The federal government last Friday issued plans to modify contracting regulations to prohibit contractors from using cyber security software provided by a Russian company in support of federal programs.
The interim rule, issued by the Defense Department, General Services Administration, and NASA, “prohibits contractors from providing any hardware, software, or services developed or provided by Kaspersky Lab or its related entities, or using any such hardware, software, or services in the development of data or deliverables first produced in the performance of the contract,” the agencies say in a notice in the Feb. 15 issue of the Federal Register.
The interim rule implements Section 1634 of the fiscal year 2018 National Defense Authorization Act, which prohibits all departments and elements of the federal government from using hardware, software or any services provided by Kaspersky.
The new law applies to contracts awarded on or after Oct. 1. It also requires contractors to report on their use of Kaspersky products, including in their supply chains.
“The contractor must also report any such hardware, software, or services discovered during contract performance; this requirement flows down to subcontractors,” the interim rule says.
Last September, the Department of Homeland Security ordered federal civilian agencies to remove Kaspersky products from federal networks due to concerns about linkages between the software firm and cyber spying by Russia. U.S. officials in government and Congress are worried that Russia might have a back door into networks that used Kaspersky’s products.
Following the DHS directive, the DoD also directed the removal of Kaspersky products from its networks.
The new regulation applies to all contracts, regardless of value, as well as commercial-off-the-shelf (COTS) acquisitions.
“While the law does not specifically address acquisitions of commercial items, including COTS items, there is an unacceptable level of risk for the Government in buying hardware, software, or services developed or provided in whole or in part by Kaspersky Lab,” the interim rule states.