Overview
FAR Subpart 4.20 implements Section 1634 of the National Defense Authorization Act (NDAA) for Fiscal Year 2018, which prohibits the Federal Government from using products or services from Kaspersky Lab and its related entities. The subpart protects national security by removing "covered articles" from the government supply chain and preventing their introduction, addressing the cybersecurity risks the statute associates with these entities.
Key Rules
- Broad Definition of "Covered Article": The prohibition applies to any hardware, software, or service developed or provided in whole or in part by a Kaspersky Lab covered entity, including products from other manufacturers that incorporate Kaspersky technology.
- Broad Definition of "Covered Entity": This includes Kaspersky Lab itself, any successor entity (even under a name change), any entity under common control with Kaspersky, and any entity in which Kaspersky holds majority ownership.
- The Double Prohibition:
  - Contractors cannot provide any covered article for Government use.
  - Contractors cannot use any covered article in the development of data or deliverables first produced during contract performance.
- Mandatory Clause: The clause at FAR 52.204-23 must be included in all solicitations and contracts, regardless of the dollar value or the nature of the acquisition (including commercial items).
Responsibilities
- Contracting Officers (COs):
  - Must ensure FAR clause 52.204-23 is inserted into every solicitation and contract.
  - Must follow specific agency procedures if a contractor provides a notification regarding the discovery of a covered article.
- Contractors:
  - Must conduct due diligence to ensure no Kaspersky products are included in their deliverables.
  - Must provide formal notification to the Government if they identify that a covered article was used or provided during contract performance (pursuant to 52.204-23).
- Program Managers/Technical Leads:
  - Responsible for reviewing technical specifications and bills of materials to ensure compliance with the prohibition during the procurement planning phase.
Practical Implications
- Supply Chain Diligence: This subpart moves the burden of supply chain security onto the contractor. Real-world compliance requires "white-box" visibility into software components; for example, a contractor selling a firewall must ensure that no Kaspersky-developed virus signatures or scanning engines are embedded within the software.
- Strict Liability in Deliverables: The prohibition on using Kaspersky tools during the development of deliverables means a contractor cannot run Kaspersky antivirus on the laptops used to write a report or develop software for the government, even if the antivirus software itself is not being sold to the government.
- Retroactive and Ongoing Compliance: Because the prohibition date was October 1, 2018, any legacy systems still in use that contain Kaspersky components must be identified and remediated to remain compliant with ongoing contract terms.
- Zero Exceptions: Unlike some other FAR prohibitions that allow waivers in specific circumstances, Subpart 4.20 is a stringent statutory requirement with no built-in administrative waiver process for convenience.