMSovereign Section 4 Public Notice Comments at 10); see also id. at 14358, para. 179 (agreeing with the Competitive Carriers Association (CCA) that program participants could satisfy their disposal obligations “‘by documenting the transfer of removed equipment to third parties tasked with destruction or other disposal of the equipment’”). 36 ATR Ex Parte at *1-2. 5 Federal Communications Commission DA 21-1234 The best practices also provide guidance on disposal verification documentation. We recommend providers retain shipping or transportation documentation, including detailed inventories supported by an affidavit, dates, locations, transportation service provider name, and means of transportation. These may be kept individually or as part of a larger asset management solution.37 Reimbursement Program participants are encouraged to retain documentation, including certificates of media disposition and certificates of destruction, that will help participants and the Bureau verify compliance with their disposal and verification obligations. These recommendations reflect input received from the Rural Wireless Association, Teltech Group, and the Competitive Carriers Association on the importance of tracking the removal and destruction of covered equipment and on clarifying the “level of detail any documentation will need to contain to be compliant.”38 In sum, these best practices will help ensure the security of sensitive data processed or retained by the covered equipment, including network and customer proprietary information, from unauthorized access. These best practices will also help participants comply with the requirements of section 1.50004(j) of the Commission’s rules, to ensure that covered communications equipment and service that pose an unacceptable risk to the national security of the United States or the security and safety of United States persons is made inoperable and recycled in an environmentally safe manner. Prospective-Only Guidance. The Rural Wireless Association asserts that some of its “members have already completed the destruction of, or are in the process of disposing of,” covered communications equipment.39 Providers of advanced communications services that have already removed and disposed of covered communications equipment or services could not have known the best practices provided in Appendix A. Accordingly, we will take this into account when evaluating compliance with section 1.50004(j) for disposal occurring prior to the release of these best practices. We expect providers have acted reasonably, however, in carrying out the safe and secure disposal of covered communications equipment and have retained sufficient documentation to verify the disposal efforts taken.40 To the extent that covered communications equipment is still in a provider’s custody and not destroyed, providers are encouraged to follow the disposal guidance provided herein going forward. Reimbursement Program Certifications. Additionally, the Bureau, on its own motion pursuant to section 1.108 of the Commission’s rules,41 hereby reconsiders and revises the certifications contained in the FCC Form 5640 Application Request for Funding Allocation and the Reimbursement Claim Request.42 These revised certifications, included in Appendix B, are consistent with the certifications 37 See Teltech Letter at 2 (describing how an asset management solution was used to decommission a Huawei network). 38 CCA Cost Catalog Public Notice Comments at 4; see RWA Jul. 13, 2021 Ex Parte at 1 (noting Teltech Group’s asset management capabilities to track equipment by “location, serial numbers and a multitude of granular levels”); ATR Ex Parte at *8 (recommending “only ITAR registered companies that can establish a secure chain of custody from the originating customers location all the way to an ITAR approved processing facilities be utilized”); Teltech Letter at 4 (noting Teltech’s asset management tool, TAM 2.0, which purports to provide clients with tracking capabilities for “Huawei and ZTE equipment removed from U.S. carrier networks throughout the reverse logistics life-cycle”). 39 Letter from Carri Bennet, General Counsel, RWA, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 18-89, at 1 (Sept. 14, 2021) (RWA Sept. 14, 2021 Ex Parte). 40 This is consistent with language in the 2020 Supply Chain Order, whereby the Commission applauded providers for proactively taking steps to increase the security of their networks by proactively removing and replacing covered communications equipment prior to the establishment and funding of the Reimbursement Program. 2020 Supply Chain Order, 35 FCC Rcd at 14340, para. 130. For those companies that proactively began the process, the Commission allowed them to be reimbursed for reasonable costs incurred as part of their removal, replacement, and disposal. 41 See 47 CFR § 1.108. 42 See Finalized Reimbursement Process Public Notice, Appx. A & B. 6 Federal Communications Commission DA 21-1234 recently employed for other funding programs implemented by the Commission and will further protect the Reimbursement Program from waste, fraud, and abuse.43 The Commission directed the Bureau to “create one or more forms to be used by entities to claim reimbursement from the Reimbursement Program, to report on their use of money disbursed and the status of their construction efforts, and for any other Reimbursement Program-related purposes.”44 The Commission also delegated authority to the Bureau to “adopt the necessary policies and procedures relating to allocations, draw downs, payments, obligations, and expenditures of money from the Reimbursement Program to protect against waste, fraud, and abuse . . . .”45 In the Reimbursement Process Public Notice, the Bureau sought comment on the proposed information fields for FCC Form 5640, including the form certifications required by applicants.46 The Bureau finalized the FCC Form 5640 Application Request for Funding Allocation and Reimbursement Claim Request in the Finalized Reimbursement Process Public Notice.47 The Bureau, on its own motion, now reconsiders and revises these FCC Form 5640 certifications. The revised certifications largely track the substance of the prior certifications that were derived from the Secure Networks Act and the Commission’s rules.48 However, to further protect the Reimbursement Program from waste, fraud, and abuse and to align the certifications with other recently implemented funding programs by the Commission, we have added additional certifications.49 For example, we now explicitly require certifying officials to certify that they are authorized to certify on behalf of the applicant. The certifying official must also acknowledge that any false, fictitious, or fraudulent information or statement, or the omission of any material fact on the form or any other documents submitted may subject the participant to fine or forfeiture under the Communications Act,50 fine or imprisonment under Title 18 of the United States Code,51 or liability under the False Claims Act.52 The Bureau also requires certifying officials to acknowledge that failure to comply with the statute, rules, and orders governing the Reimbursement Program could result in civil and criminal prosecution by law enforcement authorities. The certifying official must further certify that the applicant will not use Reimbursement Program funds for any portion of expenses that have been or will be reimbursed by other 43 See 47 U.S.C. § 1603(e); see also FCC, Emergency Broadband Benefit, https://www.fcc.gov/broadbandbenefit (last visited Aug. 27, 2021); 47 CFR § 54.1608(e)(12)-(15) (requiring an officer of a provider participating in the Commission’s Emergency Broadband Benefit Program to certify as part of each request for reimbursement: “that the provider neither received nor paid kickbacks,” “information contained in this form is true, complete, and accurate,” “the officer is aware that any false, fictitious, or fraudulent information, or the omission of any material fact, may subject the officer to criminal, civil, or administrative penalties for fraud, false statements, false claims, or otherwise,” and “[n]o service costs or devices sought for reimbursement have been waived, paid, or promised to be paid by another entity, including any federal program.”). 44 2020 Supply Chain Order, 35 FCC Rcd at 14358, para. 180. 45 47 CFR § 1.50004(p). 46 Wireline Competition Bureau Seeks Comment on Secure and Trusted Communications Networks Reimbursement Program Application Filings and Process, WC Docket No. 18-89, Public Notice, DA 21-607 (WCB May 24, 2021) (Reimbursement Process Public Notice). 47 Finalized Reimbursement Process Public Notice, Appx. A & B; see FCC, Wireline Competition Bureau Finalizes Application Filings, Procedures, Cost Catalog, and Replacement List for the Secure and Trusted Communications Networks Reimbursement Program, 86 Fed. Reg. 48521 (Aug. 31, 2021) (effective date of September 30, 2021). 48 See 47 U.S.C. § 1603(d)(4); 47 CFR § 1.50004(a)(3), (c)(iii), (c)(v). 49 See id. § 1603(e)(1) (“The Commission shall take all necessary steps to avoid waste, fraud, and abuse with respect to the Program.”). 50 See 47 U.S.C. §§ 502, 503(b), 1606. 51 See 18 U.S.C. §§ 1001, 286-287, 1343. 52 See 31 U.S.C. §§ 3729-3733, 3801-3812. 7 Federal Communications Commission DA 21-1234 sources of state or federal funding. This certification, in particular, is aimed at protecting against the receipt and use of duplicative funding from different state and federal sources. Finally, certifying officials will also need to certify that no “kickbacks” (i.e., money or anything of value) were paid or received by the participant from a contractor or vendor in connection with the Reimbursement Program.53 Collectively, the revised and added certifications provide additional notice to certifying officials and applicants as to potential civil and criminal penalties for violating Reimbursement Program requirements and will strengthen the Commission’s ability to investigate and hold applicants accountable for rule violations and fraudulent conduct. These revised certifications will become effective immediately upon publication in the Federal Register, pursuant to section 553(d)(3) of the Administrative Procedure Act.54 We find good cause exists for an expedited effective date to ensure these certifications can be included in the forms necessary for the expeditious opening of the Reimbursement Program filing window, which is now scheduled to occur on October 29, 2021.55 An expedited effective date will further assist the Commission in speedily addressing the pressing national security concerns that prompted the establishment this Reimbursement Program. Cost Catalog Corrections. Finally, the Bureau corrects cost estimates incorrectedly identified in the Cost Catalog adopted on August 3, 2021 in the Finalized Reimbursement Process Public Notice.56 Since the release of the Cost Catalog on August 3, 2021, the Bureau was made aware of a few instances where the cost estimate identified in that version of the Cost Catalog was listed incorrectly. Specifically, the average cost estimate reported for items 2.1.2 and, 2.2.3 was inaccurate given the range of cost estimates reported. In addition, the low-end cost range for item 5.16.5 was incorrectly listed as $1,7687.17 instead of $17,687.17. The average cost estimate for item 5.16.5 is, however, correct. Separately, the final version of the Cost Catalog incorrectly included a costs estimate for item 5.1.4 regarding “Participation for FCC Rulemaking” even though the Bureau explicitly called for the removal of this item in the Finalized Reimbursement Process Public Notice.57 Accordingly, we will make these corrections to the Cost Catalog and publish a corrected version on the Commission’s website.58 Paperwork Reduction Act. This document does not contain any new information collection(s) subject to the Paperwork Reduction Act of 1995 (PRA), Public Law 104-13. The Commission has separately sought and obtained approval, per the PRA, from the Office of Management and Budget (OMB) for the information collection requirements contained in the 2020 Supply Chain Order from which the rules and obligations discussed herein, where applicable, are derived.59 Therefore, this document does not contain any new or modified information collection burden for small business 53 See 41 U.S.C. § 8701(2) (“kickback” means “any money, fee, commission, credit, gift, gratuity, thing of value, or compensation of any kind that is provided to a prime contractor, prime contractor employee, subcontractor, or subcontractor employee to improperly obtain or reward favorable treatment in connection with a prime contract or a subcontract relating to a prime contract.”); 42 U.S.C. § 1320a-7b. 54 5 U.S.C. § 553(d)(3) (“The required publication or service of a substantive rule shall be made not less than 30 days before its effective date, except . . . as otherwise provided by the agency for good cause found and published with the rule.”). 55 See Wireline Competition Bureau Announces Application Filing Window for the Secure and Trusted Communications Networks Reimbursement Program – Filing Window Opens October 29, 2021, Public Notice, DA 21-1207 (WCB Sept. 27, 2021). 56 See Finalized Reimbursement Process Public Notice at 26, para. 73; id., Appx. C. 57 Id. at 29, para. 81. 58 See FCC, Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs, http://www.fcc.gov/supplychain (last visited Sept. 27, 2021). 59 See Notice of Office of Management and Budget Action for OMB Control No. 3060-1270 (approved Sept. 8, 2021), https://www.reginfo.gov/public/do/DownloadNOA?requestID=348935. 8 Federal Communications Commission DA 21-1234 concerns with fewer than 25 employees, pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107-198.60 Final Regulatory Flexibility Certification. The Regulatory Flexibility Act of 1980, as amended (RFA), requires that an agency prepare a regulatory flexibility analysis for notice and comment rulemakings, unless the agency certifies that “the rule will not, if promulgated, have a significant economic impact on a substantial number of small entities.” 61 The RFA generally defines the term “small entity” as having the same meaning as the terms “small business,” “small organization,” and “small governmental jurisdiction.”62 In addition, the term “small business” has the same meaning as the term “small business concerns” under the Small Business Act.63 A “small business concern” is one that: (1) is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any additional criteria established by the Small Business Administration (SBA).64 The Commission prepared Initial Regulatory Flexibility Analyses (IRFAs) in connection with the 2020 Supply Chain Declaratory Ruling and Second Further Notice and the 2021 Supply Chain Third Further Notice.65 The Commission sought written public comment on the proposals in the 2020 Supply Chain Declaratory Ruling and Second Further Notice and the 2021 Supply Chain Third Further Notice, including comments on the IRFAs. No comments were filed addressing the IRFAs. The Commission included Final Regulatory Flexibility Analyses (FRFAs) in connection with the 2020 Supply Chain Order and the 2021 Supply Chain Order.66 This Public Notice establishes provides: (1) voluntary guidance on complying with the Reimbursement Program’s disposal and verification requirements; (2) revises the certifications associated with the FCC Form 5640 application filings; and (3) corrects cost estimates identified in the Cost Catalog that were listed incorrectly. These actions flow from the proposals set forth in the 2020 Supply Chain Declaratory Ruling and Second Further Notice and the 2021 Supply Chain Third Further Notice and discussed in the IRFAs accompanying those Notices, and are consistent with the requirements established in the 2020 Supply Chain Order and the 2021 Supply Chain Order and addressed in the FRFAs accompanying those orders. Accordingly, no changes to our earlier analyses are required. We have determined that the impact on the entities affected by the requirements contained in this Public Notice will not be significant. The effect of these measures is to establish for the benefit of those entities, including small entities, the procedures for filing an application consistent with existing rules, to participate in the Reimbursement Program to obtain funding support to remove from their networks, replace, and dispose of communications equipment and service considered a national security risk. 60 See 44 U.S.C. § 3506(c)(4). 61 5 U.S.C. § 603. The RFA, 5 U.S.C. §§ 601-612, has been amended by the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), Public L. No. 104-121, Title II, 110 Stat. 857 (1996). 62 5 U.S.C. § 605(b). 63 Id. § 601(6). 64 Id. § 601(3) (incorporating by reference the definition of ““small-business concern” in the Small Business Act, 15 U.S.C. § 632). Pursuant to 5 U.S.C. § 601(3), the statutory definition of a small business applies “unless an agency, after consultation with the Office of Advocacy of the SBA and after opportunity for public comment, establishes one or more definitions of such term which are appropriate to the activities of the agency and publishes such definition(s) in the Federal Register.” 65 Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs, WC Docket No. 18-89, Declaratory Ruling and Second Further Notice of Proposed Rulemaking, 35 FCC Rcd 7821 (2020) (2020 Supply Chain Declaratory Ruling and Second Further Notice); Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs, WC Docket No. 18-89, Third Further Notice of Proposed Rulemaking, FCC 21-26 (Feb. 22, 2021) (2021 Supply Chain Further Notice). 66 2020 Supply Chain Order, 35 FCC Rcd at 14385, Appx. B (Final Regulatory Flexibility Analysis); 2021 Supply Chain Order, Appx. B (Final Regulatory Flexibility Analysis). 9 Federal Communications Commission DA 21-1234 Report to Congress. The Commission has determined, and the Administrator of the Office of Information and Regulatory Affairs, Office of Management and Budget, concurs, that these modified certification requirements are non-major under the Congressional Review Act, 5 U.S.C. § 804(2). The Bureau will send a copy of this Public Notice to Congress and the Government Accountability Office pursuant to 5 U.S.C. § 801(a)(1)(A). Additional Information. For additional information about the Reimbursement Program application and filing process, interested parties should review the Finalized Reimbursement Process Public Notice and visit the Reimbursement Program webpage: https://www.fcc.gov/supplychain. Questions specific to the Reimbursement Program or application process should be directed to the Reimbursement Program Fund Administrator by emailing SCRPFundAdmin@fcc.gov or by calling (202) 418-7540 from 9:00 AM ET to 5:00 PM ET, Monday through Friday, except for Federal holidays. For further information regarding this Public Notice, please contact supplychain@fcc.gov. - FCC - 10 Federal Communications Commission DA 21-1234 APPENDIX A SECURE AND TRUSTED COMMUNICATIONS NETWORKS REIMBURSEMENT PROGRAM DISPOSAL PROCESS GUIDANCE AND BEST PRACTICES September 30, 2021 Federal Communications Commission DA 21-1234 Table of Contents I. INTRODUCTION ............................................................................................................................ 1 II. THE DISPOSAL PROCESS ............................................................................................................. 2 A. Introduction to the Disposal Process ............................................................................................ 2 B. Removal, Storage, and Transportation of Covered Communications Equipment .......................... 3 C. Identifying the Appropriate Disposal Process .............................................................................. 3 D. Media Sanitization ...................................................................................................................... 6 E. Equipment Destruction................................................................................................................ 6 F. Selecting a Certified Electronic Waste Recycler .......................................................................... 7 III. DOCUMENTATION DEMONSTRATING COMPLIANCE ............................................................ 9 IV. CONCLUSION ............................................................................................................................... 10 i Federal Communications Commission DA 21-1234 I. INTRODUCTION 1. The Secure and Trusted Communications Networks Act of 2019 (Secure Networks Act), as amended, directed the Federal Communications Commission (Commission) to establish the Secure and Trusted Communications Networks Reimbursement Program (Reimbursement Program).1 The Commission established the Reimbursement Program in the 2020 Supply Chain Order.2 The Reimbursement Program is intended to reimburse providers of advanced communications services with 10 million or fewer customers for costs incurred in the removal, replacement, and disposal of covered communications equipment and services deemed to pose an unacceptable risk to the national security of the United States or the security and safety of United States persons.3 For purposes of the Reimbursement Program, “covered communications equipment and services” means any communications equipment or services produced or provided by Huawei Technologies Company (Huawei) or ZTE Corporation (ZTE) that was obtained by providers on or before June 30, 2020.4 2. The Secure Networks Act called for the Commission to adopt regulations requiring the removal of all covered communications equipment or services “from the network of the recipient in order to prevent such equipment or services from being used in the networks of providers of advanced communications service.”5 The Commission interpreted this provision as “requiring the destruction of the equipment or service by the recipient so as to make the equipment or service inoperable and incapable of use.”6 The Commission thus adopted section 1.50004(j) of its rules in the 2020 Supply Chain Order, which states as follows: Reimbursement program recipients must dispose of the covered communications equipment or service in a manner to prevent the equipment or service from being used in the networks of other providers of advanced communications service. The disposal must result in the destruction of the covered communications equipment or service, making the covered communications or service inoperable permanently. Reimbursement Program recipients must retain documentation demonstrating compliance with this requirement.7 The Commission said, in adopting this rule, that it expected Wireline Competition Bureau (Bureau) “to provide additional guidance to help participants with the disposal and verification process.”8 Accordingly, the Bureau hereby provides the following guidance and suggested best practices to help guide Reimbursement Program participants through the disposal and verification process. 1 Secure and Trusted Communications Networks Act of 2019, Pub. L. No. 116-124, § 4, 134 Stat. 158 (2020) (codified as amended at 47 U.S.C. §§ 1601–1609) (Secure Networks Act), amended by, Consolidated Appropriations Act, 2021, Pub. L. No. 116–260, § 901, 134 Stat. 1182 (2020). 2 Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs, WC Docket No. 18-89, Second Report and Order, 35 FCC Rcd 14284, 14330-68, paras. 106-208 (2020) (2020 Supply Chain Order); see 47 CFR § 1.50004 et seq. The Commission’s rules for the Reimbursement Program adopted in the 2020 Supply Chain Order were subsequently revised in the 2021 Supply Chain Order. See Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs, WC Docket No. 18-89, Third Report and Order, FCC 21-86, 2021 WL 3024271 (Jul. 14, 2021) (2021 Supply Chain Order). 3 47 U.S.C. § 1603. 4 See 2021 Supply Chain Order at 8-17, paras. 18-36 5 Secure Networks Act § 4(d)(7); 47 U.S.C. § 1603(d)(7). 6 2020 Supply Chain Order, 35 FCC Rcd at 14357-58, paras. 178. 7 47 CFR § 1.50004(j). 8 2020 Supply Chain Order, 35 FCC Rcd at 14358, para. 179; see id. at 14357-58, paras. 178-179. 1 Federal Communications Commission DA 21-1234 II. THE DISPOSAL PROCESS A. Introduction to the Disposal Process 3. These best practices address how covered communications equipment or services should be securely stored, documented, and transported throughout the disposal and verification process. These best practices also cover how equipment or services should be categorized, sanitized, destroyed, and recycled. Although voluntary, the Bureau believes that the best practices set forth in this guidance would comply with the requirements set forth in section 1.50004(j) of the Commission’s rules. The Bureau will consider Reimbursement Program participant’s disposal and verification methods reasonable and in compliance with section 1.50004(j) of the Commission’s rules if the best practices are followed. Reimbursement Program participants are not, however, required to follow these best practices and may employ alternative compliance measures. For providers undertaking a different disposal process, the Commission will review the specific circumstances but may find that the processes do not comply with the disposal and verification requirements contained in section 1.50004(j) of the Commission’s rules. 4. Non-compliance can result in the assessment of fines and forfeitures by the Commission.9 In addition, non-compliance can result in additional enforcement actions provided for in section 1.50005 of the Commission’s rules, which includes the repayment of Reimbursement Program funding.10 The Office of Managing Director (OMD), or a third-party identified by OMD, will conduct audits and field investigations to ensure Reimbursement Program participants are acting in compliance with the Commission’s rules.11 These audits and field investigations will include the inspection of documentation to verify compliance with the disposal and verification requirements in section 1.50004(j) of the Commission’s rules.12 5. In considering these best practices, we emphasize that the disposal and verification requirements contained in section 1.50004(j) of the Commission’s rules only apply to “covered” communications equipment and services.13 For purposes of the Reimbursement Program, including the disposal and verification requirements, the Commission has interpreted “covered” communications equipment and service to mean equipment and services produced or provided by Huawei and ZTE that was obtained by the provider on or before June 30, 2020.14 Further, the Commission has stated that “covered” communications equipment and service includes “all equipment or services used in fixed and mobile broadband networks, provided they include or use electronic components.”15 To the extent providers are removing and disposing of other equipment and services that are not considered covered communications equipment and services, and thus not subject to section 1.50004(j) of the Commission’s rules, we would expect such providers to dispose and recycle their non-covered equipment and services in an environmentally responsible manner. 9 47 U.S.C. § 503; 47 CFR § 1.80. 10 47 U.S.C. § 1606; 47 CFR § 1.50005. 11 Id. § 1.50004(o). 12 2020 Supply Chain Order, 35 FCC Rcd at 14362, para. 193; 47 CFR § 1.50004(j), (n); see 47 U.S.C. § 1603(e). 13 47 CFR § 1.50004(j). 14 See 2021 Supply Chain Order at 10, para. 23; id. at 14, para. 31 (“By revising the scope of equipment and services eligible for reimbursement, we provide clarity to providers of advanced communications service as to the expectations for participation in the Reimbursement Program and assurance as to what costs associated with the removal, replacement, and disposal of covered equipment and services they can expect to be reimbursed, if accepted.”). 15 Id. at 8, para. 20 (emphasis added); see also 2020 Supply Chain Order, 35 FCC Rcd at 14309, para. 52 (“We believe that all equipment or services that include or use electronic components can be reasonably considered essential to broadband networks . . . .”). 2 Federal Communications Commission DA 21-1234 6. Disposal Best Practices Overview. The disposal process begins with the removal of the covered communications equipment or service from Reimbursement Program participants’ networks. The equipment should be carefully inventoried and sorted into different categories for destruction or recycling based on the equipment’s underlying capabilities and whether the equipment contains network or customer identifiable information. Any equipment that processes and retains data such as network or 16 customer identifiable information should also go through media sanitization before destruction. All equipment that can be recycled should be tracked and shipped directly to a certified electronic waste (e- waste) recycler. Reimbursement Program participants should retain certificates of media disposition and certificates of destruction for all equipment that processes and retains data long-term. Maintaining detailed documentation of the disposal process from removal to destruction or recycling of the equipment is essential to demonstrating compliance with the Reimbursement Program’s disposal requirements.17 B. Removal, Storage, and Transportation of Covered Communications Equipment 7. Throughout the removal process, covered communications equipment should be carefully inventoried, and securely stored and shipped. The equipment should be handled in a secure manner throughout the entire removal, replacement, and disposal process. During the removal process the Reimbursement Program participant should maintain a detailed and comprehensive inventory of all covered communications equipment removed from their networks. If the removal of the covered communications equipment spans multiple days, the Reimbursement Program participant should maintain a log detailing what equipment was removed each day from each site. After removal, if the covered communications equipment cannot be immediately transferred to a certified disposal service or e-waste recycler, the Reimbursement Program participant should store the equipment in a secure manner. Once the equipment is ready to ship, the Reimbursement Program participant should select a disposal company with an in-house freight capacity, individual freight carriers with experience handling freight for sensitive equipment, or asset management vendors that use secure shipping methods to transfer the equipment. If a delay occurs between the arrival of the equipment at the disposal service or e-waste recycler and the processing of the equipment, the Reimbursement Program participant should ensure that the disposal service or e-waste recycler store the equipment in a secure manner until destruction or recycling. The Reimbursement Program participant should be able to show a clean chain of custody from its site to the disposal company or recycler. C. Identifying the Appropriate Disposal Process 8. The purpose of the disposal process is to ensure that all covered Huawei and ZTE communications equipment is removed from the providers’ networks and rendered permanently “inoperable.”18 Making communications equipment and services inoperable will prevent the reuse of such equipment and service, or any component of the equipment or service, in another provider’s network, thus preventing the introduction of an increased security risk in another provider’s network. In the 2020 Supply Chain Order, the Bureau clarified that the Secure Networks Act did not “permit the transfer of covered communications equipment or service to non-U.S. providers in an operable state” as a means of disposing of the covered equipment.19 Reimbursement Program participants are thus prohibited from transferring any covered equipment in an operable state outside of the United States including for 16 See Wireline Competition Bureau Seeks Comment on a Report and Preliminary Cost Catalog and Replacement List to Help Providers Participate in the Secure and Trusted Communications Networks Reimbursement Program, WC Docket No. 18-89, Public Notice, DA 21-355, Attach. 1 at 70-72 (WCB Mar. 25, 2021) (Cost Catalog Public Notice); see generally 47 U.S.C. § 222 (discussing the responsibility of the provider to “protect the confidentiality of proprietary information” including customer information). 17 See 2020 Supply Chain Order, 35 FCC Rcd at 14358, paras. 179; 47 CFR § 1.50004(j). 18 See 2020 Supply Chain Order, 35 FCC Rcd at 14357-58, paras. 178-79; 47 CFR § 1.50004(j). 19 2020 Supply Chain Order, 35 FCC Rcd at 14358, para. 179. 3 Federal Communications Commission DA 21-1234 recycling or destruction purposes.20 Proper disposal of covered equipment should render the equipment permanently inoperable on any network, foreign or domestic.21 9. The disposal process will vary depending on the underlying nature and capabilities of the equipment.22 The Bureau suggests that covered communications equipment be sorted into three categories for the disposal process, with higher expectations of destruction for Categories 1 and 2 due to the capabilities of that equipment. Category 1 includes equipment that processes and retains network or customer identifiable information long-term.23 Category 2 includes equipment that processes data but does not retain any network or customer identifiable information. Category 3 includes equipment that has no data processing or retention capacity. Table 1 – Categorization of Covered Equipment for Disposal Categorization: Suggested Minimum Equipment Criteria: Illustrative Examples: Steps for Disposal: Category 1 Equipment Equipment that processes • Mobility Management necessitating: (1) and retains data. Entity (MME); media sanitization, (2) • Home Subscriber destruction, and (3) Server (HSS).24 recycling. Category 2 Equipment Equipment that processes • Antenna Array Units necessitating: (1) data but does not retain (AAU); destruction and (2) data. • Radio Units (RU); recycling. • Baseband Units (BU/BBU); • Control Units (CU). Category 3 Equipment Equipment or components • Cables; necessitating: (1) that do not have data • Brackets, cabinets; recycling. processing capabilities. 20 See id. Reimbursement Program participants, however, may transfer the recycled raw materials derived from destroyed, inoperable, equipment outside the United States. 21 2020 Supply Chain Order, 35 FCC Rcd at 14358, para. 179; see 47 CFR § 1.50004(j). 22 See generally Cost Catalog Public Notice, 36 FCC Rcd at 5847-49, Attach. 1 at 70-72 (making the distinction between sensitive and non-sensitive covered communications equipment). 23 See generally 47 U.S.C. § 222; Cybersecurity and Infrastructure Security Agency, Supply Chain Risks for Information and Communication Technology (Dec. 2018), https://www.cisa.gov/sites/default/files/publications/19_ 0424_cisa_nrmc_supply-chain-risks-for-information-and-communication-technology.pdf (listing improper disposal of information and communication technology as a supply chain risk). 24 MME manages the “control plane” and “signaling related to mobility and security.” HSS is a database containing user and subscriber information that supports “mobility management, call and session setup, user authentication and access authorization.” Frédéric Firmin, 3rd Generation Partnership Project (3GPP), The Evolved Packet Core, https://www.3gpp.org/technologies/keywords-acronyms/100-the-evolved-packet-core#:~:text=Basically% 2C%20the%20HSS%20(for%20Home,user%20authentication%20and%20access%20authorization (last visited Aug. 10, 2021); see Magnus Olsson, et al., EPC and 4G Packet Networks, Ch. 10 (2nd Ed. 2013); Wireline Competition Bureau Finalizes Application Filings, Procedures, Cost Catalog, and Replacement List for the Secure and Trusted Communications Networks Reimbursement Program, WC Docket No. 18-89, Public Notice, DA 21-947, Appx. C at 19, § 3.1.0 (WCB Aug. 3, 2021) (Finalized Reimbursement Process Public Notice) (listing enhanced packet core (EPC) cost categories for MME and HSS including a range of estimated costs). 4 Federal Communications Commission DA 21-1234 Categorization: Suggested Minimum Equipment Criteria: Illustrative Examples: Steps for Disposal: • miscellaneous components.25 10. Category 1 is comprised of all covered communications equipment that “poses an unacceptable risk to the national security of the United States or the security and safety of United States persons” and should be disposed of under a heightened standard.26 This includes all equipment that processes and retains network, proprietary, or customer identifiable information,27 or other information that poses an unacceptable risk to the security and safety of United States persons. Because such equipment retains data, we recommend all data on Category 1 equipment should first be wiped clean of any data, i.e., sanitized, before securely destroying. By destroying, equipment should be shredded or pulverized and the byproduct smelted down to its raw materials by a disposal company registered with the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) pursuant to the International Traffic in Arms Regulations (ITAR).28 A certificate of media disposition29 and a certificate of destruction should be retained to provide assurance that Category 1 equipment was properly destroyed. To the extent that equipment exists that combines multiple functionalities falling in more than one category, e.g. equipment includes components falling in both Category 1 and 2, then the equipment should be destroyed in accordance with the guidelines set out for Category 1. 11. Category 2 is comprised of all electronic covered communications equipment that processes data but does not retain data, particularly network or customer identifiable information. This type of equipment raises an increased concern if it, or any component of it, are reused in another provider’s network. Accordingly, we recommend that Category 2 equipment be destroyed (e.g., disintegrate, pulverize, melt, and incinerate), and the byproduct (i.e., inoperable component parts or raw materials) recycled by a certified e-waste recycler. Most covered electronic communications equipment will likely fall under Category 2. A certificate of destruction should be retained to provide assurance that the equipment was properly destroyed. 12. Category 3 is comprised of all covered communications equipment that does not have the capacity to retain or process data. Examples of equipment that falls under Category 3 could conceivably include, but is not limited to, cabinets and equipment racks to the extent such communications equipment includes an “electronic component.” Because this type of covered communications equipment lacks the ability to retain or process data, there is less of a concern of introducing a new security risk if reused in another provider’s network. We therefore adjust the disposal process best practices accordingly to merely recommend that such equipment be recycled by a certified e-waste recycler. We do not, however, find total destruction of this category of equipment necessary to prevent the reintroduction of a security risk 25 This disposal guidance applies only to covered communications equipment and service, i.e., communications equipment produced or provided by Huawei or ZTE that includes or uses electronic components. 26 See Secure Network Act § 2(b); 47 U.S.C. § 1601(b). 27 See 47 U.S.C. § 222 (requirements for telecommunications carriers to protect customer proprietary information). 28 See Letter from Andrew C. McManus, General Manager, Gannon & Scott, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 18-89 (Aug. 31, 2021) (Gannon & Scott Ex Parte); Letter from Brodie Ehresman, Director of Marketing and Business Development, Advanced Technology Recycling, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 18-89 (Sept. 3, 2021) (ATR Ex Parte); see generally 22 CFR §§ 120-130; U.S. Dept. of State, Directorate of Defense Trade Controls, The International Traffic in Arms Regulations, https://www.pmddtc.state. gov/ddtc_public?id=ddtc_kb_article_page&sys_id=%2024d528fddbfc930044f9ff621f961987 (last visited Sept. 17, 2021). 29 See supra note 32. 5 Federal Communications Commission DA 21-1234 into another providers network. Accordingly, a certificate of destruction is not necessary for Category 3 equipment. We will consider such equipment as “inoperable” if permanently dismantled from other communications equipment and services and it is unable to be reconnected to any other communications equipment. We understand that it may be more efficient for a destruction company to destroy and recycle a large amount of equipment at once, for example, by destroying all equipment in a box at one time that may include a combination of the categories equipment described below, and defer to both the provider and destruction company as to the most efficient process to achieve the required disposal obligation. D. Media Sanitization 13. We recommend all Category 1 covered communications equipment be sanitized before its destruction or recycling to prevent unauthorized access to information contained on the media. Sanitization should occur in accordance with the National Institutes of Standards and Technology (NIST) Special Publication 800-88 Revision 1, Guidelines for Media Sanitization (NIST Media Sanitization Guidelines).30 At a minimum, media sanitization should include processes to clear (i.e., overwrite data), purge data rendering recovery infeasible, or destroy media (e.g., pulverize, incinerate, etc.).31 Media sanitization renders the underlying data irretrievable. After the digital media is securely sanitized, the remaining equipment should be physically destroyed and the byproduct recycled by a certified e-waste recycler. Following sanitization and consistent with NIST Media Sanitization Guidelines, we recommend for a certificate of media disposition to be completed to document each piece of electronic media that is sanitized.32 E. Equipment Destruction 14. To ensure the proper destruction of covered equipment, we recommend choosing a qualified U.S. disposal company that can perform destruction services and provide sufficient documentation evidencing the destruction of the equipment. At a minimum, the disposal company should be able to provide the Reimbursement Program participant with a certificate of destruction. The Commission prohibited the transfer of operable covered communications equipment or service to non- U.S. providers. Providers cannot transfer the covered communications equipment or service to facilities located outside the United States because equipment that has not yet been disposed of is still operable. Thus, we recommend providers use U.S. disposal companies that conduct the disposal process on U.S. soil.33 In choosing a qualified disposal company, we recommend selecting vendors that are certified to provide complete asset management solutions, from removal to destruction, including transportation and chain of custody tracking. Reimbursement Program participants should select disposal vendors that are certified by reputable standards-setting bodies, particularly those that require registration and subject providers to audit, to comply with their disposal obligations under the Reimbursement Program. 15. We recommend Reimbursement Program participants use companies registered with the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) pursuant to the International Traffic in Arms Regulations (ITAR). While the covered communications equipment may or may not fall within the scope of ITAR, we find that an ITAR-registered disposal company will likely have the procedures in place and the facilities necessary to effectively handle the safe and secure destruction of covered communications equipment, including the most sensitive equipment.34 ITAR-registered 30 Richard Kissel, et al., National Institute of Standards and Technology (NIST), U.S. Dept. of Commerce, Guidelines for Media Sanitization, Special Publication 800-88 Rev. 1 (Dec. 2014), https://nvlpubs.nist.gov/nistpubs/ SpecialPublications/NIST.SP.800-88r1.pdf (NIST Media Sanitization Guidelines). 31 See id. at 8-9, § 2.5. 32 See id. at 22-23, § 4.8; id. at 56, Appx. G, Sample Certificate of Media Sanitization Form. 33 See 2020 Supply Chain Order, 35 FCC Rcd at 14358, para. 179. 34 The DDTC offers a tool to help users determine whether an article is subject to ITAR. See DDTC, https://www.pmddtc.state.gov/ddtc_public?id=ddtc_public_portal_dt_order_of_review (last visited Sept. 17, 2021). 6 Federal Communications Commission DA 21-1234 companies are required to maintain records concerning manufacture, acquisition, and disposition of defense articles, including technical data, subject to ITAR,35 and are subject to civil and criminal penalties for violations.36 Moreover, According to ex parte submissions in this docket from ITAR-registered companies Advanced Technology Recycling and Gannon & Scott,37 ITAR-registered disposal companies may also hold an e-waste recycling certification and be able provide media sanitization services, allowing for a one-stop disposal facility to handle the disposal of different categories of equipment and able to provide the necessary documentation for providers to verify compliance with section 1.50004(j) of the Commission’s rules. F. Selecting a Certified Electronic Waste Recycler 16. If Reimbursement Program participants do not have the disposal vendor destroy and recycle all their covered communications equipment, the Bureau recommends Reimbursement Program participants use certified electronic recyclers endorsed by the Environmental Protection Agency (EPA) to ensure that equipment is disposed of in a secure and environmentally responsible manner.38 Certified electronic (e-waste) recyclers are subject to auditing by an independent accreditation body and held to strict quality standards.39 Improper disposal of e-waste raises the risk of both environmental and public health harms.40 Moreover, incomplete destruction of covered communications equipment jeopardizes national security by risking the possibility of equipment or its components being re-sold or transferred out 41 of the United States. For e-waste disposal, EPA guidelines recommend the use of recyclers certified by either: (1) Responsible Recycling (R2) Standard for Electronics Recyclers; or (2) e-Stewards Standard for Responsible Recycling and Reuse of Electronic Equipment (e-Stewards).42 Certifications issued by R2 or e-Stewards provide standards for e-waste disposal that are environmentally responsible and offer 35 See 22 CFR § 122.5(a). 36 See id. § 127.3. 37 See ATR Ex Parte at *2; Gannon & Scott Ex Parte. 38 EPA, Certified Electronics Recyclers, https://www.epa.gov/smm-electronics/certified-electronics-recyclers (last visited Jun. 18, 2021). 39 See id. 40 See e.g., Damian Carrington, $10bn of precious metals dumped each year in electronic waste, says UN, The Guardian (Jul. 22, 2020), https://www.theguardian.com/environment/2020/jul/02/10bn-precious-metals-dumped- each-year-electronic-waste-un-toxic-e-waste-polluting. For a comprehensive overview of e-waste statistics, laws, and the impact on the environment and human health in the year 2020, see generally Vanessa Forti, et al., United Nations University, United Nations Institute for Training and Research, SCYCLE Programme, International Telecommunication Union, and International Solid Waste Association, The Global E-waste Monitor 2020: Quantities, flows and the circular economy potential (2020), https://globalewaste.org/proxy/?publication=/v1/file/ 271/The-Global-E-waste-Monitor-2020-Quantities-flows-and-the-circular-economy-potential.zip. 41 See generally 2020 Supply Chain Order, 35 FCC Rcd at 14358, para. 179. Using recyclers that have not been certified increases the risk of improper disposal or potential fraud. See United States Attorney’s Office District of Colorado, Executive Recycling Company And Executives Sentenced For Fraud And International Environmental Crimes (Jul. 23, 2013), https://www.justice.gov/usao-co/pr/executive-recycling-company-and-executives-sentenced- fraud-and-international (recycling company executives fraudulently exported e-waste overseas after making representations that the waste would be disposed of in compliance with EPA standards and U.S. law). 42 The EPA assessed the standards that both e-Stewards and R2 certified recyclers are held to without making any determinations of which program is more successful. EPA, Frequent Questions about the Implementation Study of R2 and e-Stewards Certification Programs, https://www.epa.gov/smm-electronics/frequent-questions-about- implementation-study-r2-and-e-stewards-certification#external%206 (last visited Jun. 20, 2021). 7 Federal Communications Commission DA 21-1234 responsible asset management.43 Reimbursement Program participants may elect to choose a certified recycler with other certifications in addition to R2 or e-Stewards certifications.44 Recyclers can also hold certifications from third party standards-setting bodies that independently audit practices such as, for example, companies certified compliant with International Organization for Standardization (ISO) 14001 standards for environmental management systems, including certification and audit processes, consistent with statutory and regulatory requirements.45 e-Stewards standards, for example, incorporate certain ISO 14001 standards.46 17. R2. R2 certified recyclers are issued certification through the certifying body Sustainable Electronics Recycling International (SERI) and are subject to auditing to ensure compliance with SERI’s standards.47 R2 offers recyclers who provide data destruction services and provides environmentally responsible recycling services.48 There are over 600 R2-certified recycling facilities, including refurbishers, brokers, and warehouse sites, operating in the United States which Reimbursement Program participants can locate on R2’s webpage.49 18. E-Stewards. Recyclers certified by e-Stewards receive certification through the Basal Action Network (BAN) and are subject to auditing to ensure compliance with BAN’s standards.50 E- Stewards provides data destruction services and environmentally responsible recycling services.51 There are over 1,400 e-Stewards-certified recyclers operating in the United States, including recycling, refurbishing, and consumer drop-off sites, which Reimbursement Program participants can locate on e- Steward’s webpage.52 19. Alaska and Hawaii. We acknowledge there are no R2 or e-Stewards certified recyclers operating in Hawaii or Alaska so Reimbursement Program participants operating in these areas will need to find alternative reliable e-waste recycling partners or will need to securely transport covered equipment to a State where an R2- or e-Stewards-certified recycler is located. 43 See generally EPA, Certified Electronics Recyclers, https://www.epa.gov/smm-electronics/certified-electronics- recyclers (last visited Jun. 18, 2021); Letter from Jared M. Carlson, Vice President, Government Affairs and Public Policy, Ericsson, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 18-89, at 1 (filed June 18, 2021) (Ericsson June 18, 2021 Ex Parte). 44 See EPA, Certified Electronics Recyclers, https://www.epa.gov/smm-electronics/certified-electronics-recyclers (last visited Jun. 18, 2021); Ericsson June 18, 2021 Ex Parte at 1. 45 See ISO, Certification & Conformity, https://www.iso.org/conformity-assessment.html (last visited Aug. 13, 2021); ISO, ISO 14001: Key Benefits, https://www.iso.org/files/live/sites/isoorg/files/store/en/PUB100372.pdf (last visited Aug. 13, 2021); see also Ericsson June 18, 2021 Ex Parte at 1 (Ericsson requires its recycling providers to follow certain standards including ISO 9001 and ISO 14001). As of 2019, there were 3,671-certified ISO 14001 providers in the United States. See ISO, ISO Survey 2019, https://www.iso.org/the-iso-survey.html (last visited Aug. 13, 2021). 46 See e-Stewards, Frequently Asked Questions: Consumer Questions, http://e-stewards.org/faq/?choice=consumer (last visited Aug. 11, 2021). 47 SERI, About SERI, https://sustainableelectronics.org/about-story-and-mission/ (last visited Jun. 18, 2021). 48 SERI, R2 Business Solutions, https://sustainableelectronics.org/business-solutions/#telecom (last visited Jun. 18, 2021). 49 SERI, Find R2 Certified Facilities, https://sustainableelectronics.org/find-an-r2-certified-facility/ (last visited Aug. 11, 2021). 50 e-Stewards, The e-Stewards Story, http://e-stewards.org/about-us/the-e-stewards-story/ (last visited Jun. 20, 2021). 51 e-Stewards, What’s the e-Stewards Standard?, http://e-stewards.org/learn-more/for-enterprises/overview/whats- the-e-stewards-standard/ (last visited Jun. 20, 2021). 52 See e-Stewards, Find a Recycler, http://e-stewards.org/find-a-recycler/ (last visited Aug. 12, 2021). 8 Federal Communications Commission DA 21-1234 III. DOCUMENTATION DEMONSTRATING COMPLIANCE 20. Documentation. The Secure Networks Act authorized the Commission to undertake “regular audits and reviews of reimbursements”53 and engage in “random field investigations”54 in order to ensure that Reimbursement Program participants are complying with the requirements of the Reimbursement Program.55 In the 2020 Supply Chain Order, the Bureau advised Reimbursement Program participants to “retain all documentation related to their requests for funding reimbursement for actual expenses incurred” for a period of ten years.56 Thus, “[r]egardless of the method of disposal or destruction, [the Commission] require[s] participants to retain detailed documentation to verify compliance with this requirement.”57 21. Reimbursement Program participants should retain documentation for each step of the removal, replacement, and disposal process.58 The Bureau suggests that Reimbursement Program participants retain documentation for each step of the disposal process providing clear documentation of the process from the removal of the equipment to the final destruction and recycling. As a best practice, certificates of destruction should be retained to document the destruction of all covered communications equipment that processes data or has the ability to retain information.59 As a best practice, a certificate of destruction should contain at least the following information: manufacturer of the equipment, model, serial number, media sanitization information (if applicable), source of the equipment (i.e., Reimbursement Program participant/specific cell site), categorization of the equipment (i.e., Category 1, 2, or 3), type of destruction method, destruction equipment used, information of the person(s) completing the destruction process including name, title, date, location, and contact information.60 22. Similarly, certificates of media disposition should be retained for all equipment that is subject to data sanitization before the destruction and recycling of the physical equipment.61 The NIST Media Sanitization Guidelines suggest that the following information should be included on certificates of disposition: manufacturer of equipment, model, serial number, media type, media source (i.e., Reimbursement Program participant/specific cell site), categorization of the equipment, type of sanitization method, sanitization tool, method of verification for sanitization, post-sanitization destination, and information of the person who completed the sanitization and verification including name, title, date, location, and contact information.62 23. As a best practice, Reimbursement Program participants should maintain a “chain of custody” for removed covered communications equipment awaiting destruction or recycling.63 Each time 53 Secure Networks Act § 4(e)(3)(a); 47 U.S.C. § 1603(e)(3)(a). 54 Secure Networks Act § 4(e)(3)(b); 47 U.S.C. § 1603(e)(3)(b). 55 Secure Networks Act § 4(e)(3); 47 U.S.C. § 1603(e)(3). 56 2020 Supply Chain Order, 35 FCC Rcd at 14361, para. 192. 57 Id. at 14358, para. 179. 58 See id. 59 See supra section II.B. 60 These guidelines are based on the NIST Media Sanitization Guidelines at 22-23, § 4.8. 61 NIST provides detailed guidelines of what information should be recorded in a certificate of media sanitization and an example certificate of media sanitization. See NIST Guidelines for Media Sanitization at 16-23, § 4. For an example certificate of media sanitization, see NIST Media Sanitization Guidelines at 56, Appx. G. 62 Id. at 22-23. 63 See Cost Catalog Public Notice, 36 FCC Rcd at 5849, Appx. A at 72 (“Once the sensitive equipment is removed and documented at the site, a secure ‘chain of custody’ will need to be kept until the equipment arrives, and is verified, at the certified recycler”). 9 Federal Communications Commission DA 21-1234 covered communications equipment is removed from a site the Reimbursement Program participant should make a detailed inventory of all items removed from the site. This inventory should be dated by the date of removal and include how the items are being destroyed, where the equipment is being shipped, and the means of transportation to the recyclers. If the removal process spans a period of several days or weeks, then the inventory should include what equipment was removed each day. This documentation could take the form of short affidavits by the removal workers detailing the equipment they removed from the site each day. If the equipment is stored for any period of time before being transported to the disposal facility the program participant should retain documentation showing that the equipment was securely stored. This documentation could include receipts for storage facilities, affidavits attesting to the storage conditions, and photographic or video documentation. 24. For covered communications equipment being shipped or deposited at recyclers, Reimbursement Program participants should retain the shipping or transportation documentation. This documentation should include a detailed inventory of the equipment being shipped supported by an affidavit, the date of shipment, the destination, the name of the transportation service, and documentation showing that the shippers used a secure means of transportation. The Reimbursement Program participant should also retain detailed documentation throughout the destruction and recycling phase of the disposal process. This documentation should include the initial contract with the vendor,64 an inventory of all recycled and destroyed equipment, and certificates of media disposition and equipment destruction when applicable. If equipment is stored at the recyclers before it is destroyed the Reimbursement Program participant should retain documentation that indicates the length of time the equipment was stored and evidence that the equipment was stored in a secure manner. This could include contractual specifications that the equipment be stored securely, affidavits of the recyclers, and photographic or video documentation. IV. CONCLUSION 25. These recommended best practices will help ensure the security of sensitive data processed or retained on the covered communications equipment including network and customer proprietary information from unauthorized access. These best practices will also help Reimbursement Program participants in complying with the requirements of section 1.50004(j) of the Commission’s rules, to ensure covered communications equipment and service, posing an unacceptable risk to the national security of the United States or the security and safety of United States persons, are made inoperable and recycled in an environmentally safe manner. * * * 64 If the initial contract with the vendor is insufficient to show that a certified recycler was used, the Reimbursement Program participant should also retain documentation showing that a certified recycler was used for the final disposal after data or equipment destruction. 10 Federal Communications Commission DA 21-1234 APPENDIX B Revised Certifications for FCC Form 5640: SCRP Application Request for Funding Allocation, Section 1.50004(c) (Part C): By checking the box and providing the electronic signature where indicated below, the Certifying Official on behalf of the Applicant certifies under penalty of perjury that: 1. The Certifying Official is authorized to submit this request for funding allocation on behalf of the above-named Applicant and, based on information known to me or provided to me by employees responsible for the information being submitted, the information set forth in this request for funding allocation has been examined and is true, accurate, and complete. The Certifying Official acknowledges that any false, fictitious, or fraudulent information or statement, or the omission of any material fact on this or on any other documents submitted by the Applicant may subject the Applicant and the undersigned to punishment by fine or forfeiture under the Communications Act (47 U.S.C. §§ 502, 503(b), 1606), or fine or imprisonment under Title 18 of the United States Code (18 U.S.C. § 1001, §§ 286-287, and § 1343), or can lead to liability under the False Claims Act (31 U.S.C. §§ 3729-3733, and §§ 3801-3812). 2. The Applicant will comply with the statute, rules, and orders governing the Reimbursement Program, including but not limited to allocations, draw downs, payments, obligations and expenditures of money, and the Certifying Official acknowledges that failure to be in compliance and remain in compliance with those statutes, rules, and orders may result in the denial of funding, cancellation of funding commitments, and/or recoupment of past disbursements. The Certifying Official acknowledges that failure to comply with the statute, rules, and orders governing the Reimbursement Program could result in civil or criminal prosecution by law enforcement authorities. 3. The Applicant as of the date of submission of this application has developed a specific plan and timeline for the permanent removal, replacement, and disposal of covered communications equipment or service. 4. If the application is approved, and then starting from the approval date of the application, the Applicant: (1) will not purchase, rent, lease or otherwise obtain covered communications equipment or service published by the Commission under 47 U.S.C. § 1601(a), using reimbursement funds (including funds derived from private sources) and (2) in developing and tailoring risk management practices, will consult and consider the standards, guidelines, and best practices set forth in the cybersecurity framework developed by the National Institute of Standards and Technology. 5. The Applicant’s cost estimates claimed as eligible for reimbursement were made in good faith and are limited to only the portion of the costs that will be reasonably incurred for the removal, replacement, and disposal of covered equipment and services in accordance with the Secure and Trusted Communications Networks Act of 2019, as amended, Pub. L. 116-124 § 4 (47 U.S.C. § 1603) and the Commission’s rules (47 CFR § 1.50004). 6. The Applicant will use all money received from the Reimbursement Program only for expenses eligible for reimbursement in accordance with the Reimbursement Program rules, orders, and statute (47 U.S.C § 1603). 1 Federal Communications Commission DA 21-1234 7. The Applicant will file all required documentation for its expenses. 8. The Applicant will not use Reimbursement Program funds for any portion of expenses that have been or will be reimbursed by other sources of funding (e.g., Federal pandemic relief funding such as the Coronavirus Aid, Relief, and Economic Security (CARES) Act, Emergency Broadband Benefit Program, or other provisions of the American Rescue Plan; targeted state funding; other external sources of targeted funding; or other universal service support mechanisms). 9. The Applicant will maintain detailed records, including receipts, of all costs claimed as eligible for reimbursement for a period of ten years. 10. The Applicant recognizes that it may be subject to an audit, inspection or investigation pursuant to its request for funding allocation, that it will retain for ten years any and all records related to its participation in the program as required by 47 CFR § 1.50004(n), and will make such records and equipment purchased with Reimbursement Program reimbursement available at the request of any representative (including any auditor) appointed by the Commission and its Office of Inspector General, or any local, state, or Federal agency with jurisdiction over the entity. 11. No kickbacks, as defined in 41 U.S.C. § 8701 and/or 42 U.S.C. § 1320a-7b, were paid or received by the Applicant to anyone in connection with the Reimbursement Program. 2 Federal Communications Commission DA 21-1234 Revised Certifications for FCC Form 5640: SCRP Reimbursement Claim Request, Section 1.50004(g) (Part G): By checking the box and providing the electronic signature where indicated below, the Certifying Official on behalf of the Applicant certifies under penalty of perjury that: 1. The Certifying Official is authorized to submit this request for reimbursement on behalf of the Applicant and, based on information known to me or provided to me by employees responsible for the information being submitted, the information set forth in this request for reimbursement has been examined and is true, accurate, and complete, and the expenditures, disbursements and cash receipts are for the purposes and objectives set forth in the terms and conditions of the Federal award. The Certifying Official acknowledges that any false, fictitious, or fraudulent information or statement, or the omission of any material fact on this request for reimbursement or on any other document submitted by the Applicant may subject the Applicant and the undersigned to punishment by fine or forfeiture under the Communications Act (47 U.S.C. §§ 502, 503(b), 1606), or fine or imprisonment under Title 18 of the United States Code (18 U.S.C. § 1001, §§ 286-287, and § 1343), or can lead to liability under the False Claims Act (31 U.S.C. §§ 3729-3733, and §§ 3801-3812). 2. The Applicant is in compliance with the statute, rules, and orders governing the Reimbursement Program, including but not limited to allocations, draw downs, payments, obligations and expenditures of money, and the Certifying Official acknowledges that failure to be in compliance and remain in compliance with those statutes, rules, and orders may result in the denial of funding, cancellation of funding commitments, and/or recoupment of past disbursements. The Certifying Official acknowledges that failure to comply with the statute, rules, and orders governing the Reimbursement Program could result in civil or criminal prosecution by law enforcement authorities. 3. The Applicant has filed all required documentation for its expenses to be reimbursable under the Reimbursement Program rules. 4. The amounts claimed for reimbursement are limited to only the portion of the costs that were or will be reasonably incurred for the removal, replacement, and disposal of covered communications equipment and services in accordance with the Secure and Trusted Communications Networks Act of 2019, as amended, Pub. L. 116-124 § 4 (47 U.S.C. § 1603) and the Commission’s rules (47 CFR § 1.50004). 5. The Applicant as of the date of this submission has developed a specific plan and timeline for the permanent removal, replacement, and disposal of covered communications equipment or service. 6. The Applicant: (1) will not purchase, rent, lease or otherwise obtain covered communications equipment or service published by the Commission under 47 U.S.C. § 1601(a), using reimbursement funds (including funds derived from private sources) and (2) in developing and tailoring risk management practices, will consult and consider the standards, guidelines, and best practices set forth in the cybersecurity framework developed by the National Institute of Standards and Technology. 7. The Applicant will not use Reimbursement Program funds for any portion of expenses that have been or will be reimbursed by other sources of funding (e.g., Federal pandemic relief funding 3 Federal Communications Commission DA 21-1234 such as the Coronavirus Aid, Relief, and Economic Security (CARES) Act, Emergency Broadband Benefit Program, or other provisions of the American Rescue Plan; targeted state funding; other external sources of targeted funding; or other universal service support mechanisms). 8. The Applicant recognizes that it may be subject to an audit, inspection or investigation pursuant to its request for reimbursement, that it will retain for ten years any and all records related to its participation in the program as required by 47 CFR § 1.50004(n), and will make such records and equipment purchased with Reimbursement Program reimbursement available at the request of any representative (including any auditor) appointed by the Administrator, the Commission and its Office of Inspector General, or any local, state, or Federal agency with jurisdiction over the entity. 9. No kickbacks, as defined in 41 U.S.C. § 8701 and/or 42 U.S.C. § 1320a-7b, were paid or received by the Applicant to anyone in connection with the Reimbursement Program. 4