What to Do If Your Business Is Running Hikvision or Dahua Cameras
Key Takeaways
NDAA Section 889 prohibits federal agencies and contractors from purchasing or using Hikvision, Dahua, Huawei, ZTE, and Hytera equipment in contract performance. This is a statutory requirement that extends to contractor facilities and infrastructure where federal work is performed.
The FCC finalized a rule in November 2022 prohibiting new equipment authorizations for both Hikvision and Dahua. No new products from either manufacturer can be authorized for sale in the United States. Products already installed are not being recalled, but the support and replacement pipeline is closed.
Private businesses without federal contracts are not currently prohibited from owning or operating this equipment. Three factors create practical pressure regardless: federal contract eligibility, cyber insurance underwriting scrutiny, and a closing firmware support window as the product lifecycle winds down.
Researchers have identified serious vulnerabilities in Hikvision and Dahua products including hardcoded credentials and remote access exploits. Cameras are network devices. A compromised camera is a potential entry point to everything else on the same network.
Start with an accurate inventory before committing to a replacement scope. Knowing exactly what you have, where it sits on the network, and how it connects to other systems determines both the urgency and the path forward.
Hikvision and Dahua built their market share on competitive pricing and capable hardware. For roughly a decade they were a default choice for commercial buildings, warehouses, schools, and government facilities. That position is changing, and the decisions organizations make now about these systems will have compliance, insurance, and operational consequences that are easier to address proactively than reactively.
This post covers what the restrictions actually are, who they directly apply to, what the technical risk looks like in practice, and what a reasonable response looks like for a private business that is currently running this equipment.
The Restrictions in Plain Terms
NDAA Section 889 is the foundational restriction. The National Defense Authorization Act for Fiscal Year 2019 prohibits federal agencies and their contractors from purchasing or using covered telecommunications and surveillance equipment from Hikvision, Dahua, Huawei, ZTE, and Hytera. This is a statutory requirement, not agency policy or discretionary guidance. Federal contractors cannot use covered equipment in the performance of a government contract, which extends to their facilities and physical infrastructure where contract work is conducted.
FCC Covered List and equipment authorization prohibition. The Federal Communications Commission placed both Hikvision and Dahua on its Covered List of entities that pose an unacceptable national security risk. In November 2022, the FCC finalized a rule prohibiting new equipment authorizations for these manufacturers. No new Hikvision or Dahua products can receive FCC authorization for sale in the United States. Equipment already in service is not subject to mandatory recall, but the pipeline for new hardware and authorized replacement units is closed. This has direct implications for organizations planning to expand or replace existing systems.
U.S. Department of Commerce Entity List. Hikvision was added in 2019, Dahua in 2021. This restricts their access to U.S. technology exports and adds a layer of regulatory scrutiny to organizations that maintain ongoing relationships with either company.
The government ownership concern. CETHIK Group, a Chinese state-owned enterprise, holds approximately 42 percent of Hikvision. Dahua has comparable government ownership ties. Both manufacturers were added to the Commerce Entity List following documented use of their equipment in state-sponsored surveillance programs targeting ethnic and religious minority populations, as cited by U.S. government officials and documented by independent researchers including IPVM. The national security concern is not abstract: equipment designed, manufactured, and deployed under state influence may carry capabilities or intentional vulnerabilities that create network exposure when connected to U.S. infrastructure.
What the Technical Risk Actually Looks Like
A security camera is a network device. It has an IP address, firmware, network credentials, and outbound communication capability. If it carries undisclosed access capabilities or unpatched vulnerabilities, it is a potential entry point into everything else on the same network: access control systems, servers, shared storage, and any other connected infrastructure.
Researchers at IPVM and academic institutions have identified serious vulnerabilities in Hikvision and Dahua products over an extended period, including hardcoded credentials that cannot be changed by the end user and remote code execution exploits that allow unauthenticated access. Both manufacturers have issued firmware patches in response to discovered vulnerabilities, but organizations that have not maintained firmware updates are running hardware with known exploitable exposures. The pattern of discovery and patching is itself informative about the underlying security architecture of these products.
With no new FCC authorizations being issued, the long-term firmware support trajectory for these products in the U.S. market is declining. As vulnerabilities are discovered and patches stop coming, the risk profile of these systems grows on a schedule that the organization cannot control.
For NYC commercial buildings that have invested in access control, alarm systems, and networking infrastructure on the same network segments as their surveillance cameras, the network exposure concern is not hypothetical. It reflects the documented behavior of these products when vulnerabilities are present and exploited.
Does This Apply to Private Businesses?
NDAA Section 889 directly governs federal agencies and contractors. Private companies with no government contracts are not currently prohibited from owning or operating Hikvision or Dahua equipment under existing federal law.
Three factors create practical pressure for private businesses regardless of contractor status.
Federal contract eligibility. If your organization holds federal contracts or plans to pursue them, non-compliant equipment at facilities where federal work is performed creates a real problem. Removing the equipment before pursuing contract work is significantly less disruptive than discovering a compliance conflict during the contracting process or after contract award.
Cyber insurance. Security underwriters are paying increased attention to equipment inventories during policy renewal and claims evaluation. Cameras from manufacturers on the FCC Covered List, with documented government-identified vulnerabilities, are a more difficult conversation after an incident than before one. Organizations that cannot demonstrate they have addressed known equipment risks are in a weaker position when claims involve those systems.
Product lifecycle. With no new FCC authorizations, the support infrastructure for these products in the U.S. market is winding down. Firmware updates will eventually stop. Replacement parts will become harder to source through compliant supply chains. Organizations that plan their migration during a normal budget cycle will spend less and experience less disruption than those who address it under urgency.
NDAA-Compliant Alternatives for NYC Commercial Buildings
Two manufacturers with consistent NDAA and TAA compliance documentation and strong federal procurement track records are Axis Communications and Avigilon.
Axis Communications cameras carry no prohibited manufacturer components, integrate with a wide range of VMS and access control platforms, and are used in federal installations including U.S. military and government facilities. Connextivity holds Axis Certified Professional credentials. The Axis-specific capabilities relevant to commercial NYC deployments are covered in detail in the Axis camera installation guide.
Avigilon, part of Motorola Solutions, is NDAA and TAA compliant and is the platform Connextivity recommends for deployments requiring AI-powered investigation tools including Appearance Search, on-premises architecture for classified or high-security environments, and unified integration with Avigilon access control and analytics platforms. Connextivity is a Certified Avigilon Partner. The Avigilon platform and its differentiation from generic cameras is covered in Avigilon vs generic IP cameras.
Both platforms are installed by Connextivity for federal clients and commercial properties across New York City, and both have documented federal procurement compliance that satisfies NDAA Section 889 requirements.
What to Do Now
Start with an accurate inventory. Before making any replacement decisions, establish exactly what you have: which devices are Hikvision or Dahua, where they sit on the network, how they connect to other systems, whether they share network segments with access control or IT infrastructure, and whether your organization's current or anticipated activities involve federal contracts. That baseline determines urgency and scope.
Assess network exposure of existing equipment. Hikvision and Dahua devices that are air-gapped or on fully isolated network segments carry different risk profiles than devices sharing network infrastructure with other business systems. If existing non-compliant cameras are internet-accessible or share segments with sensitive systems, prioritizing those locations for early replacement is appropriate.
Plan the migration around budget cycles, not urgency. For most private businesses without immediate federal contract pressure, a phased migration plan aligned to normal capital budget cycles is more cost-effective than emergency replacement. Identify the highest-risk locations first, develop a phased replacement plan, and execute it in a sequence that eliminates the most significant exposures earliest.
Verify replacement hardware compliance explicitly. NDAA compliance is a component-level requirement, not a brand-level one. Confirming that replacement hardware carries no prohibited manufacturer components at the chipset level, not just at the brand label, is part of the specification process.
A security assessment that includes a hardware compliance inventory before any replacement specification is the appropriate starting point for organizations that need documented compliance rather than assumed compliance.
FAQs
Is it currently illegal for a private business to use Hikvision or Dahua cameras?
Not under current federal law for organizations without government contracts. NDAA Section 889 directly prohibits federal agencies and contractors from using covered equipment in contract performance. Private companies with no federal contracting relationships are not currently subject to a mandatory prohibition. The practical factors creating pressure regardless of legal obligation are federal contract eligibility, cyber insurance underwriting exposure, and the declining support lifecycle of these products in the U.S. market.
Do I need to replace my existing Hikvision or Dahua cameras immediately?
No immediate federal mandate requires private businesses to remove existing equipment. The case for acting sooner rather than later is about managing risk on your timeline rather than someone else's: federal contracting eligibility, insurance position, and the support lifecycle window are all factors that become harder to manage under urgency than during planned budget cycles. Organizations with federal contract relationships or aspirations should treat this as a near-term priority rather than a deferred one.
What does NDAA-compliant camera hardware actually mean at the component level?
NDAA Section 889 covers equipment that uses covered components from the specified manufacturers, not just equipment that carries their brand name. A camera branded by a different manufacturer that uses Hikvision or Dahua imaging chips or processing components may still be covered under the restriction. Confirming NDAA compliance requires documentation at the component level, not just a brand-level assurance. Axis Communications and Avigilon both provide this documentation and have established federal procurement compliance track records that support it.
What is the FCC Covered List and what does it mean practically?
The FCC Covered List identifies companies that the FCC has determined pose an unacceptable national security risk. Equipment from companies on this list cannot receive new FCC equipment authorizations for sale in the United States. For Hikvision and Dahua, this means no new products from these manufacturers can be authorized for the U.S. market going forward. Equipment already installed is not subject to immediate recall, but the authorization closure means the replacement and support pipeline for these products is closed from the supply side.
How do I find out whether my building's cameras are Hikvision or Dahua?
A physical inventory of camera hardware combined with a network device scan is the most reliable approach. Camera housings typically carry manufacturer identification. Network management tools can identify devices by MAC address and manufacturer OUI. For buildings with cameras installed over multiple years by different contractors, the inventory process sometimes reveals hardware that building management did not know was present. Connextivity conducts hardware compliance inventories as part of security assessment scope for clients evaluating their NDAA exposure.
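The OUI lookup described in this answer, combined with the inventory and segment-exposure steps under "What to Do Now", can be sketched as follows. This is an added example, not Connextivity's tooling: the registry excerpt follows the IEEE oui.csv column layout but its Assignment values are constructed placeholders, and the device list and sensitive subnet are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed excerpt in the IEEE oui.csv column layout. The Assignment values
# are placeholders, not real registrations; load the current IEEE file in practice.
OUI_CSV = """Registry,Assignment,Organization Name,Organization Address
MA-L,AAAA01,"Hangzhou Hikvision Digital Technology Co.,Ltd.",placeholder
MA-L,AAAA02,"Zhejiang Dahua Technology Co., Ltd.",placeholder
MA-L,AAAA03,Example Access Control Inc.,placeholder
"""
# Constructed inventory (IP, MAC), e.g. exported from a switch or ARP table.
DEVICES = [
    ("10.20.0.11", "aa:aa:01:10:20:30"),
    ("10.20.0.12", "AA-AA-02-44-55-66"),
    ("10.20.0.50", "aa:aa:03:00:00:01"),
    ("10.99.0.21", "aaaa.0177.8899"),
    ("10.99.0.22", "aa:aa:ff:12:34:56"),
]
# Assumption: subnets holding access control or IT systems, supplied by the site.
SENSITIVE_SUBNETS = ["10.20.0.0/24"]
COVERED_NAMES = ("hikvision", "dahua")

def load_oui(text):
    """Map 6-hex-digit OUI prefix -> organization name."""
    return {row["Assignment"].upper(): row["Organization Name"]
            for row in csv.DictReader(io.StringIO(text))}

def oui_of(mac):
    """Normalize colon, dash or dotted MAC notation and return the OUI prefix."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF").upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return digits[:6]

def audit(devices, oui_text, sensitive):
    """Return covered-vendor devices, those on sensitive segments first."""
    table = load_oui(oui_text)
    nets = [ipaddress.ip_network(n) for n in sensitive]
    hits = []
    for ip, mac in devices:
        vendor = table.get(oui_of(mac), "unknown")
        if any(name in vendor.lower() for name in COVERED_NAMES):
            shared = any(ipaddress.ip_address(ip) in n for n in nets)
            hits.append({"ip": ip, "vendor": vendor, "shared_segment": shared})
    return sorted(hits, key=lambda h: not h["shared_segment"])

if __name__ == "__main__":
    print(*audit(DEVICES, OUI_CSV, SENSITIVE_SUBNETS), sep="\n")
```

An OUI match identifies only the registrant of the network interface, so a camera sold under another brand may not be caught this way; the physical inventory and component-level documentation cover that case.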
Conclusion
The Hikvision and Dahua restrictions are not pending legislation or speculative regulatory risk. NDAA Section 889 is in effect, FCC authorizations have been closed, and both manufacturers are on the Commerce Entity List. The documented cybersecurity vulnerabilities in these products are a matter of published research record. For private businesses, the timeline and urgency depend on the specific circumstances: federal contract status, insurance requirements, and risk tolerance for the network exposure these products carry.
What is consistent across all situations is that a planned migration executed during normal budget cycles costs less and creates less disruption than an emergency response to a contract conflict, an insurance claim, or a security incident where the compromised entry point was a camera on the banned list. The starting point is knowing what you have. Everything after that is more tractable with accurate information than without it.
Not sure whether your building's camera inventory includes Hikvision or Dahua hardware, or where those devices sit on your network?
Connextivity conducts hardware compliance inventories and camera system assessments for commercial properties across New York City, and installs NDAA-compliant replacement systems from certified manufacturer partners including Axis Communications and Avigilon. Contact us to schedule a compliance assessment.