
When defense contractors think about CMMC, they think about laptops, servers, firewalls, and email. CMMC security cameras rarely make the list, even though the cameras bolted to the ceiling of the shop floor are squarely part of the picture. That is a mistake, and it is one an assessor will catch.
Security cameras sit at the intersection of two CMMC problem areas: they are part of how you satisfy physical security requirements, and they are networked devices that can introduce risk into the very environment they are supposed to protect. Some of them are also flat-out illegal to use on a federal contract.
Let’s take those one at a time.
CMMC security cameras are in scope
CMMC Level 2 includes the Physical Protection (PE) family, pulled directly from NIST SP 800-171. You are required to limit physical access to systems handling CUI, escort and monitor visitors, maintain audit logs of physical access, and control physical access devices.
For most small manufacturers, video surveillance is a core piece of how those requirements get met. The camera covering the shop entrance is part of your visitor monitoring story. The camera over the server closet door supports your physical access control narrative.
Here is the implication that surprises people: if a camera system supports a CMMC requirement, it is a Security Protection Asset. SPAs are in scope for your assessment. That means your camera system needs to show up in your asset inventory, appear on your network diagram, be described in your SSP, and be managed under your configuration and patching practices. An assessor can ask how the NVR is hardened, who has access to the footage, and how long recordings are retained.
“We have cameras” is not a control. A documented, managed, in-scope surveillance system is.
The Section 889 problem
This is where camera projects go from compliance paperwork to contract risk.
FAR 52.204-25, implementing Section 889 of the 2019 NDAA, prohibits federal contractors from using video surveillance equipment from Hikvision, Dahua, and Hytera, along with telecom gear from Huawei and ZTE. This is not a CMMC control. It is a condition of holding the contract, and you certify compliance with it when you bid.
The catch is that Hikvision and Dahua are two of the largest camera OEMs on the planet, and a huge share of the budget camera market is their hardware sold under other brand names. Lorex, Amcrest, and dozens of white-label brands sold through Amazon, Costco, and low-cost security integrators have shipped rebadged Dahua or Hikvision hardware. The logo on the camera tells you almost nothing.
If you bought a camera system based on price, there is a real chance you are running banned equipment right now. Check the FCC ID on the device, research the actual OEM, and ask your integrator for documentation in writing. If you find covered equipment, plan its removal. Discovering it during an assessment, or worse, during a DOJ inquiry, is the expensive way to learn this.
The cameras themselves are an attack surface
IP cameras are computers. Cheap ones are badly maintained computers with a long public history of default credentials, unpatched firmware, and undocumented cloud connections back to servers you do not control. The Mirai botnet was built largely out of devices like these.
A camera sitting on the same flat network as the workstations processing CUI is a foothold waiting to be used. The fix is straightforward and assessors expect to see it:
- Segment them. Put cameras and the NVR on their own VLAN with firewall rules that block traffic into the CUI environment. The cameras need to talk to the recorder. They do not need to talk to your ERP server.
- Cut the internet access. Most camera deployments have no business reaching the internet at all. Block outbound traffic at the firewall and record locally. If remote viewing is a genuine requirement, do it through your VPN, not through a vendor’s cloud relay in a jurisdiction you cannot name.
- Manage them like assets. Change default credentials, update firmware on a schedule, and document the configuration baseline. The same hygiene you apply to a server applies here, scaled to the device.
- Mind what the cameras can see. A camera pointed at a workstation monitor or an engineering review area can capture CUI in the footage itself. Now your video archive is a CUI repository, and everything about its storage, access, and retention inherits those requirements. Camera placement is a scoping decision, not just a coverage decision.
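One way to check that the segmentation and outbound rules above actually hold is to audit firewall flow logs for traffic leaving the camera VLAN. The script below is an added example, not part of the original article; the subnets, the `src dst dport action` log format, and the sample records are all constructed assumptions to adapt to your own firewall export.

```python
import ipaddress

# Assumed addressing plan, constructed for this example
CAMERA_VLAN = ipaddress.ip_network("10.20.30.0/24")   # cameras + NVR
CUI_NET = ipaddress.ip_network("10.10.0.0/16")        # CUI environment
INTERNAL = ipaddress.ip_network("10.0.0.0/8")         # all site address space

# Constructed firewall flow records: "src dst dport action"
SAMPLE_FLOWS = """\
10.20.30.21 10.20.30.10 554 allow
10.20.30.22 10.10.4.15 445 allow
10.20.30.23 203.0.113.50 443 deny
10.20.30.10 198.51.100.9 443 allow
10.99.0.7 10.20.30.10 443 allow
10.20.30.24 10.10.4.15 445 deny
this line is malformed
"""

def classify(src, dst):
    """Label a flow that leaves the camera VLAN; None means not a concern here."""
    if src not in CAMERA_VLAN or dst in CAMERA_VLAN:
        return None                      # not camera-sourced, or camera-to-NVR
    if dst in CUI_NET:
        return "into-cui"                # cameras must not reach the CUI environment
    if dst not in INTERNAL:
        return "to-internet"             # cloud relay / phone-home path
    return "other-internal"              # leaves the VLAN; needs a documented reason

def audit(text):
    """Return (findings, skipped). Each finding: (src, dst, dport, label, status)."""
    findings, skipped = [], []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        try:
            src, dst = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
            dport, action = int(parts[2]), parts[3].lower()
        except (IndexError, ValueError):
            skipped.append(n)            # keep track of lines we could not parse
            continue
        label = classify(src, dst)
        if label:
            # "allow": the firewall let it through, so there is a rule gap to fix.
            # Anything else: the rule held, but the device is still trying.
            status = "RULE-GAP" if action == "allow" else "BLOCKED"
            findings.append((str(src), str(dst), dport, label, status))
    return findings, skipped

if __name__ == "__main__":
    found, bad = audit(SAMPLE_FLOWS)
    for f in found:
        print(*f)
    print("unparsed lines:", bad)
```

`RULE-GAP` rows are firewall rules to fix; `BLOCKED` rows show the control working and identify which devices are attempting connections they should not need, which is useful evidence for the SSP.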
What to do this quarter
If you hold or are pursuing DoD work, run this checklist:
- Inventory every camera, NVR, and DVR on your network, including the ones the previous owner installed and nobody thinks about.
- Identify the true OEM of each device and verify it is not Section 889 covered equipment.
- Add the surveillance system to your asset inventory and network diagram as a Security Protection Asset.
- Segment the camera network and restrict its traffic, especially outbound.
- Review camera placement against where CUI is visible.
- Document all of it in your SSP before your assessor asks.
Security cameras are a small line item that touches contract eligibility, physical protection controls, and network security all at once. Handled early, this is a weekend of work. Handled during an assessment window, it is a finding with a procurement problem attached.
PhasedLogix helps defense manufacturers in the St. Louis region scope, remediate, and document their environments ahead of CMMC assessment. If you are not sure what is actually running on your camera network, that is exactly the kind of question we answer.