October 30, 2017
TO THE ADMINISTRATOR ADDRESSED (TAA):
Subject: Cyber Alert: DHS Issues Binding Operational Directive on Kaspersky Products
On Sept. 13, 2017, the U.S. Department of Homeland Security (DHS) released the Binding Operational Directive (BOD) 17-01 directing federal agencies to remove/discontinue use of products, solutions, and services provided by AO Kaspersky Lab or related entities.
The BOD mandates that federal agencies identify Kaspersky Lab products on federal information systems within the next 30 days, develop detailed plans to remove and discontinue use of the products within 60 days and implement those removal/discontinuation plans within 90 days of the date of the September 13th directive. This follows the July 11, 2017, General Services Administration (GSA) decision to remove Kaspersky Lab from its list of approved vendors due to alleged ties between the company and Russian intelligence services.
DHS assesses that Kaspersky products, solutions, and services, supplied directly or indirectly by Kaspersky Lab or related entities, provide broad access to files and elevated privileges. The risks cited by DHS is twofold: that DHS is concerned with ties between Kaspersky Lab officials and that of the Russian government and that Russian law could allow Russian intelligence or government agencies to request or compel assistance from Kaspersky Lab. These actions could result in the interception of U.S. communications transiting Russian networks and/or capitalizing on the access provided to U.S. federal government networks through Kaspersky products.
The Texas Department of Information Resources (DIR) followed the General Services Administration (GSA) decision and has removed Kaspersky from its cooperative contracts.
- The Multi State-Information Sharing and Analysis Center (MS-ISAC) recommends members follow the guidance in the federal directive.
- Considering the high volume of sensitive student information collected, the Texas Education Agency is recommending ESCs and LEAs follow the guidance in the federal directive. FERPA generally requires that student data be kept in a secure environment. See 20 U.S.C. §1232(g) and 34 C.F.R. part 99.
Deputy Commissioner, Technology
Chief Information Security Officer