NDAA compliance, in the context of physical security, means that your surveillance cameras, recorders, VMS software, and associated components contain no equipment produced by a defined list of prohibited Chinese manufacturers. If your organisation holds a federal contract, receives federal funding, operates as a subcontractor on government work, or is planning to — every camera on your network is a compliance question.
The National Defense Authorization Act (NDAA) is the annual US federal law that sets the budget and policies for the Department of Defense. Section 889 of the FY2019 NDAA, signed into law on 13 August 2018, introduced specific restrictions on telecommunications and video surveillance equipment that have significant implications for the physical security industry worldwide.
The law contains two distinct prohibitions, commonly referred to as Part A and Part B.
Part A (effective 13 August 2019) prohibits federal agencies from directly procuring or obtaining telecommunications or video surveillance equipment from covered manufacturers.
Part B (effective 13 August 2020) is broader and more consequential for the private sector. It prohibits federal agencies from entering into contracts with any entity that uses covered equipment in its systems — regardless of whether that use is related to the federal contract in question. In practical terms: if you sell anything to the federal government or receive federal funding, you cannot have prohibited cameras anywhere on your network.
Federal Acquisition Regulation (FAR) 52.204-25 operationalises these prohibitions in all federal contracts above the micro-purchase threshold. Every contractor must represent that they do not use covered equipment. This representation applies to the entire organisation, not just the work being contracted.
Section 889 names five Chinese companies and bans their equipment as a substantial or essential component of any system:
The ban extends to all subsidiaries and affiliates of each named company. For Hikvision and Dahua specifically, this is a very long list that includes regional entities, OEM arrangements, and brands that resell Hikvision or Dahua hardware under different names without disclosing the underlying manufacturer.
The FCC reinforced the ban in 2022 by prohibiting new equipment authorisations for all five companies. This means even previously authorised Hikvision and Dahua equipment can no longer be updated or replaced with like-for-like hardware in compliant deployments.
OEM relabelling is not a defence. If a camera is manufactured by Hikvision or Dahua — or contains components such as chipsets or sensors produced by these companies — it is covered by the ban regardless of the brand name on the box. Some cameras sold under non-banned manufacturer names use HiSilicon chipsets, a Huawei subsidiary. Equipment containing these components may create compliance exposure even when the camera manufacturer itself is not named.
The reach of Section 889 is wider than most organisations initially assume.
Federal agencies — all US federal agencies and departments cannot purchase or use covered equipment directly.
Federal contractors — any company holding a federal contract, at any tier, cannot use covered equipment in any of its systems. This applies regardless of whether the system in question is used in performance of the federal contract. A Hikvision camera in a warehouse unrelated to federal work still creates a compliance issue for a company that holds federal contracts elsewhere.
Federal grant and loan recipients — organisations receiving federal funding, including schools, hospitals, universities, and local authorities that accept federal grants, cannot use federal funds to purchase covered equipment. 2 CFR 200.216 codifies this separately from the contractor prohibition.
Subcontractors — if your prime contractor holds a federal contract, Section 889 flows down. A subcontractor two or three tiers removed from a federal prime is subject to the same restrictions.
UK and international implications — while Section 889 is US federal law, its effects are global for any organisation with US government supply chain exposure. The UK government has also implemented its own restrictions, with central government departments required to remove Hikvision and Dahua equipment from sensitive sites. Canada, Australia, and several EU member states have introduced parallel restrictions. Organisations supplying into any of these markets should be applying equivalent scrutiny to their camera supply chain.
For a security system to be NDAA-compliant, every component in the stack must be free of covered manufacturer content:
This is where an open-platform VMS becomes critical to NDAA compliance. A closed or proprietary VMS that requires cameras from a specific manufacturer creates a single point of risk: if that manufacturer is on the prohibited list or uses prohibited components, the entire system is non-compliant. An open-platform VMS that works with any ONVIF-compatible camera gives procurement teams the freedom to specify only verified, compliant hardware — and to replace cameras as the compliance landscape evolves, without replacing the entire platform.
Wavestore's VMS software — WaveView and WaveFusion — is developed and maintained in the United Kingdom and contains no components from any NDAA-prohibited manufacturer. As an open-platform VMS, Wavestore does not require cameras from any specific manufacturer. Security teams can specify cameras from any NDAA-compliant manufacturer that supports ONVIF, with full confidence that the management layer will not introduce supply chain risk.
Wavestore's camera integration library includes NDAA-compliant models from Axis, Hanwha Vision, Bosch Security Systems, and many other manufacturers — all verified against open-platform compatibility. When an organisation needs to migrate away from non-compliant cameras, Wavestore's architecture allows phased replacement: compliant cameras can be added to an existing deployment without disrupting the management layer.
For US federal contracts, critical infrastructure, and government-adjacent projects, Wavestore's team can provide documentation of supply chain provenance on request. Speak to Wavestore's Americas team for NDAA compliance support on specific projects.
If your organisation holds or is pursuing federal contracts, the following steps provide a practical starting point. This is not legal advice — consult qualified legal and compliance professionals for guidance specific to your situation.
Does NDAA compliance apply to private companies?
Yes, if they hold federal contracts, subcontracts, or receive federal grants or loans. Section 889(a)(1)(B) applies to any entity that uses covered equipment in systems tied to federal work, regardless of whether the entity is a government agency. A private company with a single federal subcontract faces the same restrictions as a DoD facility.
Are Hikvision cameras NDAA compliant?
No. Hangzhou Hikvision Digital Technology Co. is explicitly named in Section 889 as a covered company. Hikvision cameras — including all OEM relabels — are prohibited from federal procurement and from use in any system connected to federal contracts or funding.
Are Dahua cameras NDAA compliant?
No. Dahua Technology Co. is also explicitly named as a covered company under Section 889 and is subject to the same prohibitions as Hikvision.
Does NDAA compliance extend to the UK?
Section 889 is US federal law. However, the UK government has implemented its own restrictions: central government departments have been directed to remove Hikvision and Dahua equipment from sensitive sites, with Scotland, Wales, and multiple UK police forces having initiated replacement programmes. UK organisations supplying into US federal supply chains are subject to Section 889 through the contractor prohibition. Wavestore, as a UK-developed VMS, contains no components from any named prohibited manufacturer.
What happens if non-compliant equipment is found after a contract is signed?
Federal contractors who misrepresent compliance under FAR 52.204-25 face contract termination, civil penalties, and potential debarment from future federal work. The statute of limitations for False Claims Act violations is up to ten years. The risk of retroactive enforcement makes proactive auditing a business priority, not just a compliance checkbox.
Can NDAA-prohibited cameras be used if isolated on a separate network?
No. Section 889(a)(1)(B) applies to covered equipment used as a substantial or essential component of any system, regardless of whether that use is in performance of the federal contract. Network segmentation does not satisfy the statute.
Is Wavestore NDAA compliant?
Yes. Wavestore's VMS software is developed in the United Kingdom and contains no components from any NDAA-prohibited manufacturer. As an open-platform system, it operates with cameras from any ONVIF-compliant manufacturer, allowing procurement teams to specify verified compliant hardware independently of the VMS. Contact Wavestore's Americas team for project-specific supply chain documentation.
NDAA Section 889 prohibits federal agencies, contractors, subcontractors, and grant recipients from using surveillance equipment produced by Hikvision, Dahua, Huawei, ZTE, or Hytera — including OEM relabels and equipment containing components from these manufacturers. The ban extends to the entire organisation, not just the work performed under federal contract.
For security integrators and end users, NDAA compliance starts with knowing exactly what is in your camera stack and extends to the VMS layer. An open-platform VMS that does not lock you into a single camera manufacturer is the correct foundation for a compliant, future-proof surveillance architecture.
Wavestore's open-platform VMS and NDAA-compliant hardware range give security teams the freedom to specify verified compliant cameras and the flexibility to replace hardware as the regulatory landscape evolves — without replacing the management platform.
Contact Wavestore's Americas team for NDAA compliance support, or explore Wavestore's open-platform VMS to understand how it protects your procurement flexibility.