NDAA Section 889 is one of the most significant supply chain security provisions enacted in federal contracting law. First enacted in the FY2019 National Defense Authorization Act, it prohibits federal agencies from procuring telecommunications and video surveillance equipment from specific Chinese technology companies — and in Phase 2, prohibits using federal contracts with any entity that uses such equipment anywhere in its operations.
For cloud service providers and technology contractors serving the federal government, Section 889 compliance has become a standard contract requirement that affects hardware procurement, network infrastructure, and supply chain verification obligations.
What Section 889 Prohibits
Section 889 contains two subsections with different scope and applicability:
Part A (889(a)(1)(A)) — Equipment Procurement
Federal agencies are prohibited from procuring telecommunications or video surveillance equipment or services substantially or essentially manufactured by:
- Huawei Technologies Company or subsidiaries
- ZTE Corporation or subsidiaries
- Hytera Communications Corporation or subsidiaries
- Hangzhou Hikvision Digital Technology Company or subsidiaries
- Dahua Technology Company or subsidiaries
This covers the equipment itself — routers, switches, cameras, video surveillance systems — made by or substantially incorporating components from these entities.
Part B (889(a)(1)(B)) — Using a Contractor That Uses the Equipment
Phase 2 of Section 889, effective August 2020, is broader: it prohibits the federal government from entering into a contract with any entity that uses covered telecommunications equipment or services in any part of its operations — not just in the performance of the federal contract.
This means a contractor that uses Hikvision IP cameras in their corporate headquarters, even for non-federal work, is technically prohibited from holding federal contracts under a strict reading of Part B.
Contractor representation: Offerors on federal contracts must represent their compliance with Section 889 Part B in their SAM.gov registration and in responses to FAR clause 52.204-24 and 52.204-26. These representations are made under penalty of False Claims Act liability.
Scope for Cloud Service Providers
For cloud-based federal systems, Section 889 has specific supply chain implications:
Network Equipment in Cloud Infrastructure
AWS, Azure, and GCP have publicly stated Section 889 compliance — they have reviewed their infrastructure equipment suppliers and represent that their cloud services do not include equipment from Section 889 prohibited companies.
However, contractors that build federal systems on top of these cloud providers must still:
- Verify the CSP's Section 889 representation is current
- Ensure any networking equipment added by the contractor (not provided by the CSP) is compliant
- Maintain documentation of this verification as contract performance evidence
Video Surveillance and Physical Security Systems
Section 889 Part A covers video surveillance equipment. This affects:
- IP cameras in contractor facilities performing federal work
- Physical access control systems with video components
- Conference room systems with camera capabilities (Zoom Room hardware, etc.)
Some commonly used video conferencing hardware has raised Section 889 questions — particularly devices with embedded cameras sourced from Hikvision or Dahua supply chains. Contractors performing facility security due diligence check their physical security vendors' supply chain declarations.
Reseller and VAR Channel Risk
The prohibited equipment often enters contractor supply chains not through direct purchase from Huawei or ZTE, but through resellers and value-added resellers who do not clearly disclose the equipment origin. Cables, small network appliances, and IoT devices are the most common vector.
Mitigation: Purchase network and communications equipment only from vendors who can provide documented Section 889 compliance representations. Establish a procurement checklist that includes Section 889 verification for any network, communications, or surveillance equipment acquisition.
FAR Clauses That Implement Section 889
Federal contracts that implement Section 889 use these FAR clauses:
FAR 52.204-24: Representation Regarding Certain Telecommunications and Video Surveillance Services or Equipment. Offerors must represent whether they provide, will provide, or will use covered telecommunications equipment.
FAR 52.204-25: Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment. The prohibition itself.
FAR 52.204-26: Covered Telecommunications Equipment or Services — Representation. Short representation that flows down to subcontractors.
Reporting requirement: If a contractor discovers covered equipment or services during contract performance, they must report it within one business day to the contracting officer and the SAM.gov database within two business days. This is the incident reporting requirement that makes ongoing supply chain monitoring important.
Practical Compliance Program for Technology Contractors
For technology companies performing federal contracts, a practical Section 889 compliance program includes:
1. Equipment inventory audit: Catalog all network, communications, and surveillance equipment in contractor facilities and cloud environments. Identify manufacturer and verify against the prohibited entity list.
2. Procurement controls: Establish a procurement checklist requiring vendor Section 889 representations for any equipment in scope. Purchasing should not approve network or surveillance equipment without documented supplier compliance.
3. SAM.gov representation maintenance: Annual review of SAM.gov registration to ensure Section 889 representations are current and accurate. Changes in equipment use require updated representations.
4. Subcontractor flow-down: FAR 52.204-26 requires flowing down the Section 889 requirement to subcontractors. Include Section 889 representations in subcontract agreements and verify subcontractor compliance before award.
5. Incident response procedure: Document a procedure for handling discovered prohibited equipment — who is notified, what the one-business-day reporting obligation requires, and how remediation is tracked.
Rutagon's Approach
Rutagon maintains active SAM.gov representations and verifies Section 889 compliance as part of procurement due diligence for equipment and services used in federal program delivery. Cloud infrastructure for federal work runs on Section 889-compliant CSPs with GovCloud authorization.
Rutagon Government Contracting and Compliance →
FISMA Impact Levels and ATO Architecture →
Frequently Asked Questions
Does Section 889 apply to commercial item contracts?
Yes, unless the contract includes a specific exception. FAR 52.204-25 (the prohibition clause) is required in contracts for commercial items with certain exceptions for micro-purchases and contracts at or below the Simplified Acquisition Threshold that don't involve the use of telecommunications. Above SAT, commercial item contracts include Section 889 requirements.
What happens if a contractor unknowingly uses Section 889 prohibited equipment?
A contractor that discovers prohibited equipment in their operations during contract performance must report it to the contracting officer within one business day of discovery and report to SAM.gov within two business days. Proactive disclosure and remediation are significantly better outcomes than discovery during an audit. False Claims Act exposure arises from knowingly making false Section 889 representations — discovered inadvertent violations that are promptly reported and remediated are treated differently than deliberate misrepresentation.
Are there any Section 889 exceptions or waivers?
Agencies may grant exceptions under FAR 4.2104 for "covered telecommunications equipment or services that cannot be replaced due to critical service impacts, national security, or other compelling reasons." Waivers must be submitted to the agency head. In practice, waivers are rarely granted — they require significant justification and senior approval. The better path is remediation (replacing prohibited equipment) rather than pursuing a waiver.
How does Section 889 interact with CMMC?
Section 889 is a separate compliance requirement from CMMC. CMMC focuses on the protection of CUI through cybersecurity practices; Section 889 focuses on prohibiting specific supply chain vendors. Both apply simultaneously to contracts for DoD work involving CUI. A contractor can be CMMC Level 2 certified while having a Section 889 issue, and vice versa — they address different risk dimensions.
Where can I verify if specific equipment is compliant with Section 889?
There is no official government whitelist of "approved" equipment. Compliance is verified through supplier declarations, manufacturer attestations, and review of the prohibited entity list in FAR 4.2101. For major network equipment purchases, ask the vendor for a written Section 889 compliance representation. For cloud services, review the CSP's FedRAMP package and public Section 889 compliance statement. The Cybersecurity Infrastructure Security Agency (CISA) at cisa.gov publishes supply chain risk guidance that includes covered entity tracking.