NDAA Section 889 Compliance for Security Cameras & Access Control
A plain-English guide to what Section 889 actually bans, who has to comply, how to verify whether your existing physical security equipment is compliant, and what to do when it isn't — written for the organizations that carry the obligation, not the lawyers who drafted it.
This guide is provided for general educational purposes and reflects WCC Technologies Group's experience as a physical security integrator. It is not legal advice. Federal regulations and named-entity lists change over time — confirm current requirements with your legal and contracting teams before making procurement or compliance decisions.
If your organization touches federal money — a contract, a grant, an E-Rate reimbursement, a federal healthcare program — there is a good chance Section 889 applies to your security cameras and parts of your network. Most organizations discover this the hard way: during a funding review, a contract renewal, or an audit. This guide exists so you can get ahead of it.
What NDAA Section 889 Actually Is
Section 889 is part of the 2019 National Defense Authorization Act — the annual law that funds the U.S. Department of Defense, with riders that reach well beyond defense. Section 889 specifically addresses national security risk in telecommunications and video surveillance equipment.
It has two parts that matter in practice. Part A prohibits the federal government from buying covered equipment. Part B — the one that catches most private organizations off guard — prohibits the government from contracting with any entity that uses covered equipment, anywhere in that entity's operations, regardless of whether the equipment touches the federal contract.
That second part is why a manufacturing company with a single banned camera in its parking lot can find itself ineligible for a federal contract, and why a school district running covered cameras can put its E-Rate funding at risk. The obligation attaches to the organization, not just the project.
Which Security Camera and Network Brands Are Banned
The statute names five manufacturers explicitly, plus their subsidiaries and affiliates:
- Huawei — telecommunications equipment
- ZTE — telecommunications equipment
- Hytera — two-way radio and communications
- Hangzhou Hikvision — video surveillance
- Dahua Technology — video surveillance
The last two are the ones that matter most for physical security, because Hikvision and Dahua are among the largest camera manufacturers in the world — and their hardware is sold under many other brand names through OEM arrangements. The named list also extends to subsidiaries and affiliates, so the practical scope is broader than five logos.
The compliant alternatives. The camera and access control platforms WCC specifies for compliance-driven environments — including Verkada, Avigilon, Rhombus, Axis, and Hanwha — are NDAA Section 889 compliant. We cover the tradeoffs between them in our commercial security camera buyer's guide.
| Category | Covered / Banned | Common compliant choices |
|---|---|---|
| Video surveillance | Restricted Hikvision, Dahua & their OEM relabels | OK Verkada, Avigilon, Rhombus, Axis, Hanwha |
| Telecom / radio | Restricted Huawei, ZTE, Hytera | OK Mainstream enterprise networking vendors |
| Relabeled OEM | Restricted Any brand built on covered hardware | OK Verify manufacturer, not the label |
Who Actually Has to Comply
This is where most organizations underestimate their exposure. Section 889 reaches much further than "federal agencies." If any of the following describe your organization, you should treat compliance as a live requirement:
K-12 School Districts
Districts drawing E-Rate or other federal funds are expected to run compliant equipment. Covered cameras can jeopardize reimbursement.
Universities & Research
Institutions holding federal research grants carry Section 889 obligations across their facilities, not just grant-funded buildings.
Healthcare Systems
Organizations billing federal healthcare programs or holding federal contracts are commonly in scope across their full estate.
Federal Contractors
Any business that bids on or holds a federal contract — including subcontractors — must certify it does not use covered equipment.
The pattern is consistent: it is rarely the federal agency itself that gets caught short — it's the contractor, the district, or the institution that didn't realize a few cameras placed years ago now sit between them and their funding.
The OEM Relabeling Trap
Here is the single most important thing in this guide, and the one most organizations miss: the brand on the camera is not the same as the manufacturer of the camera.
Hikvision and Dahua manufacture hardware that is then sold under dozens of other brand names through original-equipment-manufacturer (OEM) relationships. A camera with an unfamiliar Western-sounding brand on the label can be, internally, covered equipment. Buying "not Hikvision" off the label is not the same as buying compliant.
Why this matters for your audit. A self-assessment that only checks the brand label will produce false confidence. Genuine verification requires identifying the actual hardware manufacturer — chipset, firmware origin, and FCC ID lookups are part of how integrators trace this. If your compliance record only lists brand names, it will not survive scrutiny.
How to Verify Whether Your Equipment Is Compliant
A defensible compliance posture isn't a hunch that your gear is fine — it's documentation. Here is the process WCC follows when auditing a site:
- Inventory every device. Cameras, recorders/NVRs, encoders, intercoms, and the networking gear they depend on. You cannot certify what you haven't counted.
- Identify the true manufacturer. Trace each device past its brand label to the actual manufacturer using model records, FCC IDs, and firmware/chipset signatures — specifically to catch OEM relabels.
- Cross-reference the named entities. Check each manufacturer (and its parent/subsidiary relationships) against the Section 889 covered list as it currently stands.
- Obtain written attestations. Request compliance documentation from current vendors. A reputable manufacturer will provide an NDAA compliance statement.
- Produce a per-device record. The deliverable is a documented compliance status for each device — the artifact you can hand to an auditor, contracting officer, or funding reviewer.
For organizations with more than a handful of devices, or any organization whose funding depends on getting this right, a professional security camera and access control audit produces a stronger record than an internal spot-check.
What to Do When Non-Compliant Equipment Is Found
Finding covered equipment is not a crisis if you handle it methodically. Continuing to use it after you know is the real risk. Remediation generally follows this arc:
- Document the affected devices — model, location, and the basis for the non-compliance finding.
- Plan a phased replacement with NDAA-compliant hardware, prioritizing the highest-exposure areas first (anything tied directly to federal-funded operations).
- Replace and decommission covered devices, retaining records of removal — auditors care that the equipment is gone and that you can prove when.
- Update your compliance file so the post-remediation state is documented for the next funding cycle or contract certification.
Remediation is also an upgrade opportunity. Organizations replacing covered cameras often move to a modern cloud-managed platform at the same time — gaining better analytics, remote management, and unified access control integration. The forced replacement becomes a planned modernization. See our camera cost guide for budgeting ranges.
Does Section 889 Cover Access Control Systems?
Section 889 targets covered telecommunications and video surveillance equipment. Pure access control — readers, controllers, credentials — isn't the primary target the way cameras are. But access control rarely lives in isolation: it runs on your network, often integrates with video, and sometimes ships with covered components.
For compliance-driven environments, the clean posture is to specify access control platforms and cameras from manufacturers with documented NDAA compliance across the full stack, so there's no covered hardware anywhere in the security system. That removes the ambiguity rather than arguing it.
NDAA Compliance Is Not the Same as TAA Compliance
These two get conflated constantly, and they're different requirements that frequently both apply to a single procurement:
| NDAA Section 889 | TAA (Trade Agreements Act) | |
|---|---|---|
| What it does | Prohibits specific named manufacturers' covered equipment | Requires manufacture in the US or a designated country |
| Basis | Named-entity list (who made it) | Country of origin (where it was made) |
| Can fail one, pass other? | Yes — a product can be NDAA-compliant but not TAA-compliant, or vice versa. Verify both. | |
If a procurement specifies both — common in government and education — confirm each independently. A vendor's NDAA attestation says nothing about TAA, and assuming otherwise is a frequent and avoidable mistake.
The short version. Know whether you're in scope (most federally-connected organizations are), verify the real manufacturer rather than the brand label, document compliance per device, and remediate covered equipment on a planned schedule before it's flagged. Getting ahead of it is straightforward; getting caught behind it during a funding review is not.
NDAA Section 889 — Frequently Asked Questions
Not Sure If Your Cameras Are Compliant?
WCC audits physical security equipment across Southern California, traces every device to its true manufacturer, and produces a per-device compliance record you can hand to a funding reviewer or contracting officer — plus a phased remediation plan if anything needs to go. CSLB #819788.