National Association of Government Contractors

Sanctions Considered for Contractors Using Kaspersky

Secretary of Homeland Security Kirstjen Nielsen told lawmakers during a Senate Appropriations Committee hearing that the Department of Homeland Security is looking to extend a ban on Kaspersky Lab products to federal contractors and third-party providers, even considering the possibility of punishment for noncompliant companies.
Kaspersky Lab, a cybersecurity company, has faced scrutiny over accusations that the company is controlled by the Russian government and that its software could be used to spy on Americans.
Nielsen was questioned by Sen. Jeanne Shaheen (D-N.H.), who has been one of the leading proponents of removing all Kaspersky products from federal networks. Shaheen stated that DHS had recently confirmed that all federal agencies were in compliance with Binding Operational Directive 17-01, which instructed all agencies to put plans in place to identify and remove the company's software from their networks.
However, the directive did not state whether federal contractors were also covered under the BOD, and when the National Defense Authorization Act of 2018 codified the Kaspersky ban into law, lawmakers included language specifying that anyone doing business on behalf of the federal government also adhere to the directive.
Nielsen told Shaheen that the department was looking at the issue from a supply chain perspective and found that some companies had Kaspersky software on their systems without even knowing it.
"It's very important for us to understand not only who our contractors are contracting with but when they provide a service or software, what's embedded there within," said Nielsen. "So, we've done a lot of assessment and modeling to understand where it can be found. Unfortunately for many of the third-party providers, they weren't even aware they had Kaspersky on their systems and within their products."
Nielsen floated the possibility of imposing "consequences" for noncompliant contractors.
"It has to be that we can pause and turn off contracts the moment we have a concern. If someone's been hacked, if someone is vulnerable or someone is using software that we know will put us at risk," said Nielsen.
What form those consequences take and what authorities DHS would leverage to punish contractors is not clear. The Cybersecurity Act of 2015 gives the department the power to issue binding directives to federal agencies, but Jeanette Manfra, Assistant Secretary for Cybersecurity and Communications, acknowledged in January that – at least when it comes to federal agencies – the department lacks the authority to meaningfully punish noncompliance.
"It says [BODs are] binding. I'm not exactly sure what sort of enforcement mechanism I have in place to make it binding," said Manfra. "We don't have the authority to slap some fine on, and we're not going to kick some federal agency off the Internet."
Nielsen told lawmakers that DHS is currently reviewing what authorities it has to punish contractors who are found to be using Kaspersky. 
