Businesses and independent contractors working in all modern industries must comply with various federal, state and industry-specific regulations. Failure to do so can lead to fines, reputational damage, loss of important contracts and, in some cases, criminal prosecution.
For businesses that hold contracts to work with or for government agencies, additional rules and regulations apply to their operations. These businesses must demonstrate that the tools, technologies and services they use do not represent a threat to national security.
The National Defense Authorization Act (NDAA) is the primary bill used to determine whether a business is fit to share operations with government agencies. To help businesses maintain compliance with these regulations, below is a guide to understanding NDAA law.
What is the National Defense Authorization Act (NDAA)?
The National Defense Authorization Act is a bipartisan agreement that sets funding levels and outlines security priorities for the US military and related federal agencies. For the last 60 years, the NDAA has been debated in Congress and adjusted annually to address key technological, socio-economic and geopolitical changes that could impact national security.
Rather than an outright spending bill, the NDAA can be viewed more broadly as a document that outlines the policies, technologies and operations government agencies are permitted to spend funding on. While the NDAA primarily applies to internal government agencies such as the Department of Defense, the Department of Energy and the FBI, NDAA rules apply equally to private businesses and professionals who hold contracts to work with government agencies.
What does the NDAA cover?
The NDAA covers many aspects of government spending and provides guidance regarding compensation for government employees. Among sections covering pay rates, funding for aid initiatives and budget restrictions for specific departments, the NDAA contains a list of companies and technologies government agencies are authorized to work with and utilize.
This latter section is of particular importance to private organizations that hold contracts to work with government agencies. In accordance with NDAA regulations, these private sector entities must be audited to ensure that no unauthorized or potentially compromised technologies are currently in operation, or planned for use, during the length of a government contract.
Equipment banned under the NDAA
Several types of telecommunications and surveillance equipment are banned under rules in the NDAA. Specifically, equipment produced by, or containing components associated with, a select number of manufacturers is banned due to concerns regarding foreign espionage.
As described in the Fiscal Year 2024 NDAA, equipment and technologies developed by the following companies cannot be utilized by government agencies or government contractors:
- ZTE Corporation
- Huawei Technologies Company
- Hangzhou Hikvision Digital Technology Company
- Dahua Technology Company
- Hytera Communications Corporation
Equipment and services manufactured or delivered by subsidiaries and affiliates of these companies are also banned under the NDAA. In addition, these same rules apply to any entities designated by the US Secretary of Defense as being “owned or controlled by, or otherwise connected to, the government of a covered foreign country”.
Understanding the NDAA process
As the regulations outlined in the NDAA are directly related to current world events, the US government is required to review and update the act on a regular basis. Since the bill was first passed in 1961, the NDAA has been updated and agreed upon by Congress annually.
The process of reviewing and updating the NDAA begins in February of each year. At this time, the White House sends a proposed federal budget to Congress spanning the coming fiscal year. Several committee sessions are then held between the House and the Senate with the intention of deciding upon a mutually agreeable draft of the NDAA bill for that year.
Committee members act on guidance provided by government agencies regarding world events and developments that may impact national security. Intelligence from such agencies is factored into decisions concerning banned companies, technologies and contractors.
Once the draft has been approved, it is turned into a House bill and put to a vote. Any differences between the House and Senate versions of the NDAA must be reconciled before a final draft can be produced. The bill can then be passed by both the House and the Senate before being forwarded to the US President to be signed into law.
How to maintain NDAA compliance
All private businesses and professionals contracted to work with or for government agencies will need to prove their operations are compliant with NDAA regulations. Business owners must review all surveillance, telecommunications and cybersecurity technologies throughout their organizations to ensure no compromised components or services are present or in use.
To aid business owners in this process, the NDAA contains a list of compliant manufacturers known to produce safe devices and components. NDAA-compliant cameras, communication systems, access solutions and cybersecurity tools are produced by the following companies:
- Avigilon
- Pelco
- Axis Communications
- ACTi Corporation
- Bosch
- Hanwha Techwin America
- Digital Watchdog
Provided a business can prove that no banned equipment is in use, and can provide evidence that all installed surveillance, telecommunications and cybersecurity technologies are produced by safe manufacturers, the organization can ensure compliance with current NDAA regulations.
However, audits will need to be conducted on at least an annual basis to ensure that no changes to the NDAA cause a breach of compliance. Should such a breach occur, consequences can include the loss of government contracts, financial penalties and significant criminal charges.
Hiring a DevOps engineer is essential for companies dealing with federal agencies. In addition to guaranteeing NDAA compliance, a DevOps engineer is an expert in integrating IT operations and software development, optimizing workflows, and boosting the security and effectiveness of technological infrastructure.
Summary
To ensure government funding is spent wisely, and to protect government agencies against threats posed by foreign agitators, each year Congress passes a revised version of the National Defense Authorization Act. While the primary purpose of the NDAA is to define how and where funding for federal entities will be spent, the NDAA also serves security purposes.
All private businesses and professionals wishing to secure government contracts must make sure their operations comply with NDAA regulations. Specifically, these entities must review all existing and proposed surveillance, telecommunications and cybersecurity technologies to ensure no equipment or components have been produced by banned foreign companies.
Businesses must review their systems to ensure all equipment is produced by manufacturers listed as safe in the current NDAA, with audits performed at least annually. Failure to do so can lead to the loss of contracts, financial penalties, reputational harm and criminal charges.