NDAA-compliant alternative stack: Federal procurement and the Chinese surveillance restrictions.
Federal contractors, DoD primes and subs, and federally-funded research institutions face overlapping restrictions on Chinese surveillance equipment. The Atlas mapped through the Section 889, Section 1260H, and FCC Covered List compliance lens.
The federal procurement frame.
Federal contractors and federally-funded institutions operate under a distinct compliance regime around video surveillance equipment that does not apply to general commercial buyers. The Atlas treats ALPR vendors as a market; this document treats them as procurement subjects under the federal restrictions on Chinese surveillance equipment.
The audience for this document is narrower than the rest of the series. Three groups carry direct compliance obligations:
Federal contractors. Any entity that contracts with a federal executive agency is subject to Section 889 of the FY2019 NDAA, which prohibits not only procurement of covered equipment but also use of covered equipment anywhere in the contractor's operations, regardless of federal-contract connection.
DoD primes and subs. Defense contractors face an additional layer through Section 1260H of the FY2021 NDAA, which establishes the DoD Chinese Military Companies (CMC) List. The compliance deadline activates June 30, 2026 and restricts DoD contracting with listed entities, their affiliates, and contractors who engage lobbyists for CMCs.
Federally-funded research institutions and grant recipients. Federal funding terms typically flow down Section 889 requirements. Universities, hospitals, and research consortia receiving federal grant dollars are subject to the same prohibitions on covered equipment use that bind direct contractors.
The fourth audience, indirectly affected, is the broader commercial market. The FCC's Secure Equipment Act enforcement and the state-level mirror laws (Florida, Texas, others) increasingly extend Chinese surveillance restrictions beyond the strict federal frame.
Three restriction regimes.
Federal restrictions on Chinese surveillance equipment operate through three distinct regimes, each with different scope, enforcement mechanism, and compliance audience.
The broadest restriction. Two-part architecture: Part A prohibits federal agencies from procuring covered equipment; Part B prohibits federal contractors from using covered equipment anywhere in their operations.
Five covered entities: Huawei, ZTE, Hytera (telecommunications), Hikvision, Dahua (video surveillance), plus their subsidiaries and affiliates.
DoD-specific second layer. The Secretary of Defense publishes an annual list of Chinese Military Companies. As of January 2025, 134 entities listed including Hikvision, Dahua, and Huawei. Spans telecommunications, aerospace, semiconductors, AI, energy, and transportation sectors.
FY2025 NDAA Section 851 added prohibition on DoD contracting with companies that engage lobbyists for CMCs, even when lobbying is unrelated to the contract.
Market-access regime. FCC prohibits authorization of new telecommunications and video surveillance equipment produced by Hikvision, Dahua, Hytera, or their subsidiaries and affiliates. Restricts importation and sale, not just government procurement.
Hikvision USA, Inc. v. FCC (D.C. Cir. 2024) upheld Covered List placement but partially remanded the FCC's definition of "critical infrastructure"; FCC issued Second Further NPRM on December 4, 2025.
The three regimes overlap but are not identical. A federal contractor must comply with Section 889 (Regime 1). DoD primes and subs must comply with both Section 889 and Section 1260H (Regimes 1 and 2). Commercial buyers face the FCC market-access restrictions (Regime 3) even if they have no federal contracting relationship.
Section 889 in detail.
Section 889 is the central operational rule. Most ObscureIQ clients with federal contracting obligations encounter Section 889 first and most directly.
Part A: Federal Agency Procurement
Section 889(a)(1)(A) prohibits federal executive agencies from procuring, obtaining, or extending or renewing a contract to procure covered telecommunications equipment or services as a substantial or essential component of any system. Effective August 13, 2019. The rule operates through Federal Acquisition Regulation clauses 52.204-23 (representation) and 52.204-25 (prohibition).
Part B: Federal Contractor Use Anywhere
Section 889(a)(1)(B) is the operationally significant rule. It prohibits federal agencies from entering into, extending, or renewing a contract with any entity that uses covered equipment or services as a substantial or essential component of any system, anywhere in the entity's operations. Effective August 13, 2020. Operationalized through FAR clause 52.204-24 (representation).
The practical effect: a federal contractor with Hikvision or Dahua cameras anywhere in its operations — including private corporate facilities unrelated to federal contract work — is in violation. The "use anywhere" rule is what surprises institutional buyers most consistently. Discovery during the contracting representation process or during downstream audit can result in contract disqualification.
The Five Covered Entities
The two video surveillance entities, Hikvision and Dahua, are the most relevant for ALPR procurement. Together they account for a substantial share of the global low-cost commercial ALPR-capable camera market. They are both on Section 889, Section 1260H, the FCC Covered List, and (since 2024) the BIS Entity List under varying restrictions.
The OEM problem.
The single most common source of inadvertent Section 889 non-compliance is the OEM problem: equipment branded under non-Chinese names that contains Hikvision, Dahua, or Raysharp components or is manufactured at Hikvision or Dahua factories.
Multiple US-branded surveillance product lines are manufactured at Hikvision or Dahua factories, or use Raysharp (Chinese-owned, added to sanctions October 30, 2024) components. The branding does not indicate compliance status.
Lorex (Dahua OEM) · IC Realtime (Dahua OEM) · LTS (Hikvision OEM) · Honeywell legacy HQA series (Hikvision OEM, transitioned post-889) · Swann (Raysharp-powered) · GW Security (Raysharp) · Harbor Freight surveillance (Raysharp) · Various Western Digital Purple-paired DVR bundles
The practical implication: a federal contractor that purchases "American" cameras through a major distributor without verifying OEM lineage may have non-compliant equipment in their facility. The chipset-level risk extends further: HiSilicon (Huawei subsidiary) chipsets appear in surveillance equipment branded with no apparent Chinese connection.
The DC Circuit's partial remand in Hikvision USA, Inc. v. FCC (April 2, 2024) vacated the FCC's broad "critical infrastructure" definition but upheld the Covered List placement itself. The result has been that FCC enforcement intensified in late 2025, with major US retailers removing millions of listings for non-compliant equipment after FCC pressure in October 2025. The supply chain availability picture shifted significantly between late 2025 and early 2026; new procurement of OEM-laundered Hikvision and Dahua equipment is substantially more difficult to source through legitimate distribution channels heading into mid-2026.
The audit trail risk is the durable problem. Even if installation predates the Section 889 effective date, the "use anywhere" rule under Part B applies to current state, not historical procurement. A federal contractor with covered equipment installed in 2017 is still in violation as of any current contract representation.
Compliance timeline.
The federal restriction architecture has accumulated incrementally since 2018. The compliance timeline is worth memorializing because the question "what was effective when" matters for audit periods and historical-procurement assessments.
The Atlas through the NDAA lens.
The 45 vendors mapped in the Atlas, viewed through the federal procurement lens, are predominantly NDAA-clean at the named-vendor level. None of the five Section 889 covered entities appear in the Atlas as named ALPR platform vendors. The compliance risk in the Atlas ecosystem lives downstream of the vendor selection, in the hardware sourcing and OEM relationships that determine what actually gets installed.
The following matrix maps representative Atlas vendors to their federal compliance posture. The "NDAA Status" column reflects the named-vendor level; the "Hardware Risk" column flags where downstream OEM relationships introduce compliance risk regardless of vendor selection.
| VND | Vendor | Country / Parent | NDAA Status | Hardware Risk Notes |
|---|---|---|---|---|
| VND·001 | Flock Safety | US (Atlanta) | Clean | Designs and manufactures own integrated camera units. Hardware sourcing publicly positioned as NDAA-compliant. Federal contractor deployments require Flock-issued compliance attestation. |
| VND·002 | Vigilant Solutions | US (Motorola) | Clean | Platform layer is NDAA-clean. LE-agency-deployed fixed cameras and patrol-car integration. Camera hardware varies by deployment; agency sourcing decisions determine compliance. |
| VND·003 | DRN | US (Motorola) | Clean | Commercial database. Capture network sourcing through MVTRAC; recovery industry hardware varies. |
| VND·011 | Axon Fleet / Fusus | US (Scottsdale) | Clean | Public US company. LE-focused; NDAA-compliant by procurement design. |
| VND·014 | Avigilon | Canada (Motorola) | Clean | Explicitly positions hardware as NDAA-compliant. Frequently named alongside Axis and Hanwha as a clean alternative for federal procurement. |
| VND·022 | Sighthound | US (Florida) | Clean | Software/SDK vendor; runs on customer-deployed hardware. Compliance turns on the camera selection upstream. |
| VND·026 | Plate Recognizer | US / Canada | Verify deployment | SDK and SaaS vendor; runs on any camera. Federal contractors using Plate Recognizer must verify the underlying camera hardware compliance independently. The vendor itself is clean; the deployment may not be. |
| VND·029 | Motorola WatchGuard | US (Motorola) | Clean | Patrol-car 4RE in-car system. Motorola Solutions hardware. Clean at all layers. |
| VND·032 | Anyline | Austria (Vienna) | Clean | Mobile OCR SDK; runs on customer devices. Vendor is European; compliance turns on downstream device sourcing. |
| VND·040 | Genetec | Canada (Montréal) | Clean | VMS and ANPR platform; camera-agnostic. Compliance status determined by upstream camera selection. Genetec maintains explicit NDAA-compliant integration partners list. |
| VND·041 | Jenoptik | Germany | Clean | European photo enforcement vendor. NDAA-clean at the vendor level. Common in federal-funded municipal deployments. |
| VND·042 | Neology | Spain (SMARTRAC) | Clean | Tolling, RFID, ALPR. European parent; NDAA-clean at the vendor level. |
| VND·043 | Trellint | Canada (Constellation) | Clean | Modaxo / Constellation Software portfolio. Canadian parent; NDAA-clean. |
| VND·044 | Elovate | Canada (Constellation) | Clean | Same Constellation/Modaxo provenance as Trellint. |
| VND·045 | SAIC | US | Clean | Federal contractor itself. Operates US Land Border modernization. NDAA-clean by procurement design and contracting status. |
The patterns visible across the matrix: most named ALPR platform vendors are US-based, Canadian, or European, and clean at the vendor level. The compliance work for federal contractors lies downstream, in verifying the camera hardware that platform vendors deploy or that customers source independently. Vendors marketing themselves as "NDAA-compliant" typically maintain a documented allowed-hardware list; vendors that are camera-agnostic require customer due diligence on the camera layer.
Documented compliance failures.
The pattern across documented compliance failures: institutional buyers procured "American" branded equipment without verifying OEM lineage, leading to disqualifications, grant losses, and forced replacements at significant cost.
The structural lesson: Section 889 compliance is not a procurement-time decision; it is a continuing operational obligation. Equipment installed before the effective date is not grandfathered. The compliance clock runs to current state, not to acquisition state.
What this means.
For federal contractor CISOs and compliance officers. Section 889 compliance is an audit-everything obligation, not a procurement-only obligation. The "use anywhere" rule requires inventory across all corporate facilities, including those entirely unrelated to federal contract work. The OEM problem makes brand-name procurement insufficient; component-level due diligence is the only reliable verification path. Vendors that publish NDAA-compliance attestations covering both the platform and the underlying hardware are operationally preferable to vendors that disclaim hardware responsibility.
For DoD primes and subs. Section 1260H compliance preparation should be in progress now, ahead of the June 30, 2026 deadline. The CMC list expansion has been incremental; entities not currently listed may be added before the deadline. The Section 851 lobbyist-engagement prohibition (FY2025 NDAA) adds an indirect compliance vector that contractors with multiple federal lines of business should map carefully.
For federally-funded research institutions. Grant flow-down typically extends Section 889 to all institutional facilities receiving the federally-funded work, and sometimes to the entire institution. Universities and research consortia with federal funding should treat ALPR procurement as part of broader Chinese surveillance equipment compliance, parallel to the work many institutions have already done on Hikvision and Dahua cameras in security operations.
For institutional ALPR buyers without federal exposure. The federal frame does not directly bind general commercial buyers, but the FCC market-access restrictions are increasingly difficult to work around for new equipment procurement. Major retailers' late-2025 delistings have substantially reduced the available supply of OEM-laundered Chinese surveillance equipment. The practical effect is that commercial buyers entering the market in 2026 face many of the same procurement constraints as federal contractors, even without the direct regulatory obligation.
The implications carry to Document 08 (Defensive Doctrine), which addresses the full set of defensive moves available to institutions and individuals operating in the surveillance ecosystem documented across this series. NDAA compliance is one of several procurement-discipline workstreams that the doctrine document integrates into a unified operational framework.