A school district in Georgia had seven hundred cameras across thirty-two campuses. The contract was awarded competitively, the BOM listed a U.S. brand, and the GC's submittal package was approved. Two years into deployment, the district applied for a federal Title IV-A grant for additional security cameras. The grant required NDAA Section 889 compliance attestation. The compliance officer started checking the cameras already in place. Forty percent of them were Hikvision-OEM hardware in a different brand's enclosure.

The district's problem was bigger than the new grant: it reached every federal program that depended on Section 889 attestation, plus the cost to rip-and-replace. The contractor had not been deceptive; the BOM was technically accurate. The bezel carried the brand named on the BOM. The chip and the firmware, which is what the law actually cares about, came from a banned manufacturer.

This is the most common Section 889 failure pattern in 2026. The label is right; the OEM behind the firmware is wrong; nobody checks until grant attestation forces the question.

What Section 889 actually says

Section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Public Law 115-232) prohibits federal agencies and federal-fund recipients from procuring or using “covered telecommunications equipment or services” from five named manufacturers and their subsidiaries:

  • Huawei Technologies Company
  • ZTE Corporation
  • Hytera Communications Corporation
  • Hangzhou Hikvision Digital Technology
  • Dahua Technology Company

The prohibition is implemented in the Federal Acquisition Regulation through FAR 52.204-25 (representations and certifications) and FAR 52.204-26 (the actual prohibition). For grants and cooperative agreements, the same prohibition is implemented through 2 CFR 200.216.

The law has two parts that matter for video surveillance:

  • Part A — the procurement ban (effective Aug 2019): Federal agencies cannot directly procure covered equipment.
  • Part B — the use ban (effective Aug 2020): Federal agencies cannot enter into a contract with any entity that uses covered equipment, anywhere in that entity's operations — even on systems unrelated to the federal contract.

Part B is the wider net. A general contractor with a single Hikvision camera at a regional warehouse cannot bid on a federal job until the camera is removed and the cooperative agreement is in place.

Who's actually affected

The law sweeps wider than “federal contractors” in the narrow sense. Affected entities include:

  • Direct federal contractors and subcontractors at any tier.
  • K-12 schools and districts receiving Title I, Title IV-A (Student Support Grant), E-Rate, or COPS School Violence Prevention Program funds.
  • Higher education institutions receiving research grants, Title IV financial aid funding, or FEMA Higher Education Emergency Relief funds.
  • Healthcare facilities receiving HHS funds (most hospitals and many clinics).
  • Airports receiving FAA grants under AIP or BIL programs.
  • Public housing authorities receiving HUD funding.
  • Transit agencies receiving FTA grants.
  • State and local agencies receiving DOJ COPS funds, DHS Homeland Security Grant Program funds, or DOT formula grants.

The breadth is intentional. Section 889 was written to remove these manufacturers from federal supply chains entirely, not just from the federal balance sheet.

The OEM problem — the part that catches buildings

Hikvision and Dahua manufacture private-label hardware for many other brands. Some of those brands are explicit about their OEM source; many are not. The most common categories:

  • Honeywell 30-Series, 35-Series cameras (legacy): Some SKUs were Hikvision-OEM until Honeywell pivoted in 2020. Inventory remained in the channel for several years after.
  • LTS / LT Security: Owned by Hikvision USA. Explicitly covered.
  • Annke, Lorex (older lines): Dahua-OEM in many cases.
  • NVR firmware on no-name boxes: A re-badged Hikvision NVR running Hikvision firmware is a Section 889 finding even if the box says “CompanyName Pro.”
  • EZVIZ: Hikvision-owned.

The firmware, the chip, and the supply chain matter — not the bezel. A camera whose CGI signature, default credentials, or telnet banner reveals a Hikvision origin is a covered device, full stop. Many compliance auditors run a basic network capture on installed cameras and check the device fingerprint against a known-OEM database. If your auditor doesn't, the next one will.

The re-badge tell: Compare the ONVIF metadata, the default RTSP port behavior, the web-UI HTML structure, and the firmware update file format against published Hikvision/Dahua reference data. If three or more match, you have an OEM device regardless of what the label says.

The BOM audit checklist

Before accepting a delivery or signing off on a submittal package:

  1. Get the manufacturer's NDAA 889 attestation in writing. Reputable manufacturers publish an attestation letter. Axis Communications, Avigilon, Bosch, Hanwha (Wisenet), Verkada, Pelco, and i-PRO all publish current letters. If the manufacturer can't or won't produce one, that is the answer.
  2. Check the FCC ID on each model. Cross-reference against the FCC equipment authorization database. The grantee on the FCC ID tells you who actually built the hardware, not who sold it to you.
  3. Check the firmware origin. Look at the update file format, the bootloader splash, and the web-UI source. Even when the brand on the box is U.S.-owned, the firmware can betray the OEM.
  4. Document the supply chain. For grant attestation, keep purchase orders, manufacturer attestation letters, and FCC records together in one PDF per project. When the auditor shows up, you don't want to reconstruct the trail; you want to hand it over.
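
Steps 1 to 3 and the three-or-more re-badge rule above can be run over an inventory export. The script below is an added example, not tooling from this article. The CSV column names, the grantee code and every REF-* fingerprint value are constructed placeholders that you would replace with data from the FCC database and your own reference captures.

```python
"""BOM audit sketch: FCC grantee check plus the three-of-four re-badge rule."""
import csv
import io

# Constructed placeholders, not real values. Populate from the FCC equipment
# authorization database and from your own reference captures.
COVERED_GRANTEES = {"2ZZZ1": "covered OEM (placeholder)"}
REFERENCE = {  # fingerprint field -> values recorded from known covered devices
    "onvif_manufacturer": {"REF-ONVIF"},
    "rtsp_behavior": {"REF-RTSP"},
    "webui_structure": {"REF-HTML"},
    "fw_file_format": {"REF-FW"},
}
MATCH_THRESHOLD = 3  # the article's "three or more match"

def grantee_code(fcc_id):
    """Grantee code is 5 chars when the ID starts with a digit, otherwise 3."""
    fcc_id = fcc_id.replace("-", "").replace(" ", "").upper()
    n = 5 if fcc_id[:1].isdigit() else 3
    return fcc_id[:n] if len(fcc_id) > n else None

def audit_row(row):
    """Return the list of findings for one BOM line (empty list = clean)."""
    findings = []
    if row["attestation_on_file"].strip().lower() != "yes":
        findings.append("no manufacturer attestation letter")
    code = grantee_code(row["fcc_id"])
    if code is None:
        findings.append("FCC ID missing or malformed")
    elif code in COVERED_GRANTEES:
        findings.append(f"FCC grantee {code}: {COVERED_GRANTEES[code]}")
    hits = [f for f, ref in REFERENCE.items() if row[f] in ref]
    if len(hits) >= MATCH_THRESHOLD:
        findings.append(f"re-badge fingerprint {len(hits)}/4: {', '.join(hits)}")
    return findings

def audit_bom(csv_text):
    return {r["asset"]: audit_row(r) for r in csv.DictReader(io.StringIO(csv_text))}

# Constructed sample inventory; every identifier below is made up.
SAMPLE = """asset,fcc_id,attestation_on_file,onvif_manufacturer,rtsp_behavior,webui_structure,fw_file_format
cam-001,ABC-MODEL1,yes,BrandX,std,brandx-ui,brandx-pkg
cam-002,2ZZZ1CAM77,yes,BrandX,REF-RTSP,REF-HTML,REF-FW
cam-003,,no,REF-ONVIF,std,REF-HTML,other
"""

if __name__ == "__main__":
    for asset, findings in audit_bom(SAMPLE).items():
        print(asset, "; ".join(findings) or "clean")
```

A clean line only means none of these checks fired; what the fingerprint rule can catch depends entirely on the reference data you load.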

Compliant alternatives

The list of manufacturers with current NDAA 889 attestation letters and U.S./allied-country supply chains is healthy. For commercial video surveillance, the workhorses in 2026:

  • Axis Communications — Sweden. Long history of compliance documentation, broad model range, ONVIF Profile S/T/G.
  • Hanwha Vision (Wisenet) — South Korea. Cost-competitive with strong analytics.
  • Avigilon (Motorola Solutions) — Canada/U.S. Especially common where unified video and access control matters.
  • Bosch Security — Germany. Strong on industrial environments and mass-notification integrations.
  • Verkada — U.S. Cloud-managed; popular with K-12 and multi-site retail.
  • i-PRO — Japan (formerly Panasonic Security). Niche strong points in low-light and analytics.
  • Pelco — U.S. Long-running in transportation and government.

This list is not exhaustive, and supply chains can change — always confirm a current attestation letter before specifying.

The audit trail you need to keep

For each project that requires Section 889 compliance, assemble and retain:

  • Manufacturer NDAA 889 attestation letter, current as of the project's contract date.
  • Itemized BOM with manufacturer, model, FCC ID, and firmware version.
  • Purchase orders showing the chain of custody (manufacturer → distributor → integrator → end user).
  • Acceptance test report confirming installed equipment matches the BOM.
  • Internal compliance attestation signed by the integrator, on the integrator's letterhead.

For schools and districts, this folder belongs in the same file as the building permit, the sprinkler certificate, and the AHJ acceptance — treat it as part of the compliance record, not an IT detail.

Bottom line

NDAA Section 889 is one of the cleaner compliance tests in physical security: there's a list of five manufacturers, the rule is binary, and the documentation is straightforward. The places it goes wrong are the OEM relationships behind the bezel and the inertia of equipment installed before anyone was paying attention. The right time to audit is before you apply for the next federal grant — not after the compliance officer asks for the attestation list.
