US Drafting Separate Rule for NDAA Dahua/Hikvision 'Blacklist'

By Charles Rollet, Published Mar 14, 2019, 09:58am EDT

The most debated provision of the NDAA ban of Dahua, Hikvision, Huawei, et al. is the so-called 'blacklist' provision which would ban any company selling Dahua or Hikvision to, say, a pizzeria from selling at all to the US government or US government-funded projects.

Now, IPVM has verified that the US government is drafting 2 FARs (Federal Acquisition Regulations) implementing the NDAA ban, which specifically address the law's effective blacklisting.

In this post, we examine the news, explain what FAR rules are now being drafted, and look into potential impact, including:

  • FAR Background
  • Examination of Proposed FAR Rules
  • Prior Lobbying Against Blacklist Clause
  • Conclusion

**********

***** ********, *** ********** had **** ********* **** it *** ******* ** a ****** *** **** implementing *** ** *** NDAA's ******* *** ("*********** ** ******* ****************** and ***** ************ ******** or *********.") * ***** report ** *** ******** rule *** *** ********** on ***** **; ** has *** **** ******** released *** ******* **** industry ***.

From *** *** **** ** ***

*******, *** ****** ***************************** **** *** *** drafting *** ******** *** rules. One *** **** ** being ******* ************ ** implement *** ********* ******, i.e. ********* (*)(*)(*) ** Section ***, ********* *****:

***. ***. *********** ** CERTAIN ****************** *** ***** SURVEILLANCE ******** ** *********.
(*) *********** ** *** Or ***********.
— (*) *** **** of ** ********* ****** may ***—
(*) ***** **** * contract (** ****** ** renew * ********) **** an ****** **** **** any *********, ******, ** service **** **** ******* telecommunications ********* ** ******** as * *********** ** ********* ********* ** *** ******, ** ** ******** ********** ** **** ** *** ******. [emphasis added]

**** ********* **** ******* procurement **** *** ****** that **** ******* ********* as ** "*********" ** "substantial" **** ** ***** overall **********.

*** ****** ** **** FAR **** ** *** on *** *, ****; however **** ****** **** only ** **** ****** two ***** ***** *** NDAA ******, *.*. ****** 13, ****, ** ****** on ******* *** (*)(*) ("Effective *****").

*** ***** *** **** remains *** ** ***** 13, *** ********** ********* (a)(1)(A) ** ******* ***. This ********* ** *** core ** *** **** ban, ******* **** ** federal ********** ******** ****** buy ********* ******* ** the ***. ** **** into ****** *** **** after *** **** *** passed **** ****, *.*. August **, ****.

Context - ********* ****** ***** ****

*** ********* ****** *** come ***** **** **** SIA, ********* * ******** *** ********** ******* that:

**** ***-******** *********** would ****** ** * **********-**** ******* ** “************” of businesses that utilize the covered equipment in a general sense, potentially encompassing the sale of such products to non-federal customers. Such an outcome would impose crippling ********* ******* on many U.S. security companies that serve the commercial marketplace and other non-federal customers, and ultimately increase ******** ***** to the U.S. business community at-large

******* ****** **** ****** back ** ****:

  • ********* ** ************************** *** * "****** of ************* ******" ******* this ******* ** *** NDAA, *** ***** ***** ********
  • *** ****************** ******** ***********, which ********** ******* ****** **** ******* and **&*, **** * ****** ** the ********** ** ******* 1, ******* *** ****** could “******* ******* ********* to ******* *********** ** ICT *******”
  • ** ********* ************** ******* ***, ****** stated *** ********* ****** "is *********" ***** ** penalizes ********** ***** ****** equipment **** "******* ********** to ** **** ***** performance ** ********** *********"

**********

*** **** **** *** US ********** ** ******* a ******** *** **** specifically ** ******* *** blacklist ****** *** ** a ********** ** *** amount ** ******** *** section *** ******** **** industry ******. 

*******, ** ******* ******* if ***** ****** **** get **** **** ****; the **** ******** *** FAR **** ***** **** well ********* ** ********** without ******* ****** **** for ********.

****** ***, *** **** that *** ********* ****** is ***** ********* ** a ******** *** **** with * ************* ***** due **** (*** * of **** ****) ***** we **** **** ** wait ****** ****** *** clarity ** *** *****.


Comments (10)

I strongly disagree with SIA's lobbying on this. There are plenty of alternatives to Hikvision and Dahua, even where cost is a consideration (Hanwha Wisenet X, Avigilon SL, Axis Companion, and others). It seems unrealistic that integrators doing a lot of business with the government, who would be banned from purchasing these products, would not be able to maintain a profitable business if they could not sell these systems at all. The likelihood that someone is doing substantial government business and substantial low-cost commodity business should be fairly low. Some integrators may need to pick one channel or the other, but I do not buy that they would be subject to "crippling" effects.

Additionally, if you believe these products represent a potential high risk of cyber security compromise, then this makes even more sense. Most integrators will have the equipment they sell and install set up in some kind of a lab, which may not be properly isolated from the rest of their network. If these devices represent a risk of remote attack, I would not want an integrator that does a lot of government-related business having their internal network open to an easy attack which could reveal compromising data about those government systems.

Finally, Hikvision, Dahua and Huawei have mostly brought this on themselves. Hikvision has an absolutely horrible cyber security record, and despite a lot of talk and hiring fashionably dressed security spokesmodels, has not shown true dedication to making their devices truly secure. Dahua and Huawei have plenty of security knocks against them as well.

That Hikvision, Dahua, and Huawei are not choosing to address this by offering up the integrity of their products for inspection, and instead relying on money-driven organizations like SIA to campaign for them instead is very telling.

Agree: 13
Disagree: 2
Informative: 2
Unhelpful
Funny

Isn't SIA basically just a puppet that exists through the "contributions" from Hik, Dahua and maybe Huawei anyway? Purely my opinion, but having SIA on your side does nothing for your credibility.

Agree: 9
Disagree
Informative
Unhelpful
Funny

The SIA puts a friendlier face on Hikua. At this point they are a marketing arm of Hikua.

Agree: 4
Disagree
Informative: 1
Unhelpful
Funny: 1

This area needs some translation to IPVMs savvier audience.

Such an outcome would impose expand crippling financial burdens on many U.S. security companies trunkslammers that serve the commercial marketplace BYOD marketplace and other non-federal gas stations, quick-service restaurants, and gentlemen's clubs.

Agree: 1
Disagree: 2
Informative: 1
Unhelpful: 3
Funny: 12

UPDATE: the due date for the FAR rule implementing paragraph (a)(1)(A) of Section 889 - that's the core part of the law, which bans federal agencies from buying Hikvision/Dahua equipment - has been extended yet again to March 27. (See page 5 of this latest government disclosure).

Agree
Disagree
Informative: 2
Unhelpful
Funny

Where I live (Puerto Rico), there are a lot of "truckslammers" selling this equipment (myself included, although I'm not a truckslammer) AND the biggest names in monitored alarm are selling hik/epcom as part of their package. The biggest one offers a 5 year warranty on hikvision/epcom equipment with a 3/5 year monitoring contract, so yes, if that rule passes there are gonna be hard financial burdens on a lot of security companies in PR. I'm still looking for a replacement for hikvision/dahua equipment (non IP) that has the same quality/price point, with no luck.

Agree: 1
Disagree
Informative
Unhelpful
Funny

Have you looked at Hanwha? That seems to be a popular choice. Geovision is another possible option.

Agree: 1
Disagree: 1
Informative
Unhelpful
Funny

Yes, Hanwha is my first choice to look at. Don't know why, but the price difference between the low end epcom and hanwha is pretty far. I'm basing this on ADI prices, but I will check out TriEd and Graybar this week.

Agree
Disagree
Informative
Unhelpful
Funny

I think everyone is missing the point. Are we not intelligent enough to look at a product, its past history, build quality (or not), soft/firmware and price point and make a decision?

If the US govt wants to "ban" a direct supplier, well, they are the customer. They are free to choose who to buy from. A "ban" is not necessary.

To dictate how an independent business fulfills their security needs, and state they can't sell to the government if they use a Hik camera to monitor their facility, that is crossing the line.

Yes, these products have security issues. They are easy to solve using SSH tunnels and/or VPNs. Some of us have invested in software which is specific to these devices. We have enough big brother in our lives; if you don't like HiK or Dahua or disagree with the way they run their plants, then don't buy them. Easy.

I happen to agree, though, the hardware quality of the higher end Dahua is pretty good. The software flaws are easy to fix with a 200.00 linux box and SSH at the location. For as many (security flawed) cameras as you want.

Just my .02


Agree: 5
Disagree
Informative
Unhelpful
Funny

Update: the latest government disclosure indicates that a draft FAR rule implementing the core of the NDAA - i.e. clause (a)(1)(A), which bans federal government procurement of Huawei, Hikvision, and Dahua equipment - has been written. As of June 29, the draft rule was sent by the GSA's Civilian Agency Acquisition Council (CAAC) chair William Clark to the Office of Information and Regulatory Affairs (OIRA), which is part of the White House's Office of Management and Budget, for review.


Agree
Disagree
Informative
Unhelpful
Funny