
NDAA Compliance Explained

If you are involved in purchasing, installing, or managing physical security equipment, you have likely heard the term "NDAA Compliant." Over the past few years, this designation has transformed from a niche government requirement into a fundamental standard for the entire security industry.

But what exactly does NDAA compliance mean, why does it matter for private businesses, and how can you ensure your surveillance and access control systems meet the standard? This article breaks down the legislation and its practical implications for security deployments.

What is the NDAA?

The National Defense Authorization Act (NDAA) is the annual federal law that authorizes the budget and sets policy for the U.S. Department of Defense. The John S. McCain National Defense Authorization Act for Fiscal Year 2019 included one provision, Section 889, whose consequences reached far beyond the Pentagon and reshaped the security industry.

Section 889 has two parts. Part A (effective August 2019) prohibits federal agencies from procuring "covered telecommunications equipment or services." Part B (effective August 2020) prohibits agencies from contracting with any entity that uses such equipment or services, whether or not it is used on the government work. A parallel rule for grant and loan recipients (2 CFR 200.216) bars spending federal award funds on the same equipment. The named entities are Huawei, ZTE, Hytera, Hikvision, and Dahua, together with their subsidiaries and affiliates.

Why It Matters for Private Businesses

Initially, many assumed the ban only applied to government facilities. In fact, the scope of Section 889 is much broader. It reaches any organization that holds a federal contract and, through 2 CFR 200.216, any recipient of federal grants or loans, which may not use award funds to buy covered equipment.

  • Supply Chain Contagion: If your company sells products or services to the federal government, Part B bars you from using covered equipment anywhere in your organization, even where that equipment plays no role in performing the government contract. Contractors attest to this in writing under FAR 52.204-24 and 52.204-26, so a single overlooked camera is not just a procurement problem but a false representation.
  • Cybersecurity Baseline: Even for businesses with no government ties, NDAA compliance has become a de facto standard for cybersecurity. The named companies were restricted over concerns about espionage, backdoors, and data security. Many private organizations, healthcare providers, and educational institutions now mandate NDAA compliance as a best practice to mitigate supply chain risk. Note that compliance says who made the equipment, not how it is configured: a compliant camera with default credentials, unpatched firmware, or direct internet exposure is still a liability, so treat NDAA compliance as a procurement floor, not a substitute for hardening.
  • The OEM Problem: Hikvision and Dahua are massive original equipment manufacturers (OEMs). They build cameras and recorders that are rebranded and sold by dozens of other companies. A camera may carry an American or European brand name on the outside yet be a covered product, or contain covered components, on the inside. Because Section 889 explicitly extends to subsidiaries and affiliates of the named entities, the label alone proves nothing; ensuring compliance requires verifying the origin of the device and its components, not just the brand.

How to Ensure Compliance

Navigating NDAA compliance requires diligence when selecting security vendors. Here is how to protect your organization:

  • Request Written Certification: Do not rely on verbal assurances. Require your security integrator and the equipment manufacturer to provide a written declaration of Section 889 compliance that lists each proposed product by model, and keep it with the project records; it is your evidence if a contracting officer or auditor asks.
  • Check the SoC (System on a Chip): The ban covers not just the final assembled product but covered components inside it. Ensure that cameras and NVRs do not use chipsets from covered entities such as HiSilicon, a Huawei subsidiary. Chipset origin is rarely printed on a datasheet, so ask the manufacturer for a component-level statement rather than inferring it from the brand.
  • Choose Transparent Manufacturers: Opt for manufacturers that explicitly market their products as NDAA compliant and are transparent about their supply chains and manufacturing locations. Brands like Axis Communications, Hanwha Vision, Bosch, and Motorola Solutions (Avigilon/Pelco) have built strong NDAA-compliant portfolios. Even so, compliance is a property of a specific product and its components, not of a brand, so confirm each model you specify rather than assuming the whole catalog qualifies.

Conclusion

NDAA compliance is no longer a specialized requirement; it is a fundamental consideration for any modern physical security deployment. By understanding the legislation and asking the right questions of your vendors, you can ensure your surveillance systems protect your organization without introducing unacceptable regulatory or cybersecurity risks.