NDAA Section 889 hardware migration: a rip-and-replace playbook

NDAA Section 889 hardware migration: a rip-and-replace playbook for federal contractors

NDAA Section 889 (Public Law 115-232) bars federal agencies, contractors, and grantees from using covered telecommunications and video surveillance equipment from Hikvision, Dahua, Hytera, Huawei, ZTE, and their subsidiaries. FAR 52.204-25 makes the prohibition contractual. Migration runs in six phases: bill-of-materials audit, identify banned vendors and OEM relabels, NDAA-compliant vendor selection, procurement, phased install, and verification documentation. Do this before your next contract option year, not during the audit.

Why federal contractors can't ride this out

Section 889 has been federal law since 2018 and contractually binding since 2020. Enforcement has tightened. CMMC 2.0 Level 2 assessors check for covered equipment as part of the physical-security control review under NIST SP 800-171, and False Claims Act exposure on a covered-equipment representation is real. The Department of Justice has settled cases in the millions.

The cheap path most contractors took was to swap the cameras facing federal data and leave the rest. That doesn't work now. Auditors look at the network, not just the office. A covered NVR on the same VLAN as a federal workload is a finding regardless of which camera is plugged into it. This playbook is for the IT director, facility manager, or contracts officer told to "deal with the camera thing" before the next option year. It's the install-side playbook, not legal advice; pair it with your contracts counsel and CMMC assessor.

Phase 1: Run a bill-of-materials audit on every camera, NVR, and access head-end

Walk every site and pull serial numbers, OEM markings, firmware versions, and chipset stickers off every camera, NVR, and access-control panel. The covered list isn't only Hikvision and Dahua. It includes Hytera radios, Huawei networking, ZTE telecom, and any OEM that uses covered components as a substantial part. The audit captures the full stack so a covered chipset hidden inside a relabeled NVR doesn't survive the migration. Tec-Tel runs this audit as part of the free consultation, on site, with a written deliverable that maps each device to a covered or compliant status.

Phase 2: Identify the OEM relabels that hide banned vendors

Hikvision and Dahua sell through dozens of OEM relabel brands. Lorex is Dahua. Honeywell Performance Series cameras have shipped with Dahua firmware. Watchguard, ezviz, LaView, Annke, Swann (some models), and Night Owl have all carried covered components at points in their line. The relabel doesn't change Section 889 status. The audit deliverable lists each device with the underlying OEM identified, sourced from the FCC ID database, the vendor's own filings, and SIA technology bulletins. Lorex on the wall is Dahua on the contract.

Phase 3: Select NDAA-compliant vendors that match your operational needs

The NDAA-compliant market has consolidated around a clear short list. For video, the practical choices include Verkada, Avigilon (Motorola Solutions), Genetec, Axis Communications, Hanwha Vision, Milestone, and Eagle Eye Networks, each with documented Section 889 statements. Selection criteria run beyond compliance: cloud-native versus on-prem, edge AI capability, open API for integration, and total cost over a five-year horizon. We don't push one vendor. The migration scope picks the camera that fits the environment, and multi-vendor deployments are common where sites have different operational profiles.

Phase 4: Build the procurement plan around your contract clock

Don't migrate during a federal audit or a contract option year. Migrate before. The procurement plan sequences purchases against the contract calendar, the budget cycle, and the lead time on long-pole hardware. Camera lead times in 2026 run 4 to 12 weeks depending on model; access-control credentials and head-ends can stretch longer. Build the PO sequence so install starts the day hardware lands. For grant-funded scope (NSGP, SVPP, BSIR), procurement happens after EHP review, so the timeline runs through that gate too.

Phase 5: Phase the install around continuous operations

Federal contractors usually can't go dark on surveillance. The phased install keeps coverage live while devices swap: build the new VMS or cloud platform on parallel infrastructure, install replacement cameras at full capacity, cut over zone by zone, then decommission and physically remove the covered devices. Network segmentation matters. Until the covered devices are off the network, they should sit on a quarantined VLAN with no path to anything touching federal data. Tec-Tel sequences cuts around your operating hours and any classified-handling windows.

Phase 6: Document verification for the contracting officer and the SSP

The endpoint isn't an installed camera. It's documentation that satisfies a contracting officer or CMMC assessor: vendor self-certifications under Section 889, a final bill of materials with serial numbers, photographic evidence of decommissioned covered devices, network logs showing the covered VLAN is offline, and a written representation suitable for your System Security Plan. CMMC 2.0 Level 2 assessors expect this under PE-1 through PE-6 controls. Skipping the documentation is what gets contracts pulled, not the install itself. Full regulatory background and citations: Public Law 115-232, Section 889; FAR 52.204-25.

NDAA-compliant vendors we install on federal-touching scope

Each vendor below has documented Section 889 self-certifications. Tec-Tel is multi-vendor by default and picks what fits the environment.

Verkada - video, cloud-native, edge AI. 889 statement
Avigilon (Motorola Solutions) - video, cloud-native, on-prem option, edge AI. 889 statement
Genetec - video, cloud-native, on-prem option, edge AI. 889 statement
Axis Communications - video, on-prem, edge AI. 889 statement
Hanwha Vision - video, on-prem, edge AI. 889 statement
Milestone Systems (XProtect) - video, on-prem. 889 statement
Eagle Eye Networks - video, cloud-native, edge AI. 889 statement
Brivo, Avigilon Alta Access, Kisi, Genetec Synergis, HID Global - access control, all NDAA-compliant.

Full matrix: vendor comparison matrix.

Frequent buyer questions

Does the rule apply to existing equipment, or only new purchases?

It applies to existing equipment if you're a federal contractor or grantee and the equipment is in active use. The rule is not a forward-only purchasing restriction. A federal contractor running covered cameras at a non-federal facility may still be required to remove them under their contract terms, depending on the contract and the data flow. Federal grant rules under FAR 52.204-25 explicitly cover existing infrastructure. The safe path is migration before your next contract option or grant cycle, not after.

Is Lorex banned? It says "Made in USA" on some models.

Lorex is a Dahua subsidiary. Country of assembly does not change Section 889 status. The covered-vendor list applies to the parent company and its subsidiaries regardless of where final assembly happens. SIA and FCC documentation links Lorex products to Dahua firmware and silicon. Federal contractors should treat Lorex as covered. Replace it. Confirm any specific model with the manufacturer's own 889 statement before relying on a brand-level claim.

How much does an NDAA migration typically cost?

Full rip-and-replace runs roughly the same as a fresh install of equivalent scope, less the salvage value of any reusable mount, conduit, and cabling. For a mid-size facility with 50 to 150 cameras, expect $75K to $300K depending on cloud vs on-prem, edge AI, and how much existing cable can be reused. Federal grant funding under NSGP, SVPP, and BSIR can sometimes be applied if the migration fits AEL categories. The bigger cost is contract-loss exposure if you don't migrate.

What about access control? Are HID, Brivo, and others compliant?

Most major access-control platforms (HID Global, Brivo, Avigilon Alta Access, Genetec Synergis, Kisi, Openpath/Avigilon Alta) are NDAA-compliant under their own 889 self-certifications. Hikvision and Dahua sell access-control products too, so the audit needs to look at access head-ends and credentials, not only cameras. The same OEM-relabel risk applies. Tec-Tel maintains an NDAA-compliant access-control vendor matrix alongside the video matrix.

Will Tec-Tel work as a sub on a sealed federal RFP for the migration?

Yes. Tec-Tel works inside whatever procurement rule applies, including direct award, open competition, sealed RFP, and GSA schedule purchases. We scope covered-equipment migration to fit the procurement vehicle you're operating under. The free consultation is a no-obligation way to start the BOM audit and scope conversation before any RFP language is locked.

How long does a full NDAA migration take?

End-to-end timelines for a 50-to-150-camera site usually run 8 to 16 weeks once procurement clears. The audit phase runs 1 to 2 weeks. Vendor selection and procurement run 4 to 10 weeks depending on lead times. Install runs 2 to 6 weeks. Verification documentation runs another 1 to 2 weeks. For multi-site programs, plan a wave-based rollout across sites rather than a simultaneous cut. Federal grant-funded scope adds the EHP review window, which extends the front end.

Bring us your camera list. We'll bring the covered-vendor map.

A free working session. On-site BOM walk with a written deliverable mapping each device to covered or compliant status.

Tell us how many sites you run and what's already in place. We'll show you what a build or upgrade looks like.

Straight answers from the team that does the work. We're platform-agnostic, so you get the system that fits your sites, not one brand's catalog.

Since 2010 · 1,000+ deployments nationwide · ISN-accredited

Talk to our team 855-577-0400