Compliance regimes at a glance
Use this table to pick which regimes touch you, then jump to the deeper section below.
| Regime | Category | Applies to | Source |
|---|---|---|---|
| NDAA Section 889 | Federal procurement | federal-prime-contractors, federal-grantees, federal-touching-vendors | Text |
| HIPAA Security Rule | Healthcare protected health information (PHI) | healthcare-providers, health-plans, business-associates | Text |
| PCI-DSS | Card-data environments | retail, hospitality, finance, ecommerce-with-physical-presence | Text |
| FERPA | Education student records | k-12, higher-ed | Text |
| FTC Safeguards Rule | Financial institutions and many auto dealers | non-bank-finance, auto-dealers, tax-preparers, wealth-managers | Text |
| CMMC 2.0 | Defense industrial base | defense-contractors, subcontractors-with-cui | Text |
| GDPR (US-touching) | Personal data of people in the EU | us-companies-serving-eu-residents, global-multi-site-enterprises | Text |
| BIPA | State biometric privacy | any-illinois-facility-using-biometrics | Text |
| Section 504 / ADA | Accessibility | public-accommodations, federally-funded-facilities | Text |
Each regime in detail
What it is, what evidence an auditor wants, and how Tec-Tel installs typically meet it.
NDAA Section 889
Federal procurement
National Defense Authorization Act FY2019, Section 889
Prohibits federal agencies, and through FAR 52.204-25 and 2 CFR 200.216 their contractors and grantees, from procuring or using covered telecommunications and video surveillance equipment or services from Huawei, ZTE, Hytera, Hikvision, Dahua, and their subsidiaries and affiliates. The prohibition reaches any system in which such equipment is a substantial or essential component, regardless of when it was installed.
Key evidence required
Vendor self-certification plus a bill-of-materials review showing that no covered equipment, including rebranded or OEM-sourced units from the named manufacturers, is in the procured stack. Contractors also make the covered-equipment representation under FAR 52.204-26 in SAM.gov.
How Tec-Tel installs typically handle it
Tec-Tel maintains an explicitly NDAA-compliant vendor matrix and excludes Hikvision, Dahua, and Lorex from any federal-touching install. Bills of materials for federal-grant-funded projects (NSGP, SVPP, BSIR) are documented with each vendor's own 889 statement attached.
HIPAA Security Rule
Healthcare protected health information (PHI)
Health Insurance Portability and Accountability Act, Security Rule (45 CFR Part 164, Subpart C)
Requires administrative, physical, and technical safeguards for electronic PHI (ePHI). The physical safeguards standard (164.310) covers facility access controls, workstation use, workstation security, and device and media controls. Camera footage that identifies patients and is held by a covered entity or business associate can itself be PHI, which brings the video system and its storage into scope for the risk analysis.
Key evidence required
Risk analysis (164.308(a)(1)(ii)(A)), facility access control policy (164.310(a)(1)), audit logs, BAA with cloud video providers when applicable.
How Tec-Tel installs typically handle it
Tec-Tel healthcare installs use access-control audit trails for door-by-door entry/exit logging, segment camera storage from clinical networks, and configure retention windows to match facility policy (typically 30-90 days). Cloud video deployments for healthcare use providers that sign Business Associate Agreements.
Source 45 CFR Part 164, Subpart C
PCI-DSS
Card-data environments
Payment Card Industry Data Security Standard (v4.0)
Mandatory for any merchant or service provider that stores, processes, or transmits cardholder data. Requirement 9 governs physical access. Under 9.2.1.1, entry and exit points to sensitive areas within the cardholder data environment (CDE) must be monitored by video cameras and/or physical access control mechanisms, the devices must be protected from tampering, and the collected data must be reviewed and correlated with other entries and retained for at least three months (90 days in practice) unless law restricts it.
Key evidence required
Camera or access-control coverage of entry and exit points to sensitive areas within the CDE, at least three months (90 days) of retained monitoring data, badge/visitor logs, and evidence that the collected data is periodically reviewed and correlated.
How Tec-Tel installs typically handle it
Retail and hospitality installs are designed with PCI-DSS Requirement 9 in mind: cameras cover all CDE entry points, retention is set to 90 days minimum, and access-control logs map badge holders to areas. Tec-Tel monitoring agents provide retrieval support inside one business day for incident queries.
FERPA
Education student records
Family Educational Rights and Privacy Act
Federal law (1974) protecting student education records. Surveillance footage that is directly related to an identifiable student and maintained by the school can be an education record, in which case disclosing it outside the school generally requires written consent from the parent or eligible student unless a FERPA exception applies. Schools typically retain footage 30-90 days and limit access to staff with a documented legitimate educational interest.
Key evidence required
Written camera-use policy, retention policy, role-based access controls, FERPA-aware redaction process for footage requests.
How Tec-Tel installs typically handle it
K-12 installs use role-based access control on the video management system, restrict footage export to a documented chain-of-custody workflow, and align retention to the school district's records-retention policy. NSGP and SVPP grant-funded projects are configured to FERPA expectations from day one.
Source 20 U.S. Code Section 1232g
FTC Safeguards Rule
Financial institutions and many auto dealers
Standards for Safeguarding Customer Information (16 CFR Part 314)
Amended in 2021, with most new provisions effective June 2023, to require a written information security program with specific administrative, technical, and physical safeguards. The access-control element (314.4(c)(1)) expressly calls for physical as well as technical controls on access to customer information. The FTC enforces the rule under Section 5 of the FTC Act, typically through consent orders, with civil penalties for violating those orders.
Key evidence required
Written information security program (WISP), risk assessment, designated qualified individual, encryption of customer information in transit and at rest, multi-factor authentication, facility access controls, incident response plan.
How Tec-Tel installs typically handle it
Auto dealer and finance installs are designed to satisfy 16 CFR 314.4(c) physical safeguards: cameras cover finance offices and after-hours intrusion zones, access control logs are retained, and incident retrieval workflows are documented. Tec-Tel provides written control summaries for the customer's WISP.
Source 16 CFR Part 314 (FTC)
CMMC 2.0
Defense industrial base
Cybersecurity Maturity Model Certification, Level 2
Defense contractors handling Controlled Unclassified Information (CUI) must implement the NIST SP 800-171 requirements. The Physical Protection family (3.10.1 through 3.10.6 in Rev 2, derived from the 800-53 PE controls) covers limiting physical access, escorting and monitoring visitors, keeping physical access audit logs, controlling physical access devices, and protecting CUI at alternate work sites. Level 2 has a self-assessment variant and a third-party (C3PAO) certification variant; the contract determines which applies, and the requirement flows down to subcontractors that handle CUI.
Key evidence required
Implementation of all 110 NIST SP 800-171 Rev 2 requirements, documented in a System Security Plan (SSP) with a Plan of Action and Milestones for any remaining gaps; for physical protection that means physical access logs, visitor records, monitoring of physical access, and media protection.
How Tec-Tel installs typically handle it
Defense-contractor installs use NIST SP 800-171-aligned controls: badge-based physical access control (3.10.1, 3.10.5), visitor escort logs (3.10.3), CCTV coverage of CUI work areas (3.10.2), and retention set to match the contractor's SSP. Vendor selection is constrained to NDAA 889-compliant manufacturers.
Source 32 CFR Part 170 (CMMC Program Final Rule, 2024) + NIST SP 800-171 Rev 2
GDPR (US-touching)
Personal data of people in the EU
General Data Protection Regulation (EU 2016/679)
GDPR (Art. 3) applies to processing of the personal data of people who are in the EU, whether by a controller established in the EU or by a non-EU controller that offers goods or services to, or monitors the behaviour of, people in the EU. For a US-headquartered enterprise that means cameras at its EU sites and any transfer, storage, or review of that footage on US systems; a visitor's EU citizenship or residence does not by itself bring footage of them at a US site into scope. GDPR requires a lawful basis, retention limited to the stated purpose, and a DPO where core activities involve large-scale regular and systematic monitoring. Chapter V restricts transfers of the footage outside the EU.
Key evidence required
Lawful basis documentation, signage, retention policy aligned to purpose, data processing agreement with cloud providers, DPIA for facial recognition and for large-scale systematic monitoring of publicly accessible areas (Art. 35(3)(c)).
How Tec-Tel installs typically handle it
Global enterprise installs include GDPR-compliant signage at EU-touching sites, retention controls scoped to the camera's documented purpose, and DPIA support for any facial-recognition deployment. Cloud video provider DPAs are reviewed before deployment.
Source EU Regulation 2016/679
BIPA
State biometric privacy
Illinois Biometric Information Privacy Act
Requires written, informed consent before collecting biometric identifiers (retina or iris scan, fingerprint, voiceprint, scan of hand or face geometry). Its private right of action with statutory damages per violation has produced nine-figure class-action settlements; a 2024 amendment limits accrual to one violation per person per method of collection. Affects facial recognition and biometric door access.
Key evidence required
Written consent records, retention schedule (destroy when the initial purpose is satisfied or within 3 years of the individual's last interaction, whichever comes first), publicly available data destruction policy, written disclosure of purpose and duration.
How Tec-Tel installs typically handle it
Illinois deployments default to badge or PIN credentials over biometrics unless the customer has a written BIPA-compliant consent program. Where biometrics are deployed, Tec-Tel documents the consent flow as a deliverable.
Source 740 ILCS 14
Section 504 / ADA
Accessibility
Rehabilitation Act of 1973 Section 504 (recipients of federal financial assistance) and Americans with Disabilities Act (Title II for state and local government, Title III for public accommodations)
Access-control hardware and emergency-alarm signaling must meet the 2010 ADA Standards for Accessible Design: door hardware operable without tight grasping or twisting, door opening force limits, reach ranges of 15 to 48 inches for controls such as card readers and keypads, and fire alarm systems with both audible and visual notification.
Key evidence required
ADA-compliant door hardware specifications, audible/visual alarm coverage, accessible visitor management.
How Tec-Tel installs typically handle it
Door access hardware is specified to ADA reach ranges and force requirements. Visitor management kiosks are deployed at accessible heights. Audible/visual alarm coverage is included in design plans for public-accommodation installs.
A note on what this page is and isn't
This is a buyer-facing reference, not legal advice. The regulatory text on each linked source is authoritative; this page summarizes for procurement context. For any specific compliance decision, work with your counsel, your auditor, and your integrator together. Tec-Tel produces the install-side documentation an auditor expects; we don't draft your written security program.
Tec-Tel installs cover NDAA 889 procurement, HIPAA-touching healthcare environments, PCI-DSS retail and hospitality, FERPA-aware education, FTC Safeguards finance and auto-dealer environments, and CMMC defense work. Source: Tec-Tel public industry pages.