Short version: Section 889 of the FY2019 NDAA bans five named Chinese companies from federal supply chains — Huawei, ZTE, Hytera, Hikvision and Dahua, plus their subsidiaries and affiliates. Part A took effect August 13, 2019. Part B — the one that catches people — took effect August 13, 2020, and it bans the government from contracting with you if you use covered equipment anywhere in your business, whether or not it touches the federal contract.
The trap is not the named brands. Nobody accidentally buys a camera with "Hikvision" on the box. The trap is OEM rebranding: Hikvision and Dahua manufacture hardware sold under dozens of other companies' labels. You can be non-compliant while holding a box that says something else entirely.
This is a reference for IT buyers and resellers who need to know what the law actually says, what it does not say, and what to specify instead.
The five covered entities
FAR 52.204-25 defines covered telecommunications equipment or services. The definition is narrower than most people assume, and the distinction between the two groups matters:
| Entity | What is covered | Scope limitation |
|---|---|---|
| Huawei Technologies Company | Telecommunications equipment | No purpose limitation — covered outright |
| ZTE Corporation | Telecommunications equipment | No purpose limitation — covered outright |
| Hytera Communications Corporation | Video surveillance and telecommunications equipment | Only "for the purpose of public safety, security of Government facilities, physical security surveillance of critical infrastructure, and other national security purposes" |
| Hangzhou Hikvision Digital Technology Company | Video surveillance and telecommunications equipment | Same purpose limitation as Hytera |
| Dahua Technology Company | Video surveillance and telecommunications equipment | Same purpose limitation as Hytera |
Two more things fall inside the definition: services provided by those entities or provided using their equipment; and equipment or services from any entity that the Secretary of Defense, in consultation with the Director of National Intelligence or the FBI Director, reasonably believes to be owned or controlled by, or otherwise connected to, the Chinese government. That last clause is open-ended by design.
"Subsidiary or affiliate" is doing a lot of work here. The clause covers each named company "or any subsidiary or affiliate of such entities." That is the hook that pulls in rebranded hardware.
Part A vs Part B — the difference that catches contractors
This is the single most misunderstood point in Section 889, and it is worth being precise about.
| Section 889(a)(1)(A) — "Part A" | Section 889(a)(1)(B) — "Part B" | |
|---|---|---|
| Effective | August 13, 2019 | August 13, 2020 |
| What it prohibits | Agencies procuring, obtaining, extending or renewing a contract for any equipment, system or service that uses covered equipment as a substantial or essential component, or as critical technology | Agencies entering into, extending or renewing a contract with an entity that uses covered equipment as a substantial or essential component of any system, or as critical technology |
| Who it constrains | What you sell to the government | What you use — anywhere in your organisation |
| The catch | Straightforward: do not deliver covered equipment | Applies "regardless of whether that use is in performance of work under a Federal contract." |
Read that last cell again. Part B means a Hikvision-made camera in the parking lot of your unrelated warehouse can make you ineligible for a federal contract, even though that camera has nothing to do with the contract, the government, or any federal facility. It is a company-wide use prohibition, not a product prohibition.
"Substantial or essential component" is defined in the clause as any component necessary for the proper function or performance of a piece of equipment, system or service. That is a low bar.
The rebranding problem — where compliance actually fails
Hikvision and Dahua are two of the largest video surveillance manufacturers on earth, and a very large share of their output ships under other brands. The camera on the box does not say Hikvision. The OEM behind it might be.
This is why "we don't buy Hikvision" is not a compliance position. It is a statement about labels.
What actually works:
- Demand a written NDAA Section 889 compliance statement from the supplier, naming the manufacturer of record. Not the brand. The manufacturer.
- Check the ONVIF conformance listing and the FCC ID. The FCC ID identifies the grantee — the entity that actually obtained equipment authorisation. It is much harder to disguise than a logo.
- Be sceptical of unusually cheap "NDAA-compliant" cameras. Compliant NVR and camera hardware from non-covered manufacturers carries a real cost premium. A price that looks like Dahua pricing usually is.
- Chipset is not the test. A common misconception is that a Chinese-made SoC (HiSilicon, for instance) automatically triggers 889. The clause names entities, not countries or chipsets — but it also reaches subsidiaries and affiliates, so a HiSilicon-based device from a Huawei affiliate is a different question from a HiSilicon-based device from an unrelated manufacturer. Get the manufacturer, in writing.
What is NOT prohibited
Two exceptions are written into the clause, and they are narrower than people hope.
Exception 1 — third-party facilities. The clause does not prohibit "a service that connects to the facilities of a third-party, such as backhaul, roaming, or interconnection arrangements." If a covered carrier's equipment sits somewhere in the transit path of a service you buy, that alone is not a violation.
Exception 2 — equipment that cannot see or steer traffic. The clause does not prohibit "telecommunications equipment that cannot route or redirect user data traffic or permit visibility into any user data or packets that such equipment transmits or otherwise handles." This is the exception that saves a lot of passive infrastructure — but note it says cannot, not does not. A device capable of visibility is covered even if you have not enabled it.
There is also a waiver mechanism at FAR 4.2104, granted by the agency, not by you. Do not plan around it.
Your obligations if you find covered equipment
The reporting timeline is short and specific. If, during contract performance, you identify covered equipment or services — or a subcontractor tells you about it:
| Deadline | What you must report |
|---|---|
| Within 1 business day | Contract number; order number(s) if applicable; supplier name; supplier unique entity identifier (if known); supplier CAGE code (if known); brand; model number (OEM, manufacturer or wholesaler number); item description; and any readily available information about mitigation actions undertaken or recommended. |
| Within 10 business days of the first report | Any further information about mitigation actions, a description of the efforts you undertook to prevent use or submission of covered equipment, and any additional efforts that will be incorporated to prevent recurrence. |
Reports go to the Contracting Officer — or, for DoD, to dibnet.dod.mil.
Two further obligations that are easy to miss:
Flowdown. You must insert the substance of the clause — including the flowdown paragraph itself, but excluding the Part B use prohibition — into all subcontracts and other contractual instruments, including subcontracts for commercial products and commercial services. Your suppliers inherit Part A. They do not inherit Part B through you.
Reasonable inquiry. The clause defines this as "an inquiry designed to uncover any information in the entity's possession about the identity of the producer or provider of covered telecommunications equipment or services used by the entity" — and it explicitly excludes the need for an internal or third-party audit. That is a meaningful limit. You are required to ask, check what you have, and act on what you find. You are not required to commission an audit of your entire estate.
How this relates to the FCC Covered List
These are two different regimes and people conflate them constantly.
- Section 889 / FAR 52.204-25 is a procurement rule. It governs what the federal government may buy and who it may contract with.
- The FCC Covered List, maintained under the Secure and Trusted Communications Networks Act, governs equipment authorisation — whether a device may be authorised for sale or import in the US at all.
The same five companies appear on both, added to the Covered List on March 12, 2021. But the Covered List is broader in some directions and narrower in others — it also carries Kaspersky (information security products, March 25, 2022; anti-virus software, July 23, 2024), China Mobile International USA, China Telecom (Americas), China Unicom (Americas) and Pacific Networks / ComNet.
The FCC updates the Covered List as national security agencies make new determinations — the Commission cannot add entries on its own initiative. Check the live list before you commit to a purchase, because it changes and a snapshot in a blog post (including this one) is not a compliance artifact.
What to buy instead
Compliant surveillance and networking hardware is not exotic. The manufacturers that dominate NDAA-compliant specifications are the ones you would expect, and the equipment is widely available — you are paying a premium for a supply chain, not for scarcity.
- Security Cameras & CCTV — IP cameras from manufacturers outside the covered-entity list
- NVRs & Recorders — the NVR is as much a compliance surface as the camera; a compliant camera on a covered-entity NVR does not help you
- Network Switches — PoE switching for camera plant, Cisco / Juniper / Aruba / Arista
- Routers — Cisco, Juniper and other non-covered WAN edge
A note on the switch layer that buyers routinely forget: the PoE switch feeding the cameras is telecommunications equipment. If you replaced covered cameras but left a covered-entity switch in the closet, you have not solved the problem. Size the replacement properly — our PoE power budget guide covers how to avoid under-specifying the switch, and our NVR selection guide and IP camera buyer's guide cover the rest of the stack.
A short disclaimer, and it is a real one
We are a hardware distributor, not a law firm, and this is not legal advice. Section 889 compliance determinations for a specific contract are a legal question, and the clause language above — while quoted from the current FAR text — is applied by contracting officers to facts we cannot see. Use this as a map of the terrain and take the compliance decision to counsel.
What we can do is tell you the manufacturer of record for every part we quote, in writing, before you buy.
Need a quote?
Send us your camera, NVR, switch or router list and we will price it and identify the manufacturer of record for each line. We ship worldwide DDP with duties included, accept purchase orders, and return quotes within 24 hours.
Sources: FAR 52.204-25, "Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment" (Nov 2021), acquisition.gov/far/52.204-25 — all clause language, definitions, effective dates, exceptions, reporting deadlines and flowdown requirements above are quoted or paraphrased directly from this text. Section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 115-232). FAR 52.204-24 (representation) and FAR 4.2104 (waivers). Federal Communications Commission, "List of Equipment and Services Covered By Section 2 of The Secure Networks Act" (fcc.gov/supplychain/coveredlist) for Covered List entries and inclusion dates. The FCC revises the Covered List as national security agencies issue determinations — verify against the live list. This article is informational and is not legal advice.
