The Guide To The NDAA Video Surveillance Ban / Blacklists

PUBLIC – This article does not require an IPVM membership. Feel free to share.

This 25-page guide provides a reference to the NDAA ban and blacklist. The US government has implemented wide-ranging prohibitions on using, buying, and selling video surveillance products including Dahua, Hikvision, and Huawei (Hisilicon) based products.

However, the bans and ‘blacklisting’ are not complete. In many areas, US businesses are free to buy, sell, and use these products.

The goal of this guide is to explain how these bans and ‘blacklisting’ work so that businesses can understand where and when they are applicable, including 11 major sections:

• No Workarounds for Subsidiaries or OEMs
• What Bidders / Contractors Must Do
• The ‘Blacklist’ Explained
• Maintenance Is Covered
• Reasonable Inquiry Mandated
• Federal Funding Ban Explained
• Waiver Process Explained
• The DoD Delay Does Not Cover Electronics Including Video Surveillance
• Exemptions Explained
• Penalties Explained
• NDAA Compliant Products Listed

Primary Links Provided / Confirm With Government

This guide provides extensive links and citations to US government documentation so you can review them yourself. You should confirm with the relevant government agencies on the applicability to your own particular sale or usage.

NDAA Ban Background

In August 2018, US Congress passed the John McCain National Defense Authorization Act (NDAA), which contained a section called Section 889: Prohibition on Certain Telecommunications and Video Surveillance Services or Equipment.

Three Core Parts

Section 889 has three core parts:

• the ‘procurement ban’, which bans federal procurement of covered equipment/service and went into effect in August 2019
• the ‘blacklist clause’, which bans federal agencies from doing business with those who “use” covered equipment/services and went into effect in August 2020
• the ‘funding ban’, which prohibits federal dollars from being spent on covered goods/services and went into effect in August 2020

In this post, we will examine each core aspect in detail, along with which entities and what products are affected.

Entities Affected: No Workarounds

The ban names Hikvision and Dahua along with “any subsidiary or affiliate of such entities”:

This means there are no workarounds – i.e. Hikvision USA or Hikvision Brazil is covered just as well as Hikvision China gear. Huawei is also covered:

This is not strictly limited to Huawei telecom gear as it explicitly includes “video surveillance services” or “such equipment” produced by Huawei as well:

‘Covered Equipment/Services’ Includes OEMs, COTS, Micro-transactions

OEMs are also covered, with the procurement ban requiring “original equipment manufacturer” disclosure:

Refer to IPVM’s Dahua OEM Directory and Hikvision OEM Directory for companies OEMing.

The blacklist clause requires disclosure of “whether the entity was the original equipment manufacturer” for “covered equipment”:

“COTS items” are also covered, with the government having determined this “is in the best interests of the Government”:

Finally, “all” federal contracts are covered “including micro-purchase contracts”:

All Cameras With Huawei HiSilicon Chips Also Covered

The ban includes “any equipment, system, or service” which uses banned goods/services “as a substantial or essential component of any system”:

This is particularly important to video surveillance because many IP cameras today, particularly cheaper ones, are powered by Huawei HiSilicon SoCs and are therefore “covered” just like Hikvision or Dahua cameras.

Procurement Ban Summary

In effect since August 13, 2019, this bans federal agencies from trying to “procure or obtain or extend or renew a contract” to buy “any equipment, system, or service” that “uses covered” equipment/services:

In plain English, this means the federal government cannot, in any way, buy banned equipment, nor can it obtain products which use banned equipment “as a substantial or essential component” e.g. cameras with Huawei HiSilicon chips.

Affects Every Federal US Agency

This affects every “executive agency” of the federal government, which includes many organizations such as the FBI, the Coast Guard, the military, the VA, the State Department/USAID, the National Park Service, etc.

Bidders Must Represent

Contractors are “prohibited from providing to the Government” banned equipment/services:

That means the onus is on contractors to comply; in order to do so, bidders “shall include” a “representation” to the government about whether they “will” or “will not” provide covered equipment/services “for all solicitations”, per the implementing FAR Rule:

UPDATE 9/3: In a second interim rule, the US government announced that starting on October 26 bidders will be required to “represent” on an annual basis in the System for Award Management (SAM) whether or not they use covered services:

Prior to this, bidders were required to represent for each federal contract, so this should make compliance simpler. The government estimates “it will take 1 hour to complete the annual representation”.

The annual representation requirement kicks in October 26 but is also required for solicitations “issued before the effective date, provided award of the resulting contract(s) occurs on or after the effective date”.

Procurement Ban Examples

Below is a list of hypothetical scenarios that are prohibited under the procurement ban:

• An integrator cannot renew his contract with a local Coast Guard base for a Hikvision camera system
• A construction company cannot install Dahua NVRs for its local Veterans Administration office
• A veteran-owned security firm cannot win a US Air Force contract if it plans to install Huawei HiSilicon-based IP cameras at one of the barracks

Blacklist Clause Summary

In effect since August 13, 2020, the blacklist clause says the federal government “may not” “enter into a contract” or “extend or renew a contract” with “an entity that uses” covered equipment and/or services:

This means the federal government cannot do business with any prime contractor that “uses” banned equipment/services. Importantly, this applies “regardless of whether that use” is related to a federal contract:

Blacklist Clause “Interim”, Comments Possible

The government released the blacklist clause’s interim rule on July 14, commencing a 60-day public comment period; filing comments can be done by searching for “FAR Case 2019-009 at Regulations.gov.

After this period, the government will decide whether to make any final revisions/clarifications and then publish the final rule. However, keep in mind, the interim rule is still legally in effect since August 13.

Affects Every Federal US Agency

Just like the procurement ban, every “executive agency” of the federal government is affected:

Blacklist Clause Has No Definition of “Use” (Yet)

The blacklist clause bans the federal government from dealing with any prime contractor’s “use” of banned equipment services. However, the clause does not specifically define “use”, meaning it is unclear if a distributor who simply sells boxes of Hikvision cameras wholesale and has no meaningful interaction with them is considered a “user”.

The GSA has urged those wanting clarity on this point to file public comments on the interim rule, stating in a recent webinar:

Does “use” include selling and or servicing equipment to private industry? Again, “use” is not defined, so it’s unclear. I think that’s a good question to include in your comments to the Federal Register to the FAR rule. [emphasis added]

Blacklist Clause Only Impacts Prime Contractors

The blacklist clause prohibition “applies at the prime contract level”, per the interim rule:

That means subcontractors can still used banned goods/services as long as they don’t end up being used by the prime contractor.

Prime Contractors Must Still Examine Subcontractors

A prime contractors must still examine its “relationships with any subcontractor or supplier” to make sure it doesn’t end up using the sub’s covered goods/services:

Some prime contractors may stop working with subcontractors who use banned equipment/services entirely, just to avoid the risk of such systems ending up in their own usage.

“Maintenance” is Covered

“Maintenance” of a covered “item” is considered “covered services” and must be disclosed in the representation, i.e. leading to blacklisting:

For any “covered service” that is “not associated with maintenance”, then the Product Service Code (PSC) must be disclosed:

“Reasonable Inquiry” Mandated

“Each offer” to a federal agency requires “conducting a reasonable inquiry” beforehand on whether banned equipment/services “are used by the offeror”:

“Reasonable inquiry” is defined as an “inquiry designed to uncover any information” about banned equipment usage; an internal or third party audit is not necessary:

The government says DoD, GSA, and NSA are “currently working on updates” to System for Awards Management (SAM) to allow contractors “to represent annually after conducting a reasonable inquiry”. The government estimates about “3 hours” of paperwork per representation.

One Business Day to Report Banned Equipment/Services Use

If a contractor discovers covered equipment/services usage after winning a federal contract, it “shall report” to the contract officer “within one business day” a host of details about the banned equipment “brand”, “model”, “item description”, and any “readily available information about mitigation actions”:

Then, within ten business days after the initial report, the contractor will submit “any further information about mitigation actions undertaken or recommended”:

No Geographic Constraints On “Use”

Nowhere in the NDAA itself or the implementing regulations are geographic constraints imposed/mentioned. If an integrator has an office in South Korea using Hikvision equipment, that counts as “use” of covered equipment/services. As GSA has explained, this applies even if there is no choice but to use such equipment in the foreign country:

What about situations where the contractor is located in a country such as Ethiopia, where the monopoly internet provider, the government of Ethiopia uses covered telecom and their infrastructure? Well, if that contractor uses that internet infrastructure, that’s the use of covered telecom. And if you know about it, if your reasonable inquiry turns up that information, you have to represent to the government that you use covered telecom. [emphasis added]

Blacklist Clause Examples

The examples below are prohibited under the blacklist clause:

• An integrator which no longer deals Hikvision but does still maintain a Hikvision camera network he installed at a pizza parlor three years ago, occasionally logging in to fix bugs. This is “maintenance” of a banned item, which is a “covered service”, so this integrator will not be able to participate in a security contract for his local VA office, even though he only deals NDAA-compliant equipment now.
• A Japanese construction company that uses Hikvision cameras in its Tokyo office to monitor its staff can no longer win State Department contracts because of its use of covered equipment.
• A veteran-owned security firm that uses a wide variety of cheap cameras, some of them with Huawei HiSilicon SoCs, cannot win a simple contract for wire fencing at a nearby US Navy base.
• A subcontractor installs relabeled Hikvision cameras at a prime contractor’s new headquarters without disclosing that the cameras are Hikvision and thus NDAA-banned, meaning the prime contractor now risks being blacklisted from all federal contracts for using Hikvision cameras.

Because of how expansive the blacklist clause is, unlike the narrower procurement ban, it has raised significant opposition from groups like SIA, to no avail.

Federal Funding Ban Explained

In effect since August 13, 2020, the ‘funding clause’ is the NDAA’s Prohibition on Loan And Grant Funds, which states the federal government “may not obligate or expend loan or grant funds” to “procure or obtain” any covered “equipment, services, or systems”:

Plainly put, this component bans any federal dollars from being spent on acquiring banned equipment/services, regardless of the entity spending those federal dollars.

The implementing rule for this clause is 2 CFR 200.216, which ‘prohibits’ any federal award “recipients and subricipients” from trying to “procure or obtain”, “extend or renew a contract to procure or obtain”, and “enter into a contract […] to procure or obtain” covered equipment/services:

Affects Entities Beyond Federal Contracting Community

The funding clause applies to “federal award recipients and subrecipients”, which could be a local public school or a church or a private company or a charity etc.

Funding Clause Examples

As IPVM has reported, the examples are prohibited under the funding clause:

• An integrator cannot sell Hikvision cameras to a local private school as part of a Department of Education-funded grant to expand security
• A security firm cannot renew its DHS-funded contract with a local synagogue for a Huawei HiSilicon chip-powered surveillance system
• A construction company cannot sell Dahua NVRs for a local rec center’s expansion funded by the Veterans Administration

However, even with the funding clause in place, the examples below are not prohibited:

• An integrator using Dahua cameras can sell NDAA-compliant Pelco systems for a local school’s federal Department of Education grant to expand security
• A security firm using Huawei HiSilicon chip-powered surveillance systems at its own warehouse can obtain a DHS-funded contract with a local mosque that does not include any covered equipment/services

Waiver Process Explained

Per the NDAA, a Section 889 waiver can be issued from either the head of an executive agency on a “one-time basis” or from the Director of National Intelligence:

In order to get a waiver from a federal agency head, an entity must submit “a compelling justification for the additional time” required to comply and “a full and complete laydown or description” of the covered equipment/services being used:

The executive agency head then has “30 days” to consult with “appropriate Congressional committees” on the validity of the waiver request. Meanwhile, the submitter must also “notify and consult” with the DNI:

Finally, a “phase-out plan to eliminate” the covered services/equipment must be provided:

Waivers from federal agency heads “may only be provided” for a “period of not more than 2 years” after the effective date of Section 889’s core components, meaning:

• Procurement ban waivers from agency heads are possible until August 13, 2021
• Blacklist clause waivers from agency heads are possible until August 13, 2022
• There is no waiver provision for the funding ban.

This means, in effect, these waivers are “really delayed implementation”, GSA has commented.

Separately, the DNI itself can issue waivers as well and they have no deadlines, i.e. they can be issued “on a date later” if deemed “in the national security interests” of the US:

For background, the DNI is the federal agency that oversees the US’ Intelligence Community (CIA, NSA, etc):

GSA Says Waiver Hurdles “High”

Given all the steps and high levels of government approval required, the GSA has emphasized these waivers are difficult to obtain:

Section 889 in the NDAA and in the FAR rule does allow some waivers. However, the waivers are very narrow, and that, again, is to address the threats. These threats are real, and we need to protect the American government’s supply chain.

The Director of National Intelligence may waive Section 899 Part A, Part B both for national security interests. Clearly, that’s a very high bar.

And you can see the hurdles are quite high. A lot needs to be done before a waiver can be granted. [emphasis added]

Government Says Waivers Could Take “A Few Weeks”

In the interim rule, the government recognizes waivers “would likely take at least a few weeks” and if such time is not available, agencies can just “make award to an offeror that does not require a waiver”:

DoD Obtains Blacklist Delay But Not For Video Surveillance Sellers

The Department of Defense has obtained a DNI waiver allowing it to delay implementation of the NDAA’s “blacklist clause” until September 30, giving those who “use” Hikvision/Dahua/Huawei HiSilicon a temporary amount of relief.

However, the waiver only affects contractors’ supply to the DoD of “low-risk” products such as “food, clothing, maintenance services, construction materials that are not electronic”, the DoD told IPVM. Below are some examples, per IPVM’s interpretation, of what is now allowed:

• An integrator that uses Hikvision equipment can sell shovels to the US Air Force until September 30
• A Japanese construction company that uses Dahua cameras to monitor its Tokyo headquarters can still sell concrete, bricks, and lumber to the US Navy base in Okinawa until September 30
• A janitorial services company which also installs and maintains Huawei HiSilicon-powered cameras can continue mowing the lawns of its local US Army base until September 30

Below are some examples of what remains prohibited:

• The integrator that uses Hikvision cameras cannot win contracts from NASA, the FBI, or any other federal agency apart from the DoD
• The Japanese construction company cannot win any contracts from USAID, even if it’s just for bricks, as USAID is part of the State Department (not the DoD)
• The janitorial services company which uses Huawei HiSilicon cannot sell NDAA-compliant Pelco cameras to the US Army base as these are not “high-volume, low risk” items
• On October 1, a veteran-owned integrator cannot sell canned goods to the US Navy base because the waiver will have expired by then

Exemptions for Certain Services/Equipment

The other exemption is for “backhaul, roaming, or interconnection arrangements” with a “third-party” along with telecom equipment that “cannot route or redirect user data traffic”:

During its recent webinar, GSA gave a few examples of such equipment/services, citing “cabling and copper wiring”, Ethernet cables, and an WiFi provider’s voice data package:

Internet wireless service provider providing customers voice data services for international calls. Electrical and communications, cabling and wiring copper Ethernet cables include terminations, I’m not sure if that’s helpful, but those are the answers that we’ve come up with for examples of equipment that cannot route or redirect user data traffic. [emphasis added]

Penalties for Breaking the NDAA Ban

As GSA has noted, if someone violates the NDAA, there is no specific enforcement mechanism, “it just follows the normal enforcement” for federal contracts:

There’s no additional enforcement that’s specific to Section 899 […] It just follows the normal enforcement for everything else under government contracts.

The government states that Section 889 violations are considered “breach of trust”, stating that “failure to submit an accurate representation to the Government constitutes a breach of contract that can lead to cancellation, termination, and financial consequences”:

The False Claims Act allows the federal government to fine contractors $11,665 to $23,331 for each false claim made.

DoD On Who Handles Violations

There are few explicit announcements yet on who handles violations, however the DoD stated in recent guidelines that if a “contracting officer” doubts a contractor is being honest in their representation, the officer shall “consult with the program office” and “legal counsel”:

Compliant NDAA Products

100% NDAA-Compliant

The following companies told IPVM that all their products are compliant. Note that past models are not necessarily compliant:

• Avigilon
• Axis Communications. (Axis’ discontinued Companion Line used HiSilicon chips)
• BCD International
• Clinton
• Commend
• FLIR
• iryx
• JCI/Tyco Security
• Mobotix
• Pelco
• Rhombus Systems
• Seek Thermal
• Solink
• WatchGuard

100% NDAA-Compliant for US-Listed Products

These companies said that US-listed products are compliant but that some products not intended for US sale are not compliant:

• Bosch is in the process of dropping Dahua and, in the US, is discontinuing all models made by Dahua. Outside the US, those products will continue to be sold, for now.

Mostly Compliant

• ACTi provided a list of NDAA-compliant products.
• Digital Watchdog (DW) has a statement listing compliant products. It is a long list but they did not clarify which products were not so this requires carefully reviewing the list to see if the specific model is or is not included.
• Hanwha provided a list of compliant products. Hanwha is dropping Huawei Hisilicon from its cameras, with most of its cameras already not using Hisilicon, instead using its own Wisenet chips and Ambarella.
• Lilin provided a list of compliant products; however, Lilin did not provide a list of what products were not NDAA compliant.
• March Networks directed IPVM to a statement on their site, and said their recently-launched the X-Series recorders are compliant. They report that the 8000 and 9000 series recorders are not compliant
• Verkada referred us to a statement including a list of compliant products. Verkada’s first product lines used Huawei Hisilicon.
• Vivotek passed along this statement listing their compliant products.

Minority Compliant

• Costar did not say if they are fully compliant, but provided a list of compliant products, available for download here.
• Honeywell referred us to a page discussing NDAA compliance, where a list of compliant products is available for download. Honeywell makes it hard for buyers because they do not make clear which Honeywell video surveillance products are not compliant. For example, the ‘Performance‘ and ‘equIP‘ series are made by Dahua and therefore are banned but not disclosed by Honeywell on their product pages. Also, Honeywell thermal cameras for body temp detection are OEM Hikvision products.
• IDIS gave IPVM a list of compliant products, and said they are working to make more products compliant
• Speco provided a list of compliant products, available for download here, and told IPVM it “is actively moving to exclude components from these banned companies”
• Sunell is releasing a new series of products that are NDAA complaint but existing products are generally not NDAA compliant given Huawei Hisilicon usage.
• Panasonic: While the company claims to be fully NDAA compliant, as least for its branded Panasonic models in the US, the company has now admitted that some of its cameras still being sold use Huawei Hisilicon chips but Panasonic refuses to publicly disclose which ones.
• Uniview overwhelmingly uses Huawei Hisilicon chips, though recently they have started to offer a small number of products that are NDAA conformant.
• Vicon referred IPVM to a page listing their NDAA-compliant products.

Finding If Your Cameras Use HiSilicon

IPVM has also published a guide on How To Find If Your Cameras Uses Huawei HiSilicon. This video shows how to locate the SoC:

IPVM also showed how to find HiSilicon SoCs in models where the SoC is less easy to find such as Uniview:

Future Updates

IPVM will continue to update this guide as new developments emerge and as questions are asked. Please comment below or email us at info@ipvm.com and we will update the guide.

Source: By Charles Rollet, Published Aug 24, 2020, 01:47pm EDT
https://ipvm.com/reports/ndaa-guide