Last reviewed: 2026-05-12. Regulatory context (FAR clauses, IG findings) is monitored continuously; the briefing call surfaces any change since this date.
NDAA Section 889

An agency cannot enforce Section 889 on covered equipment it cannot see on its own network.

Section 889(a)(1)(A) prohibits federal procurement of covered telecommunications and video-surveillance equipment. Section 889(a)(1)(B) prohibits federal agencies from using such equipment, regardless of who procured it. The second clause is the harder one — enforcement requires continuous visibility into what is actually connected, including hardware the asset register does not list.

What Section 889 actually requires

Section 889 of the FY2019 NDAA names five entities of concern by reference: Huawei Technologies, ZTE Corporation, Hytera Communications, Hangzhou Hikvision Digital Technology, and Dahua Technology, along with their subsidiaries and affiliates. Coverage includes "any equipment, system, or service" that "uses" covered hardware as a "substantial or essential component." The prohibition is broad on purpose.

Subsection (a)(1)(A) restricts procurement — agencies and their contractors cannot buy covered gear with federal funds. Subsection (a)(1)(B) is the operational clause: federal agencies are prohibited from using covered hardware in agency networks, even if it was acquired through other channels (donations, contractor-provided equipment, building-systems integrations, shadow procurement, residual inventory from a renamed program, prior administrations).

Agencies have been subject to the (B) use prohibition since August 2020. The FAR clauses at 52.204-24, 52.204-25, and 52.204-26 require annual representations. Inspector General offices have audited (B) compliance in every cabinet department, and the recurring finding is the same: agencies have hardware on their networks they did not know was there.

The visibility problem

Why asset inventories miss covered hardware

Federal asset inventories are built from procurement records, CDM HWAM feeds, and manually maintained CMDBs. Each captures hardware the agency intentionally introduced. None captures hardware introduced through the side channels that compliance audits keep finding:

  • Building-systems integrations. HVAC, badge readers, building-management consoles, parking gates, and CCTV systems are frequently delivered by contractors as a turnkey rack — labels obscured, model numbers buried, supply chain unverified by the agency.
  • Conference room and AV refresh. Display and codec installations from earlier years routinely include cameras, microphones, and switching gear that were not vetted against the covered-entity list at the time of installation.
  • Contractor-provided field equipment. Devices brought to the agency LAN by a tenant agency, a contractor performing on a task order, or a field office that does not coordinate with central IT.
  • Lab and OT environments. Test equipment, sensor gateways, and protocol converters acquired outside the IT acquisition path. Often invisible to CDM HWAM by design.
  • Relabeled hardware. A small but documented pattern: covered hardware shipped under a different brand label by a downstream integrator. Spot-checks of physical inventory have surfaced these; routine inventory has not.

How CybrIQ supports 889 monitoring

Switch-side identification, library-matched

CybrIQ identifies every device connected to a managed switch by reading the signals the switch is already producing: link negotiation pattern, MAC OUI and identity descriptors, LLDP/CDP advertisements and TLV ordering, port statistics and counter behavior, and VLAN/topology context. These five inputs combine into a Layer-1 fingerprint (Device DNA™) that is matched against a 750-million-device reference library curated and updated by CybrIQ.

The reference library includes the covered-entity catalogs by OUI, by model family, and by signal-set similarity — so a relabeled Hikvision camera that presents to the switch the way a Hikvision camera presents will identify as a Hikvision camera regardless of the sticker on the chassis. The signal set is the truth source; the label is not.

Relabeling-resistant identification: a covered Hikvision IP camera is delivered to an agency with a sticker reading 'AcmeCorp 2300'. The asset register reflects the label and lists the vendor as not-on-covered-list. CybrIQ reads switch-side signals — link negotiation, MAC OUI matching the Hikvision range, LLDP TLV ordering consistent with Hikvision firmware, port-statistics matching a known camera class, VLAN context on the surveillance segment — and identifies the device as Hikvision, a covered entity under NDAA Section 889, regardless of the label.

When CybrIQ identifies a covered device, the alert payload includes the switch port, VLAN, MAC, identified vendor, identified model class, and the confidence score from the library match. This is the evidence an agency needs for an 889(a)(1)(B) finding and remediation cycle.
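The relabeled-camera scenario and the alert payload, as an added illustration that is not CybrIQ's code: the catalog OUIs, LLDP TLV orderings and port classes are constructed placeholders, not real vendor assignments, and the sticker label is recorded but never enters the score.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed catalog for illustration only: OUI prefixes, TLV orderings and
# port classes are placeholders, not real Hikvision or Dahua values.
COVERED_CATALOG = {
    "Hikvision": {"ouis": {"AA-BB-01", "AA-BB-02"},
                  "lldp_tlv_order": (1, 2, 3, 5, 7, 6, 0), "port_class": "ip-camera"},
    "Dahua":     {"ouis": {"AA-BB-10"},
                  "lldp_tlv_order": (1, 2, 3, 7, 5, 6, 0), "port_class": "ip-camera"},
}
WEIGHTS = {"oui": 0.5, "lldp": 0.3, "port_class": 0.2}   # assumed weighting

@dataclass
class SwitchObservation:
    switch: str
    port: str
    vlan: int
    mac: str
    lldp_tlv_order: tuple
    port_class: str   # derived from port-counter behaviour (assumed classifier output)
    label: str        # sticker / asset-register vendor; deliberately never scored

def oui(mac: str) -> str:
    """Normalise the first three octets of a MAC to the catalog's XX-XX-XX form."""
    return "-".join(mac.replace(":", "-").upper().split("-")[:3])

def match_score(obs: SwitchObservation, sig: dict) -> float:
    """Weighted agreement between the switch-side signal set and one catalog entry."""
    score = 0.0
    if oui(obs.mac) in sig["ouis"]:
        score += WEIGHTS["oui"]
    if obs.lldp_tlv_order == sig["lldp_tlv_order"]:
        score += WEIGHTS["lldp"]
    if obs.port_class == sig["port_class"]:
        score += WEIGHTS["port_class"]
    return round(score, 2)

def identify(obs: SwitchObservation, threshold: float = 0.7) -> Optional[dict]:
    """Return an 889(a)(1)(B) alert payload when the best catalog match clears the threshold."""
    vendor, score = max(((v, match_score(obs, s)) for v, s in COVERED_CATALOG.items()),
                        key=lambda vs: vs[1])
    if score < threshold:          # a single weak signal (e.g. camera-like counters) is not enough
        return None
    return {"switch": obs.switch, "port": obs.port, "vlan": obs.vlan, "mac": obs.mac,
            "identified_vendor": vendor, "model_class": COVERED_CATALOG[vendor]["port_class"],
            "confidence": score, "label_mismatch": obs.label != vendor,
            "finding": "NDAA Section 889(a)(1)(B) covered equipment in use"}

# Constructed observation: the relabeled camera from the scenario above.
RELABELED_CAMERA = SwitchObservation("core-sw-01", "Gi1/0/24", 310, "aa:bb:01:12:34:56",
                                     (1, 2, 3, 5, 7, 6, 0), "ip-camera", "AcmeCorp 2300")
```

Running `identify(RELABELED_CAMERA)` yields a Hikvision identification at confidence 1.0 with `label_mismatch` set, which is the discrepancy an asset register built from labels would never surface.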

What CybrIQ supports compliance with

  • FAR 52.204-25 and 52.204-26 — Detection of covered telecommunications equipment in agency-controlled environments.
  • NIST SP 800-53 Rev. 5 CM-8 — System Component Inventory completeness for covered-hardware identification.
  • NIST CSF 2.0 ID.AM-1, ID.AM-2 — Inventories of hardware and software managed and unmanaged by the organization.
  • NIST SP 800-161 Rev. 1 — Supply-chain risk management controls SR-3 and SR-11 (supply-chain monitoring).
  • OMB Memorandum M-23-13 — Information and communications technology supply-chain risk management.

Deployment posture for federal evaluators

What an 889 evaluator will ask

Federal evaluators read Section 889 against the deployment posture of any monitoring tool. The questions CybrIQ answers up front:

Customer-installed: RoomIQ and SpacesIQ are software the agency installs on agency hardware. No vendor appliance enters the agency network.
No covered hardware: The CybrIQ software stack does not depend on, embed, or recommend hardware from any covered entity. The reference library identifies covered hardware already on the agency's network; it does not introduce any.
Read-only switch access: SNMP read-only permissions only. No SNMP write. No SPAN, no mirror, no inline tap.
No traffic capture: CybrIQ does not inspect packets, headers, or payloads. Identification is from switch-side signals only.
Air-gap capable: Reference library updates can ship as signed offline packages for SCIF and air-gapped environments. The vendor-to-agency dependency is reduced to a signed file the agency moves into place.

Independent third-party assessment against the controls cited above is available on request under MNDA. The CybrIQ deployment shape has been used in environments accredited for FISMA Moderate. CybrIQ holds SOC 2 Type II, ISO/IEC 27001, ISO 27017, and ISO 27018 certifications; it does not hold FedRAMP authorization of any tier and is not listed on the FedRAMP Marketplace — see FedRAMP posture for the full position.

Forwardable

One-page Section 889 detection methodology brief — plain text, no email required, forwardable to your 889 program manager or IG liaison.


Schedule a Section 889 briefing

A 30-minute working session: we walk the (a)(1)(B) detection path against your environment, the FAR clauses you carry, and the IG audit history in your sector. No procurement commitment; no slideware.
