FAR 52.204-23—Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab Covered Entities.
Plain-English Summary
FAR 52.204-23 implements a governmentwide prohibition on using or supplying hardware, software, and services developed or provided by Kaspersky Lab covered entities. It defines what counts as a “Kaspersky Lab covered article” and who is a “Kaspersky Lab covered entity,” then bars contractors from providing such articles for Government use and from using them in developing data or deliverables first produced under the contract. The clause also creates a mandatory reporting process if a covered article is identified during performance, including specific timelines, required data elements, and a special reporting path for Department of Defense contracts through DIBNet. Finally, it requires flowdown of the clause to all subcontracts, including those for commercial products and commercial services. In practice, this clause is meant to protect Federal systems and deliverables from cybersecurity and supply-chain risk associated with Kaspersky-related products and services, and it places affirmative diligence, reporting, and subcontract management obligations on contractors.
Key Rules
Broad definition of covered articles
A Kaspersky Lab covered article includes hardware, software, or services developed or provided by a Kaspersky Lab covered entity, including items developed in whole or in part by such an entity and items containing components using Kaspersky-developed hardware or software. This definition is intentionally broad, so contractors must look beyond the brand name and evaluate upstream development and component sourcing.
Covered entities include affiliates and successors
A Kaspersky Lab covered entity is not limited to Kaspersky Lab itself. It also includes successors, renamed entities, entities under common control, and entities in which Kaspersky Lab has majority ownership, so contractors must assess corporate relationships, not just product labels.
No provision for Government use
The contractor may not provide any Kaspersky Lab covered article that the Government will use on or after October 1, 2018. This is a direct prohibition on delivering covered items into Government use, regardless of whether the contractor intended the item for a different purpose.
No use in first-produced deliverables
The contractor may not use any Kaspersky Lab covered article on or after October 1, 2018, in developing data or deliverables first produced in performance of the contract. This means the restriction applies to the contractor’s internal development environment and not only to final delivered products.
Mandatory reporting upon identification
If the contractor identifies a covered article provided to the Government during performance, or is notified by a subcontractor or other source, it must report the issue in writing to the Contracting Officer or, for DoD, through DIBNet. The reporting duty is triggered by identification or notice, not by proof of actual harm.
Short reporting deadlines and required details
Within 3 business days, the contractor must report the contract and order numbers, supplier name, brand, model number, item description, and any readily available mitigation information. Within 10 business days after that report, the contractor must provide additional mitigation details and explain how the issue occurred and what preventive steps will be added.
Flowdown to all subcontracts
The contractor must insert the substance of the clause, including the subcontract paragraph, in all subcontracts, including subcontracts for commercial products and commercial services. This makes subcontractor compliance part of the prime contractor’s supply-chain management responsibility.
Responsibilities
Contracting Officer
Ensure the clause is included when prescribed, receive contractor reports for non-DoD contracts, and coordinate any follow-up actions needed to address identified Kaspersky Lab covered articles during performance.
Department of Defense reporting channel (DIBNet)
Receive contractor reports for DoD contracts when a Kaspersky Lab covered article is identified, including identification of the affected contract and orders.
Contractor
Do not provide Kaspersky Lab covered articles for Government use, do not use them in developing first-produced data or deliverables, monitor performance for potential covered articles, report any identified or notified covered article within the required timeframes, provide required mitigation and explanatory information, and flow the clause down to all subcontracts.
Subcontractors
Comply with the flowed-down prohibition and reporting obligations, and promptly notify the prime contractor if a covered article is identified or suspected in the subcontract supply chain.
Agency / Government user
Avoid using covered articles in Government systems and support remediation if a contractor report reveals that a prohibited article was provided or used.
Practical Implications
Contractors need supply-chain screening, because the clause reaches successors, affiliates, and partially developed products, not just obvious Kaspersky-branded items.
The reporting clock starts fast: 3 business days for the initial report and 10 business days for follow-up mitigation details, so contractors should have an internal escalation process ready before award.
The prohibition applies to development environments and first-produced deliverables, so contractors should check tools, software libraries, security products, and hosted services used during performance, not only what is delivered.
Flowdown is mandatory even for commercial-item subcontracts, so prime contractors cannot assume commercial suppliers are outside the clause’s reach.
A common pitfall is waiting until final delivery to discover a prohibited product; contractors should document screening, maintain approved-product lists, and require subcontractor disclosure to reduce the risk of noncompliance.
Official Regulatory Text
As prescribed in 4.2004, insert the following clause:
Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab Covered Entities. (Dec 2023)
(a) Definitions. As used in this clause—
Kaspersky Lab covered article means any hardware, software, or service that–
(1) Is developed or provided by a Kaspersky Lab covered entity;
(2) Includes any hardware, software, or service developed or provided in whole or in part by a Kaspersky Lab covered entity; or
(3) Contains components using any hardware or software developed in whole or in part by a Kaspersky Lab covered entity.
Kaspersky Lab covered entity means–
(1) Kaspersky Lab;
(2) Any successor entity to Kaspersky Lab, including any change in name, e.g., “Kaspersky”;
(3) Any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or
(4) Any entity of which Kaspersky Lab has a majority ownership.
(b) Prohibition. Section 1634 of Division A of the National Defense Authorization Act for Fiscal Year 2018 (Pub. L. 115-91) prohibits Government use of any Kaspersky Lab covered article. The Contractor is prohibited from—
(1) Providing any Kaspersky Lab covered article that the Government will use on or after October 1, 2018; and
(2) Using any Kaspersky Lab covered article on or after October 1, 2018, in the development of data or deliverables first produced in the performance of the contract.
(c) Reporting requirement.
(1) In the event the Contractor identifies a Kaspersky Lab covered article provided to the Government during contract performance, or the Contractor is notified of such by a subcontractor at any tier or any other source, the Contractor shall report, in writing, to the Contracting Officer or, in the case of the Department of Defense, to the website at https://dibnet.dod.mil. For indefinite delivery contracts, the Contractor shall report to the Contracting Officer for the indefinite delivery contract and the Contracting Officer(s) for any affected order or, in the case of the Department of Defense, identify both the indefinite delivery contract and any affected orders in the report provided at https://dibnet.dod.mil.
(2) The Contractor shall report the following information pursuant to paragraph (c)(1) of this clause:
(i) Within 3 business days from the date of such identification or notification: the contract number; the order number(s), if applicable; supplier name; brand; model number (Original Equipment Manufacturer (OEM) number, manufacturer part number, or wholesaler number); item description; and any readily available information about mitigation actions undertaken or recommended.
(ii) Within 10 business days of submitting the report pursuant to paragraph (c)(1) of this clause: any further available information about mitigation actions undertaken or recommended. In addition, the Contractor shall describe the efforts it undertook to prevent use or submission of a Kaspersky Lab covered article, any reasons that led to the use or submission of the Kaspersky Lab covered article, and any additional efforts that will be incorporated to prevent future use or submission of Kaspersky Lab covered articles.
(d) Subcontracts. The Contractor shall insert the substance of this clause, including this paragraph (d), in all subcontracts including subcontracts for the acquisition of commercial products or commercial services.
(End of clause)