Must I replace foreign devices?
- dgriffin00
- Feb 10
Yes, CMMC (Cybersecurity Maturity Model Certification) requirements align with broader U.S. government regulations that restrict the use of certain foreign-manufactured devices, particularly those from China, such as Huawei phones and Hikvision routers. However, CMMC itself does not explicitly list prohibited manufacturers—it follows guidance from laws and policies such as:
1. Federal Acquisition Regulations (FAR) & Defense Federal Acquisition Regulation Supplement (DFARS)
DFARS 252.204-7012 requires compliance with NIST SP 800-171, which includes security controls affecting the use of foreign-made devices.
DFARS 252.204-7021 enforces CMMC 2.0 for defense contractors.
2. Section 889 of the 2019 National Defense Authorization Act (NDAA)
Bans U.S. government agencies and contractors from using telecom and security equipment from:
- Huawei
- ZTE
- Hikvision
- Dahua
- Hytera Communications
Contractors working with the Department of Defense (DoD) must certify that they do not use these banned devices, even for non-DoD work.
3. Supply Chain Risk Management (SCRM)
CMMC Level 2 and above require risk assessments for IT supply chains.
NIST SP 800-171 Control 3.11.1 states organizations must monitor and assess their supply chain for potential security risks, including hardware from high-risk sources.
4. Executive Orders & DoD Cybersecurity Policies
Various Executive Orders (EO 13873, EO 13984) restrict foreign-made equipment that poses national security risks.
The Secure and Trusted Communications Networks Act (2020) mandates replacing prohibited telecom equipment.
How This Affects Your Organization
If your company handles Controlled Unclassified Information (CUI) or works with DoD contracts, you should avoid using Huawei, Hikvision, and other banned equipment.
If you already have such devices, they must be removed to maintain CMMC compliance and avoid contract violations.