Kaspersky Lab, Inc. Prohibition
To protect our nation, the Department of Commerce (Department) has issued a Final Determination prohibiting Kaspersky Lab, Inc. and its affiliates, subsidiaries, and parent companies (Kaspersky) from engaging in transactions involving the provision of certain cybersecurity and anti-virus products and services to U.S. persons. In accordance with this Final Determination, any resale of Kaspersky cybersecurity or anti-virus software, integration of Kaspersky cybersecurity or anti-virus software into other products and services, or licensing of Kaspersky cybersecurity or anti-virus software for purposes of resale or integration into other products or services, is prohibited in the United States or by U.S. persons.
Kaspersky's products and services pose an unacceptable risk to United States national security and the security and safety of U.S. persons, and an undue risk of subversion of, or sabotage to, the integrity and operation of Information and Communications Technology and Services (ICTS) in the United States. In particular, there is a significant risk of harm to the integrity and operation of ICTS and the ICTS supply chain in the United States.
WHY WERE KASPERSKY PRODUCTS PROHIBITED?
The Bureau of Industry and Security (BIS) conducted a review of Kaspersky's cybersecurity and anti-virus transactions under its legal authorities pursuant to Executive Order 13873 and 15 C.F.R. Part 791. The Office of Information and Communications Technology and Services (OICTS) within BIS determined that the transactions pose a number of risks to the United States, and therefore prohibited these transactions.
WHY ARE KASPERSKY PRODUCTS CONSIDERED A SECURITY RISK?
BIS found that Kaspersky's cybersecurity and anti-virus products and services (“ICTS offerings”) pose unacceptable risks to the United States' national security and the security and safety of its people. The risk factors considered were:
The threats posed by the Russian Federation (Russia).
The vulnerabilities that Kaspersky's ICTS products create for U.S. national security.
Safety and the consequences of Russia exploiting the vulnerabilities presented.
BIS found that Kaspersky's ICTS offerings pose the following risks to the national security of the United States and the security and safety of U.S. persons:
Russia is a foreign adversary that continues to threaten the United States.
Kaspersky is subject to the jurisdiction, control, or direction of the Russian Government.
Kaspersky software provides the Russian Government access to sensitive U.S. customer information.
Kaspersky software allows for the capability and opportunity to install malicious software and withhold critical updates.
The manipulation of Kaspersky software, including in U.S. critical infrastructure, can cause significant risks of data theft, espionage, and system malfunction. It can also risk the country's economic security and public health, resulting in injuries or loss of life.
WHAT DOES THE FINAL DETERMINATION PROHIBIT?
BIS has issued a Final Determination that prohibits Kaspersky from engaging in the following ICTS transactions in the United States or with U.S. persons:
ICTS transactions involving any cybersecurity product or service designed, developed, manufactured, or supplied, in whole or in part, by Kaspersky, including those products and services listed in Appendix B of the Final Determination;
ICTS transactions involving any anti-virus software designed, developed, manufactured, or supplied, in whole or in part, by Kaspersky, including those products and services listed in Appendix B of the Final Determination; and
ICTS transactions involving the integration of software designed, developed, manufactured, or supplied, in whole or in part, by Kaspersky into third-party products or services (e.g., “white-labeled” products or services).
A non-exhaustive list of products and services covered by the Final Determination is available in the linked Appendix B.
The Final Determination takes effect as follows:
At 12:00 AM EDT on July 20, 2024, Kaspersky is prohibited from entering into any new agreement with U.S. persons involving one or more ICTS transactions identified above.
At 12:00 AM EDT on September 29, 2024, Kaspersky, and any of its successors or assignees, shall be prohibited from:
Providing any anti-virus signature updates and codebase updates associated with the ICTS transactions identified above; and
Operating the Kaspersky Security Network (KSN) in the United States or on any U.S. person's information technology system.
At 12:00 AM EDT on September 29, 2024, the following is prohibited:
Reselling Kaspersky cybersecurity or anti-virus software;
Integrating Kaspersky cybersecurity or anti-virus software into other products and services; and
Licensing Kaspersky cybersecurity or anti-virus software for purposes of resale or integration into other products or services.
The Department recognizes that many U.S. individuals and businesses rely on Kaspersky software for protection against viruses and other cyber threats. To provide users of Kaspersky software with time to seek alternative products and services, the Department has calibrated its prohibition to allow Kaspersky to continue to operate the KSN for U.S. persons, as well as provide anti-virus signature updates and codebase updates to current U.S. subscribers and users of cybersecurity and anti-virus products and services as identified in Appendix B, until 12:00 AM EDT on September 29, 2024.
After 12:00 AM EDT on September 29, 2024, Kaspersky will be prohibited from providing any anti-virus signature updates and codebase updates associated with the ICTS transactions identified above, and from operating the KSN in the United States or on any U.S. person's information technology system.
This Final Determination does not apply to transactions involving Kaspersky Threat Intelligence products and services, Kaspersky Security Training products and services, or Kaspersky consulting or advisory services (including SOC Consulting, Security Consulting, Ask the Analyst, and Incident Response) that are purely informational or educational in nature.