GAO finds uneven search methods hide China-linked equipment on agency networks

Section 899 of the fiscal year 2019 National Defense Authorization Act prohibits executive agencies from procuring telecom and video surveillance equipment produced or provided by certain People's Republic of China-linked companies or their subsidiaries and affiliates. A 2020 interim final rule from DOD, GSA, and NASA codified the prohibition. Five years into implementation, GAO's May 19 report examines whether six agencies (DHS, DOJ, State, Treasury, DOD, and DOE) can actually find what the rule forbids.

The headline result is that DOD and DOE found covered devices in both recent and prior searches. The other four agencies (DHS, DOJ, State, and Treasury) reported finding nothing across searches running from 2019 through August 2025, plus additional searches run in response to a September 2025 GAO request. That split deserves scrutiny before it gets treated as reassuring.

What the search methods actually catch

Only DOD conducted a physical search of its equipment. All six agencies ran IT hardware asset inventory searches and IT network scans; DHS, DOJ, and Treasury also ran procurement record searches. GAO lays out the ceiling on each approach plainly: network scans identify connected equipment but miss anything off-network, depend on sensor placement, and cannot see classified networks or intermittently connected devices like cell phones. Procurement records can surface equipment that never touched the IT network, but don't reliably show where devices are located. Physical searches find both connected and disconnected equipment, but are resource-intensive and time-consuming, which is why only one agency did one.

The practical result is that the four zero-finding agencies used narrower methods than DOD and still concluded they have nothing to report. That is a possible outcome. It is also the outcome you would expect if the search methods were too limited to find anything.

Structural limits that cut across all six agencies

GAO identified three additional challenges that apply regardless of search method: limited visibility into product supply chains, rebranding and resale of covered equipment by third-party companies, and the absence of a comprehensive, authoritative list of PRC-linked subsidiaries and affiliates. Each of these creates a class of covered equipment that no current search method reliably catches. A device manufactured by a covered entity's subsidiary, rebranded and sold through a domestic reseller, may not appear in a procurement record, may not be flagged by a network scan, and is only likely to surface in a physical search, which only DOD ran.

DOD, DOJ, and Treasury also reported that they still have covered equipment on their networks that is not connected to IT operations. Disconnected does not mean inert; video surveillance equipment in particular does not require IT-network connectivity to present a risk.

What the open question is

The report was requested by House Oversight Chairman James Comer and Rep. Ashley Hinson. GAO has not yet indicated whether it will recommend mandatory physical search standards for all agencies or treat the current mixed-method approach as adequate Section 899 compliance. That question matters: if physical searches are optional, the zero-finding result at four agencies is essentially unfalsifiable. Agencies conducting only network scans and procurement record checks cannot rule out covered equipment, they can only confirm they didn't find any using methods with known blind spots.

For agency security teams and assessors, the practical takeaway is that a clean Section 899 inventory search result is only as reliable as the most comprehensive method applied. If your agency hasn't run a physical search, the GAO report gives you a documented basis for why that gap matters.