Wednesday, Sep 13, 3:58 PM

DHS STATEMENT ON THE ISSUANCE OF BINDING

OPERATIONAL DIRECTIVE 17-01
by U.S. Department of Homeland Security |
departmentofhomelandsecurity@service.govdelivery.com

Private Sector Update

Created and distributed by the U.S. Department of Homeland Security Private Sector
Oce private.sector@dhs.gov | 202-282-8484

September 13, 2017

DHS STATEMENT ON THE ISSUANCE OF

BINDING OPERATIONAL DIRECTIVE 17-01

WASHINGTON After careful consideration of available information and consultation

with interagency partners, Acting Secretary of Homeland Security Elaine Duke today
issued a Binding Operational Directive (BOD) directing Federal Executive Branch
departments and agencies to take actions related to the use or presence of
information security products, solutions, and services supplied directly or indirectly by
AO Kaspersky Lab or related entities.

The BOD calls on departments and agencies to identify any use or presence of
Kaspersky products on their information systems in the next 30 days, to develop
detailed plans to remove and discontinue present and future use of the products in the
next 60 days, and at 90 days from the date of this directive, unless directed otherwise
by DHS based on new information, to begin to implement the agency plans to
discontinue use and remove the products from information systems.

This action is based on the information security risks presented by the use of
Kaspersky products on federal information systems. Kaspersky anti-virus products
and solutions provide broad access to files and elevated privileges on the computers
on which the software is installed, which can be exploited by malicious cyber actors
 to compromise those information systems. The Department is concerned about the
ties between certain Kaspersky ocials and Russian intelligence and other
government agencies, and requirements under Russian law that allow Russian
intelligence agencies to request or compel assistance from Kaspersky and to intercept
communications transiting Russian networks. The risk that the Russian government,
whether acting on its own or in collaboration with Kaspersky, could capitalize on
access provided by Kaspersky products to compromise federal information and
information systems directly implicates U.S. national security.

The Departments priority is to ensure the integrity and security of federal information
systems. Safeguarding federal government systems requires reducing potential
vulnerabilities, protecting against cyber intrusions, and anticipating future threats.
While this action involves products of a Russian-owned and operated company, the
Department will take appropriate action related to the products of any company that
present a security risk based on DHSs internal risk management and assessment
process.

DHS is providing an opportunity for Kaspersky to submit a written response

addressing the Departments concerns or to mitigate those concerns. The Department
wants to ensure that the company has a full opportunity to inform the Acting Secretary
of any evidence, materials, or data that may be relevant. This opportunity is also
available to any other entity that claims its commercial interests will be directly
impacted by the directive. Further information about this process will be available in a
Federal Register Notice.

###

Update your subscriptions, modify your password or e-mail address, or stop subscriptions at any time on
your Subscriber Preferences Page. You will need to use your e-mail address to log in. If you have questions
or problems with the subscription service, please contact subscriberhelp.govdelivery.com.

This service is provided to you at no charge by the U.S. Department of Homeland Security.

Privacy Policy | GovDelivery is providing this information on behalf of U.S. Department of Homeland
Security, and may not use the information for any other purposes.

U.S. Department of Homeland Security Washington, DC 20016