Monday, June 18, 2018

Prohibition on Using Kaspersky Hardware/Software

Back in September of last year, the Department of Homeland Security (DHS) directed all civilian Government agencies to remove Kaspersky software from their systems within three months. The order did not apply to the Defense Department, but the Department has just issued an interim rule following suit.

So what's wrong with Kaspersky anti-virus software? There is concern among the "experts" that Kaspersky software presents an information security risk because of Kaspersky's Russian connections. A report out of the University of Illinois College of Law provides the evidence:

  1. Russian law outlines a legal obligation by Kaspersky to assist the Russian FSB (their Federal Security Service) in the execution of their duties, including counterintelligence and intelligence activity.
  2. Russian law also permits FSB personnel to be embedded in private enterprises.
  3. Because Kaspersky qualifies as an organizer of the dissemination of information on the Internet, it is required to provide the FSB with metadata and is also required to provide Russian officials with decryption keys for its data transmissions.
  4. Under Russian law, Kaspersky is required to install equipment for the FSB to monitor data transmissions.

Those facts raise concerns that Kaspersky is too closely tied to the Russian Government and creates an unacceptable risk to the U.S. Government.

Kaspersky is suing the U.S. Government to remove the restrictions already in place.

Under the new FAR interim rule, which is a result of the 2018 NDAA (National Defense Authorization Act), the restrictions go into effect on July 16th, 2018 and prohibit contractors from providing any hardware, software, or services developed or provided by Kaspersky Lab or its related entities, or using any such hardware, software, or services in the development of data or deliverables first produced in the performance of the contract.

Contractors must also report any such hardware, software, or services discovered during contract performance. This requirement also flows down to subcontractors.

Contractors should be aware of the implications of this prohibition. If, for example, a contractor is developing software for a Government program, the contractor may not do so with any Kaspersky software installed on their development platforms, even though such software is not integrated into the deliverable.

To read the full interim rule, click here.
