The short definition

Section 889 is two paragraphs of Public Law 115-232, enacted August 2018. Part A took effect in 2019 and barred federal agencies from procuring covered equipment. Part B took effect in August 2020 and went further: it bars federal agencies from contracting with any company that uses the covered equipment, even on systems unrelated to the federal contract. That second piece made 889 a procurement-wide concern, not a federal-IT-only one.

FAR 52.204-25 is the clause that operationalizes the law. Every federal RFP and award above the simplified acquisition threshold contains it. Contractors self-certify by representation in SAM.gov. False certification is a False Claims Act exposure, not a paperwork foot-fault.

The five covered vendors

Section 889(f)(3) names them by company. Subsidiaries and affiliates are caught by the same prohibition.

  • Hikvision (Hangzhou Hikvision Digital Technology). The largest video-surveillance manufacturer in the world by unit volume. Includes Hikvision-branded cameras, NVRs, and access-control hardware. Affected products carry the HIK or HW prefix.
  • Dahua (Zhejiang Dahua Technology). The number-two surveillance manufacturer globally. Includes Dahua-branded products and the Dahua-owned Lorex consumer line, which gets caught by the affiliate clause.
  • Hytera Communications. Two-way radio and land-mobile-radio systems. Less common in commercial-camera installs but caught when the security stack includes radio dispatch.
  • Huawei Technologies. Networking gear, switches, routers, and some camera lines. Most relevant where cameras share infrastructure with the data network.
  • ZTE Corporation. Networking and telecommunications equipment. Same exposure pattern as Huawei.

Source: Section 889(f)(3) of Public Law 115-232. The full statutory text and the FAR clause are linked from our compliance quick reference NDAA row.

FAR 52.204-25 in practice

FAR 52.204-25 requires the contractor to "represent that it does or does not provide covered telecommunications equipment or services." Provide once means caught everywhere. The exception process under FAR 52.204-25(c) is narrow: the contractor must apply for a waiver before award, document why the covered equipment cannot be replaced, and accept ongoing reporting requirements. Waivers are uncommon and time-bounded.

Annual representation in SAM.gov plus contract-by-contract reaffirmation creates a continuous compliance obligation. A contractor that buys a Hikvision camera on an unrelated commercial site has a representation problem at the next federal contract action.

The OEM relabel trap

Several US-branded camera lines are Hikvision or Dahua hardware with a different label. The relabel doesn't change the 889 status: the covered-equipment list follows the original component's manufacturer, not the brand on the box. CISA and DOD have flagged Honeywell's Performance Series, ADI's W Box, LTS Security, and others as historically Hikvision or Dahua OEM depending on model and year. The bill of materials determines compliance, not the brand.

That's why a "made in USA" sticker doesn't satisfy the rule. The check is the OEM source of the chipset and firmware, traceable to the original manufacturer. Tec-Tel installs federal-touching projects with vendor self-certifications attached to the bill of materials, including chipset-level sourcing.

Who is affected

The obvious population is federal prime contractors. The less-obvious ones drive most of the calls we get:

  • Federal grantees. 2 CFR 200.216 extends the prohibition to recipients of federal grants and cooperative agreements. NSGP-funded nonprofits, SVPP-funded schools, and BSIR-funded transit are all in scope.
  • Subcontractors. The flow-down clause means a subcontractor on a federal job carries the same obligation as the prime.
  • Federal-touching commercial vendors. A manufacturer in the DoD supply chain, a hospital with VA-funded research, a university with NSF grants. Easier to maintain a single NDAA-compliant procurement policy than to track which sites are federal-touching this quarter.
  • State and local governments mirroring federal rules. Many states (Florida, Georgia, Texas, Vermont) have passed parallel state statutes. The covered-vendor list is largely the same.

How to verify your install is NDAA-compliant

Three checks separate a compliant install from a paperwork problem.

  1. Bill of materials with manufacturer self-certifications. Each line item references a vendor's published 889 statement. Axis, Hanwha, Avigilon, Verkada, Genetec, Bosch, and Pelco all publish them. Save the dated PDF, not just a screenshot of a marketing page.
  2. Chipset-source review on any house-brand or OEM-relabeled product. If the brand isn't a name you recognize, the original manufacturer matters more than the label. Check the FCC ID and the firmware vendor.
  3. Network-component audit. Switches, routers, and access points carrying camera traffic are in scope under Part B. A Huawei switch in an otherwise-compliant install creates the exposure.

Tec-Tel maintains an explicitly NDAA-compliant vendor matrix. Hikvision, Dahua, and Lorex are excluded from any federal-touching install. For grant-funded projects, each line item ships with the manufacturer's own 889 statement attached to the project file. See the deep-dive on NDAA camera compliance for the procurement workflow we use on NSGP and SVPP awards.

When to ask Tec-Tel about NDAA compliance

If you're a federal grantee, a federal contractor, or a state-government buyer mirroring federal rules, and you've inherited a security stack with unclear vendor provenance, we can audit the bill of materials and tell you what stays and what swaps out. Free working session.