Department of Homeland Security, Notification of Issuance of Binding Operational Directive 17-01 and Establishment of Procedures for Responses, September 13, 2017. Unclassified.
National Security Archive
DHS’s 2017 ban on Kaspersky products turned a classified cyber‑threat assessment into a sweeping procurement directive, reshaping federal IT security and setting a template for future supply‑chain bans.
Source: Department of Homeland Security, Notification of Issuance of Binding Operational Directive 17-01 and Establishment of Procedures for Responses, September 13, 2017. Unclassified.
Date: Sep 13, 2017
Archive: Federal Register
Collection: Cyber Vault: OPM Responsible for 2015 Hack of Personal Info? Sep 27, 2017
Editorial Analysis
Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.
A Cold‑War Echo in a Digital Age
On September 13, 2017, the Department of Homeland Security issued Binding Operational Directive (BOD) 17‑01, ordering every civilian federal agency to inventory and, within ninety days, purge Kaspersky‑branded security products. The notice that accompanied the directive—now declassified and posted to the Federal Register—was not a routine IT memo; it was a public articulation of a secretive inter‑agency assessment that Kaspersky Lab, a Russian‑owned cybersecurity firm, posed a “reasonably suspected” threat to U.S. government networks. The timing is crucial: the directive arrived just weeks after the 2016 U.S. presidential election, a period when intelligence agencies were publicly warning that Russian actors had attempted to infiltrate election infrastructure. The DHS document therefore sits at the intersection of two overlapping crises—electoral interference and a broader scramble to secure the federal cyber‑ecosystem.
The Policy Context and Legal Mechanics
BOD 17‑01 is anchored in the Federal Information Security Modernization Act of 2014 (FISMA) and the statutory authority granted to DHS under 44 U.S.C. § 3553(b). The notice spells out that a BOD is a “compulsory direction” to safeguard federal information from a known or reasonably suspected risk. By invoking this legal framework, DHS signaled that the Kaspersky issue was not a diplomatic dispute but a national‑security imperative that required immediate, uniform compliance across the civilian executive branch. The document also outlines a rare procedural concession: commercial entities directly affected—here, Kaspersky Lab and its U.S. subsidiaries—could submit written responses within a 45‑day window after the Federal Register publication. This mirrors the limited “notice‑and‑comment” process usually reserved for rulemaking, underscoring how contentious the move was expected to be.
Actors, Rhetoric, and the Unseen Intelligence
The directive bears the signatures of Elaine C. Duke, Acting Secretary of DHS, and is copied to Mick Mulvaney, Director of the Office of Management and Budget. Their involvement reveals the high‑level inter‑agency coordination behind the decision. While the notice cites “inter‑agency partners” and “consultation,” it does not name the intelligence agencies that likely supplied the underlying threat assessment—most plausibly the NSA, CIA, or the Office of the Director of National Intelligence. The language is deliberately vague (“reasonably suspected information security threat”), a hallmark of classified intelligence being distilled for public consumption. The omission of any specific technical evidence forces readers to infer that the assessment rested on classified sources, perhaps signals intelligence indicating covert Kaspersky back‑doors or supply‑chain compromises.
What the Document Reveals Beneath the Formalities
Beyond the procedural boilerplate, the notice’s definitions are revealing. By limiting the directive’s reach to “non‑National Security Systems,” DHS acknowledges that DoD and intelligence networks already have separate, more stringent vetting processes. The list of Kaspersky products—spanning antivirus suites to cloud security services—shows that DHS had already mapped the firm’s footprint within federal environments. Moreover, the exclusion of “Kaspersky code embedded in the products of other companies” hints at an awareness of supply‑chain complexity, suggesting that DHS was prepared to expand the ban if further evidence emerged.
Legacy and Continuing Relevance
BOD 17‑01 set a precedent for how the U.S. government can leverage procurement authority to address perceived foreign cyber threats. The directive catalyzed a cascade of similar bans on other foreign‑origin hardware and software, most notably the 2019 executive order targeting Chinese telecommunications firms. It also sparked a legal and diplomatic backlash: Kaspersky filed a lawsuit alleging unlawful procurement discrimination, and the Russian government condemned the move as a “politically motivated” act of economic warfare. The procedural pathway opened by the notice—allowing affected firms to respond—has become a template for subsequent BODs.
Today, as supply‑chain risk management dominates federal cybersecurity strategy, the 2017 Kaspersky ban remains a touchstone. It illustrates how a single intelligence judgment, couched in statutory authority, can reshape the software market for an entire government and signal to allies and adversaries alike that the United States will act decisively when foreign technology is deemed a security liability.
This document is scheduled to be published in the
Federal Register on 09/19/2017 and available online at
https://federalregister.gov/d/2017-19838, and on FDsys.gov
9110-9P-P
**DEPARTMENT OF HOMELAND SECURITY**
National Protection and Programs Directorate
Notification of Issuance of Binding Operational Directive 17-01 and Establishment of
Procedures for Responses
**AGENCY:** National Protection and Programs Directorate, DHS.
**ACTION:** Issuance of binding operational directive; procedures for responses; notice of
availability.
**SUMMARY:** In order to safeguard Federal information and information systems, DHS
has issued a binding operational directive to all Federal, executive branch departments
and agencies relating to information security products, solutions, and services supplied,
directly or indirectly, by AO Kaspersky Lab or affiliated companies. The binding
operational directive requires agencies to identify Kaspersky-branded products (as
defined in the directive) on Federal information systems, provide plans to discontinue use
of Kaspersky-branded products, and, at 90 calendar days after issuance of the directive,
unless directed otherwise by DHS in light of new information, begin to remove
Kaspersky-branded products. DHS is also establishing procedures, which are detailed in
this notice, to give entities whose commercial interests are directly impacted by this
binding operational directive the opportunity to respond, provide additional information,
and initiate a review by DHS.
**DATES:** Binding Operational Directive 17-01 was issued on September 13, 2017. DHS
must receive responses from impacted entities on or before [INSERT DATE 45 DAYS
AFTER DATE OF PUBLICATION IN THE *FEDERAL REGISTER*].
**ADDRESSES:** Submit electronic responses to Binding Operational Directive 17-01, along with any additional information or evidence, to BOD.Feedback@hq.dhs.gov.
**SUPPLEMENTARY INFORMATION:** The Department of Homeland Security ("DHS" or "the Department") has the statutory responsibility, in consultation with the Office of Management and Budget, to administer the implementation of agency information security policies and practices for information systems, which includes assisting agencies and providing certain government-wide protections. 44 U.S.C. 3553(b). As part of that responsibility, the Department is authorized to "develop[] and oversee[] the implementation of binding operational directives to agencies to implement the policies, principles, standards, and guidance developed by the Director [of the Office of Management and Budget] and [certain] requirements of [the Federal Information Security Modernization Act of 2014.]" 44 U.S.C. 3553(b)(2). A binding operational directive ("BOD") is "a compulsory direction to an agency that (A) is for purposes of safeguarding Federal information and information systems from a known or reasonably suspected information security threat, vulnerability, or risk; [and] (B) [is] in accordance with policies, principles, standards, and guidelines issued by the Director[.]" 44 U.S.C. 3552(b)(1). Agencies are required to comply with these directives. 44 U.S.C. 3554(a)(1)(B)(ii).
OVERVIEW OF BOD 17-01
In carrying out this statutory responsibility, the Department issued BOD 17-01, titled "Removal of Kaspersky-Branded Products." The text of BOD 17-01 is reproduced in the next section of this document.
Binding Operational Directive 17-01 may have adverse consequences for the commercial interests of AO Kaspersky Lab or other entities. Therefore, the Department will provide entities whose commercial interests are directly impacted by BOD 17-01 the opportunity to respond to the BOD, as detailed in the Administrative Process for Responding to Binding Operational Directive 17-01 section of this notice, below.
TEXT OF BOD 17-01
Binding Operational Directive BOD-17-01
Original Issuance Date: September 13, 2017
Applies to: All Federal Executive Branch Departments and Agencies
FROM: Elaine C. Duke, Acting Secretary, Department of Homeland Security
CC: Mick Mulvaney, Director, Office of Management and Budget
SUBJECT: Removal of Kaspersky-Branded Products
A binding operational directive is a compulsory direction to Federal, executive branch, departments and agencies for purposes of safeguarding Federal information and information systems. 44 U.S.C. 3552(b)(1). The Department of Homeland Security (DHS) develops and oversees the implementation of binding operational directives pursuant to the Federal Information Security Modernization Act of 2014 (“FISMA”). 44 U.S.C. 3553(b)(2). Federal agencies are required to comply with these DHS-developed directives. 44 U.S.C. 3554(a)(1)(B)(ii). DHS binding operational directives do not apply to statutorily defined “National Security Systems” nor to certain systems operated by the Department of Defense and the Intelligence Community. 44 U.S.C. 3553(d)-(e).
Background: DHS, in consultation with interagency partners, has determined that the risks presented by Kaspersky-branded products justify issuance of this Binding Operational Directive.
Definitions:
"Agencies" means all Federal, executive branch, departments and agencies. This directive does not apply to statutorily defined "National Security Systems" nor to certain systems operated by the Department of Defense and the Intelligence Community. 44 U.S.C. 3553(d)-(e)
"Kaspersky-branded products" means information security products, solutions, and services supplied, directly or indirectly, by AO Kaspersky Lab or any of its predecessors, successors, parents, subsidiaries, or affiliates, including Kaspersky Lab North America, Kaspersky Lab, Inc., and Kaspersky Government Security Solutions, Inc. (collectively, "Kaspersky"), including those identified below.
Kaspersky-branded products currently known to DHS are: Kaspersky Anti-Virus; Kaspersky Internet Security; Kaspersky Total Security; Kaspersky Small Office Security; Kaspersky Anti Targeted Attack; Kaspersky Endpoint Security; Kaspersky Cloud Security (Enterprise); Kaspersky Cybersecurity Services; Kaspersky Private Security Network; and Kaspersky Embedded Systems Security.
This directive does not address Kaspersky code embedded in the products of other companies. It also does not address the following Kaspersky services: Kaspersky Threat Intelligence and Kaspersky Security Training.
"Federal information system" means an information system used or operated by an agency or by a contractor of an agency or by another organization on behalf of an agency.
Required Actions: All agencies are required to:
1. Within 30 calendar days after issuance of this directive, identify the use or presence of Kaspersky-branded products on all Federal information systems and provide to DHS a report that includes:
a. A list of Kaspersky-branded products found on agency information systems. If agencies do not find the use or presence of Kaspersky-branded products on their Federal information systems, inform DHS that no Kaspersky-branded products were found.
b. The number of endpoints impacted by each product, and
c. The methodologies employed to identify the use or presence of the products.
2. Within 60 calendar days after issuance of this directive, develop and provide to DHS a detailed plan of action to remove and discontinue present and future use of all Kaspersky-branded products beginning 90 calendar days after issuance of this directive. Agency plans must address the following elements in the attached template¹ at a minimum:
a. Agency name
b. Point of contact information, including name, telephone number, and email address
c. List of identified products
d. Number of endpoints impacted
e. Methodologies employed to identify the use or presence of the products
f. List of Agencies (components) impacted within Department
g. Mission function of impacted endpoints and/or systems
h. All contracts, service-level agreements, or other agreements your agency has entered into with Kaspersky
i. Timeline to remove identified products
j. If applicable, FISMA performance requirements or security controls that product removal would impact, including but not limited to data loss/leakage prevention, network access control, mobile device management, sandboxing/detonation chamber, website reputation filtering/web content filtering, hardware and software whitelisting, vulnerability and patch management, anti-malware, anti-exploit, spam filtering, data encryption, or other capabilities
k. If applicable, chosen or proposed replacement products/capabilities
l. If applicable, timeline for implementing replacement products/capabilities
m. Foreseeable challenges not otherwise addressed in this plan
n. Associated costs related to licenses, maintenance, and replacement (please coordinate with agency Chief Financial Officers)
3. At 90 calendar days after issuance of this directive, and unless directed otherwise by DHS based on new information, begin to implement the agency plan of action and provide a status report to DHS on the progress of that implementation every 30 calendar days thereafter until full removal and discontinuance of use is achieved.
DHS Actions:
• DHS will rely on agency self-reporting and independent validation measures for tracking and verifying progress.
• DHS will provide additional guidance through the Federal Cybersecurity Coordination, Assessment, and Response Protocol (the C-CAR Protocol) following the issuance of this directive.
Potential Budgetary Implications: DHS understands that compliance with this BOD could result in budgetary implications. Agency Chief Information Officers (CIOs) and procurement officers should coordinate with the agency Chief Financial Officer (CFO), as appropriate.
¹ The template for agency plans has not been reproduced in the Federal Register, but is available (in electronic format) from DHS upon request.
DHS Point of Contact: Binding Operational Directive Team²
Attachment: BOD 17-01 Plan of Action Template³
ADMINISTRATIVE PROCESS FOR RESPONDING TO BINDING OPERATIONAL DIRECTIVE 17-01
The Department will provide entities whose commercial interests are directly impacted by BOD 17-01 the opportunity to respond to the BOD, as detailed below:
• The Department has notified Kaspersky about BOD 17-01 and outlined the Department’s concerns that led to the decision to issue this BOD. This correspondence with Kaspersky is available (in electronic format) to other parties whose commercial interests are directly impacted by BOD-17-01, upon request. Requests must be directed to BOD.Feedback@hq.dhs.gov.
• If it wishes to initiate a review by DHS, by [INSERT DATE 45 DAYS AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER], Kaspersky, and any other entity that claims its commercial interests will be directly impacted by the BOD, must provide the Department with a written response and any additional information or evidence supporting the response, to explain the adverse consequences, address the Department’s concerns, or mitigate those concerns.
• The Department’s Assistant Secretary for Cybersecurity and Communications, or another official designated by the Secretary of Homeland Security (“the Secretary”), will review the materials relevant to the issues raised by the entity, and will issue a recommendation to the Secretary regarding the matter. The Secretary’s decision will be communicated to the entity in writing by [INSERT DATE 85 DAYS AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER].
• The Secretary reserves the right to extend the timelines identified above.
² The email address to be used by Federal agencies to contact the DHS Binding Operational Directive Team has not been reproduced in the Federal Register.
³ The template for agency plans has not been reproduced in the Federal Register, but is available (in electronic format) from DHS upon request.
Elaine C. Duke
Secretary of Homeland Security (Acting)
Department of Homeland Security
[FR Doc. 2017-19838 Filed: 9/18/2017 8:45 am; Publication Date: 9/19/2017]