FAR 4.2001—Definitions.
Plain-English Summary
FAR 4.2001 provides the definitions used in this subpart for identifying prohibited Kaspersky-related items and entities in federal contracting. It defines two key terms: “Kaspersky Lab covered article” and “Kaspersky Lab covered entity.” The first term is broad and captures hardware, software, or services that are developed or provided by a covered entity, developed or provided in whole or in part by a covered entity, or that contain components using hardware or software developed in whole or in part by a covered entity. The second term defines the universe of entities tied to Kaspersky Lab, including Kaspersky Lab itself, successor entities, entities under common control, and entities in which Kaspersky Lab holds majority ownership. In practice, these definitions are important because they determine what products, services, and corporate affiliates fall within the subpart’s restrictions and screening requirements. Contractors, subcontractors, and contracting personnel must use these definitions carefully when evaluating supply chains, software provenance, and vendor relationships to avoid procuring or using covered items.
Key Rules
Broad covered-article scope
A Kaspersky Lab covered article includes hardware, software, or services developed or provided by a covered entity. The definition is intentionally broad so that both direct offerings and related products or services can be captured.
Partial development is enough
The definition reaches items developed or provided in whole or in part by a Kaspersky Lab covered entity. This means a product does not have to be entirely Kaspersky-originated to be covered.
Component-based coverage
An item is also covered if it contains components using hardware or software developed in whole or in part by a covered entity. This extends the definition beyond the finished product to embedded or integrated components.
Kaspersky Lab entity definition
The term includes Kaspersky Lab itself, any successor entity or name change, any entity that controls or is controlled by or under common control with Kaspersky Lab, and any entity in which Kaspersky Lab has majority ownership.
Control and ownership matter
Affiliation is not limited to the exact corporate name. The definition captures corporate relationships that could allow Kaspersky-related technology or influence to continue through affiliates, successors, or owned entities.
Responsibilities
Contracting Officers
Use these definitions when evaluating whether an offered product, service, or vendor relationship falls within the subpart’s restrictions. Ensure solicitations, evaluations, and award decisions account for Kaspersky-related coverage where applicable.
Contractors
Review the origin, development history, component makeup, and corporate ownership of products and services offered to the Government. Avoid offering or using items that meet the definition of a Kaspersky Lab covered article when the subpart prohibits them.
Subcontractors and Suppliers
Disclose relevant product lineage and corporate affiliations to prime contractors and the Government supply chain as needed. Screen their own offerings to ensure they are not supplying covered articles or covered entities.
Agencies
Implement procurement controls and internal screening processes that identify Kaspersky-related products, services, and entities. Train acquisition and IT personnel to recognize the breadth of the definitions.
Practical Implications
The definition is intentionally expansive, so contractors should not assume only products branded “Kaspersky” are covered.
Supply-chain reviews must look beyond the final product name to component sourcing and partial development history.
Corporate restructuring, rebranding, or successor entities do not avoid coverage if the entity remains tied to Kaspersky Lab.
Common pitfalls include relying only on vendor certifications, overlooking embedded software components, and failing to check ownership/control relationships.
Contracting personnel should document their screening and any determinations, because the breadth of the definition can make close cases difficult to resolve without a clear record.
Official Regulatory Text
As used in this subpart— Kaspersky Lab covered article means any hardware, software, or service that– (1) Is developed or provided by a Kaspersky Lab covered entity (2) Includes any hardware, software, or service developed or provided in whole or in part by a Kaspersky Lab covered entity; or (3) Contains components using any hardware or software developed in whole or in part by a Kaspersky Lab covered entity. Kaspersky Lab covered entity means– (1) Kaspersky Lab; (2) Any successor entity to Kaspersky Lab, including any change in name, e.g., “Kaspersky”; (3) Any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or (4) Any entity of which Kaspersky Lab has a majority ownership.