FAR 52.204-23 — Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab Covered Entities

Contract clause · dated Dec 2023 · prescribed in FAR 4.200 · current through FAC 2026-01

In plain English

FAR 52.204-23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab Covered Entities, is a contract clause prescribed at FAR 4.200, most recently dated Dec 2023. The complete official text is reproduced below, verbatim, from GSA's published FAR source files.

Its own text directs the contractor to include it in subcontracts — the exact mandate sentence is quoted in the flowdown section below.

Does it flow down to subcontracts?

Flows down — explicit mandate in the clause text

“The Contractor shall insert the substance of this clause, including this paragraph (d), in all subcontracts including subcontracts for the acquisition of commercial products or commercial services.”— FAR 52.204-23, paragraph (d), official text

Required in subcontracts by OTHER clauses

These clauses direct that FAR 52.204-23 be included in certain subcontracts:

“(e) (1) Notwithstanding the requirements of the clauses in paragraphs (a), (b), (c), and (d) of this clause, the Contractor is not required to flow down any FAR clause, other than those in this paragraph (e)(1), in a subcontract for commercial products or commercial services. … (iv) 52.204-23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab Covered Entities (Dec 2023) (Section 1634 of Pub.”FAR 52.212-5, Contract Terms and Conditions Required To Implement Statutes or Executive Orders—Commercial Products and Commercial Services
“(c) (1) The Contractor shall insert the following clauses in subcontracts for commercial products or commercial services: (i) 52.203-13, Contractor Code of Business Ethics and Conduct (Nov 2021) (41 U.S.C. 3509), if the subcontract exceeds the threshold specified in FAR 3.1004(a) on the date of subcontract award, and … … (vi) 52.204-23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab Covered Entities (Dec 2023) (Section 1634 of Pub.”FAR 52.244-6, Subcontracts for Commercial Products and Commercial Services

Where it's prescribed

As prescribed in 4.2004 , insert the following clause:

Prescribing reference: FAR 4.200.

The official text, verbatim

FAR 52.204-23 · Dec 2023 current through FAC 2026-01 acquisition.gov eCFR (48 CFR)

As prescribed in 4.2004 , insert the following clause:

Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab Covered Entities. (Dec 2023)

  • (a) Definitions. As used in this clause—

    Kaspersky Lab covered article means any hardware, software, or service that–

    • (1) Is developed or provided by a Kaspersky Lab covered entity;

    • (2) Includes any hardware, software, or service developed or provided in whole or in part by a Kaspersky Lab covered entity; or

    • (3) Contains components using any hardware or software developed in whole or in part by a Kaspersky Lab covered entity.

    Kaspersky Lab covered entity means–

    • (1) Kaspersky Lab;

    • (2) Any successor entity to Kaspersky Lab, including any change in name, e.g., “Kaspersky”;

    • (3) Any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or

    • (4) Any entity of which Kaspersky Lab has a majority ownership.

  • (b) Prohibition. Section 1634 of Division A of the National Defense Authorization Act for Fiscal Year 2018 (Pub. L. 115-91) prohibits Government use of any Kaspersky Lab covered article. The Contractor is prohibited from—

    • (1) Providing any Kaspersky Lab covered article that the Government will use on or after October 1, 2018; and

    • (2) Using any Kaspersky Lab covered article on or after October 1, 2018, in the development of data or deliverables first produced in the performance of the contract.

  • (c) Reporting requirement.

    • (1) In the event the Contractoridentifies a Kaspersky Lab covered article provided to the Government during contract performance, or the Contractor is notified of such by a subcontractor at any tier or any other source, the Contractor shall report, in writing, to the Contracting Officer or, in the case of the Department of Defense, to the website at https://dibnet.dod.mil. For indefinite delivery contracts, the Contractor shall report to the Contracting Officer for the indefinite delivery contract and the Contracting Officer(s) for any affected order or, in the case of the Department of Defense, identify both the indefinite delivery contract and any affected orders in the report provided at https://dibnet.dod.mil.

    • (2) The Contractor shall report the following information pursuant to paragraph (c)(1) of this clause:

      • (i) Within 3 business days from the date of such identification or notification: the contract number; the order number(s), if applicable; supplier name; brand; model number (Original Equipment Manufacturer (OEM) number, manufacturer part number, or wholesaler number); item description; and any readily available information about mitigation actions undertaken or recommended.

      • (ii) Within 10 business days of submitting the report pursuant to paragraph (c)(1) of this clause: any further available information about mitigation actions undertaken or recommended. In addition, the Contractor shall describe the efforts it undertook to prevent use or submission of a Kaspersky Lab covered article, any reasons that led to the use or submission of the Kaspersky Lab covered article, and any additional efforts that will be incorporated to prevent future use or submission of Kaspersky Lab covered articles.

  • (d) Subcontracts. The Contractor shall insert the substance of this clause, including this paragraph (d), in all subcontracts including subcontracts for the acquisition of commercial products or commercial services.

(End of clause)

The text above is reproduced from GSA's published FAR source files (GSA/GSA-Acquisition-FAR @ da52ccb (2026-03-30)), retrieved 2026-07-17. The official publication at acquisition.gov / eCFR controls if they differ.