One solution is for Cisco to produce network products that use external storage instead of internal chips for firmware storage. Have the customer download a firmware image from a source outside of the US and "burn" that onto a SD card (or whatever medium is to be used). The card is then inserted into the Cisco device which is now ready to use.
I understand that the Cisco system would still require an equivalent of a bios in order to initialise the card reader but as the bios would only need to initialise the card reader and none of the network hardware, it could be fairly securely isolated to prevent hacking at that level. Also the firmware (on the SD card) could checksum the bios in order to detect modifications and prevent initialisation of the hardware, resulting in a brick.