FAR 4.2002—Prohibition.
Plain-English Summary
FAR 4.2002 implements a statutory prohibition on the Government’s use of certain Kaspersky Lab products and on contractor use of those products in contract performance. It addresses two related topics: first, the Government may not use any hardware, software, or services developed or provided, in whole or in part, by a covered entity on or after October 1, 2018; second, contractors may not provide any Kaspersky Lab covered article that the Government will use on or after that date, and may not use any Kaspersky Lab covered article on or after that date when developing data or deliverables first produced under the contract. In practice, this section is a supply-chain and cybersecurity restriction that affects product selection, subcontracting, IT environments, and deliverable development. Its purpose is to prevent federal systems and contract outputs from relying on technology associated with a prohibited source. Contractors and contracting officers must therefore screen products and services carefully, confirm what will be used by the Government, and ensure contract performance environments are free of prohibited Kaspersky Lab articles where the rule applies.
Key Rules
Government use is prohibited
The Government may not use any hardware, software, or services developed or provided, in whole or in part, by a covered entity on or after October 1, 2018. This is a direct statutory ban and applies regardless of whether the item is standalone, embedded, or part of a broader solution.
No prohibited Kaspersky articles for Government use
Contractors may not provide any Kaspersky Lab covered article that the Government will use on or after October 1, 2018. The key issue is intended Government use, so contractors must ensure the items they furnish are not prohibited articles before delivery or acceptance.
No use in developing deliverables
Contractors may not use any Kaspersky Lab covered article on or after October 1, 2018, in developing data or deliverables first produced in performance of the contract. This reaches contractor-side tools and environments used to create contract outputs, not just the final deliverable itself.
Applies to hardware, software, and services
The prohibition is broad and covers hardware, software, and services, not just antivirus or endpoint products. Contractors should evaluate all components and support services for covered-entity involvement, including integrated or third-party offerings.
Date-based compliance trigger
The operative date is October 1, 2018. Compliance is measured by whether the Government will use the item on or after that date, and whether the contractor used the covered article on or after that date in producing contract data or deliverables.
Responsibilities
Contracting Officer
Ensure solicitations and contracts reflect the prohibition where applicable, and verify that offered products or services do not include prohibited Kaspersky Lab covered articles for Government use. The contracting officer should also address any compliance concerns during evaluation, award, or administration.
Contractor
Screen all proposed hardware, software, and services for covered-entity involvement; do not provide Kaspersky Lab covered articles for Government use; and do not use Kaspersky Lab covered articles in developing contract data or deliverables first produced under the contract. The contractor must flow these restrictions through its supply chain and internal performance environment.
Subcontractors and Suppliers
Avoid supplying prohibited Kaspersky Lab covered articles or components that would cause the prime contractor’s offering to violate the rule, and support the prime contractor’s compliance by accurately identifying products, services, and embedded technologies.
Agency / Government Users
Do not use hardware, software, or services developed or provided, in whole or in part, by a covered entity on or after October 1, 2018. Agencies must also avoid accepting or deploying contractor-furnished items that would violate the prohibition.
Practical Implications
Contractors should inventory all software, hardware, and service dependencies early, including development tools, cloud services, antivirus products, and embedded components.
A common pitfall is focusing only on the final deliverable and overlooking the tools used to create it; the rule also restricts use in developing data or deliverables first produced under the contract.
Another risk is assuming a product is compliant because it is resold by a different vendor; the underlying source and whether it is a covered article still matter.
Contracting officers should ask for clear representations or technical descriptions when the acquisition could involve cybersecurity tools, managed services, or integrated IT solutions.
If a prohibited article is discovered late, it can create delivery delays, rejection risk, or the need for replacement products and remediation before Government use.
Official Regulatory Text
Section 1634 of Division A of the National Defense Authorization Act for Fiscal Year 2018 (Pub. L. 115-91) prohibits Government use on or after October 1, 2018, of any hardware, software, or services developed or provided, in whole or in part, by a covered entity. Contractors are prohibited from—
(a) Providing any Kaspersky Lab covered article that the Government will use on or after October 1, 2018; and
(b) Using any Kaspersky Lab covered article on or after October 1, 2018, in the development of data or deliverables first produced in the performance of the contract.