CybrIQ for government
Section 889(a)(1)(B) detection methodology
One-page technical brief — for forwarding internally

================================================================
PROBLEM
================================================================

NDAA Section 889(a)(1)(B) prohibits federal agencies from USING covered telecommunications and video-surveillance equipment from five named entities (Huawei, ZTE, Hytera, Hikvision, Dahua) and their subsidiaries — regardless of how the equipment got onto the network.

Asset-register-based detection is structurally incomplete:

- Procurement records reflect what the agency intentionally bought.
- CDM HWAM data reflects what endpoint-management tools can see.
- Building-systems integrators routinely deliver covered hardware as part of a turnkey rack the agency does not inspect individually.
- Relabeled covered hardware ships under a downstream-integrator brand. The chassis sticker says one vendor; the hardware presents to the network as another.

IG audits across cabinet departments have surfaced (a)(1)(B) findings that asset-based detection did not produce.
================================================================
APPROACH — LAYER-1 FINGERPRINT IDENTIFICATION
================================================================

CybrIQ identifies devices on managed switches by reading FIVE classes of switch-side signals the switch is already producing for its own operation:

1) Link negotiation pattern — speed, duplex, auto-neg behavior
2) MAC OUI + identity descriptors — vendor block + presented attributes
3) LLDP / CDP advertisements — TLV ordering, chassis-ID format, system descriptor signatures
4) Port statistics — counter behavior, frame-size distributions, link-flap history
5) VLAN and topology context — segment placement, neighbor relationships, BPDU patterns

These five inputs combine into a Layer-1 device fingerprint ("Device DNA(TM)") that is matched against a 750-million-device reference library curated and updated by CybrIQ.

The reference library catalogs the five covered entities by:

- OUI ranges
- Model-family signature patterns
- LLDP TLV ordering specific to vendor firmware
- Port-stat footprints characteristic of camera, radio, and networking-gear classes

Relabeled hardware identifies by its switch-side signal set, not by what the chassis claims. A Hikvision camera relabeled as "AcmeCorp 2300" presents to the switch the way a Hikvision camera presents — link negotiation, OUI block, LLDP signature, port-stat footprint. CybrIQ identifies it as Hikvision regardless of the sticker.

================================================================
DEPLOYMENT POSTURE
================================================================

- Customer-installed software. Two components (External Scan Engine and main instance), both on agency-controlled hardware. No vendor appliance enters the agency network.
- Read-only switch access via SNMP. SNMP v2c community or SNMPv3 user configured with read-only permissions. SNMP write is not used, granted, or required.
- No SPAN port. No mirror port. No inline tap. No packet inspection.
- No agents on endpoints, OT, lab gear, or third-party devices.
- ESE-to-main communication over SSL inside the agency network. No vendor cloud, vendor tunnel, or vendor phone-home in the path.
- Air-gap capable. Reference library updates ship as signed offline packages for SCIF and disconnected environments. The agency moves the package into the enclave through the existing approved-media process.
- The CybrIQ software stack does not depend on, embed, or recommend hardware from any covered entity. The reference library identifies covered hardware on agency networks; it does not introduce any.

================================================================
WHAT CYBRIQ SUPPORTS COMPLIANCE WITH
================================================================

- FAR 52.204-25, 52.204-24, 52.204-26
- NIST SP 800-53 Rev. 5: CM-8 family, SI-4, SR-3, SR-11
- NIST SP 800-161 Rev. 1: Supply-chain monitoring controls
- NIST CSF 2.0: ID.AM-1, ID.AM-2, DE.CM-7
- OMB Memorandum M-23-13: ICT supply-chain risk management

Independent third-party assessment against the controls above is available on request under MNDA.

================================================================
WHAT CYBRIQ DOES NOT DO
================================================================

- CybrIQ is not a NAC. The agency's NAC (Cisco ISE, Forescout, Aruba ClearPass, etc.) enforces access policy on the device CybrIQ identifies.
- CybrIQ is not a SIEM. Identity events feed the SIEM via syslog (RFC 5424) and REST. The SIEM correlates and stores.
- CybrIQ does not authorize a system, replace an ATO, or substitute for an agency's authorization process. It supplies the device-discovery evidence those activities require.
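To make the signal-over-sticker idea from the APPROACH section concrete, here is an added illustrative matcher (not CybrIQ's code; the reference entries, weights, OUIs and vendor names are constructed placeholders): it scores an observed port's switch-side signals against a small library, ignores what the label claims, and flags a confident match whose reference vendor disagrees with the label, which is the relabel case the brief describes and the kind of evidence the NAC or SIEM would receive.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signals:
    """Switch-side signals for one port, of the kind readable over read-only SNMP."""
    oui: str               # MAC vendor block, first three octets (from the switch's address tables)
    link: tuple            # (speed_mbps, duplex, autoneg) from the port's negotiation state
    lldp_tlv_order: tuple  # LLDP TLV type ids in the order the neighbor advertises them
    stat_class: str        # coarse port-statistics footprint: "camera", "radio" or "netgear"
    claimed_vendor: str    # what the chassis sticker / LLDP system descriptor claims


# Constructed reference library. OUIs, TLV orders and vendor names are
# placeholders for illustration, not real vendor data.
REFERENCE = {
    "CoveredVendorX camera": Signals("AA-BB-01", (100, "full", True),
                                     (1, 2, 3, 5, 6, 4, 8, 0), "camera", "CoveredVendorX"),
    "CoveredVendorY radio": Signals("AA-BB-02", (100, "half", False),
                                    (1, 2, 3, 4, 5, 6, 8, 0), "radio", "CoveredVendorY"),
    "ApprovedVendor switch": Signals("CC-DD-03", (1000, "full", True),
                                     (1, 2, 3, 4, 7, 8, 0), "netgear", "ApprovedVendor"),
}

# Relative weight of each signal class; the claimed vendor carries no weight at all.
WEIGHTS = {"oui": 0.35, "lldp_tlv_order": 0.30, "link": 0.15, "stat_class": 0.20}
MATCH_THRESHOLD = 0.70


def score(obs: Signals, ref: Signals) -> float:
    """Weighted agreement between an observed port and one reference entry."""
    return round(sum(w for k, w in WEIGHTS.items()
                     if getattr(obs, k) == getattr(ref, k)), 2)


def identify(obs: Signals) -> dict:
    """Return the best library match and whether the label disagrees with the signals."""
    name, best = max(((n, score(obs, r)) for n, r in REFERENCE.items()), key=lambda t: t[1])
    matched = best >= MATCH_THRESHOLD
    return {
        "identity": name if matched else None,
        "confidence": best,
        "claimed_vendor": obs.claimed_vendor,
        # A confident match whose reference vendor differs from the sticker is a relabel signal.
        "relabel_suspected": matched and REFERENCE[name].claimed_vendor != obs.claimed_vendor,
    }


if __name__ == "__main__":
    # Constructed observation: a relabeled camera whose signals match CoveredVendorX.
    relabeled = Signals("AA-BB-01", (100, "full", True), (1, 2, 3, 5, 6, 4, 8, 0),
                        "camera", "AcmeCorp 2300")
    print(identify(relabeled))
```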
================================================================
NEXT STEPS
================================================================

A 30-minute briefing call walks through (a)(1)(B) detection against the specific environment the agency operates: switch vendor mix, SCIF or air-gap requirements, integration with the agency's NAC and SIEM, and the FAR-clause representation context.

Briefing requests: contact_us@cybriq.io
Subject: "Section 889 briefing — [agency name]"

CybrIQ.io / cybriq.io/government / contact_us@cybriq.io