Binding Operational Directives

BOD 17-01: Removal of Kaspersky-branded Products

September 13, 2017
Related topics:
Cybersecurity Best Practices

In 2024, the Department of Commerce announced its Final Determination to add Kaspersky Lab to the Bureau of Industry and Security's Entity List. As a result, Kaspersky is prohibited from directly or indirectly providing anti-virus software and cybersecurity products or services in the United States or to U.S. persons. This prohibition applies more broadly than BOD 17-01 (which contained exceptions), as Kaspersky is now prohibited from selling all anti-virus software and cybersecurity products or services without exception.


This page contains a web-friendly version of the Department of Homeland Security’s Binding Operational Directive 17-01, “Removal of Kaspersky-branded Products”.

A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems.

The Department of Homeland Security (DHS) develops and oversees the implementation of binding operational directives pursuant to the Federal Information Security Modernization Act of 2014.

Federal agencies are required to comply with DHS-developed directives.

DHS binding operational directives do not apply to statutorily defined “National Security Systems” nor to certain systems operated by the Department of Defense or the Intelligence Community. Id. § 3553(d)-(e).

Background

DHS, in consultation with interagency partners, has determined that the risks presented by Kaspersky-branded products justify issuance of this Binding Operational Directive.

Definitions

  • “Agencies” means all Federal, executive branch, departments and agencies. This directive does not apply to statutorily defined “National Security Systems” nor to certain systems operated by the Department of Defense and the Intelligence Community. 44 U.S.C. 3553(d)–(e).
  • “Kaspersky-branded products” means information security products, solutions, and services supplied, directly or indirectly, by AO Kaspersky Lab or any of its predecessors, successors, parents, subsidiaries, or affiliates, including Kaspersky Lab North America, Kaspersky Lab, Inc., and Kaspersky Government Security Solutions, Inc. (collectively, “Kaspersky”), including those identified below.

Kaspersky-branded products currently known to DHS are: Kaspersky Anti-Virus; Kaspersky Internet Security; Kaspersky Total Security; Kaspersky Small Office Security; Kaspersky Anti Targeted Attack; Kaspersky Endpoint Security; Kaspersky Cloud Security (Enterprise); Kaspersky Cybersecurity Services; Kaspersky Private Security Network; and Kaspersky Embedded Systems Security.

This directive does not address Kaspersky code embedded in the products of other companies. It also does not address the following Kaspersky services: Kaspersky Threat Intelligence and Kaspersky Security Training.

  • “Federal information system” means an information system used or operated by an agency or by a contractor of an agency or by another organization on behalf of an agency.

Required Actions

All agencies are required to:

  1. Within 30 calendar days after issuance of this directive, identify the use or presence of Kaspersky-branded products on all Federal information systems and provide to DHS a report that includes:
    1. A list of Kaspersky-branded products found on agency information systems. If agencies do not find the use or presence of Kaspersky-branded products on their Federal information systems, inform DHS that no Kaspersky-branded products were found.
    2. The number of endpoints impacted by each product, and
    3. The methodologies employed to identify the use or presence of the products.
  2. Within 60 calendar days after issuance of this directive, develop and provide to DHS a detailed plan of action to remove and discontinue present and future use of all Kaspersky-branded products beginning 90 calendar days after issuance of this directive. Agency plans must address the following elements:
    1. Agency name.
    2. Point of contact information, including name, telephone number, and email address.
    3. List of identified products.
    4. Number of endpoints impacted.
    5. Methodologies employed to identify the use or presence of the products.
    6. List of Agencies (components) impacted within Department.
    7. Mission function of impacted endpoints and/or systems.
    8. All contracts, service-level agreements, or other agreements your agency has entered into with Kaspersky.
    9. Timeline to remove identified products.
    10. If applicable, FISMA performance requirements or security controls that product removal would impact, including but not limited to data loss/leakage prevention, network access control, mobile device management, sandboxing/detonation chamber, Web site reputation filtering/web content filtering, hardware and software whitelisting, vulnerability and patch management, anti-malware, anti-exploit, spam filtering, data encryption, or other capabilities.
    11. If applicable, chosen or proposed replacement products/capabilities.
    12. If applicable, timeline for implementing replacement products/capabilities.
    13. Foreseeable challenges not otherwise addressed in this plan.
    14. Associated costs related to licenses, maintenance, and replacement (please coordinate with agency Chief Financial Officers).
  3. At 90 calendar days after issuance of this directive, and unless directed otherwise by DHS based on new information, begin to implement the agency plan of action and provide a status report to DHS on the progress of that implementation every 30 calendar days thereafter until full removal and discontinuance of use is achieved.

DHS Actions

  • DHS will rely on agency self-reporting and independent validation measures for tracking and verifying progress.
  • DHS will provide additional guidance through the Federal Cybersecurity Coordination, Assessment, and Response Protocol (the C–CAR Protocol) following the issuance of this directive.

Potential Budgetary Implications

DHS understands that compliance with this BOD could result in budgetary implications. Agency Chief Information Officers (CIOs) and procurement officers should coordinate with the agency Chief Financial Officer (CFO), as appropriate.
