The Guide To The NDAA Video Surveillance Ban / Blacklists
By Charles Rollet, Published Aug 24, 2020, 01:47pm EDT
This 25-page guide provides a reference to the NDAA ban and blacklist. The US government has implemented wide-ranging prohibitions on using, buying, and selling video surveillance products, including Dahua, Hikvision, and Huawei (HiSilicon)-based products.
However, the bans and 'blacklisting' are not complete. In many areas, US businesses are free to buy, sell, and use these products.
The goal of this guide is to explain how these bans and 'blacklisting' work so that businesses can understand where and when they are applicable, including 11 major sections:
- No Workarounds for Subsidiaries or OEMs
- What Bidders / Contractors Must Do
- The 'Blacklist' Explained
- Maintenance Is Covered
- Reasonable Inquiry Mandated
- Federal Funding Ban Explained
- Waiver Process Explained
- The DoD Delay Does Not Cover Electronics Including Video Surveillance
- Exemptions Explained
- Penalties Explained
- NDAA Compliant Products Listed
This guide provides extensive links and citations to US government documentation so you can review them yourself. You should confirm with the relevant government agencies on the applicability to your own particular sale or usage.
NDAA Ban Background
In August 2018, US Congress passed the John McCain National Defense Authorization Act (NDAA), which contained a section called Section 889: Prohibition on Certain Telecommunications and Video Surveillance Services or Equipment.
The ban was introduced in 2018 as an amendment by US Congresswoman Vicky Hartzler (R-MO) who explained that PRC equipment "exposes the US government to significant vulnerabilities":
We must face the reality that the Chinese government is using every avenue at its disposal to target the United States, including expanding the role of Chinese companies in the U.S. domestic communications and public safety sectors. Video surveillance and security equipment sold by Chinese companies exposes the U.S. government to significant vulnerabilities and my amendment will ensure that China cannot create a video surveillance network within federal agencies. [emphasis added]
Hartzler had previously called "very concerning" a WSJ investigation finding that Hikvision cameras were deployed at the US Army base Fort Leonard Wood, which is in Rep. Hartzler's district (the cameras were removed after the WSJ report).
Other factors contributing to the ban included serious Hikvision and Dahua backdoor vulnerabilities, with Hikvision's receiving the worst possible rating from DHS. Hikvision attracted particular scrutiny from the WSJ and others over its PRC Government Control.
The ban also came after the PRC passed its National Intelligence Law mandating that all PRC companies "support, assist, and cooperate" intelligence agencies and "protect national intelligence work secrets":
The PRC declared non-domestic video surveillance "risks to national security" back in 2012.
NDAA Three Core Parts
Section 889 has three core parts:
- the 'procurement ban', which bans federal procurement of covered equipment/service and went into effect in August 2019
- the 'blacklist clause', which bans federal agencies from doing business with those who "use" covered equipment/services and went into effect in August 2020
- the 'funding ban', which prohibits federal dollars from being spent on covered goods/services and went into effect in August 2020
In this post, we will examine each core aspect in detail, along with which entities and what products are affected.
The ban names Hikvision and Dahua along with "any subsidiary or affiliate of such entities":
This means there are no workarounds - i.e. Hikvision USA or Hikvision Brazil is covered just as well as Hikvision China gear. Huawei is also covered:
This is not strictly limited to Huawei telecom gear as it explicitly includes "video surveillance services" or "such equipment" produced by Huawei as well:
Risks Remaining For Non-Banned Products
In her reasoning for the NDAA ban, Congresswoman Vicky Hartzler stated that video surveillance equipment "sold by Chinese companies exposes the US government to significant vulnerabilities." However, the NDAA ban does not affect all PRC companies, just five specific ones (Hikvision/Dahua/Huawei/ZTE/Hytera).
There is no current indication that other PRC manufacturers will be added to the NDAA ban. However, US-China relations remain tense and there is a wide body of PRC laws mandating all companies (not just Hikvision/Dahua) cooperate with PRC intelligence and police agencies.
In the long term, it remains possible that other PRC video surveillance companies will be targeted by federal use bans or other sanctions. Outside the US, Taiwan's government announced this year a broad PRC tech usage ban that covers all PRC tech products, not just those from specific PRC companies.
'Covered Equipment/Services' Includes OEMs, COTS, Micro-transactions
OEMs are also covered, with the procurement ban requiring "original equipment manufacturer" disclosure:
The blacklist clause requires disclosure of "whether the entity was the original equipment manufacturer" for "covered equipment":
"COTS items" are also covered, with the government having determined this "is in the best interests of the Government":
Finally, "all" federal contracts are covered "including micro-purchase contracts":
All Cameras With Huawei HiSilicon Chips Also Covered
The ban includes "any equipment, system, or service" which uses banned goods/services "as a substantial or essential component of any system":
This is particularly important to video surveillance because many IP cameras today, particularly cheaper ones, are powered by Huawei HiSilicon SoCs and are therefore "covered" just like Hikvision or Dahua cameras.
Procurement Ban Summary
In effect since August 13, 2019, this bans federal agencies from trying to "procure or obtain or extend or renew a contract" to buy "any equipment, system, or service" that "uses covered" equipment/services:
In plain English, this means the federal government cannot, in any way, buy banned equipment, nor can it obtain products which use banned equipment "as a substantial or essential component" e.g. cameras with Huawei HiSilicon chips.
Affects Every Federal US Agency
This affects every "executive agency" of the federal government, which includes many organizations such as the FBI, the Coast Guard, the military, the VA, the State Department/USAID, the National Park Service, etc.
Contractors are "prohibited from providing to the Government" banned equipment/services:
That means the onus is on contractors to comply; in order to do so, bidders "shall include" a "representation" to the government about whether they "will" or "will not" provide covered equipment/services "for all solicitations", per the implementing FAR Rule:
UPDATE 9/3: In a second interim rule, the US government announced that starting on October 26 bidders will be required to "represent" on an annual basis in the System for Award Management (SAM) whether or not they use covered services:
Prior to this, bidders were required to represent for each federal contract, so this should make compliance simpler. The government estimates "it will take 1 hour to complete the annual representation".
The annual representation requirement kicks in October 26 but is also required for solicitations "issued before the effective date, provided award of the resulting contract(s) occurs on or after the effective date".
Procurement Ban Examples
Below is a list of hypothetical scenarios that are prohibited under the procurement ban:
- An integrator cannot renew his contract with a local Coast Guard base for a Hikvision camera system
- A construction company cannot install Dahua NVRs for its local Veterans Administration office
- A veteran-owned security firm cannot win a US Air Force contract if it plans to install Huawei HiSilicon-based IP cameras at one of the barracks
In effect since August 13, 2020, the blacklist clause says the federal government "may not" "enter into a contract" or "extend or renew a contract" with "an entity that uses" covered equipment and/or services:
This means the federal government cannot do business with any prime contractor that "uses" banned equipment/services. Importantly, this applies "regardless of whether that use" is related to a federal contract:
Blacklist Clause "Interim", Comments Possible
After this period, the government will decide whether to make any final revisions/clarifications and then publish the final rule. However, keep in mind, the interim rule is still legally in effect since August 13.
Affects Every Federal US Agency
Just like the procurement ban, every "executive agency" of the federal government is affected:
Blacklist Clause Has No Definition of "Use" (Yet)
The blacklist clause bans the federal government from dealing with any prime contractor's "use" of banned equipment services. However, the clause does not specifically define "use", meaning it is unclear if a distributor who simply sells boxes of Hikvision cameras wholesale and has no meaningful interaction with them is considered a "user".
The GSA has urged those wanting clarity on this point to file public comments on the interim rule, stating in a recent webinar:
Does "use" include selling and or servicing equipment to private industry? Again, "use" is not defined, so it's unclear. I think that's a good question to include in your comments to the Federal Register to the FAR rule. [emphasis added]
Blacklist Clause Only Impacts Prime Contractors
The blacklist clause prohibition "applies at the prime contract level", per the interim rule:
That means subcontractors can still use banned goods/services as long as they don't end up being used by the prime contractor.
Prime Contractors Must Still Examine Subcontractors
A prime contractor must still examine its "relationships with any subcontractor or supplier" to make sure it doesn't end up using the sub's covered goods/services:
Some prime contractors may stop working with subcontractors who use banned equipment/services entirely, just to avoid the risk of such systems ending up in their own usage.
"Maintenance" of a covered "item" is considered "covered services" and must be disclosed in the representation, i.e. leading to blacklisting:
For any "covered service" that is "not associated with maintenance", then the Product Service Code (PSC) must be disclosed:
"Each offer" to a federal agency requires "conducting a reasonable inquiry" beforehand on whether banned equipment/services "are used by the offeror":
"Reasonable inquiry" is defined as an "inquiry designed to uncover any information" about banned equipment usage; an internal or third party audit is not necessary:
The government says DoD, GSA, and NASA are "currently working on updates" to the System for Award Management (SAM) to allow contractors "to represent annually after conducting a reasonable inquiry". The government estimates about "3 hours" of paperwork per representation.
One Business Day to Report Banned Equipment/Services Use
If a contractor discovers covered equipment/services usage after winning a federal contract, it "shall report" to the contract officer "within one business day" a host of details about the banned equipment "brand", "model", "item description", and any "readily available information about mitigation actions":
Then, within ten business days after the initial report, the contractor will submit "any further information about mitigation actions undertaken or recommended":
No Geographic Constraints On "Use"
Nowhere in the NDAA itself or the implementing regulations are geographic constraints imposed/mentioned. If an integrator has an office in South Korea using Hikvision equipment, that counts as "use" of covered equipment/services. As GSA has explained, this applies even if there is no choice but to use such equipment in the foreign country:
What about situations where the contractor is located in a country such as Ethiopia, where the monopoly internet provider, the government of Ethiopia uses covered telecom and their infrastructure? Well, if that contractor uses that internet infrastructure, that's the use of covered telecom. And if you know about it, if your reasonable inquiry turns up that information, you have to represent to the government that you use covered telecom. [emphasis added]
Blacklist Clause Examples
The examples below are prohibited under the blacklist clause:
- An integrator which no longer deals Hikvision but does still maintain a Hikvision camera network he installed at a pizza parlor three years ago, occasionally logging in to fix bugs. This is "maintenance" of a banned item, which is a "covered service", so this integrator will not be able to participate in a security contract for his local VA office, even though he only deals NDAA-compliant equipment now.
- A Japanese construction company that uses Hikvision cameras in its Tokyo office to monitor its staff can no longer win State Department contracts because of its use of covered equipment.
- A veteran-owned security firm that uses a wide variety of cheap cameras, some of them with Huawei HiSilicon SoCs, cannot win a simple contract for wire fencing at a nearby US Navy base.
- A subcontractor installs relabeled Hikvision cameras at a prime contractor's new headquarters without disclosing that the cameras are Hikvision and thus NDAA-banned, meaning the prime contractor now risks being blacklisted from all federal contracts for using Hikvision cameras.
Because of how expansive the blacklist clause is, unlike the narrower procurement ban, it has raised significant opposition from groups like SIA, to no avail.
In effect since August 13, 2020, the 'funding clause' is the NDAA's Prohibition on Loan And Grant Funds, which states the federal government "may not obligate or expend loan or grant funds" to "procure or obtain" any covered "equipment, services, or systems":
Plainly put, this component bans any federal dollars from being spent on acquiring banned equipment/services, regardless of the entity spending those federal dollars.
The implementing rule for this clause is 2 CFR 200.216, which 'prohibits' any federal award "recipients and subrecipients" from trying to "procure or obtain", "extend or renew a contract to procure or obtain", and "enter into a contract [...] to procure or obtain" covered equipment/services:
Affects Entities Beyond Federal Contracting Community
The funding clause applies to "federal award recipients and subrecipients", which could be a local public school or a church or a private company or a charity etc.
Funding Clause Examples
As IPVM has reported, the examples below are prohibited under the funding clause:
- An integrator cannot sell Hikvision cameras to a local private school as part of a Department of Education-funded grant to expand security
- A security firm cannot renew its DHS-funded contract with a local synagogue for a Huawei HiSilicon chip-powered surveillance system
- A construction company cannot sell Dahua NVRs for a local rec center's expansion funded by the Veterans Administration
However, even with the funding clause in place, the examples below are not prohibited:
- An integrator using Dahua cameras can sell NDAA-compliant Pelco systems for a local school's federal Department of Education grant to expand security
- A security firm using Huawei HiSilicon chip-powered surveillance systems at its own warehouse can obtain a DHS-funded contract with a local mosque that does not include any covered equipment/services
In order to get a waiver from a federal agency head, an entity must submit "a compelling justification for the additional time" required to comply and "a full and complete laydown or description" of the covered equipment/services being used:
The executive agency head then has "30 days" to consult with "appropriate Congressional committees" on the validity of the waiver request. Meanwhile, the submitter must also "notify and consult" with the DNI:
Finally, a "phase-out plan to eliminate" the covered services/equipment must be provided:
Waivers from federal agency heads "may only be provided" for a "period of not more than 2 years" after the effective date of Section 889's core components, meaning:
- Procurement ban waivers from agency heads are possible until August 13, 2021
- Blacklist clause waivers from agency heads are possible until August 13, 2022
- There is no waiver provision for the funding ban.
This means, in effect, these waivers are "really delayed implementation", GSA has commented.
Separately, the DNI itself can issue waivers as well and they have no deadlines, i.e. they can be issued "on a date later" if deemed "in the national security interests" of the US:
For background, the DNI is the federal agency that oversees the US' Intelligence Community (CIA, NSA, etc):
GSA Says Waiver Hurdles "High"
Given all the steps and high levels of government approval required, the GSA has emphasized these waivers are difficult to obtain:
Section 889 in the NDAA and in the FAR rule does allow some waivers. However, the waivers are very narrow, and that, again, is to address the threats. These threats are real, and we need to protect the American government's supply chain.
The Director of National Intelligence may waive Section 899 Part A, Part B both for national security interests. Clearly, that's a very high bar.
And you can see the hurdles are quite high. A lot needs to be done before a waiver can be granted. [emphasis added]
Government Says Waivers Could Take "A Few Weeks"
In the interim rule, the government recognizes waivers "would likely take at least a few weeks" and if such time is not available, agencies can just "make award to an offeror that does not require a waiver":
The Department of Defense has obtained a DNI waiver allowing it to delay implementation of the NDAA's "blacklist clause" until September 30, giving those who "use" Hikvision/Dahua/Huawei HiSilicon a temporary amount of relief.
However, the waiver only affects contractors' supply to the DoD of "low-risk" products such as "food, clothing, maintenance services, construction materials that are not electronic", the DoD told IPVM. Below are some examples, per IPVM's interpretation, of what is now allowed:
- An integrator that uses Hikvision equipment can sell shovels to the US Air Force until September 30
- A Japanese construction company that uses Dahua cameras to monitor its Tokyo headquarters can still sell concrete, bricks, and lumber to the US Navy base in Okinawa until September 30
- A janitorial services company which also installs and maintains Huawei HiSilicon-powered cameras can continue mowing the lawns of its local US Army base until September 30
Below are some examples of what remains prohibited:
- The integrator that uses Hikvision cameras cannot win contracts from NASA, the FBI, or any other federal agency apart from the DoD
- The Japanese construction company cannot win any contracts from USAID, even if it's just for bricks, as USAID is part of the State Department (not the DoD)
- The janitorial services company which uses Huawei HiSilicon cannot sell NDAA-compliant Pelco cameras to the US Army base as these are not "high-volume, low risk" items
- On October 1, a veteran-owned integrator cannot sell canned goods to the US Navy base because the waiver will have expired by then
The other exemption is for "backhaul, roaming, or interconnection arrangements" with a "third-party" along with telecom equipment that "cannot route or redirect user data traffic":
During its recent webinar, GSA gave a few examples of such equipment/services, citing "cabling and copper wiring", Ethernet cables, and a WiFi provider's voice data package:
Internet wireless service provider providing customers voice data services for international calls. Electrical and communications, cabling and wiring copper Ethernet cables include terminations, I'm not sure if that's helpful, but those are the answers that we've come up with for examples of equipment that cannot route or redirect user data traffic. [emphasis added]
As GSA has noted, if someone violates the NDAA, there is no specific enforcement mechanism, "it just follows the normal enforcement" for federal contracts:
There's no additional enforcement that's specific to Section 899 [...] It just follows the normal enforcement for everything else under government contracts.
The government states that Section 889 violations are considered "breach of trust", stating that "failure to submit an accurate representation to the Government constitutes a breach of contract that can lead to cancellation, termination, and financial consequences":
The False Claims Act allows the federal government to fine contractors $11,665 to $23,331 for each false claim made.
DoD On Who Handles Violations
There are few explicit announcements yet on who handles violations; however, the DoD stated in recent guidelines that if a "contracting officer" doubts a contractor is being honest in their representation, the officer shall "consult with the program office" and "legal counsel":
The following companies told IPVM that all their products are compliant. Note that past models are not necessarily compliant:
- Axis Communications (Axis' discontinued Companion Line used HiSilicon chips)
- BCD International
- JCI/Tyco Security
- Rhombus Systems
- Seek Thermal
100% NDAA-Compliant for US-Listed Products
These companies said that US-listed products are compliant but that some products not intended for US sale are not compliant:
- Bosch is in the process of dropping Dahua and, in the US, is discontinuing all models made by Dahua. Outside the US, those products will continue to be sold, for now.
- ACTi provided a list of NDAA-compliant products.
- Digital Watchdog (DW) has a statement listing compliant products. It is a long list, but they did not clarify which products are not compliant, so buyers must carefully review the list to see whether a specific model is or is not included.
- Hanwha provided a list of compliant products. Hanwha is dropping Huawei Hisilicon from its cameras, with most of its cameras already not using Hisilicon, instead using its own Wisenet chips and Ambarella.
- Lilin provided a list of compliant products; however, Lilin did not provide a list of what products were not NDAA compliant.
- March Networks directed IPVM to a statement on their site, and said their recently launched X-Series recorders are compliant. They report that the 8000 and 9000 series recorders are not compliant.
- Verkada referred us to a statement including a list of compliant products. Verkada's first product lines used Huawei Hisilicon.
- Vivotek passed along this statement listing their compliant products.
- Costar did not say if they are fully compliant, but provided a list of compliant products, available for download here.
- Honeywell referred us to a page discussing NDAA compliance, where a list of compliant products is available for download. Honeywell makes it hard for buyers because they do not make clear which Honeywell video surveillance products are not compliant. For example, the 'Performance' and 'equIP' series are made by Dahua and therefore are banned but not disclosed by Honeywell on their product pages. Also, Honeywell thermal cameras for body temp detection are OEM Hikvision products.
- IDIS gave IPVM a list of compliant products, and said they are working to make more products compliant.
- Speco provided a list of compliant products, available for download here, and told IPVM it "is actively moving to exclude components from these banned companies"
- Sunell is releasing a new series of products that are NDAA compliant, but existing products are generally not NDAA compliant given Huawei HiSilicon usage.
- Panasonic: While the company claims to be fully NDAA compliant, at least for its branded Panasonic models in the US, the company has now admitted that some of its cameras still being sold use Huawei HiSilicon chips, but Panasonic refuses to publicly disclose which ones.
- Uniview overwhelmingly uses Huawei Hisilicon chips, though recently they have started to offer a small number of products that are NDAA conformant.
- Vicon referred IPVM to a page listing their NDAA-compliant products.
Finding If Your Cameras Use HiSilicon
IPVM has also published a guide on How To Find If Your Cameras Use Huawei HiSilicon. This video shows how to locate the SoC:
IPVM also showed how to find HiSilicon SoCs in models where the SoC is less easy to find such as Uniview:
2021 Update: Marketing NDAA Compliant Doesn't Mean Cybersecure
Starting in 2021, an increasing number of sellers are marketing their products as NDAA compliant. While this marketing is typically correct in that those products are not produced or using critical components from covered companies, it does not ensure that a product is free from any cybersecurity vulnerabilities. The NDAA currently targets national security risks from specific PRC companies, but does not test or guarantee that NDAA compliant products are free from vulnerabilities.
NDAA-compliant providers still regularly suffer from cybersecurity incidents. For more, read IPVM's Directory of Video Surveillance Vulnerabilities and Exploits.
IPVM will continue to update this guide as new developments emerge and as questions are asked. Please comment below or email us at email@example.com and we will update the guide.