SEC. 1634. PROHIBITION ON USE OF
PRODUCTS AND SERVICES DEVELOPED OR PROVIDED BY KASPERSKY LAB.
(a) Prohibition.—No department, agency,
organization, or other element of the Federal Government may
use, whether directly or through work with or on behalf of
another department, agency, organization, or element of the
Federal Government, any hardware, software, or services
developed or provided, in whole or in part, by—
(1) Kaspersky Lab (or any successor
(2) any entity that controls, is controlled by, or is under
common control with Kaspersky Lab; or
(3) any entity of which Kaspersky Lab has majority ownership.
(b) Effective Date.—The prohibition in
subsection (a) shall take effect on October 1, 2018.
(c) Review And Report.—
(1) REVIEW.—The Secretary of Defense,
in consultation with the Secretary of Energy, the Secretary of
Homeland Security, the Attorney General, the Administrator of
the General Services Administration, and the Director of
National Intelligence, shall conduct a review of the
procedures for removing suspect products or services from the
information technology networks of the Federal Government.
(A) IN GENERAL.—Not later than 180
days after the date of the enactment of this Act, Secretary
of Defense shall submit to the appropriate congressional
committees a report on the review conducted under paragraph
(B) ELEMENTS.—The report under subparagraph (A) shall
include the following:
(i) A description of the Federal
Government-wide authorities that may be used to prohibit,
exclude, or prevent the use of suspect products or
services on the information technology networks of the
Federal Government, including—
(I) the discretionary
authorities of agencies to prohibit, exclude, or prevent
the use of such products or services;
(II) the authorities of a suspension and debarment
official to prohibit, exclude, or prevent the use of
such products or services;
(III) authorities relating to supply chain risk
(IV) authorities that provide for the continuous
monitoring of information technology networks to
identify suspect products or services; and
(V) the authorities provided under the Federal
Information Security Management Act of 2002.
(ii) Assessment of any gaps in the
authorities described in clause (i), including any gaps in
the enforcement of decisions made under such authorities.
(iii) An explanation of the capabilities and methodologies
used to periodically assess and monitor the information
technology networks of the Federal Government for
prohibited products or services.
(iv) An assessment of the ability of the Federal
Government to periodically conduct training and exercises
in the use of the authorities described in clause (i)—
(I) to identify recommendations
for streamlining process; and
(II) to identify recommendations for education and
training curricula, to be integrated into existing
training or certification courses.
(v) A description of information
sharing mechanisms that may be used to share information
about suspect products or services, including mechanisms
for the sharing of such information among the Federal
Government, industry, the public, and international
(vi) Identification of existing tools for business
intelligence, application management, and commerce
due-diligence that are either in use by elements of the
Federal Government, or that are available commercially.
(vii) Recommendations for improving the authorities,
processes, resourcing, and capabilities of the Federal
Government for the purpose of improving the procedures for
identifying and removing prohibited products or services
from the information technology networks of the Federal
(viii) Any other matters the Secretary determines to be
(C) FORM.—The report under
subparagraph (A) shall be submitted in unclassified form,
but may include a classified annex.
(3) APPROPRIATE CONGRESSIONAL
COMMITTEES DEFINED.—In this section, the term “appropriate
congressional committees” means the following:
(A) The Committee on Armed Services,
the Committee on Energy and Commerce, the Committee on
Homeland Security, the Committee on the Judiciary, the
Committee on Oversight and Government Reform, and the
Permanent Select Committee on Intelligence of the House of
(B) The Committee on Armed Services, the Committee on Energy
and Natural Resources, the Committee on Homeland Security
and Governmental Affairs, the Committee on the Judiciary,
and the Select Committee on Intelligence of the Senate.
Prohibition on use of products and services developed or provided
by Kaspersky Lab (sec. 1634)
The Senate amendment contained a provision (sec. 11603) that
would prohibit any department, agency, organization, or other element
of the United States Government from using any product developed
by Kaspersky Lab or any entity of which Kaspersky Lab has majority ownership.
The House bill contained no similar
The House recedes with an amendment that
would add a review and report on the procedures for removing
suspect products or services from the information technology
networks of the Federal Government.