You may have heard news recently that federal government agencies were directed to stop using products made by the computer security vendor Kaspersky Lab because of potential security risks from links between Kaspersky officials and the Russian government. The directive was issued by U.S. Department of Homeland Security ("DHS") Secretary Elaine Duke on Sept. 13, 2017.
Kaspersky products have broad access to files and elevated privileges on the computers on which they are installed. As a result, the DHS is concerned that the Russian government, alone or in collaboration with Kaspersky, could use access provided by the Kaspersky products to compromise federal systems and U.S. national security. The Sept. 13 directive gave federal agencies 90 days to stop using the products.
That same directive was issued to federal contractors who use classified information systems. On Sept. 28, 2017, the Defense Security Service ("DSS") issued a memo directing all federal contractor participants in the National Industrial Security Program ("NISP") who use classified information systems to immediately implement a process for removing all Kaspersky Lab software and hardware being used in those information systems.
Pursuant to the memo, federal contractors using classified information systems are being given a total of 90 days to have the products removed from their systems. The 90 days is divided into three distinct 30-day segments:
- 30 days to identify the presence of Kaspersky products in the classified information systems.
- 30 days to develop detailed plans to discontinue the use of those products and remove them from their systems.
- 30 days to implement those plans.
DSS explained that the directive is being implemented due to recent directives and orders issued by various federal government agencies. A copy of the DSS directive can be viewed here.