NDAA Section 889 cameras: what's banned, what's compliant, how to fix it

What Section 889 actually says

Section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Public Law 115-232) is two prohibitions. Subsection (a)(1)(A), effective August 13, 2019, bars federal agencies from procuring covered telecommunications and video surveillance equipment, or any system with that equipment as a substantial component. Subsection (a)(1)(B), effective August 13, 2020, extends the bar to federal contractors: agencies cannot contract with a company that uses covered equipment in any of its systems, even on private work that touches the federal contract.

FAR 52.204-25 operationalizes 889 in federal acquisition. Every federal contract above the micro-purchase threshold includes it by reference, and the contractor signs a representation that they don't use covered equipment. The FCC Covered List at fcc.gov/supplychain/coveredlist is the authoritative inventory of banned manufacturers and equipment categories. Practical translation: if you sell to the federal government, take federal grant money, or sit downstream of a federal prime, your camera stack cannot contain Hikvision, Dahua, Hytera, Huawei, or ZTE equipment. Not at headquarters, not at a remote DC, not even at a warehouse bought four years before the rule existed. Age of equipment is not a defense.

The five banned vendors, and what they hide behind

Five Chinese-headquartered companies are named in 889(f). Each ships cameras and recorders under its own brand and under multiple US-distributed OEM relabels. The relabels are where most contractors get burned, because the box at receiving says one thing and the FCC ID inside says another.

The OEM relabel issue compounds when a recorder or VMS server bundles cameras at sale. A buyer might purchase a name-brand NVR and discover, on FCC ID lookup, that the bundled cameras are Hikvision-OEM with a different sticker. That bundle still trips 889 because covered equipment is a substantial component of the system as installed.

Who has to comply

Section 889 reaches further than people expect. The clearly-bound categories:

• Federal prime contractors. Anyone on a federal contract above the $10,000 micro-purchase threshold. The FAR 52.204-25 representation is signed at offer and re-signed at modification.
• Federal subcontractors in flow-down work. If a subcontractor's deliverable touches the prime's federal scope, the clause flows down by FAR 52.204-25(d).
• Federal grant recipients. 2 CFR 200.216 implements 889 for federal awards. NSGP and SVPP awardees, and most DHS, DOJ, and DoT formula grants explicitly bar covered equipment.
• GSA Schedule 84 sellers. Schedule 84 covers commercial security products sold to federal buyers and includes 889 representations; contractors are deleted from the schedule for non-compliance.
• Federally-funded construction. Federal Highway Administration, FAA airport grants, and ARRA-style infrastructure money carry 889 flow-downs to the security scope.

Not bound, despite frequent confusion: private commercial buyers with no federal relationship (a private retail chain can buy any camera, though many elect 889-compliant gear to keep federal options open); state and local governments using only state and local money (federal pass-through pulls 889 in, pure state procurement does not); and federal employees buying personal cameras for home use. The gray zone is private firms in federal supply chains. A plant shipping finished goods to the DoD via a tier-one prime can be asked, contractually, to certify 889 compliance even though it isn't a federal contractor. Read your master purchase agreement.

How to verify your existing fleet

Three checks, in this order. Run them before you sign any 889 representation, not after.

1. Model number lookup. Walk the floor with a spreadsheet. Capture make, model, FCC ID, and serial for every camera, recorder, NVR, encoder, and intercom. Cross-reference each FCC ID at fcc.gov/oet/ea against the FCC Covered List at fcc.gov/supplychain/coveredlist. Anything that resolves to Hangzhou Hikvision, Zhejiang Dahua, Hytera, Huawei, or ZTE is covered.
2. Vendor self-cert page review. For every non-banned manufacturer in your stack, pull the published NDAA Section 889 statement from the manufacturer's site. A real one names FAR 52.204-25 explicitly, lists the covered companies it does not source from, and is signed or attested by a corporate officer. Save the PDF. Verkada's, Avigilon's, Axis's, Hanwha's, and Genetec's pages are linked in the alternatives section below.
3. Third-party audit if anything is uncertain. If you have legacy inventory with no FCC ID readable on the label, no manufacturer documentation, or installer-built-in-house gear, get an independent integrator to physically inspect the equipment and produce a written 889 attestation. Tec-Tel runs these audits as a free working session for federal-touching customers; the deliverable is a documented bill of materials with each row tagged compliant, banned, or unknown.

The rip-and-replace reality

Once you find covered equipment, you have to replace it. Cost runs on three variables: how many cameras, what camera class, and whether the cable plant survives. Public benchmarks from the SDM Magazine 2025 Industry Forecast and GSA Schedule 84 pricing put per-camera installed cost at $1,500 to $3,500 for commercial fleets and $2,200 to $5,000 for federal and government installs, all-in: camera, mount, cable run if reused, license, labor, commissioning. Cost rises if the recorder or VMS also needs replacing, which happens when the banned NVR won't handshake with the new compliant cameras. Most won't; ONVIF interop helps but doesn't always rescue you.

Timeline for a medium install (50 to 200 cameras, one or two sites) typically runs 60 to 180 days from signature to commissioning. Drivers: vendor lead time (Verkada and Avigilon Alta typically ship inside 30 days; Hanwha and Axis can run longer), cable inspection and re-pulls if runs were undersized for PoE+, and integration with existing access control and VMS. Multi-site rollouts at 500-plus cameras are 6 to 12 month programs.

Funding is where contractors get bad advice. The FCC's $1.9 billion Secure and Trusted Communications Networks Reimbursement Program is for telecom carriers replacing Huawei and ZTE network gear; it does not cover commercial camera replacement. NSGP awards (up to $200,000 per nonprofit site under the FY24 NOFO) can fund 889-compliant replacements as part of an eligible security project, but only for awarded nonprofits. For most rip-and-replace work, the contractor pays out of operating budget or rolls the cost into the next federal bid.

NDAA-compliant alternatives

The vendors below all publish NDAA Section 889 self-certifications and ship on GSA Schedule 84 or via federal-cleared distribution. The right pick depends on whether you need cloud-native, on-prem-on-the-LAN, or hybrid architecture.

A practical pick guide. Verkada and Eagle Eye Networks are cloud-native and ship the fastest install for federal-cleared offices. Avigilon Alta runs cloud or hybrid with strong edge AI for analytics-heavy use cases. Axis and Hanwha are the on-prem workhorses for sites that prefer data-stays-local, both with deep VMS integration into Genetec and Milestone. Genetec is the pick when the customer needs unified access, video, and license-plate recognition on one on-prem platform.

The full vendor matrix, including access control and analytics layers, is on the vendor comparison matrix. The compliance-regime overview, covering NDAA alongside HIPAA, PCI, FERPA, FTC Safeguards, and CMMC, is at the compliance quick reference.

How Tec-Tel handles 889 work

Tec-Tel maintains an explicitly NDAA-compliant vendor matrix and excludes Hikvision, Dahua, Hytera, Huawei, ZTE, and their OEM relabels from any federal-touching install. Bills of materials for federal-grant-funded projects (NSGP, SVPP, BSIR) ship with each vendor's signed 889 statement attached. We work across manufacturing, education, and houses of worship, and we run NDAA gap audits as the first step on any new federal-contractor engagement.

Source citation for everything on this page: Public Law 115-232, Section 889; FAR 52.204-25, plus the FCC Covered List and the vendor self-cert pages linked above. This is a buyer-facing reference, not legal advice; for a specific 889 representation, work with your federal contracts counsel.