October 1, 2018 Deadline for Government Contractors to Comply with the FAR Ban on Kaspersky Lab Products Nears
On October 1, 2018, U.S. government contractors will need to be compliant with the government-wide ban on the use of Kaspersky Lab products and services in support of their government contracts. An interim rule requiring the insertion of contract clause 52.204-23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities, was published on June 15, 2018. The interim rule amends the Federal Acquisition Regulation (FAR), which governs most executive agency procurement contracts.
Moscow-based Kaspersky Lab is a cybersecurity firm that created the popular antivirus software Kaspersky Antivirus. Major news outlets reported that the U.S. government believes the software was turned into an espionage tool by the Russian government. The Wall Street Journal reported a 2015 incident in which an NSA contractor’s home computer (running the Kaspersky antivirus) was used in espionage. Other major news media report that Russian intelligence agencies have leveraged the antivirus software to remotely access confidential information from computers where the software was installed. The interim FAR rule is currently the subject of a federal lawsuit filed by Kaspersky Lab claiming the rule is unconstitutional.
How Far Must the IT Department Go to Comply with the Ban?
Under the rule, contractors are prohibited from “using any such hardware, software, or services in the development of data or deliverables in the performance of the contract.”
The rule covers Kaspersky-branded products and services, as well as Kaspersky “related entities.”
This raises many questions amongst technologists, compliance officers, government contractors, and others: “What’s a related entity?” “How far do I have to go to identify what product or service vendors are related to Kaspersky?” “Do I have to remove products or services that use Kaspersky code?” “Can I remove the code and keep the product?”
For example, one product vendor, Check Point, states that its Software Gateway “uses some 3rd party code in several features. One of the 3rd party vendors is Kaspersky Lab.” A Check Point webpage provides instructions on how to remove the code.
Is this a compliant solution? In accordance with advice from those involved in the rulemaking process, part of that answer lies with the contracting officer. Of course, we will watch for clarifications on the embedded code issue from the rule-makers as well. Perhaps when the final rule is published, there will be more information to help businesses interpret and implement the ban.
The Kaspersky ban and the embedded code issue will have a broad impact on both the federal contracting community and the agencies themselves. The interim rule expressly flows down to subcontractors. This means that government contractors not only have to interpret the rule for themselves, but must also make decisions regarding their supply chains. The government is also tasked with removing Kaspersky products from its own systems. The NY Times reported that the Kaspersky software has been used widely in many federal agencies, but did not have a reliable statistic to report. The paper also reported that the software is used in many state government agencies – which, of course, the FAR ban does not address.
More to Come
The specific ban on Kaspersky products may be just the beginning. Under the 2019 National Defense Authorization Act (signed into law August 13, 2018), the White House now has stronger authority to block foreign investment based on national security concerns. Through new regulation, other foreign-made, foreign-developed, or foreign-owned products could be banned from use inside government, and beyond. Stay tuned.