DHS: A 'vast majority' of agencies on track with Kaspersky directive

A Department of Homeland Security official said that the "vast majority" of federal agencies have met the first of three deadlines imposed by a September directive to eliminate Kaspersky Lab products from federal systems.

Michael Duffy, branch chief for the DHS Office of Cybersecurity and Communications, said that fewer than half of the agencies that met the Oct. 13 deadline in the directive reported the presence of Kaspersky Lab software or products.

The Russia-based vendor has been in the hot seat with the U.S. government for months because of allegations of ties to Russian intelligence and specific accusations, denied by Kaspersky, that the company captured classified malware from an intelligence contractor's home computer and shared it with Russian officials.

Speaking to reporters after an Oct. 27 meeting of the National Institute of Standards and Technology's Information Security and Privacy Advisory Board, Duffy declined to provide hard numbers or estimates around overall agency compliance and told the board that it was a "safe assumption" DHS will not be publicly releasing or discussing individual responses.

The directive set a 90-day clock for agencies to begin the process of removing Kaspersky software, but that task is complex. Many other software programs communicate with antivirus software through the application programming interface. Kaspersky's own website boasts about its software's ability to integrate into operating systems and hardware.

Duffy said it was "too soon to tell" how long it will take to finish the job.

Even after agencies remove the products, some residual traces of Kaspersky software and data may remain. James Norton, formerly a senior DHS official during the George W. Bush administration, told FCW that it is notoriously tricky to completely flush all aspects of a software program once it has been installed.

"Probably the best example is anybody who has a home computer and has tried to remove some kind of app they didn't want anymore," Norton said. "It's still in there in some form. It's difficult to clean that up."

The department has publicly released the full text of its last two Binding Operational Directives, a departure from past practice. Duffy said this was done to align with a May 2017 cybersecurity executive order calling for greater coordination between cyber and non-cyber officials and to set clear expectations around what DHS was seeking from agencies as well as other stakeholders in the contracting community. DHS is working with agency chief procurement officers to make sure they are ready for what comes next, Duffy said.

"A big piece of that was knowing that of course in directing removal [of Kaspersky Lab products], we can make the assumption that replacement may be down the line and agencies should start thinking about that," Duffy said.

There's no hard and fast rule about whether contractor systems are subject to the same requirement. Duffy said DHS is content to let individual departments and agencies hash out whether to require a ban affecting contractor devices and networks.

"What we've tried to do is have agencies determine the risk for themselves versus us driving that action," Duffy said.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. Follow him on Twitter @derekdoestech.
