Buying Guide · NDAA Compliance
NDAA Section 889 compliance checklist for security hardware.
A practical checklist for installers and procurement teams sourcing surveillance, access, and network hardware into federal, government-funded, or grant-eligible deployments. What Section 889 actually restricts, what survives the screening, and what installers get wrong.
01 / What NDAA Section 889 Actually Restricts
The five names on the list.
Section 889 of the FY 2019 National Defense Authorization Act prohibits federal agencies, contractors, and grant recipients from procuring, contracting with, or using “covered telecommunications equipment or services” from five named entities (Part A and Part B of the act):
- Huawei Technologies — networking, telecom infrastructure
- ZTE Corporation — networking, telecom infrastructure
- Hytera Communications — two-way radio (LMR/PMR)
- Hikvision Digital Technology — video surveillance (and OEM rebranded variants)
- Dahua Technology — video surveillance (and OEM rebranded variants)
“And any subsidiary or affiliate” — which expands the practical restriction significantly. Many rebranded OEM cameras (white-label DVRs and IP cameras built by Hikvision or Dahua) are also restricted even when sold under different brand names.
02 / Who Section 889 Applies To
Wider than most installers expect.
- Direct federal procurement — Part A; restricts agencies from buying the hardware.
- Federal contractors and subcontractors — Part B; restricts using the hardware in performing federal contracts.
- Federal grant and loan recipients — can be required to certify against use, depending on the grant terms.
- Critical infrastructure (often via state mandates) — several states and provinces have layered their own rules that mirror Section 889.
- Commercial customers with federal exposure — defense contractors, hospitals receiving federal funds, universities, transportation authorities. Many require NDAA compliance as a procurement-default to keep federal eligibility clean.
Practical effect for Ottawa-region installers: any project bidding work for federal buildings, military, RCMP, or organizations with cross-border federal exposure should default to NDAA-screened hardware even when not strictly required.
03 / Compliance Checklist
Pre-procurement screening.
Before quoting or specifying hardware for an NDAA-affected project, work through this list. Vendor sales sheets often state “NDAA compliant” without footnotes — verify against the actual SKU and current firmware revision.
// Per-SKU Screening
☐ Brand verified not on Section 889 covered entity list
☐ Brand verified not a subsidiary or affiliate of a covered entity
☐ SKU is not an OEM rebrand of Hikvision or Dahua hardware
☐ SKU compliance documentation available from the manufacturer (datasheet or compliance letter)
☐ Firmware version verified — some manufacturers had restricted components in older firmware
☐ Bundled accessories (cables, NVRs, displays) also verified
☐ Network equipment in the path (PoE switches, recorders) also screened
☐ Procurement record retained for 5 years (federal audit timeline)
The trap most installers hit: spec’ing an NDAA-compliant camera but pairing it with an unscreened NVR or PoE switch in the same recording path. The whole path needs to be clean, not just the camera body.
04 / NDAA-Compliant Brand Reference
What survives Section 889 screening.
Practical short-list of brands we stock for NDAA-aware deployments. Always verify the specific SKU against current manufacturer documentation — vendor product lines change.
Surveillance Cameras & NVRs
Hanwha Vision (Samsung Techwin lineage), Axis Communications, i-PRO (formerly Panasonic surveillance), ACTi, Uniview (specifically their NDAA-marked SKUs — not all Uniview models qualify), Bosch IP cameras.
Networking / PoE
Cisco Catalyst series, Aruba, Juniper, Allied Telesis, NETGEAR ProSAFE business line, TP-Link Omada (verified SKUs). Avoid generic Hikvision/Dahua-branded PoE switches even if they “just power cameras.”
Access Control
Kantech, Lenel/S2, HID Global, Mercury Security, ProDataKey, ZK Teco (verify per SKU). Access control rarely has Section 889 exposure but procurement teams often require the screening anyway.
05 / Common Compliance Failures
Where projects fail audit.
- “NDAA compliant” sticker without documentation — installers accept the marketing claim without pulling the manufacturer compliance letter. On audit, the letter is what counts.
- OEM rebrand blind spots — house-brand NVRs from major distributors often run Hikvision OEM internals. Verify the actual chipset and firmware origin, not just the badge.
- Mixed-path installations — compliant cameras feeding an unscreened NVR. The recording path is what matters, not just the camera SKU.
- Legacy installations carried forward — site upgrades that swap cameras but leave the old non-compliant NVR. Federal audits look at the whole stack, not just the new SKUs.
- Cloud bridges and analytics services — third-party cloud platforms that ingest video may use restricted infrastructure on their back end. Check the SOC2 / FedRAMP posture of the service, not just the hardware on-prem.
NDAA Spec Review
Sourcing for a Section 889-affected project?
Send the project details — agency, contract type, and current bill-of-materials. We verify each SKU against the latest manufacturer compliance documentation before the order ships, not after.
Equipment Referenced · NDAA-Compliant
Hardware that survives Section 889 screening.
Related Guides
Deployment Architectures
Related Categories