Leaning into NDAA Provisions
By Hamish Dobson, Senior Director of Product, Video Security & Analytics, Pelco
For video security integrators and providers, “compliance” has become a daunting word in the industry, specifically in the wake of the introduction of the 2020 National Defense Authorization Act (NDAA) — and more specifically, Section 889. Many have expressed confusion as to the scope of Section 889 of the NDAA, which is the U.S. federal law that imposes significant prohibitions on the procurement and use of technology from explicitly named Chinese telecom companies and their subsidiaries — pointedly not a country of origin or manufacturing location — including video surveillance products and components.
The law went into effect on Aug. 13, 2019, with an expansion exactly one year later to cover “contracting with” and include “critical technology,” and revisions to additional rulings ongoingly being assessed by the Department of Defense (DoD). Companies offering products and services as part of current or future federal government contracts are now required to evaluate whether the equipment or services being sold are “covered,” or part of this ban.
Businesses within the broader U.S. telecommunications or video surveillance supply chain have come to realize that the requirements for NDAA compliance will not significantly change in the near future. The onus is now on the agencies, end users and their technology partners operating in a wide-range of U.S. federal government sectors to ensure that equipment is not sourced from the banned entities “as a substantial or essential component of any system,” according to the John S. McCain defense law. For providers, regardless of whether or not products or services are inherently related to the federal contract, disclosure of the OEM throughout an entire portfolio will be required.
Consequently, it has become both business savvy and practical to be proactive and take responsibility for all products sold. To achieve compliance, video security companies that deploy these types of systems in the United States can form a comprehensive and measured strategy. Putting aside the concerns around the NDAA’s compliance rationale during initial planning, think about protecting future investments and avoiding the risk of a DoD audit. There is plenty of room for different interpretations of the law and which components are actually “essential,” but the consensus across the industry is to stay conservative and begin by performing a full compliance assessment.
Even if a provider is confident that they comply with the regulations, appraising inventory may unexpectedly reveal a relationship with a supplier that’s connected to the ban. And although there are only five banned vendors outlined in the current version of the NDAA, they have numerous affiliates that are not as easily identifiable, and their integrations of various essential components are widespread.
All in all, creating a thorough list with descriptions of specific use for every device, component and major equipment part will be helpful in guaranteeing customer transparency as well as, on the flipside, potentially beginning the process of replacement or a phase-out plan. Not only will this help establish procedures for analyzing compliance in the future and expectations from subcontractors, but it will also mitigate certification and legal roadblocks down the road.
Considerations for Existing Technology
When it comes to ameliorating compliance concerns between integrators and end users, especially with large-scale video security systems, a phase-out strategy can seem impossible to take on. Fortunately, at present, Section 889 of the NDAA does not require federal government agencies to convert video surveillance technology that’s already installed and fully integrated.
Nonetheless, because any future procurement or technology upgrades will need to comply with all final NDAA provisions, reviewing the sourcing of all products may eventually be the most cost-effective plan. The good news? More and more video technology providers are offering auditing services or can help institute an identify-and-replace plan for devices that may unknowingly be white-labeled — or even present the option to fully switch surveillance systems to more reliable and compliant technology.
Meet Requirements for Future Success
Unless all of the “substantial or essential components” of a video security provider’s technology portfolio are certified from OEMs separate from the procurement ban, NDAA compliance won’t be attained. But, what’s the ultimate drawback besides a sticky legal situation? The inability to incorporate a timely sales pitch and demonstrate enhanced cybersecurity as a whole. Organizations — both currently and non-actively pursuing federal contracts — are already seeking out partners that have total NDAA compliance; it has been added to their core checklists for future video security projects. So, perhaps the time has come to adopt the compliance mindset in an evolving market where data protection and system longevity is on the minds of all stakeholders.