Friday, December 7, 2018

Does Your Contract Contain the Clause at FAR 52.204-23 - the Kaspersky Prohibition?

FAR 52.204-23 is a relatively new contract clause that is appearing in a lot of contracts. It prohibits the Government from contracting for hardware, software, and services developed or provided by Kaspersky Lab and other covered entities. Covered entities include successor entities to Kaspersky Lab, entities that control, are controlled by, or are under common control with Kaspersky Lab, or another entity of which Kaspersky Lab has a majority ownership.

But whether or not the clause has been included in your contract, the prohibition applies, because it is based on statutory authority that became effective last October (October 1, 2018).

So what's wrong with Kaspersky anti-virus software? The Department of Homeland Security (DHS) is of the opinion that Kaspersky software presents an information security risk because of Kaspersky's Russian connections. A report out of the University of Illinois College of Law provides these thoughts:
  1. Russian law outlines a legal obligation by Kaspersky to assist Russian FSB (their Federal Security Service) in the execution of their duties including counterintelligence and intelligence activity.
  2. Russian law also permits FSB personnel to be embedded in private enterprises.
  3. Because Kaspersky qualifies as an organizer of the dissemination of information on the Internet, it is required to provide the FSB with metadata and is also required to provide Russian officials with decryption keys for its data transmissions.
  4. Under Russian law, Kaspersky is required to install equipment for the FSB to monitor data transmissions.
Those facts raise concerns that Kaspersky is too closely tied to the Russian Government and creates an unacceptable risk to the U.S. Government.

Back in September, we reported on these pages on a couple of articles stating that many contractors were unprepared for the October 1, 2018 deadline. In some cases, contractors are not even aware that Kaspersky is running on their networks because it came pre-installed with unrelated software. In other cases, contractors have attempted to remove Kaspersky but missed some instances because complete removal is more complicated than simply uninstalling the program. There is even a concern that some contractors don't believe the ban applies to them, when it most certainly does. It applies to subcontractors too.

In the event a contractor finds that it has violated this prohibition, it is required to notify the contracting officer within one day, along with its mitigation actions, and must submit a full report within 10 days. This is how seriously the Government is taking the prohibition.
