NDAA Compliant Security Cameras: What Organizations Need to Know

If your organization holds a federal contract, receives federal funding, or operates as a subcontractor on government work, the security cameras on your walls are a compliance question. Section 889 of the FY2019 National Defense Authorization Act (NDAA) (Public Law 115-232) restricts which surveillance equipment can be used in systems tied to federal work, and the consequences of non-compliance include contract loss, debarment, and disqualification from future federal business. The regulation is specific, the enforcement scope is broader than most teams realize, and the FY2026 NDAA signals that scrutiny is expanding further.
What Is NDAA Compliance for Security Cameras?
Section 889 contains two distinct prohibitions. The first, 889(a)(1)(A), bans federal agencies from directly procuring or obtaining equipment or services from covered manufacturers. The second, 889(a)(1)(B), is broader: it prohibits executive agencies from entering into contracts with any entity that uses covered telecommunications or video surveillance equipment as a substantial or essential component of any system.
The 889(a)(1)(B) provision took effect on August 13, 2020. Organizations with federal contracts may be subject to the broader Part B “use” prohibition. Recipients and subrecipients of federal grants or loans are separately prohibited under 2 CFR 200.216 from using federal award funds to procure, obtain, extend, or renew contracts for covered telecommunications or video surveillance equipment or services.
Which Manufacturers Are Banned?
Section 889 explicitly names five companies:
- Hangzhou Hikvision Digital Technology Co.
- Dahua Technology Co.
- Huawei Technologies Company
- ZTE Corporation
- Hytera Communications Corporation
The ban extends to subsidiaries and affiliates of all five. The Federal Communications Commission (FCC) reinforced the scope by banning new equipment authorizations for these companies in 2022, and an October 7, 2025 FCC fact sheet confirmed the ongoing restrictions.
Who Needs to Comply?
Section 889(a)(1)(B) applies to any entity that uses covered equipment in systems tied to federal contracts — not just the agencies buying cameras directly.
In practice, the list of affected groups includes government contractors and subcontractors, schools and universities receiving federal funding (Title I, E-rate), and any commercial entity with an active federal contract. Healthcare organizations may be affected if they hold federal contracts, receive applicable federal grants or loans, or are subject to program-specific procurement restrictions. The scope of each obligation depends on the nature of the federal relationship and the specific regulatory framework that applies.
Common Misconceptions About NDAA Compliance
“Only federal agencies have to comply”
Section 889(a)(1)(A) applies to federal agencies, but 889(a)(1)(B) applies to contractors, subcontractors, and grant recipients. A private company with a single federal subcontract is subject to the same restrictions as a Department of Defense facility.
“Keeping banned cameras on a separate network is enough”
Network segmentation does not satisfy the statute. Under Federal Acquisition Regulation (FAR) 52.204-25, the Part B prohibition applies to covered equipment used as a substantial or essential component of any system, regardless of whether that use is in performance of the federal contract. Isolating a Hikvision camera on a virtual local area network (VLAN) does not remove the compliance issue.
“Non-Chinese brands are automatically compliant”
Some cameras sold under non-banned brand names use HiSilicon chipsets. HiSilicon is a Huawei subsidiary, and equipment containing its components may create compliance exposure even if the camera manufacturer itself is not on the banned list. A Bill of Materials, supplier attestation, and vendor compliance documentation can help confirm component-level compliance.
How to Audit Your Existing Camera Infrastructure
A compliance audit should cover every networked device in the video surveillance chain. Network video recorders (NVRs), digital video recorders (DVRs), encoders, and network switches can all contain components from covered manufacturers.
Build a complete inventory of every camera, recorder, and networked device in your facilities. For each device, document the manufacturer, model number, and country of origin. Cross-reference model numbers against the FCC Covered List and check for known use of HiSilicon or other banned-company chipsets.
Review your recording infrastructure. If video from compliant cameras is stored on an NVR manufactured by a covered company, the system is non-compliant. Document all findings for procurement records and contract compliance representations. Contracting officers can request this documentation during audits.
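The audit steps above can be run over an inventory export. The following is an added example, not Rhombus code: the CSV columns, asset names, and sample rows are constructed assumptions, and the name list covers only the companies this page mentions, so it does not replace a check against the FCC Covered List or a vendor Bill of Materials.

```python
import csv, io, re

# Companies this page lists as named in Section 889, plus HiSilicon (named here
# as a Huawei subsidiary). Other subsidiaries and affiliates must be added.
COVERED = {
    "hikvision": "Hangzhou Hikvision Digital Technology Co.",
    "dahua": "Dahua Technology Co.",
    "huawei": "Huawei Technologies Company",
    "zte": "ZTE Corporation",
    "hytera": "Hytera Communications Corporation",
    "hisilicon": "HiSilicon (Huawei subsidiary)",
}

# Constructed sample inventory; the column names are assumptions.
SAMPLE = """asset_id,role,manufacturer,model,chipset_vendor,feeds_into
cam-01,camera,Hikvision,MODEL-A,,nvr-01
cam-02,camera,ExampleCam Inc,MODEL-B,HiSilicon,nvr-02
cam-03,camera,ExampleCam Inc,MODEL-C,ExampleSilicon,nvr-01
cam-04,camera,ExampleCam Inc,MODEL-D,,nvr-02
nvr-01,nvr,DAHUA Technology,MODEL-E,,
nvr-02,nvr,ExampleNVR LLC,MODEL-F,ExampleSilicon,
"""

def covered_match(text):
    """Return the covered entity whose keyword is a whole word in text."""
    words = set(re.findall(r"[a-z0-9]+", text.lower()))
    return next((name for key, name in COVERED.items() if key in words), None)

def audit(csv_text):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    report = {}
    for r in rows:
        hits = [h for f in ("manufacturer", "chipset_vendor") if (h := covered_match(r[f]))]
        if hits:
            report[r["asset_id"]] = ("covered", hits)
        elif not r["chipset_vendor"].strip():
            report[r["asset_id"]] = ("needs_bom", [])  # chipset origin undocumented
        else:
            report[r["asset_id"]] = ("ok", [])
    # A clean camera that records to a covered recorder is still a finding.
    for r in rows:
        up = r["feeds_into"]
        if report[r["asset_id"]][0] != "covered" and report.get(up, ("",))[0] == "covered":
            report[r["asset_id"]] = ("upstream_covered", [up])
    return report

if __name__ == "__main__":
    for asset, (status, detail) in audit(SAMPLE).items():
        print(f"{asset:8} {status:17} {', '.join(detail)}")
```

Name matching will not identify relabelled or OEM equipment, which is why devices with an undocumented chipset are reported as `needs_bom` rather than `ok`.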
What to Look for When Replacing Non-Compliant Cameras
Hardware should come from NDAA and Trade Agreements Act (TAA)-compliant manufacturers with no banned companies or subsidiaries anywhere in the supply chain. Ask for a Bill of Materials that confirms chipset origins.
On the software side, look for cloud data storage on US-based infrastructure, automatic firmware updates that eliminate manual patching risk, and encryption in transit and at rest. Verify that devices ship without default passwords, and confirm that the platform has been System and Organization Controls 2 (SOC 2) audited.
Why the Cloud Layer Matters for Compliance
Hardware compliance alone is insufficient if the platform storing and managing your video data introduces its own risks. Where footage is stored, who can access it, how the platform handles encryption keys, and whether security patches ship automatically all affect your compliance posture.
A February 2026 White & Case analysis of the FY2026 NDAA noted that software platforms, AI systems, and data infrastructure are now treated as national security assets — a signal that regulatory scrutiny is expanding beyond hardware to include the full technology stack.
Companies evaluating NDAA compliant security cameras should assess whether their video management platform receives automatic security updates, enforces role-based access controls, maintains audit logs, and stores data within US jurisdiction. A compliant camera connected to an unaudited, offshore cloud platform creates a gap in your compliance posture.
How Rhombus Approaches NDAA and TAA Compliance
We source all hardware exclusively from NDAA and TAA-whitelisted manufacturers, and all devices are engineered in-house. There are no HiSilicon chipsets, no banned-company components, and no third-party white-label hardware in the supply chain. Rhombus cameras ship with a 10-year warranty.
On the infrastructure side, we run our cloud platform on Amazon Web Services (AWS) with US-based data storage. Customers benefit from AWS’s certified infrastructure while we manage the application-layer security through a Zero Trust architecture. The platform enforces end-to-end encryption at rest and in transit, eliminates default passwords, and includes tamper detection.
We completed a 12-month independent SOC 2 Type II attestation as of February 19, 2026. The platform supports granular role-based access controls, comprehensive audit logging, and undergoes annual third-party penetration testing. For defense contractors, we align with Cybersecurity Maturity Model Certification (CMMC) requirements. For law enforcement and public safety organizations, the platform supports Criminal Justice Information Services (CJIS) compliance. Full details on security architecture and compliance certifications are available on the Rhombus Trust page.
For companies replacing non-compliant Hikvision or Dahua cameras, Rhombus Relay (available as Relay Core and Relay Lite) supports legacy camera migration. Relay allows users to bring existing camera feeds into our platform during a phased transition, so facilities don’t lose visibility while replacing banned hardware.
Frequently Asked Questions
Are Hikvision cameras NDAA compliant?
No. Hangzhou Hikvision Digital Technology Co. is explicitly named in Section 889 as a covered company. Hikvision cameras are banned from federal procurement and from use in any system supporting federal contracts.
Are Dahua cameras NDAA compliant?
No. Dahua Technology Co. is also explicitly named as a covered company under Section 889, subject to the same prohibitions as Hikvision.
Does NDAA compliance apply to private companies?
Yes, if they hold federal contracts, grants, or loans. Section 889(a)(1)(B) covers any entity that uses banned equipment in systems tied to federal work, regardless of whether the entity is a government agency or a private business.
What is the difference between NDAA and TAA compliance?
NDAA restricts which manufacturers and components can be used. TAA requires that products be manufactured or substantially transformed in the United States or a designated country. Both requirements may apply to a single federal procurement, and meeting one does not satisfy the other.
How do I verify a camera is NDAA compliant?
Request the vendor’s official NDAA compliance letter, ask for a Bill of Materials confirming chipset origins, and confirm the manufacturer does not appear on the FCC Covered List. Do not rely on marketing claims alone.
Can I keep using banned cameras if they’re on a separate network?
No. The statute covers use of covered equipment as a “substantial or essential component of any system.” Network segmentation does not satisfy this requirement.
Start With a Platform Built for Compliance
Replacing non-compliant cameras is only half the job. The platform storing and managing that footage needs to hold up on hardware sourcing, cloud infrastructure, data encryption, access controls, and ongoing security updates. Compliance is not a feature layer on top of the platform — it is built into the hardware sourcing, cloud architecture, and update model from the start.
Request a demo to see how Rhombus handles NDAA and TAA compliance across hardware, software, and data infrastructure.



