Why the 2019 National Defense Authorization Act may force you to rethink your video surveillance plans
The Act bans the purchase and use of video surveillance cameras manufactured in China over concerns of mass espionage and hacking
It might be time for your agency to install or upgrade one or more video surveillance cameras, either to start, expand or modernize your program, or to become compliant with the 2019 National Defense Authorization Act (NDAA).
If you are not familiar with the NDAA’s requisite legislation, it bans the purchase and use of video surveillance cameras or components manufactured by named Chinese companies over concerns of mass espionage and hacking.
While some may think that the ban is only on gear manufactured in China, this is not the case. NDAA Section 889,3, B doesn't cover the country of origin of video surveillance products or components, rather it calls out specific vendors, cameras and components that are expressly forbidden for use in U.S. government-related video surveillance deployments. This also includes equipment that may contain processing components (such as SoC – system on a chip) made by the same entities.
The act requires federal and military facilities, federal law enforcement and perhaps any law enforcement agency that received federal funds to immediately remove or have a plan to remove these cameras by August 13, 2020. This is going to cause significant challenges with compliance and overall capabilities. Local agencies should take note of the NDAA as well, especially if you interface with any federal agencies.
Because many cameras and other surveillance equipment are privately labeled, it is nearly impossible to tell if a specific device is banned without performing significant research on the overall supply chain that was used to source the major components used to manufacture it. How can you tell if you have banned technology in place and what do you need to do to become compliant with the NDAA?
Even if you are not required to be NDAA compliant now, it may make sense to purchase compliant gear to future-proof your agency in case additional restrictions on Chinese-made gear are introduced. If today’s budget won’t support 100% compliant gear, try to limit installation to locations where it would not be a burden if you need to disable non-compliant gear or rip and replace it sometime in the future.
If you intend to purchase compliant equipment, ensure that your bid process explicitly requires it and ask the vendor for a letter or certificate from the manufacturer stating that it is. Don’t be afraid to insert penalties into your contract if the equipment is later found out to be non-compliant. Penalties can include supplying replacement equipment, paying for removal and reinstallation, and any additional training required to use the new equipment.
The situation could be much more complicated if you already have equipment in place, especially if the vendor or installer is no longer in business. In this case, you may have to tear down and inspect the internals. This is because legacy systems may appear compliant but could contain banned components.
The two major manufacturers that are on the banned list are Hikvision and Dahua. Each one sells to dozens of OEMs, which then sell to hundreds of other companies. Here are two tables that list the OEMs for each manufacturer to help you determine who is behind the technology in your gear: https://ipvm.com/reports/hik-oems-dir and https://ipvm.com/reports/dahua-oem.
Just because a name is on the list doesn't mean your equipment is banned. Many manufacturers offer a range of products from budget-priced to military-grade. So, one line of gear may contain banned components while another line does not. If there is no way to determine whether or not your gear contains banned components, the safest approach is to assume that it does – and you may need to make plans to remove or replace it before the deadline.
Where to start
Internet searches are your friend when looking for compliant equipment because many manufacturers of compliant video surveillance gear will proudly have a statement that they only manufacture or sell compliant equipment. Any gear listed on a company’s GSA schedule, by definition, should be compliant.
Some websites may have a statement like, “XXX does not have manufacturing relationships (OEM, ODM or JDM) with the named vendors in the NDAA.” Others may have separate lists of equipment that is either compliant or is not compliant.
All things being equal you probably will notice that non-compliant gear is much less expensive than compliant gear, which is why you should know what your agency is allowed to use in what capacity. A statement that covers your compliance requirements should be part of your video surveillance policy.