What is the NDAA Section 889 procurement checklist for camera surveillance?
The NDAA Section 889 procurement checklist for camera surveillance has 10 steps. (1) Request a signed FAR 52.204-25 representation from the bidder. (2) Demand a software bill of materials in SPDX format. (3) Receive a camera compatibility matrix flagged for 889 status per model and firmware. (4) Confirm refusal-of-onboarding logic at the firmware-signature level for prohibited brands. (5) Verify the vendor's subcontractor flow-down clause. (6) Pin storage and processing to AWS GovCloud or Azure Government. (7) Federate identity via PIV / CAC for federal operators. (8) Define audit-log retention and SIEM export. (9) Lock the contract terms to require attestation refresh on every platform change. (10) Run a 60-day pre-production audit before go-live. The bidder should ship the corresponding evidence at contract signing without further request.
The 10-step checklist
A federal or federally-funded buyer should run every video-surveillance bidder through this 10-step procurement checklist before contract signature.
1. FAR 52.204-25 representation — a signed vendor representation that the offered system, services, or covered telecommunications equipment do not use covered Chinese surveillance components.
2. SBOM in SPDX format — a software bill of materials covering the VMS control plane, edge appliance, AI inference layer, and bundled integrations. Refreshed at every release.
3. Camera compatibility matrix with 889 status — per-model, per-firmware listing flagged 889-safe or prohibited. Includes OEM rebrands and subsidiaries.
4. Refusal-of-onboarding logic — the VMS should refuse onboarding of prohibited MAC OUIs / firmware signatures even if the operator attempts it. Demonstrable in a test environment.
5. Subcontractor flow-down clause — the prime contractor flows the 889 obligation down to managed-service subcontractors, integrators, and OEM suppliers.
6. Cloud topology — for federal deployments, storage and processing pinned to AWS GovCloud (US-East / US-West) or Azure Government. DoD IL4 / IL5 considerations documented as an appendix.
7. Identity federation — PIV / CAC smart-card federation for federal operators. Just-in-time provisioning gated by the agency identity provider.
8. Audit-log retention and SIEM export — immutable per-event audit log with a defined retention window (typically 1-7 years depending on the agency). SIEM export to Splunk / Sentinel / Chronicle / QRadar.
9. Attestation refresh terms — contract language that requires the vendor to refresh the 889 attestation on every renewal and on every material platform change.
10. 60-day pre-production audit — a 60-day audit window before go-live where the agency or its integrator runs network sniffing, firmware-signature verification, and operator-workflow validation.
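An added example (not VMukti's code) of what the step-4 refusal-of-onboarding gate and the step-8 per-event audit log look like when demonstrated in a test environment: a camera is refused when its MAC OUI is on a prohibited list, when its model/firmware pair is missing from or flagged prohibited in the 889 matrix, or when the firmware image does not match the approved digest (a digest check stands in here for firmware-signature verification). Every OUI, model and digest below is a constructed placeholder, and each decision is written as one JSON line ready for SIEM export.

```python
import hashlib
import json
import re

# Constructed test data; no OUI, model or digest here is real. In production these
# come from the vendor's 889-flagged matrix (step 3) and the firmware-signing pipeline.
PROHIBITED_OUIS = {"aa:bb:01", "aa:bb:02"}
COMPAT_MATRIX = {  # (model, firmware) -> (889 status, sha256 of the approved image)
    ("CAM-100", "2.4.1"): ("889-safe", hashlib.sha256(b"cam100-2.4.1").hexdigest()),
    ("CAM-200", "1.0.9"): ("prohibited", hashlib.sha256(b"cam200-1.0.9").hexdigest()),
}
AUDIT_LOG = []  # append-only stand-in for the immutable per-event audit log (step 8)

def oui_of(mac):
    """Normalise a MAC address (any separator) and return its first three octets."""
    octets = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(octets) != 12:
        raise ValueError(f"malformed MAC: {mac}")
    return ":".join(octets[i:i + 2] for i in range(0, 6, 2))

def onboard_camera(mac, model, firmware, image):
    """Admission decision for one camera: returns (accepted, reason) and records
    the decision as an audit event whatever the outcome, so refusals are visible."""
    try:
        oui = oui_of(mac)
    except ValueError as e:
        return _decide(mac, model, firmware, False, str(e))
    if oui in PROHIBITED_OUIS:
        return _decide(mac, model, firmware, False, f"prohibited OUI {oui}")
    entry = COMPAT_MATRIX.get((model, firmware))
    if entry is None:
        return _decide(mac, model, firmware, False, "model/firmware not in 889 matrix")
    status, expected_digest = entry
    if status != "889-safe":
        return _decide(mac, model, firmware, False, f"matrix status {status}")
    if hashlib.sha256(image).hexdigest() != expected_digest:
        return _decide(mac, model, firmware, False, "firmware image digest mismatch")
    return _decide(mac, model, firmware, True, "admitted")

def _decide(mac, model, firmware, accepted, reason):
    event = {"event": "camera_onboarding", "mac": mac, "model": model,
             "firmware": firmware, "decision": "accept" if accepted else "refuse",
             "reason": reason}
    AUDIT_LOG.append(json.dumps(event, sort_keys=True))  # one JSON line per event
    return accepted, reason

if __name__ == "__main__":
    print(onboard_camera("00:11:22:33:44:55", "CAM-100", "2.4.1", b"cam100-2.4.1"))
    print(onboard_camera("AA-BB-01-00-00-01", "CAM-100", "2.4.1", b"cam100-2.4.1"))
```

The second call in the usage block is the operator-override case from step 4: the OUI check refuses the device before the matrix or firmware is consulted, and the refusal still lands in the audit log.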
What evidence ships at contract signing
A VMukti-grade response includes, at contract signing: the FAR 52.204-25 representation, the current SBOM, the 889-status-flagged camera matrix, the GovCloud / Azure Government landing-zone runbook, the PIV / CAC federation configuration, the audit-log retention policy, and the 10-step procurement runbook so the agency or integrator can reuse it across the deployment.
Companion whitepaper
The VMukti NDAA-Safe Reference Architecture whitepaper carries this checklist plus the seven-layer reference architecture, the AWS GovCloud / Azure Government topology, the FAR 52.204-25 attestation flow, and the integrator procurement runbook. Download the whitepaper from /resources/ndaa-safe-reference-architecture.
Last reviewed: 2026-05-28
