One classified-adjacent program office. 11 prohibited components, blocked at the wire.

The setup

The customer is a major US defense contractor with multiple program offices spanning IC, DoD, and civilian-agency work. The program office in scope handled classified-adjacent work that placed the entire AV and conference-room infrastructure under NDAA Section 889 enforcement. A scheduled sustainment review by the contracting officer was due in three weeks. The compliance lead's concern: covered telecommunications equipment from prohibited vendors (Huawei, ZTE, Dahua, Hikvision, Hytera) might be present inside vendor-managed signage, conference cameras, or display systems labeled as a different brand. The paper trail cleared 889 — but paper trails do not see component-level supply chains.

Why CybrIQ

The contractor evaluated CybrIQ specifically for Layer 1 fingerprinting capability. NAC and EDR could not identify the underlying silicon when a device was relabeled or when prohibited components were embedded inside an otherwise compliant product. The criteria for the 889 enforcement use case were narrower than typical:

• Component-level identification. The platform had to fingerprint by electrical signature, not by device label or vendor descriptor.
• Auto-block on detection. Identified prohibited equipment had to be quarantined at the port without operator delay.
• Contracting-officer evidence shape. The artifact had to be one a DCMA auditor or contracting officer would take at face value.
• SCIF-adjacent deployment posture. The platform had to deploy without changes to the existing AV control configuration or risk to the secure-room sign-off.

The engagement

SpacesIQ deployed against the program office's AV and conference-room infrastructure. The platform was placed at the building's fabric, passive at the wire, with no agent on monitored endpoints and no changes to the existing switch configuration. The compliance lead and the program office's information-systems-security manager (ISSM) joined the daily review.

What the wire showed

• 11 covered components identified across the program office. Six were inside conference-room camera systems labeled as a US-vendor brand. Three were embedded in digital-signage controllers in the lobby and briefing-room hallways. Two were inside an executive videoconferencing kit that had cleared procurement under a different brand label.
• Auto-block fired on every component within 60 seconds of detection. Each prohibited device was quarantined at the switch port; the contracting officer's evidence pack documented the detection time, the Device DNA fingerprint that triggered the rule, and the action taken.
• Two replacement-cycle anomalies caught. A camera that had been swapped under RMA the previous quarter without paperwork update — and a signage player that had been installed by a vendor maintenance visit, also unlogged.
• Zero false positives in the first sweep. Every flagged component was confirmed prohibited under 889 by the ISSM during the daily review.

The outcome

The 889 sustainment review closed in five business days with no findings on covered telecommunications equipment. The contracting officer accepted CybrIQ's per-device evidence pack as the underlying artifact, dated and signed by the wire. The contractor expanded SpacesIQ to the remaining program offices over the next six months; ComplianceIQ now runs the 889 enforcement program continuously rather than at scheduled review intervals.

More case studies

• Fortune 500 healthcare system. 312 unmanaged devices found, 47 missing from the register, audit prep collapsed from six weeks to four days.
• Top-25 US bank. 846 devices reconciled across one trading floor, 73 missing from the register, SOX inventory-completeness finding closed.
• Federal defense contractor. 11 NDAA-prohibited components identified and auto-blocked at the wire ahead of a 889 sustainment review.