
Physical Security Compliance Guide: NDAA, SOC 2, HIPAA & GDPR (2026)

Team Rhombus | Rhombus Blog
by Team Rhombus, on June 17th, 2026

Quick Summary

  • NDAA Section 889 bars federal agencies and their contractors from buying or using surveillance gear from Hikvision, Dahua, Hytera, Huawei, ZTE, or any PRC-connected affiliate. The rule reaches every subcontract tier.
  • SOC 2 Type II is the buyer-relevant standard. Its Security criterion explicitly covers physical access controls and surveillance systems, so the report applies directly to cloud security vendors.
  • HIPAA governs healthcare facilities and their business associates, including camera vendors. GDPR governs any organization processing EU residents’ video, wherever it sits.
  • Cloud-managed platforms push automatic firmware updates, encrypt by default, and centralize audit logs. On-prem systems leave patching, encryption keys, and disaster recovery to your IT team.

Why Physical Security Compliance Matters in 2026

Your cameras and access control readers are network endpoints now. They transmit electronic protected health information (ePHI), employee credentials, and video footage to the cloud, which pulls physical security straight into the same audit scope as your servers and databases. A breached camera feed or an unpatched door controller carries the same regulatory weight as a leaked customer record.

Regulators have moved faster than most security programs. NDAA Section 889 completed its phase-in by August 2020, banning federal buyers from contracting with any entity using equipment from named Chinese vendors like Hikvision and Dahua (FAR 52.204-25). FedRAMP’s modernization effort is active in 2026, and GDPR enforcement reaches any organization handling EU residents’ data regardless of where the company sits.

This guide is written for the people who own that exposure. If you manage IT security, run a compliance function, or direct physical security at a mid-market or enterprise organization, you need to know which frameworks apply to your cameras and access control before an auditor or a contracting officer asks. The sections below define each framework in plain terms and give you a checklist for proving compliance.

Key Compliance Frameworks for Physical Security Systems

Five frameworks govern most physical security deployments in regulated environments. NDAA Section 889 dictates which camera and access control vendors you can buy. SOC 2 sets the bar for how a cloud security vendor handles your data. HIPAA, GDPR, and a set of industry rules layer on top depending on your sector and where you operate. The sections below define each one and give you a checklist you can run against any platform you evaluate.

NDAA Section 889: Banned Vendors and Federal Procurement Rules

The National Defense Authorization Act for Fiscal Year 2019 (NDAA) restricts federal purchases of certain Chinese-made surveillance and telecommunications gear through Section 889. The Federal Acquisition Regulation clause FAR 52.204-25 implements it in two phases. The first phase, effective August 13, 2019, barred agencies from buying equipment, systems, or services that use covered telecommunications gear as a substantial component or critical technology. The second phase, effective August 13, 2020, went further and barred agencies from contracting with any entity that uses covered equipment anywhere in its operations, even outside the federal contract.

The clause names five companies, along with their subsidiaries and affiliates. Huawei and ZTE are covered for telecommunications equipment. Hytera, Hangzhou Hikvision, and Dahua are covered for video surveillance and telecommunications equipment used for public safety, government facilities, and critical infrastructure security. The rule also reaches any entity the Secretary of Defense reasonably believes is owned by or connected to the government of the People’s Republic of China.

The obligation runs from the top down. Federal agencies cannot procure covered equipment. Prime contractors cannot supply it to the government, and the second-phase prohibition reaches their own internal use. Subcontractors at every tier are bound, so primes must insert the substance of FAR 52.204-25 into all subcontracts, including those for commercial products.

Run this checklist before you buy.

  • Confirm the supply chain for every camera and access control device against the five named vendors.
  • Insert FAR 52.204-25 into all subcontracts at each tier.
  • If you discover covered equipment during contract performance, notify the Contracting Officer within one business day with the supplier name, model, and any mitigation steps.
  • Submit further mitigation details within ten business days.

SOC 2 Type II: What It Audits and Why It Matters for Security Vendors

SOC 2, short for System and Organization Controls 2, is an auditing framework from the American Institute of Certified Public Accountants (AICPA) that evaluates how a service organization handles customer data. The audit covers five Trust Services Criteria. Those are security, availability, processing integrity, confidentiality, and privacy. Security is the only criterion required in every report, and it explicitly includes physical and environmental controls.

That requirement makes SOC 2 directly relevant to anyone buying cameras or access control. The Security criterion evaluates physical access controls to facilities, monitoring and surveillance systems, and environmental protections like fire suppression. A cloud-managed security vendor that stores your video and credentials sits squarely inside this scope.

You will see two report types, and the difference matters for buyers. Type I reviews whether controls are designed correctly at a single point in time. Type II observes whether those controls actually operate over a period of three to twelve months. A Type II report proves the vendor’s controls work in real conditions, not just on paper. Treat Type II as the standard you require and Type I as insufficient for a vendor holding your footage.

What to check in a vendor’s SOC 2 report

Ask for the full SOC 2 Type II report, not a logo or a one-line claim. Reports stay valid for twelve months and require annual renewal, so confirm the report date reflects the current audit period. A report older than a year may not describe the controls in place today.

Read the auditor’s opinion on control effectiveness and the management assertion to confirm it covers the services you actually use. Review any deficiencies the auditor noted during testing. A clean Type II opinion from a licensed CPA firm gives you defensible evidence for your own vendor risk reviews.

HIPAA Physical Safeguards: Requirements for Healthcare Facilities

HIPAA governs how healthcare organizations protect electronic protected health information, known as ePHI. The Security Rule at 45 CFR 164.310 applies to covered entities such as health plans, clearinghouses, and providers who transmit health data electronically. It also reaches business associates, which include vendors that handle ePHI on a provider’s behalf. The rule protects ePHI only, not paper records or verbal disclosures.

HIPAA does not hand you a fixed list of physical controls. The Security Rule is flexible, scalable, and technology neutral, so you select safeguards that fit your size, complexity, technical infrastructure, cost constraints, and risk profile. A 12-bed clinic and a 600-bed hospital both have to meet the standard, but the controls that count as reasonable and appropriate differ for each.

Your physical safeguard program starts with a documented risk analysis. Build the rest of the program from that foundation.

  • Conduct and document a risk analysis covering threats to ePHI confidentiality, integrity, and availability.
  • Implement facility access controls that limit who can enter spaces holding ePHI systems.
  • Enforce workstation security so unauthorized people cannot view or operate devices that touch ePHI.
  • Maintain device and media control records covering disposal, reuse, and movement of hardware.
  • Review access logs and audit records on a regular schedule to catch security incidents early.

Security camera and access control vendors that serve healthcare customers usually qualify as business associates. After the HITECH Act expanded the Security Rule, those vendors carry direct HIPAA liability rather than relying on the provider to shield them. Before you deploy a cloud-managed camera or door controller in a clinical environment, confirm the vendor signs a business associate agreement and can support the encryption, logging, and access controls your risk analysis requires.

GDPR: Video Surveillance Rules for EU Operations

The General Data Protection Regulation (GDPR) reaches any organization that processes the personal data of EU residents, regardless of where that organization sits. A US company running cameras in a London office or recording EU customers falls under it. GDPR treats identifiable video footage as personal data, so your surveillance system inherits the full set of processing obligations (gdpr.eu).

Five obligations shape how you deploy cameras. You need a lawful basis before recording, and most surveillance relies on legitimate interests rather than consent. You must minimize what you capture, limiting coverage to areas that justify monitoring. Retention has to be time-bound, with footage deleted once its purpose ends. Individuals hold a right to erasure, though that right narrows when footage also captures third parties. Large-scale systematic monitoring triggers a Data Protection Impact Assessment (DPIA) before deployment.

GDPR surveillance checklist

  • Document a lawful basis before any camera goes live, and record the legitimate interests assessment that supports it.
  • Post visible signage at every monitored entrance so people know they are recorded and who controls the footage.
  • Define a written retention policy and enforce automatic deletion when the window closes.
  • Complete and file a DPIA for any large or systematic deployment.
  • Map your cross-border transfer mechanism if footage leaves the EEA, such as Standard Contractual Clauses or an adequacy decision.

For the specific signage and retention detail that supervisory authorities expect, consult the European Data Protection Board Guidelines 3/2019 on processing personal data through video devices. Those guidelines set out the two-layer notice requirement and the reasoning authorities apply when judging retention periods. National regulators commonly point to short retention windows, so confirm the rule for each country where you operate.

Industry-Specific Regulations: FedRAMP, FERPA, and PCI DSS

Three frameworks govern physical security in specific sectors. Each treats your camera and access control vendor as part of the regulated system, not an exempt utility.

FedRAMP for federal deployments

FedRAMP, the Federal Risk and Authorization Management Program, sets the security baseline any cloud service must meet before a federal agency can use it. A cloud-managed camera or access platform handling federal data needs FedRAMP authorization, and that authorization is driven by the agency that sponsors it. The FedRAMP Marketplace lists 525 certified services as of mid-2026, alongside 28 services under the newer FedRAMP 20x track. The program is finalizing its Consolidated Rules for 2026 (CR26), expected to guide compliance through 2028.

FERPA for schools and universities

FERPA, the Family Educational Rights and Privacy Act, protects student records at any K-12 or postsecondary institution receiving federal funding. The Department of Education’s Student Privacy Policy Office maintains a dedicated FAQ on photos and videos under FERPA, which signals that surveillance footage in schools is a recognized compliance question rather than a gray area. A security vendor running a school’s cameras acts as a third-party data processor, and the SPPO publishes a separate guidance track for vendors. Before deploying, confirm how your vendor stores footage, who can access it, and whether that access maps to FERPA’s record-handling rules.

PCI DSS for payment environments

PCI DSS, the Payment Card Industry Data Security Standard, requires physical controls around systems that handle cardholder data. That means restricted access to server rooms and camera coverage of areas where payment data is processed or stored. The exact control language sits with the PCI Security Standards Council, so check its documentation for current requirements rather than relying on summaries. Match those requirements against your vendor’s access logging and retention features during evaluation.

Cloud-Managed vs. On-Premises Security: Compliance Comparison

The compliance gap between cloud-managed and on-premises physical security comes down to who handles the work and how much of it stays manual. The comparison below maps the controls that auditors examine most often.

  • Firmware patching. Cloud-managed: automatic push to every device. On-premises: manual per device, so 20 sites with 8 cameras each means 160 individual updates (Rhombus).
  • Encryption defaults. Cloud-managed: TLS 1.3 in transit and AES-256 at rest, applied without manual setup. On-premises: you define and maintain your own protocols and key infrastructure.
  • Audit logging. Cloud-managed: centralized dashboard with real-time monitoring and automated alerts. On-premises: separate logins per system slow investigations.
  • RBAC. Cloud-managed: native role-based permissions with enforced MFA across global teams. On-premises: localized rules in firewalls, configured by hand, with no central oversight.
  • Disaster recovery. Cloud-managed: geo-redundant replication across availability zones. On-premises: manual offsite tape or drive backups with long recovery times.
  • Vendor certifications. Cloud-managed: provider holds SOC 2 Type II, ISO 27001, FedRAMP, HIPAA/HITECH. On-premises: you certify the full stack yourself.
  • Incident reporting. Cloud-managed: one administrator monitors all sites from a single console. On-premises: remote troubleshooting is often impossible, and response stretches from hours to days.

Cloud platforms run on a shared responsibility model. The vendor secures the infrastructure, hardware, networking, and patching, while you manage access, configuration, and policy settings. That split matters because Gartner projects 99 percent of cloud security failures through 2025 trace back to the customer, usually misconfiguration or weak identity management. A platform with strong RBAC, enforced MFA, and encryption on by default removes the most common ways you create your own exposure.

What to Look for in a Compliance-Ready Physical Security Platform

Use this checklist when you evaluate any cloud-managed camera or access control vendor. Each item maps to a framework requirement you will have to satisfy during an audit, so treat a missing answer as a reason to keep looking.

SOC 2 Type II report available on request. A vendor that stores or transmits your video and credential data should hand you a current report covering a 3 to 12 month observation period. Check the report date. Anything older than 12 months may not reflect the controls running today.

NDAA and TAA-compliant hardware supply chain. Confirm that no camera or panel uses components from the five vendors named in FAR 52.204-25. Ask for written attestation, not a verbal assurance.

Automatic firmware updates with no manual patching. Manual updates across dozens of sites leave devices unpatched and out of compliance. A cloud platform should push firmware to every device without a site visit.

AES-256 at rest and TLS encryption in transit, on by default. You should not have to configure encryption or manage your own keys.

Role-based access control with enforced multi-factor authentication. Permissions should map to job function, and MFA should be mandatory across your whole team.

Centralized audit logs with export. One dashboard should record every user action and let you export logs for auditors.

Defined data retention controls. You set retention by location or camera and enforce it automatically.

Business associate agreement available. Healthcare buyers need a signed BAA before any vendor handles ePHI.

Documented incident response SLA. Get the response commitment in writing.
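The retention control above and the GDPR checklist's "enforce automatic deletion when the window closes" describe the same mechanism. The following is an added example, not Rhombus code and not part of the original post: it resolves a retention window per location with per-camera overrides, selects the clips whose window has closed, and emits an audit record for each deletion. The location names, camera names and day counts are constructed placeholders, not the legal limit for any country.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy: placeholder windows per site. Set each site's value from the
# rule you confirmed with that country's supervisory authority.
LOCATION_RETENTION_DAYS = {
    "berlin-office": 3,
    "paris-office": 30,
    "london-office": 31,
}
# Per-camera overrides, e.g. a shorter window for a camera covering a staff-only area.
CAMERA_RETENTION_DAYS = {
    "berlin-office/cam-lobby": 2,
}


@dataclass(frozen=True)
class Clip:
    clip_id: str
    location: str
    camera: str
    recorded_at: datetime  # timezone-aware UTC


def retention_days(location: str, camera: str) -> int:
    """Resolve the window: camera override first, then the location default."""
    key = f"{location}/{camera}"
    if key in CAMERA_RETENTION_DAYS:
        return CAMERA_RETENTION_DAYS[key]
    if location not in LOCATION_RETENTION_DAYS:
        # A site with no documented window is a policy gap; refuse to guess one.
        raise KeyError(f"no retention window documented for location {location!r}")
    return LOCATION_RETENTION_DAYS[location]


def expiry(clip: Clip) -> datetime:
    return clip.recorded_at + timedelta(days=retention_days(clip.location, clip.camera))


def clips_due_for_deletion(clips, now: datetime):
    """Return clips whose window has closed (oldest first) and one audit record each."""
    due = sorted((c for c in clips if expiry(c) <= now), key=lambda c: c.recorded_at)
    records = [
        {
            "clip_id": c.clip_id,
            "location": c.location,
            "camera": c.camera,
            "recorded_at": c.recorded_at.isoformat(),
            "retention_days": retention_days(c.location, c.camera),
            "deleted_at": now.isoformat(),
        }
        for c in due
    ]
    return due, records


# Constructed sample index, evaluated at a fixed reference time so results are reproducible.
NOW = datetime(2026, 6, 17, 9, 0, tzinfo=timezone.utc)
SAMPLE_CLIPS = [
    Clip("c1", "berlin-office", "cam-lobby", NOW - timedelta(days=2, hours=1)),     # past 2-day override
    Clip("c2", "berlin-office", "cam-entrance", NOW - timedelta(days=2, hours=1)),  # inside 3-day default
    Clip("c3", "paris-office", "cam-entrance", NOW - timedelta(days=31)),           # past 30-day window
    Clip("c4", "london-office", "cam-entrance", NOW - timedelta(days=31)),          # exactly at the boundary
]

if __name__ == "__main__":
    for record in clips_due_for_deletion(SAMPLE_CLIPS, NOW)[1]:
        print(record)
```

The records list is what you keep as evidence that deletion ran on schedule; the clip that is still inside its window (c2) is left alone.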

How Rhombus Meets Physical Security Compliance Requirements

Rhombus maps directly to each framework covered in this guide, and the platform’s design choices make audit evidence easier to produce. Here is how the platform addresses the requirements buyers ask about most often.

For SOC 2, Rhombus is SOC 2 Type II certified, with an annual independent audit completed in February 2026. A Type II report covers operating effectiveness over a multi-month observation period, which is the standard your security team should require from any cloud vendor. You can request the current report through the Rhombus trust center.

For NDAA Section 889, Rhombus cameras and access control hardware are built with NDAA and TAA-compliant supply chains. No covered telecommunications equipment from Huawei, ZTE, Hytera, Hikvision, or Dahua appears as a substantial or essential component. Federal contractors and agencies can deploy Rhombus without triggering the prohibitions under FAR 52.204-25.

For encryption and infrastructure, Rhombus runs on AWS and encrypts data at rest with AES-256 and in transit with TLS. These defaults satisfy the confidentiality controls SOC 2 auditors examine and the technical safeguards healthcare and EU deployments expect. You do not configure key infrastructure or maintain your own encryption stack.

For patching and audit evidence, Rhombus pushes automatic firmware updates to every device from the cloud. A facilities team running 20 locations no longer coordinates per-site visits to install a single patch. Centralized audit logging records who accessed which footage and when, and role-based access controls with MFA limit permissions by job function across global teams. Both produce the access records SOC 2, HIPAA, and GDPR reviewers ask to see.

For healthcare, Rhombus offers a business associate agreement (BAA) to covered entities and their partners. Post-HITECH, a security vendor handling ePHI is directly liable under HIPAA, so the BAA matters. See the healthcare deployment details for how facility access controls and device records support a documented risk analysis.

Rhombus has remained breach-free since founding. That record, combined with the certifications above, gives compliance officers a defensible answer when auditors and enterprise customers ask how physical security data stays protected.

Frequently Asked Questions

What cameras are banned under NDAA Section 889? Section 889 names video surveillance equipment from Hytera, Hangzhou Hikvision, and Dahua, along with telecommunications equipment from Huawei and ZTE. The ban also covers any subsidiary or affiliate of those companies. Equipment from any entity the Secretary of Defense links to the government of the People’s Republic of China falls under the same restriction (FAR 52.204-25).

Does NDAA apply to private companies? Yes, if the company contracts with the federal government. Under Section 889(a)(1)(B), the prohibition extends to a contractor’s own use of covered equipment, even outside work performed under a federal contract. Prime contractors must also flow the clause down to subcontractors at every tier.

What is the difference between SOC 2 Type I and Type II? Type I assesses whether controls are designed correctly at a single point in time. Type II tests whether those controls actually operate effectively over a period of three to twelve months. Buyers should require Type II because it proves controls work consistently in real conditions (A-LIGN).

Does HIPAA require security cameras? HIPAA does not mandate cameras specifically. The Security Rule requires reasonable and appropriate physical safeguards scaled to an organization’s size, complexity, and risk profile. Cameras and access controls are common ways healthcare facilities satisfy facility access control requirements after a documented risk analysis (HHS).

Does GDPR apply to US companies using cameras in EU offices? Yes. GDPR applies to any organization processing the personal data of EU residents, regardless of where the organization is based (GDPR.eu). A US company filming employees or visitors at an EU office needs a lawful basis, retention limits, and visible signage for those cameras.

What is FedRAMP and when is it required for physical security? FedRAMP, administered by the GSA, authorizes cloud services to handle federal data (FedRAMP). Any cloud-managed camera or access control platform deployed in a federal agency environment must hold FedRAMP authorization. The requirement is agency-driven and applies to cloud services that store or transmit federal data.

Start Building a Compliant Physical Security Program

Rhombus is a SOC 2 Type II certified platform with NDAA and TAA-compliant hardware, built on AWS infrastructure with AES-256 encryption. You can evaluate the supply chain, audit logging, and access controls against the checklist above before you commit. Request a demo to see how the platform maps to your compliance requirements.