NDAA Video Surveillance Ban / Blacklists Guide

This guide provides a reference to the NDAA ban and blacklist. The US government has implemented wide-ranging prohibitions on using, buying, and selling video surveillance products including Dahua, Hikvision, and Huawei (Hisilicon) based products.

However, the bans and 'blacklisting' are not complete. In many areas, US businesses are free to buy, sell, and use these products.

The goal of this guide is to explain how these bans and 'blacklisting' work so that businesses can understand where and when they are applicable, including 11 major sections:

• No Workarounds for Subsidiaries or OEMs
• What Bidders / Contractors Must Do
• The 'Blacklist' Explained
• Maintenance Is Covered
• Reasonable Inquiry Mandated
• Federal Funding Ban Explained
• Waiver Process Explained
• The DoD Delay Does Not Cover Electronics Including Video Surveillance
• Exemptions Explained
• Penalties Explained

Primary Links Provided / Confirm With Government

This guide provides extensive links and citations to US government documentation so you can review them yourself. You should confirm with the relevant government agencies on the applicability to your own particular sale or usage.

NDAA Ban Background

In August 2018, US Congress passed the John McCain National Defense Authorization Act (NDAA), which contained a section called Section 889: Prohibition on Certain Telecommunications and Video Surveillance Services or Equipment.

Ban Purpose/Reasoning

The ban was introduced in 2018 as an amendment by US Congresswoman Vicky Hartzler (R-MO) who explained that PRC equipment "exposes the US government to significant vulnerabilities":

We must face the reality that the Chinese-government is using every avenue at its disposal to target the United States, including expanding the role of Chinese companies in the U.S. domestic communications and public safety sectors. Video surveillance and security equipment sold by Chinese companies exposes the U.S. government to significant vulnerabilities and my amendment will ensure that China cannot create a video surveillance network within federal agencies. [emphasis added]

Hartzler had previously called "very concerning" a WSJ investigation that Hikvision cameras were deployed at US Army base Fort Leonard Wood, which is in Rep. Hartzler's district (the cameras were removed after the WSJ report.)

Other factors contributing to the ban included serious Hikvision and Dahua backdoor vulnerabilities, with Hikvision's receiving the worst possible rating from DHS. Hikvision attracted particular scrutiny from the WSJ and others over its PRC Government Control.

The ban also came after the PRC passed its National Intelligence Law mandating that all PRC companies "support, assist, and cooperate" intelligence agencies and "protect national intelligence work secrets":

The PRC declared non-domestic video surveillance "risks to national security" back in 2012.

NDAA Three Core Parts

Section 889 has three core parts:

• the 'procurement ban', which bans federal procurement of covered equipment/service and went into effect in August 2019
• the 'blacklist clause', which bans federal agencies from doing business with those who "use" covered equipment/services and went into effect in August 2020
• the 'funding ban', which prohibits federal dollars from being spent on covered goods/services and went into effect in August 2020

In this post, we will examine each core aspect in detail, along with which entities and what products are affected.

Entities Affected: No Workarounds

The ban names Hikvision and Dahua along with "any subsidiary or affiliate of such entities":

This means there are no workarounds - i.e. Hikvision USA or Hikvision Brazil is covered just as well as Hikvision China gear. Huawei is also covered:

This is not strictly limited to Huawei telecom gear as it explicitly includes "video surveillance services" or "such equipment" produced by Huawei as well:

Risks Remaining For Non-Banned Products

In her reasoning for the NDAA ban, Congresswoman Vicky Hartzler stated that video surveillance equipment "sold by Chinese companies exposes the US government to significant vulnerabilities." However, the NDAA ban does not affect all PRC companies - just five specific ones (Hikvision/Dahua/Huawei/ZTE/Hytera.)

There is no current indication that other PRC manufacturers will be added to the NDAA ban. However, US-China relations remain tense and there is a wide body of PRC laws mandating all companies (not just Hikvision/Dahua) cooperate with PRC intelligence and police agencies.

In the long term, it remains possible that other PRC video surveillance companies will be targeted targeted by federal use bans or other sanctions. Outside the US, Taiwan's government announced this year a broad PRC tech usage ban that covers all PRC tech products, not just those from specific PRC companies.

'Covered Equipment/Services' Includes OEMs, COTS, Micro-transactions

OEMs are also covered, with the procurement ban requiring "original equipment manufacturer" disclosure:

Refer to IPVM's Dahua OEM Directory and Hikvision OEM Directory for companies OEMing.

The blacklist clause requires disclosure of "whether the entity was the original equipment manufacturer" for "covered equipment":

"COTS items" are also covered, with the government having determined this "is in the best interests of the Government":

Finally, "all" federal contracts are covered "including micro-purchase contracts":

All Cameras With Huawei HiSilicon Chips Also Covered

The ban includes "any equipment, system, or service" which uses banned goods/services "as a substantial or essential component of any system":

This is particularly important to video surveillance because many IP cameras today, particularly cheaper ones, are powered by Huawei HiSilicon SoCs and are therefore "covered" just like Hikvision or Dahua cameras.

Procurement Ban Summary

In effect since August 13, 2019, this bans federal agencies from trying to "procure or obtain or extend or renew a contract" to buy "any equipment, system, or service" that "uses covered" equipment/services:

In plain English, this means the federal government cannot, in any way, buy banned equipment, nor can it obtain products which use banned equipment "as a substantial or essential component" e.g. cameras with Huawei HiSilicon chips.

Affects Every Federal US Agency

This affects every "executive agency" of the federal government, which includes many organizations such as the FBI, the Coast Guard, the military, the VA, the State Department/USAID, the National Park Service, etc.

Bidders Must Represent

Contractors are "prohibited from providing to the Government" banned equipment/services:

That means the onus is on contractors to comply; in order to do so, bidders "shall include" a "representation" to the government about whether they "will" or "will not" provide covered equipment/services "for all solicitations", per the implementing FAR Rule:

UPDATE 9/3: In a second interim rule, the US government announced that starting on October 26 bidders will be required to "represent" on an annual basis in the System for Award Management (SAM) whether or not they use covered services:

Prior to this, bidders were required to represent for each federal contract, so this should make compliance simpler. The government estimates "it will take 1 hour to complete the annual representation".

The annual representation requirement kicks in October 26 but is also required for solicitations "issued before the effective date, provided award of the resulting contract(s) occurs on or after the effective date".

Procurement Ban Examples

Below is a list of hypothetical scenarios that are prohibited under the procurement ban:

• An integrator cannot renew his contract with a local Coast Guard base for a Hikvision camera system
• A construction company cannot install Dahua NVRs for its local Veterans Administration office
• A veteran-owned security firm cannot win a US Air Force contract if it plans to install Huawei HiSilicon-based IP cameras at one of the barracks

Blacklist Clause Summary

In effect since August 13, 2020, the blacklist clause says the federal government "may not" "enter into a contract" or "extend or renew a contract" with "an entity that uses" covered equipment and/or services:

This means the federal government cannot do business with any prime contractor that "uses" banned equipment/services. Importantly, this applies "regardless of whether that use" is related to a federal contract:

Blacklist Clause "Interim", Comments Possible

The government released the blacklist clause's interim rule on July 14, commencing a 60-day public comment period; filing comments can be done by searching for “FAR Case 2019-009 at Regulations.gov.

After this period, the government will decide whether to make any final revisions/clarifications and then publish the final rule. However, keep in mind, the interim rule is still legally in effect since August 13.

Affects Every Federal US Agency

Just like the procurement ban, every "executive agency" of the federal government is affected:

Blacklist Clause Has No Definition of "Use" (Yet)

The blacklist clause bans the federal government from dealing with any prime contractor's "use" of banned equipment services. However, the clause does not specifically define "use", meaning it is unclear if a distributor who simply sells boxes of Hikvision cameras wholesale and has no meaningful interaction with them is considered a "user".

The GSA has urged those wanting clarity on this point to file public comments on the interim rule, stating in a recent webinar:

Does "use" include selling and or servicing equipment to private industry? Again, "use" is not defined, so it's unclear. I think that's a good question to include in your comments to the Federal Register to the FAR rule. [emphasis added]

Blacklist Clause Only Impacts Prime Contractors

The blacklist clause prohibition "applies at the prime contract level", per the interim rule:

That means subcontractors can still used banned goods/services as long as they don't end up being used by the prime contractor.

Prime Contractors Must Still Examine Subcontractors

A prime contractors must still examine its "relationships with any subcontractor or supplier" to make sure it doesn't end up using the sub's covered goods/services:

Some prime contractors may stop working with subcontractors who use banned equipment/services entirely, just to avoid the risk of such systems ending up in their own usage.

"Maintenance" is Covered

"Maintenance" of a covered "item" is considered "covered services" and must be disclosed in the representation, i.e. leading to blacklisting:

For any "covered service" that is "not associated with maintenance", then the Product Service Code (PSC) must be disclosed:

"Reasonable Inquiry" Mandated

"Each offer" to a federal agency requires "conducting a reasonable inquiry" beforehand on whether banned equipment/services "are used by the offeror":

"Reasonable inquiry" is defined as an "inquiry designed to uncover any information" about banned equipment usage; an internal or third party audit is not necessary:

The government says DoD, GSA, and NSA are "currently working on updates" to System for Awards Management (SAM) to allow contractors "to represent annually after conducting a reasonable inquiry". The government estimates about "3 hours" of paperwork per representation.

One Business Day to Report Banned Equipment/Services Use

If a contractor discovers covered equipment/services usage after winning a federal contract, it "shall report" to the contract officer "within one business day" a host of details about the banned equipment "brand", "model", "item description", and any "readily available information about mitigation actions":

Then, within ten business days after the initial report, the contractor will submit "any further information about mitigation actions undertaken or recommended":

No Geographic Constraints On "Use"

Nowhere in the NDAA itself or the implementing regulations are geographic constraints imposed/mentioned. If an integrator has an office in South Korea using Hikvision equipment, that counts as "use" of covered equipment/services. As GSA has explained, this applies even if there is no choice but to use such equipment in the foreign country:

What about situations where the contractor is located in a country such as Ethiopia, where the monopoly internet provider, the government of Ethiopia uses covered telecom and their infrastructure? Well, if that contractor uses that internet infrastructure, that's the use of covered telecom. And if you know about it, if your reasonable inquiry turns up that information, you have to represent to the government that you use covered telecom. [emphasis added]

Blacklist Clause Examples

The examples below are prohibited under the blacklist clause:

• An integrator which no longer deals Hikvision but does still maintain a Hikvision camera network he installed at a pizza parlor three years ago, occasionally logging in to fix bugs. This is "maintenance" of a banned item, which is a "covered service", so this integrator will not be able to participate in a security contract for his local VA office, even though he only deals NDAA-compliant equipment now.
• A Japanese construction company that uses Hikvision cameras in its Tokyo office to monitor its staff can no longer win State Department contracts because of its use of covered equipment.
• A veteran-owned security firm that uses a wide variety of cheap cameras, some of them with Huawei HiSilicon SoCs, cannot win a simple contract for wire fencing at a nearby US Navy base.
• A subcontractor installs relabeled Hikvision cameras at a prime contractor's new headquarters without disclosing that the cameras are Hikvision and thus NDAA-banned, meaning the prime contractor now risks being blacklisted from all federal contracts for using Hikvision cameras.

Because of how expansive the blacklist clause is, unlike the narrower procurement ban, it has raised significant opposition from groups like SIA, to no avail.

Federal Funding Ban Explained

In effect since August 13, 2020, the 'funding clause' is the NDAA's Prohibition on Loan And Grant Funds, which states the federal government "may not obligate or expend loan or grant funds" to "procure or obtain" any covered "equipment, services, or systems":

Plainly put, this component bans any federal dollars from being spent on acquiring banned equipment/services, regardless of the entity spending those federal dollars.

The implementing rule for this clause is 2 CFR 200.216, which 'prohibits' any federal award "recipients and subricipients" from trying to "procure or obtain", "extend or renew a contract to procure or obtain", and "enter into a contract [...] to procure or obtain" covered equipment/services:

Affects Entities Beyond Federal Contracting Community

The funding clause applies to "federal award recipients and subrecipients", which could be a local public school or a church or a private company or a charity etc.

Funding Clause Examples

As IPVM has reported, the examples are prohibited under the funding clause:

• An integrator cannot sell Hikvision cameras to a local private school as part of a Department of Education-funded grant to expand security
• A security firm cannot renew its DHS-funded contract with a local synagogue for a Huawei HiSilicon chip-powered surveillance system
• A construction company cannot sell Dahua NVRs for a local rec center's expansion funded by the Veterans Administration

However, even with the funding clause in place, the examples below are not prohibited:

• An integrator using Dahua cameras can sell NDAA-compliant Pelco systems for a local school's federal Department of Education grant to expand security
• A security firm using Huawei HiSilicon chip-powered surveillance systems at its own warehouse can obtain a DHS-funded contract with a local mosque that does not include any covered equipment/services

Waiver Process Explained

Per the NDAA, a Section 889 waiver can be issued from either the head of an executive agency on a "one-time basis" or from the Director of National Intelligence:

In order to get a waiver from a federal agency head, an entity must submit "a compelling justification for the additional time" required to comply and "a full and complete laydown or description" of the covered equipment/services being used:

The executive agency head then has "30 days" to consult with "appropriate Congressional committees" on the validity of the waiver request. Meanwhile, the submitter must also "notify and consult" with the DNI:

Finally, a "phase-out plan to eliminate" the covered services/equipment must be provided:

Waivers from federal agency heads "may only be provided" for a "period of not more than 2 years" after the effective date of Section 889's core components, meaning:

• Procurement ban waivers from agency heads are possible until August 13, 2021
• Blacklist clause waivers from agency heads are possible until August 13, 2022
• There is no waiver provision for the funding ban.

This means, in effect, these waivers are "really delayed implementation", GSA has commented.

Separately, the DNI itself can issue waivers as well and they have no deadlines, i.e. they can be issued "on a date later" if deemed "in the national security interests" of the US:

For background, the DNI is the federal agency that oversees the US' Intelligence Community (CIA, NSA, etc):

GSA Says Waiver Hurdles "High"

Given all the steps and high levels of government approval required, the GSA has emphasized these waivers are difficult to obtain:

Section 889 in the NDAA and in the FAR rule does allow some waivers. However, the waivers are very narrow, and that, again, is to address the threats. These threats are real, and we need to protect the American government's supply chain.

The Director of National Intelligence may waive Section 899 Part A, Part B both for national security interests. Clearly, that's a very high bar.

And you can see the hurdles are quite high. A lot needs to be done before a waiver can be granted. [emphasis added]

Government Says Waivers Could Take "A Few Weeks"

In the interim rule, the government recognizes waivers "would likely take at least a few weeks" and if such time is not available, agencies can just "make award to an offeror that does not require a waiver":

DoD Obtains Blacklist Delay But Not For Video Surveillance Sellers

The Department of Defense has obtained a DNI waiver allowing it to delay implementation of the NDAA's "blacklist clause" until September 30, giving those who "use" Hikvision/Dahua/Huawei HiSilicon a temporary amount of relief.

However, the waiver only affects contractors' supply to the DoD of "low-risk" products such as "food, clothing, maintenance services, construction materials that are not electronic", the DoD told IPVM. Below are some examples, per IPVM's interpretation, of what is now allowed:

• An integrator that uses Hikvision equipment can sell shovels to the US Air Force until September 30
• A Japanese construction company that uses Dahua cameras to monitor its Tokyo headquarters can still sell concrete, bricks, and lumber to the US Navy base in Okinawa until September 30
• A janitorial services company which also installs and maintains Huawei HiSilicon-powered cameras can continue mowing the lawns of its local US Army base until September 30

Below are some examples of what remains prohibited:

• The integrator that uses Hikvision cameras cannot win contracts from NASA, the FBI, or any other federal agency apart from the DoD
• The Japanese construction company cannot win any contracts from USAID, even if it's just for bricks, as USAID is part of the State Department (not the DoD)
• The janitorial services company which uses Huawei HiSilicon cannot sell NDAA-compliant Pelco cameras to the US Army base as these are not "high-volume, low risk" items
• On October 1, a veteran-owned integrator cannot sell canned goods to the US Navy base because the waiver will have expired by then

Exemptions for Certain Services/Equipment

The other exemption is for "backhaul, roaming, or interconnection arrangements" with a "third-party" along with telecom equipment that "cannot route or redirect user data traffic":

During its recent webinar, GSA gave a few examples of such equipment/services, citing "cabling and copper wiring", Ethernet cables, and an WiFi provider's voice data package:

Internet wireless service provider providing customers voice data services for international calls. Electrical and communications, cabling and wiring copper Ethernet cables include terminations, I'm not sure if that's helpful, but those are the answers that we've come up with for examples of equipment that cannot route or redirect user data traffic. [emphasis added]

Penalties for Breaking the NDAA Ban

As GSA has noted, if someone violates the NDAA, there is no specific enforcement mechanism, "it just follows the normal enforcement" for federal contracts:

There's no additional enforcement that's specific to Section 899 [...] It just follows the normal enforcement for everything else under government contracts.

The government states that Section 889 violations are considered "breach of trust", stating that "failure to submit an accurate representation to the Government constitutes a breach of contract that can lead to cancellation, termination, and financial consequences":

The False Claims Act allows the federal government to fine contractors $11,665 to $23,331 for each false claim made.

DoD On Who Handles Violations

There are few explicit announcements yet on who handles violations, however the DoD stated in recent guidelines that if a "contracting officer" doubts a contractor is being honest in their representation, the officer shall "consult with the program office" and "legal counsel":

Compliant NDAA Products

See: NDAA Compliant Video Surveillance Whitelist