NDAA Section 889 Safe Reference Architecture
Federal-grade reference architecture, SBOM template, camera compatibility matrix, and FAR 52.204-25 attestation flow for U.S. federal, state, and critical-infrastructure deployments.
Companion to the human-readable NDAA-889 Compliant VMS landing. Read the landing for the summary; download the whitepaper for the full reference architecture, SBOM, and procurement runbook.
What's inside (readable summary)
The full whitepaper is a 24-page PDF. The summary below is indexable on this page so the reference is useful even before the download, and so search engines can ground their answers against the same source we cite to federal procurement teams.
1. What Section 889 actually restricts
Section 889 of the FY 2019 NDAA prohibits U.S. federal agencies, grantees, and loan recipients from procuring, obtaining, extending, or renewing any contract that uses covered video-surveillance or telecommunications equipment from Hikvision, Dahua, Hytera, Huawei, ZTE, or any of their affiliates, OEM rebrands, or subsidiaries — as a substantial or essential component or as critical technology. The whitepaper opens with the precise statutory language, the FAR 52.204-25 implementation, and the OMB guidance every federal customer cites in a procurement defence file.
2. The three-layer 889-safe architecture
A clean software supply chain, a camera layer that admits only non-prohibited brands, and a vendor attestation that survives FAR 52.204-25 scrutiny. The whitepaper walks the seven-layer reference: edge appliance (VMukti, Make-in-India, 889-safe), cameras (Axis, Hanwha, Bosch, i-PRO, Pelco, Mobotix, Honeywell, Motorola Avigilon, FLIR), network (Cisco, Juniper, Extreme Networks, HPE Aruba), storage (Edge NVR + GovCloud archive), cloud control plane (AWS GovCloud / Azure Government), identity (Okta, Microsoft Entra ID, Ping Identity), and AI inference (VMukti 26+ models with ArcisGPT).
3. Software bill of materials
A complete SBOM template covering the VMS control plane, edge appliance, AI inference layer, and bundled integrations. The whitepaper supplies the SPDX-format template VMukti ships at contract signing and the refresh cadence (renewal + material platform change) the federal customer can include in the contract terms.
4. FAR 52.204-25 attestation flow
A step-by-step attestation flow: who signs, what they sign, what evidence accompanies the signature, and how the integrator flows the obligation down to managed-service subcontractors. The flow is drawn from the procurement files of three federal-civilian and two state customers; redaction marks indicate where customer-specific text is filled in.
5. Cloud topology — GovCloud and Azure Government
Default landing-zone topology for AWS GovCloud (US-East and US-West) and Azure Government. Account structure, IAM federation, network egress controls, audit-log forwarding, key management, and the boundary diagram a federal AO will sign against. DoD IL4 / IL5 considerations are included as a separate appendix.
6. Procurement runbook
A 10-step procurement runbook for the federal-integrator partner: FAR 52.204-25 representation, SBOM delivery, camera compatibility matrix with 889 status, vendor attestation refresh, network-segmentation diagram, subcontractor flow-down, GovCloud / Azure Government deployment runbook, PIV/CAC identity federation, audit-log retention policy, and the incident-response runbook including 889 inventory revocation. The same checklist anchors the human-readable summary on /usa/ndaa-889-compliant-vms.
What ships with the download
- 24-page PDF reference architecture (this whitepaper)
- SPDX-format SBOM template
- Camera compatibility matrix flagged for 889 status
- FAR 52.204-25 representation template
- AWS GovCloud / Azure Government landing-zone runbook
- Subcontractor flow-down clause template
- Incident-response runbook including 889 inventory revocation
- 10-step procurement runbook for the integrator partner
Download the NDAA-Safe Reference Architecture
A 24-page federal-grade reference architecture, SBOM template, camera compatibility matrix, and FAR 52.204-25 attestation flow. Includes the 10-step integrator procurement runbook.