New federal contracting rule cuts off Kaspersky

Kaspersky headquarters in Moscow. (Photo credit: Tatiana Belova/Shutterstock)

The government is seeking to eliminate all traces of cybersecurity firm Kaspersky Labs from federal systems, issuing a new interim rule in the June 15 Federal Register to extend the governmentwide ban to contractors.

The rule, issued by the General Services Administration, the Department of Defense and the National Aeronautics and Space Administration, amends the Federal Acquisition Regulation to require that all contracts and solicitations finalized after July 16, 2018, include language prohibiting the presence of Kaspersky hardware, software and products.

The rule applies not just to federal contracts but also smaller "micro" purchases and the purchase of commercial off the shelf items, which are often exempt from many contracting regulations. The notice states that the interim rule was issued without prior opportunity for public comment due to "urgent and compelling reasons."

"While the law does not specifically address acquisitions of commercial items, including COTS items, there is an unacceptable level of risk for the Government in buying hardware, software, or services developed or provided in whole or in part by Kaspersky Lab," the notice reads. "This level of risk is not alleviated by the fact that the item being acquired has been sold or offered for sale to the general public…nor by the small size of the purchase."

The Department of Homeland Security and Congress both took steps last year to ban federal agencies from using of Kaspersky software and products. But it has always been less clear to what extent those restrictions might apply to contractors, and whether such prohibitions would extend only to government-supporting systems or throughout contractors' entire networks.

The new rule not only prohibits contractors from using Kaspersky products and services in federal systems, but they must also report discovery of such products and services discovered during the performance of contract work. The ban extends down to subcontractors.

Shortly after DHS issued its ban, Michael Duffy, branch chief for the DHS Office of Cybersecurity, told reporters that when it came to contractors, the department was referring to Circular A-130 guidance and indicated that it would be left up to individual agencies to manage their own risk in the contracting space.

"What we've tried to do is have agencies determine the risk themselves, versus us driving all that action," Duffy said.

However, Secretary of Homeland Security Kirstjen Nielsen told Congress in May that subsequent investigation revealed many contractors were not even aware they had Kaspersky software embedded on their systems. Nielsen said her department was exploring ways to allow for the suspension of contracts from vendors who relied on the company's code or products.

"It has to be that we can pause and turn off contracts the moment we have a concern," Nielsen said. "If someone's been hacked, if someone is vulnerable or someone is using software that we know will put us at risk."

The move is the latest blow to Kaspersky Labs, after a pair of lawsuits challenging the government ban were dismissed in U.S. court and the European Union passed a motion calling for a similar ban throughout its institutions, saying the company's products are "confirmed as malicious."

For its part, the company and its founder Eugene Kaspersky have consistently denied any involvement or assistance with Russian espionage. In an attempt to allay concerns about customer data flowing to Russian servers, the company has started a transparency initiative and announced it was opening up a new data center in Switzerland.

Kaspersky Labs is suspected of wittingly or unwittingly facilitating Russian espionage, but thus far virtually all the evidence demonstrating that threat -- such as the theft of classified files from an National Security Agency contractor's home computer -- have come from media reports. The federal government has declined to confirm or deny those reports. In court filings, government lawyers and DHS officials have claimed the potential threat alone posed by Kaspersky Labs software and hardware is enough to justify the ban on national security grounds.

That has led other cybersecurity vendors, such as Dragos CEO Robert M. Lee and Rendition Infosec founder Jake Williams, to call on the government to release more information about its case against the company. Earlier this week, former CIA Director Michael Hayden told CyberScoop that he hopes the government has "a case rather than a concern" against Kaspersky, because otherwise the move could lead to retaliation against U.S. products and companies.