Week ending May 8, 2026
A week of two storylines, not unrelated. On the robocall side, the Commission’s Know-Your-Upstream-Provider FNPRM (FCC-CIRC2605-01) is on the May open meeting agenda, and the post–April 24 sunshine NPRM cycle started producing the substantive ex partes you’d expect — four filings in five days from PhoneBurner, the major TRS providers, ZipDX, and FracTEL, all responding to a Commission framework that finally has a name. On the supply-chain side, the Covered List program got a coordinated drumbeat — a Monday consumer-marketplace update, a Wednesday bureau action conditionally approving named drone and router models, a Thursday Commissioner speech at the marquee national-security-tech venue, and a Tuesday staff promotion that elevates the Chairman’s national-security counsel. The two threads share a frame: trust as supply-chain enforcement, whether the supply chain in question is silicon coming through Amazon or telephone numbers coming through resellers.
KYUP arrives: the FNPRM has a name, and industry is responding to it
The headline of the week is that the draft Further NPRM on the May open meeting agenda — which had been circulating only as the cryptic “FCC-CIRC2605-01” — is now formally the Know-Your-Upstream-Provider FNPRM. David Frankel of ZipDX, in his May 5 meeting with WCB and the May 7 ex parte filing, refers to it by that name in his opening sentence: “We discussed the Know-Your-Upstream-Provider FNPRM (FCC-CIRC2605-01) on the agenda for the May open meeting.” That single naming convention reframes everything else that hit the docket this week. The TRS providers’ “KYUP-equivalent criteria” deck, FracTEL’s chain-of-trust argument, and PhoneBurner’s verified-KYC framing are not converging on an emerging industry term — they are responding to a Commission FNPRM that is about to be voted out and that the Commission has already structured into “five KYUP elements” (¶15 of the draft): Information Collection, Compliance Review, Information Verification, Monitoring, and Responsive Action.
ZipDX’s ex parte and its accompanying slide deck (cross-listed in WC 17-97 and CG 17-59, presented to WCB plus all three Commissioners’ offices) walk through the FNPRM paragraph by paragraph and propose concrete edits. The substantive ask is on ¶132: today the rule at 47 CFR § 64.1200(k)(3) permits terminating providers to block based on STIR/SHAKEN signer-reputation data but does not require it. Frankel wants the Commission to mandate it, at least for “larger, consumer-facing providers” (e.g., 1M+ subscribers), unless they offer an opt-in tool to consumers. The diagnostic argument is one of the clearest framings of the KYUP value proposition I’ve read: “The signer universe is very small compared to tracking calling numbers — new numbers show up every minute; new signers show up every week. A terminating provider can spot a new problematic signer in a day or less.” ZipDX has also been running a proof-of-concept called Call007 that, per the deck, achieves “minuscule rates of false-positives and false-negatives” by routing calls from problematic signers to voicemail without ringing the handset. The specific ¶132 modification Frankel proposes inserts language that providers are “violating our rules if they accept SIP calls from an upstream provider that does not have an SPC token” — a meaningfully sharper bright line than the current draft.
The other three filings line up against the same FNPRM in different layers.
PhoneBurner kicked things off Monday afternoon with a nine-docket ex parte filed by Mac Murray & Shuster, going after the analytics-engine layer that sits downstream of the FNPRM’s KYUP regime. The filing reports Tier-1 flag rates that “vary up to 30% between carriers” and frames the missing inputs as exactly the categories the FNPRM names: “Heavy reliance on probabilistic signals with limited incorporation of verified KYC, number consistency, and call purpose/context contributes to false positives. Smartphone OEMs and non-Tier 1 carriers increasingly apply spam labels but often lack public remediation processes.” PhoneBurner is essentially asking that whatever KYUP-derived signer reputation the FNPRM produces also flow into the analytics-engine labeling pipeline with a deterministic remediation path.
The Tuesday-evening companion was the joint ex parte from five major Telecommunications Relay Service providers — ClearCaptions, Convo, Hamilton Relay, Sorenson, and CaptionCall — with John Nakahata of HWG as principal counsel and a coalition of Wilkinson Barker Knauer and Cooley counsel for the other providers. The TRS providers met April 30 with CGB and WCB to flag a structural attestation gap that the draft FNPRM (which they cite by name as “the Commission’s recent draft STIR/SHAKEN Further Notice of Proposed Rulemaking”) specifically invited them to address at ¶¶123–24. The cover letter is direct: “TRS providers are experiencing ongoing challenges in obtaining A-level attestations for calls placed by relay users and handled through their services. Calls that obtain a B or a C level attestation become subject to greater blocking or call recipient rejection. Importantly, none of the Joint Providers is currently eligible to obtain a service provider code (‘SPC’) token on its own or through any affiliate.” Their accompanying deck proposes that the FCC “direct carriers and entities in the STIR/SHAKEN chain to provide A-level attestation based on the OSP confirming KYUP-equivalent criteria such as: RMD filing or exemption / ITG traceback compliance / Section 225 certification as a TRS provider / Participation in, or preparation for participation in, the TRS-URD.” That’s the FNPRM’s KYUP framework being repurposed as an evidentiary basis for an A-level attestation accommodation — a clever procedural move that lets TRS providers piggyback on the broader KYUP machinery without requiring new SHAKEN governance changes.
The Friday-evening capper came from FracTEL, LLC — a small Florida CLEC with about 4.5 million directly-assigned numbers — filing a twelve-page comment on the WC 26-49 NPRM. FracTEL President Michael Crown’s comment is one of the most thoughtful small-carrier voices in the whole post-Apr-24 cycle and is worth reading end-to-end. The diagnosis: “STIR/SHAKEN ensures that the caller ID signed in the attestation matches the caller ID presented with the call, but it does not guarantee that the caller ID is legitimately assigned to the originator… A query of the caller ID will identify the holder of record, but as the Commission correctly observes, numbers are assigned through a network of secondary providers before being assigned to a subscriber.” FracTEL’s proposed fix sits in the numbering layer rather than the voice-provider-identity layer: skip NRUF (which “was not designed for, nor is it technically capable of, serving as a real-time or operational database for traceback”) and instead operationalize the ALT SPID (Alternative Service Provider Identifier) attribute that already lives in NPAC. “Population of the ALT SPID field with carrier OCN would provide a verifiable linkage between telephone numbers and the service providers (including resellers) responsible for their use, reinforcing STIR/SHAKEN attestations.”
Stitching the four filings together: PhoneBurner wants KYUP-derived signer reputation to flow into analytics-engine labeling. The TRS providers want KYUP-equivalent regulatory-status criteria to drive A-level attestation. ZipDX wants the FNPRM’s permissive (k)(3) blocking framework converted to a mandate at the terminating provider, with a hard-fail rule on SPC-tokenless upstreams. FracTEL wants the ALT SPID attribute in NPAC operationalized as the verifiable linkage between number assignment and originating provider. Different layers — analytics, attestation, terminating-provider blocking, numbering — same Commission framework being rolled out underneath. If next week generates ITI, USTelecom, or INCOMPAS responses to any of these, the alignment (or fracture) of the broader trade-association infrastructure on KYUP will start to clarify; the FNPRM is on the May open meeting agenda, which gives that comment cycle a hard backstop.
The Covered List drumbeat: drones and routers, with names
The supply-chain enforcement track ran a coordinated cadence this week that’s worth flagging separately because the timing wasn’t accidental.
Monday morning, the Chairman’s office released the Operation Clean Carts six-month update — the consumer-marketplace tail of the same Covered List program that drives the carrier-side Section 214 framework in FCC 26-29. The number to remember is in the body: “Online marketplaces have collectively removed or blocked over 3 million product listings associated with insecure ‘covered’ equipment.” That’s the public-facing case-for-success that Carr and OEA can point to when industry asks why the Commission is layering more carrier-side enforcement on top.
Wednesday morning, the Public Safety and Homeland Security Bureau followed up with DA-26-437, conditionally approving and exempting specific drone and router models from the Covered List under the new framework. This is the third bureau-level Conditional Approval action in the past two months and it gets specific about names. The new entries this round: Air6 System GmbH’s AIR8 Medium Lifter, AIR8 Compact, and AIR4 Rugged/Light/Micro/Nano family of UAS (Conditional Approval terminating December 31, 2026), and Calix, Inc.’s 7u6.2 router, part number 100-06200 (terminating October 31, 2027). Those join earlier rounds’ approvals: SiFly Q12, Mobilicom SkyHopper, ScoutDI Scout 137, Verge X1, and Sees.ai 1.0 on the UAS side; Netgear’s Nighthawk and Orbi consumer router lines, Adtran’s SDG class routers, and eero/eero Pro/Max/PoE/Outdoor/Signal plus the Amazon Leo line on the router side. Two takeaways: first, the Department of War (the Department of Defense’s new naming convention, used unironically throughout the Public Notice) is the gatekeeper for these conditional approvals alongside DHS, and the FCC is just the mechanical updater of the list; second, the Conditional Approvals are time-limited (most expire in October 2027) and explicitly tied to specific model numbers, which means the equipment-authorization workload at PSHSB and OEA is going to be ongoing rather than one-and-done.
Thursday morning, Commissioner Trusty took the framing public at the Special Competitive Studies Project’s AI+ Expo — the Eric Schmidt-founded national-security-tech think tank that has become the regular venue for this Administration’s AI-and-national-security speeches. Trusty’s remarks (“Commanding the Skies: Drone Dominance in the Age of AI”) explicitly connect the Covered List back to the drone story: “Through tools such as the Covered List, the FCC is working to prevent insecure or untrusted equipment from being incorporated into critical infrastructure. Last year, the FCC expanded that approach to drones, adding foreign-manufactured unmanned aircraft systems and critical components to the Covered List based on national security determinations.” The speech also makes the AI-leadership-depends-on-network-leadership case the FCC has been making since the start of the year — “U.S. leadership in AI is essential to American drone dominance” — and lists the FCC’s parallel work on equipment authorization integrity, foreign-ownership transparency, and undersea-cable licensing modernization as the network-trust infrastructure. The speech doesn’t break new policy ground; what it does is signal that the Carr-administration national-security narrative is now stable enough that a Commissioner is comfortable delivering it as a set-piece at the marquee national-security-tech venue.
The staffing signal closed the loop on Tuesday. The Chairman’s office announced six promotions, and the one that matters here is Adam Chan, promoted from National Security Counsel to Senior National Security Counsel. Chan has been at the center of the Covered List enforcement build-out under this Administration; the title elevation suggests Carr is consolidating that work as a permanent fixture of the office rather than a temporary policy push. Anthony Patrone’s promotion to Senior Counsel with an Enforcement Bureau portfolio is also worth noting — the Bureau’s role in Covered List equipment-authorization disputes will only grow as the Conditional Approval cadence settles in.
FTC parallel track: the data-broker side of the same supply chain
The FTC contribution to the week was the announcement Monday morning of the Kochava settlement — the first major data-broker enforcement of 2026 and a settlement of the case the FTC filed in August 2022. Under the proposed stipulated order, Kochava and its subsidiary Collective Data Solutions “will be prohibited from selling, licensing, transferring, sharing or disclosing sensitive location data in any products or services unless they obtain a consumer’s affirmative express consent and the data is used to provide a service directly requested by the consumer.” The order also requires the subsidiary to maintain a list of sensitive locations (health facilities, places of worship, etc.) and a supplier-assessment program to confirm consent up the data-supply-chain. The Commission vote was 2-0 and the order awaits sign-off from the District of Idaho.
The connection worth drawing is structural rather than substantive: the Covered List is hardware-side supply-chain enforcement; the Kochava order is data-side supply-chain enforcement; and both agencies are gravitating toward the same architectural pattern — affirmative consent or affirmative authorization at the top, plus a vetted-supplier program below it, plus periodic incident reporting back to the regulator. If Operation Clean Carts is the consumer-marketplace tail of equipment-side Covered List enforcement, the Kochava-style data-broker bans are the consumer-data tail of the same impulse, and the two will likely keep showing up in adjacent news cycles.
Honorable mentions
Two Commission statements landed adjacent to, but outside, this week’s threads: Commissioner Gomez called for a full review of the Paramount–WBD merger, and Chairman Carr applauded the court decision overturning the Biden-era digital-equity rules.
Looking ahead
Four things to watch for next week. First, the May open meeting itself — the KYUP FNPRM (FCC-CIRC2605-01) is on the agenda; if it’s adopted, the four ex partes above become the opening exchanges of a real comment cycle on a named Commission framework rather than scattered pre-NPRM positioning. Second, trade-association responses to PhoneBurner, the TRS joint filing, ZipDX, and FracTEL — if ITI, USTelecom, or INCOMPAS file in CG 17-59 / WC 17-97 / WC 26-49 in the next ten days, the alignment (or fracture) on the KYUP-mandate-at-terminating-provider question (ZipDX’s specific ¶132 ask) will start to clarify, as will whether ALT-SPID-in-NPAC (FracTEL) gets picked up by larger carriers. Third, more Conditional Approval Public Notices — DA-26-437 was the third in two months, and the Department of War’s pipeline is now established; expect another bureau-level notice within four to six weeks adding more named UAS or router models. Fourth, the FTC’s Negative Option Rule ANPRM (FTC-2026-0265) remains quiet since April 14; if a comment lands there next week, the FTC’s identity-and-disclosure track has a hook.