What is NDAA Compliance?

The U.S. government introduced telecommunications and video surveillance regulations in Section 889 of the 2019 National Defense Authorization Act (NDAA). These regulations prohibit the use of specific telecommunications and surveillance equipment on U.S. government properties, federally funded locations, and municipalities. The key restriction is that no components manufactured by blacklisted companies may be used in these environments.

Blacklisted Companies Under NDAA

The NDAA blacklist includes the following manufacturers:

• Hangzhou Hikvision Digital Technology Company
• Dahua Technology Company
• Huawei Technologies Company
• ZTE Corporation
• Hytera Communications Corporation

Any entity providing CCTV and surveillance solutions to the U.S. government or selling to clients who serve U.S. government projects must ensure their equipment is NDAA-compliant.

Key Points from NDAA Section 889

The law states that executive agencies may not:

• Procure or renew contracts for equipment that contains blacklisted components as a substantial or essential part of any system.
• Enter contracts with entities that use blacklisted equipment in critical systems.

This means that even if a security provider does not directly supply to the U.S. government, using non-compliant equipment in certain projects could result in contract restrictions.

Why Were These Bans Introduced?

While the U.S. government has not publicly disclosed all details, several concerns have been cited in congressional discussions:

• Risks of cyber espionage and mass surveillance by foreign governments.
• Security vulnerabilities, including documented hacking incidents involving Dahua equipment in 2017-2018.
• Human rights concerns, particularly contracts awarded to Hikvision and Dahua linked to surveillance in Xinjiang, China.
• A broader effort to bring security and surveillance manufacturing back to the U.S.

How NDAA Compliance Affects Security Installations

The NDAA applies to any government-funded buildings, municipalities, or facilities that receive federal grants, including schools and universities. CCTV and surveillance products containing components from blacklisted manufacturers—whether analogue or IP—cannot be installed in these locations.

This extends beyond direct manufacturers. Many security brands use components from blacklisted companies in their OEM (Original Equipment Manufacturer) products. Equipment that includes key components such as Huawei’s HiSilicon System on a Chip (SoC) may also be non-compliant.

Identifying NDAA-Compliant Equipment

Manufacturers and security providers do not always disclose the specific components used in their products. To ensure compliance, businesses should:

• Verify with suppliers that equipment is NDAA-compliant.
• Check for independent verification of compliance.
• Avoid products containing chipsets from blacklisted manufacturers, such as Huawei's HiSilicon.

The UK's Position on NDAA

Currently, the NDAA regulations apply only within the U.S. The UK government has not imposed similar restrictions, but concerns have been raised about surveillance equipment manufactured by blacklisted companies. A report by the House of Commons Foreign Affairs Committee in July 2021 highlighted potential risks, including the widespread use of Hikvision cameras in public areas. However, the UK government has not yet enforced a ban, stating that further guidance will be issued if sufficient evidence of human rights violations is presented.

UK’s Partial Ban on Hikvision Equipment

In November 2022, the UK government introduced a partial ban on using Hikvision equipment in "sensitive sites" within government departments. This ban applies specifically to military and intelligence facilities but does not extend to wider public sector settings, including councils and local government buildings. The ban stemmed from security concerns regarding Hikvision's potential ties to the Chinese government and the company’s role in Xinjiang, where there are allegations of human rights abuses against the Uyghur minority.

Despite the partial ban, Hikvision cameras are still in use in various public sector settings, including schools, hospitals, and local councils.

Summary

For businesses involved in security and surveillance, understanding NDAA compliance is essential. While not a legal requirement in the UK, some clients may request NDAA-compliant equipment due to contractual obligations or cybersecurity concerns. Ensuring transparency in sourcing and verifying compliance with suppliers can help maintain trust and prevent potential regulatory issues in the future.

For further information, always check for updates on NDAA regulations and supplier compliance policies.