US Drafting Separate Rule for NDAA Dahua/Hikvision 'Blacklist'

Published Mar 14, 2019 13:58 PM

The most debated provision of the NDAA ban of Dahua, Hikvision, Huawei, et al. is the so-called 'blacklist' provision which would ban any company selling Dahua or Hikvision to, say, a pizzeria from selling at all to the US government or US government-funded projects.

Now, IPVM has verified that the US government is drafting 2 FARs (Federal Acquisition Regulations) implementing the NDAA ban which specifically addresses the law's effective blacklisting.

In this post, we examine the news, explain what FAR rules are now being drafted, and look into potential impact, including:

  • FAR Background
  • Examination of Proposed FAR Rules
  • Prior Lobbying Against Blacklist Clause
  • Conclusion

**********

***** ********, *** ********** *** **** disclosed **** ** *** ******* ** a ****** *** **** ************ *** of *** ****'* ******* *** ("*********** ** ******* ****************** *** ***** Surveillance ******** ** *********.") * ***** report ** *** ******** **** *** due ********** ** ***** **; ** has *** **** ******** ******** *** comment **** ******** ***.

From *** *** **** ** ***

*******, *** ****** ***************************** **** *** *** ******** *** separate *** *****. *** *** **** ** being ******* ************ ** ********* *** blacklist ******, *.*. ********* (*)(*)(*) ** Section ***, ********* *****:

***. ***. *********** ** ******* ****************** AND ***** ************ ******** ** *********.
(*) *********** ** *** ** ***********.
— (*) *** **** ** ** executive ****** *** ***—
(*) ***** **** * ******** (** extend ** ***** * ********) **** an ****** **** **** *** *********, system, ** ******* **** **** ******* telecommunications ********* ** ******** as * *********** ** ********* ********* ** *** ******, ** ** ******** ********** ** **** ** *** ******. [emphasis added]

**** ********* **** ******* *********** **** any ****** **** **** ******* ********* as ** "*********" ** "***********" **** of ***** ******* **********.

*** ****** ** **** *** **** is *** ** *** *, ****; however **** ****** **** **** ** into ****** *** ***** ***** *** NDAA ******, *.*. ****** **, ****, as ****** ** ******* *** (*)(*) ("Effective *****").

*** ***** *** **** ******* *** on ***** **, *** ********** ********* (a)(1)(A) ** ******* ***. **** ********* is *** **** ** *** **** ban, ******* **** ** ******* ********** agencies ****** *** ********* ******* ** the ***. ** **** **** ****** one **** ***** *** **** *** passed **** ****, *.*. ****** **, 2019.

Context - ********* ****** ***** ****

*** ********* ****** *** **** ***** fire **** ***, ********* * ******** *** ********** ******* ****:

**** ***-******** *********** would ****** ** * **********-**** ******* ** “************” of businesses that utilize the covered equipment in a general sense, potentially encompassing the sale of such products to non-federal customers. Such an outcome would impose crippling ********* ******* on many U.S. security companies that serve the commercial marketplace and other non-federal customers, and ultimately increase ******** ***** to the U.S. business community at-large

******* ****** **** ****** **** ** well:

  • ********* ** ************************** *** * "****** ** ************* intent" ******* **** ******* ** *** NDAA, *** ***** ***** ********
  • *** ****************** ******** ***********, ***** ********** ******* ****** **** ******* *** **&*, **** * ****** ** *** ********** on ******* *, ******* *** ****** ***** “******* serious ********* ** ******* *********** ** ICT *******”
  • ** ********* ************** ******* ***, ****** ****** *** blacklist ****** "** *********" ***** ** penalizes ********** ***** ****** ********* **** "nothing ********** ** ** **** ***** performance ** ********** *********"

**********

*** **** **** *** ** ********** is ******* * ******** *** **** specifically ** ******* *** ********* ****** may ** * ********** ** *** amount ** ******** *** ******* *** received **** ******** ******. 

*******, ** ******* ******* ** ***** groups **** *** **** **** ****; the **** ******** *** *** **** could **** **** ********* ** ********** without ******* ****** **** *** ********.

****** ***, *** **** **** *** blacklist ****** ** ***** ********* ** a ******** *** **** **** * substantially ***** *** **** (*** * of **** ****) ***** ** **** need ** **** ****** ****** *** clarity ** *** *****.


Comments (10)
Undisclosed #1
Mar 14, 2019

I strongly disagree with SIA's lobbying on this. There are plenty of alternatives to Hikvision and Dahua, even where cost is a consideration (Hanwha Wisenet X, Avigilon SL, Axis Companion, and others). It seems unrealistic that integrators doing a lot of business with the government, who would be banned from purchasing these products, would not be able to maintain a profitable business if they could not sell these systems at all. The likelihood that someone is doing substantial government business and substantial low-cost commodity business should be fairly low. Some integrators may need to pick one channel or the other, but I do not buy that they would be subject to "crippling" effects.

Additionally, if you believe these products represent a potential high risk of cyber security compromise, then this makes even more sense. Most integrators will have the equipment they sell and install set up in some kind of a lab, which may not be properly isolated from the rest of their network. If these devices represent a risk of remote attack, I would not want an integrator that does a lot of government-related business having their internal network open to an easy attack which could reveal compromising data about those government systems.

Finally, Hikvision, Dahua and Huawei have mostly brought this on themselves. Hikvision has an absolutely horrible cyber security record, and despite a lot of talk and hiring fashionably dressed security spokesmodels, has not shown true dedication to making their devices truly secure. Dahua and Huawei have plenty of security knocks against them as well.

That Hikvision, Dahua, and Huawei are not choosing to address this by offering up the integrity of their products for inspection, and instead relying on money-driven organizations like SIA to campaign for them instead is very telling.

Undisclosed Distributor #2
Mar 14, 2019

Isn't SIA basically just a puppet that exists through the "contributions" from Hik, Dahua and maybe Huawei anyway?  Purely my opinion, but having SIA on your side does nothing for your credibility.

Undisclosed Integrator #3
Mar 14, 2019

The SIA puts a friendlier face on Hikua.  At this point they are a marketing arm of Hikua.

Undisclosed Integrator #3
Mar 14, 2019

This area needs some translation to IPVM's savvier audience.

Such an outcome would impose expand crippling financial burdens on many U.S. security companies trunkslammers that serve the commercial marketplace BYOD marketplace and other non-federal gas stations, quick-service restaurants, and gentlemen's clubs.

Charles Rollet
Mar 18, 2019

UPDATE: the due date for the FAR rule implementing paragraph (a)(1)(A) of Section 889 - that's the core part of the law, which bans federal agencies from buying Hikvision/Dahua equipment - has been extended yet again to March 27. (See page 5 of this latest government disclosure).

Undisclosed Integrator #4
Mar 18, 2019

Where I live (Puerto Rico), there are a lot of "truckslammers" selling this equipment (myself included, although I'm not a truckslammer) AND the biggest names in monitored alarm are selling hik/epcom as part of their package. The biggest one offers a 5 year warranty on hikvision/epcom equipment with a 3/5 year monitoring contract so yes, if that rule passes there are going to be hard financial burdens on a lot of security companies in PR. I'm still looking for a replacement for hikvision/dahua equipment (non IP) that has the same quality/price point, with no luck.

Undisclosed Integrator #3
Mar 18, 2019

Have you looked at Hanwha?  That seems to be a popular choice.  Geovision is another possible option.

Undisclosed Integrator #4
Mar 20, 2019

Yes, Hanwha is my first choice to look at. Don't know why but the price difference between the low end epcom and hanwha is pretty far. I'm basing on ADI prices, but I will check out TriEd and Graybar this week.

Greg Masters
Mar 19, 2019

I think everyone is missing the point.  Are we not intelligent enough to look at a product, its past history, build quality (or not), soft/firmware and price point and make a decision?

If the US govt wants to "ban" a direct supplier, well, they are the customer.  They are free to choose who to buy from. A "ban" is not necessary.

To dictate how an independent business fulfills their security needs, and state they can't sell to the government if they use a Hik camera to monitor their facility, that is crossing the line.

Yes, these products have security issues.  They are easy to solve using SSH tunnels and/or VPNs.  Some of us have invested in software which is specific to these devices.  We have enough big brother in our lives, if you don't like HiK or Dahua or disagree with the way they run their plants, then don't buy them.  Easy.

I happen to agree, though, the hardware quality of the higher end Dahua is pretty good.  The software flaws are easy to fix with a 200.00 Linux box and SSH at the location.  For as many (security flawed) cameras as you want.

Just my .02

Charles Rollet
Jul 09, 2019

Update: the latest government disclosure indicates that a draft FAR rule implementing the core of the NDAA - i.e. clause (a)(1)(A), which bans federal government procurement of Huawei, Hikvision, and Dahua equipment - has been written. As of June 29, the draft rule was sent by the GSA's Civilian Agency Acquisition Council (CAAC) chair William Clark to the Office of Information and Regulatory Affairs (OIRA), which is part of the White House's Office of Management and Budget, for review.