NDAA Compliance Is No Longer an Elective
Unless your campus has upgraded your security cameras and associated hardware recently, chances are you aren’t NDAA-compliant.
A troubling uptick of violence and aggression is already putting pressure on school, university, and hospital security teams and campus police to improve their security posture. But not to be overlooked is the fact that their aging video surveillance systems could fast become a liability due to non-compliance with the National Defense Authorization Act (NDAA). The time is now for academic and healthcare facilities to focus on upgrading their video surveillance infrastructure to meet NDAA requirements and standards and better ensure a safe environment for students, patients, staff, and the wider community.
NDAA Fines, Liabilities, Federal Loans and Funding
U.S. schools, institutions of higher education, and hospitals undoubtedly view video surveillance as a vital part of their security operation, yet many are using aging equipment that is cumbersome and expensive to maintain. This means older cameras and recorders could be leaving them open to significant risks.
When it comes to video security, it’s now critical for campuses to find a solution stakeholders can trust. In order to deliver a high-performance solution while delivering the best value for stakeholders, it’s imperative that security planners find cameras and software that meet security and safety operational needs and requirements.
Campuses that already benefit from or are looking to seek federal funding, grants, and loans need to ensure their video solution is compliant with the John S. McCain National Defense Authorization (NDAA) Act. If not, and they are in receipt of any type of federal funding, they may face legal action, including fines and penalties. In addition, the use of non-compliant equipment could result in legal liability if a surveillance system is found to have contributed to a security breach or other incident. At best, educational institutions and healthcare facilities could be given a tight time frame to rapidly replace non-compliant equipment, which usually involves a complete system upgrade and impacts business continuity as well as learning for students.
What Is the NDAA?
For those not familiar with the need for NDAA compliance, in 2018, the NDAA Act was signed into law. Until recently, the primary function of the NDAA was to authorize which U.S. military programs receive funding appropriated by Congress through the budgeting process. But Section 889 of the FY 2019 NDAA went much further.
For the 2019 Fiscal Year, the NDAA banned U.S. government agencies from purchasing any surveillance products manufactured by Dahua and Hikvision. The ban not only included the “name brand” products from these companies but also all of their OEM brands… in essence, companies that outsourced their manufacturing to Dahua and Hikvision. Additionally, security integrators can’t sell surveillance equipment to government agencies or their contractors under these brands. The regulation also prohibits federal agencies or federal loan recipients from working with integrators and their subcontractors that market, sell, or install unlawful surveillance equipment.
What is Section 889 of the FY 2019 NDAA?
The Fiscal Year 2019 National Defense Authorization Act included a prohibition on federal agencies and federal grant recipients from procuring certain Chinese telecommunications and video surveillance equipment. The Section 889 restrictions went into effect on August 13, 2020, for federal grant recipients under a new section to 2 CFR contained in 2 CFR §200.216. The prohibited telecommunications equipment is telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of such entities). Additionally, video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities) that is used for the purpose of public safety, security of 16 government facilities, physical security surveillance of critical infrastructure, and other national security purposes is covered equipment under Section 889.
The regulation is far-reaching and encompasses both new contracts and renewing or extending existing ones. It also applies regardless of whether the contractors use the cameras for government contract work. Integrators are non-compliant even if they sell and install unlawful equipment in a local convenience store.
The Huawei prohibition was also significant because it also applied to Huawei’s subsidiary company, HiSilicon, a major manufacturer of video processing chipsets or Systems on a Chip (SoC) used in many older security cameras and recorders. SoCs are essentially the brain of security cameras or network video recorders that were used by most surveillance brands.
Got Old Equipment? You Probably Don’t Comply
Bottom line: Unless schools and colleges have upgraded their security cameras and other surveillance and associated hardware recently, chances are they aren’t NDAA-compliant.
There are several reasons for this. Some schools, colleges, and healthcare facilities use local installers or systems integrators that aren’t involved in corporate or large-scale federal projects. Instead, many work with business sectors outside of federal jurisdiction and with organizations that don’t receive associated funding. As a result, many integrators didn’t need to be overly concerned by the NDAA. Other integrators may not be aware that NDAA section 889 not only applies strictly to government facilities, but it also applies to any federally funded organization, and that often includes schools, universities and hospitals.
Also adding to the problem is that organizations with well-performing surveillance systems probably haven’t sought to upgrade and may not even be aware of the need to come into compliance. In addition, non-compliant equipment is often hard to spot, as the banned companies supply multiple vendors, and their components are in equipment that does not bear the banned brand names. In essence, the unlawful components or software code could be in all types of cameras and recorders, making it particularly hard for smaller organizations without significant security and IT resources to identify, isolate, and replace the equipment.
And while HiSilicon in China stopped making chipsets, many surveillance manufacturers stockpiled before the NDAA was signed into law, giving them time to re-engineer and transition their equipment to new chipsets. That means that even if facilities are using cameras that post-date the NDAA, this doesn’t guarantee compliance as many brands were still using older SoCs. For some time, many brands were not transparent about the manufacturing origin of all their product lines. Today, many low-end camera ranges are still made in countries with untrustworthy governments, some brands continue to use Hikvision and Dahua to manufacture their lower end equipment, while distributors and dealers may still hold older stock to maintain older systems.
Non-Compliance Comes at a Cost
Another compelling reason for schools, universities, and healthcare facilities to check the NDAA compliance of their surveillance systems is because security equipment that is unlawful is now covered by the Secure Equipment Act of 2021. This newer legislation prohibits the Federal Communications Commission (FCC) from reviewing or issuing new equipment authorizations for companies placed on its “Covered List” of organizations whose equipment is considered a threat to national security. This means if you’re using older cameras and recorders with HiSilicon chipsets or Hikvision and Dahua equipment and it fails, the harder it will be to find replacements or simple fixes, leading to downtime, gaps in security, and a difficult and more expensive maintenance burden.
The presence of insecure surveillance equipment across college campuses potentially impacts multiple stakeholders from chancellors and vice-chancellors to department heads as well as students. The damage from a breach is far-reaching: from lost learning causing frustration to both parents and students paying university fees to bad publicity and a loss of trust that can take educational institutions years to rebuild.
With many lesser-known colleges already struggling financially, the cost of non-compliance could be enough to put many out of business. Some colleges exist to serve disadvantaged students, so not only would a breach negatively impact national education, the ripple effect on coffee shops, restaurants, and local stores that rely on student and faculty patronage would have a devastating effect on local economies.
In terms of K-12 campuses, few parents across the U.S. would be comfortable that Chinese cameras meant to ensure the safety of their children could be used to gather information on their local school for malicious purposes. Worse yet is the threat posed by remote back doors, meaning that video streams could be accessed and watched by bad actors for nefarious purposes. Most K-12 schools are at the heart of towns across middle America, meaning a cyber breach or disruption to learning would have an impact on wider stakeholders and the local community including negative publicity.
Audit Your Security Technologies With a Trusted Integrator
The consequences of non-compliance with NDAA regulations for surveillance cameras and equipment can be significant. It is essential for campuses to take NDAA compliance seriously and ensure that their systems are secure, reliable, and in line with current regulations.
The best way to make sure that your surveillance equipment is NDAA-compliant is to conduct a thorough audit with an experienced security consultant or reputable security systems integrator that doesn’t market, sell, or install Huawei, Hikvision and Dahua. It’s important to find partners and manufacturers that listen to your needs and can deliver the best performing solution across your facilities while ensuring they meet their obligations and responsibilities under the NDAA law.
Jason Burrows is sales director for IDIS America.
If you appreciated this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!
Leading in Turbulent Times: Effective Campus Public Safety Leadership for the 21st Century
This new webcast will discuss how campus public safety leaders can effectively incorporate Clery Act, Title IX, customer service, “helicopter” parents, emergency notification, town-gown relationships, brand management, Greek Life, student recruitment, faculty, and more into their roles and develop the necessary skills to successfully lead their departments. Register today to attend this free webcast!