Full Report
The Australian Department of Home Affairs has mandated that government entities must prevent the installation of products and... The post Australia bans Kaspersky Lab products on government systems to mitigate cybersecurity risks appeared first on Industrial Cyber.
Analysis Summary
# Regulation/Compliance: Australian Government Directive on Kaspersky Lab Products
## Overview
This is a mandatory directive issued by the Australian Department of Home Affairs, specifically under the Protective Security Policy Framework (PSPF), requiring Australian Government entities to remove all Kaspersky Lab products and web services from their systems and prevent any future installation. The action is based on a risk analysis determining that the use of Kaspersky products poses an unacceptable security risk due to threats of foreign interference, espionage, and sabotage.
## Key Details
- Issuing Authority: Australian Department of Home Affairs (Secretary of the Department)
- Effective Date: Directive issued "last week" (relative to the article date of Feb 26, 2025). The removal deadline is April 1, 2025.
- Jurisdiction: Australian Commonwealth entities.
- Status: Final and In Effect (Directive issued).
## Requirements
### Mandatory Requirements
1. **Identification and Removal:** All non-corporate Commonwealth entities must identify and remove all existing instances of Kaspersky Lab products and web services on Australian government systems and devices by April 1, 2025.
2. **Prohibition of Installation:** Entities must prevent the installation of Kaspersky Lab products and web services on Australian government systems and devices henceforth.
3. **Reporting:** Entities must report the completion of these removal and prevention requirements to the Department.
### Recommended Practices
1. Entities are strongly advised to consider this policy signal when managing risks related to technology supplied by vendors potentially subject to extrajudicial directions from foreign governments, especially concerning data collection practices.
## Affected Organizations
- Industries: All sectors using Australian Government systems, with particular attention noted for **Critical Infrastructure** and other Australian governments.
- Organization Size: Non-corporate Commonwealth entities are specifically named.
- Geographic Scope: Australia.
## Compliance Timeline
- **"Last week" (relative to the article date of Feb 26, 2025):** Directive issued by the Secretary of Home Affairs.
- **April 1, 2025:** Final deadline for all non-corporate Commonwealth entities to complete identification, removal, and prevention measures.
## Implementation Guidance
### Assessment Phase
- Conduct a comprehensive audit across all government systems and devices (hardware and software) to identify all installed Kaspersky Lab products and web service dependencies.
### Implementation Phase
- Develop and execute a documented remediation plan for the complete decommissioning and removal of all identified Kaspersky instances.
- Update procurement and configuration management policies to explicitly block future installation or use of Kaspersky products.
### Validation Phase
- Obtain confirmation or artifacts proving the complete removal of the software.
- Report completion status to the Department of Home Affairs as required.
## Technical Requirements
The requirement is the absolute **removal and prevention of installation** of Kaspersky Lab Inc. products and web services on systems and devices managed by Australian Government entities. The underlying concern relates to significant user data collection and potential exposure to foreign government extrajudicial directions.
## Penalties & Enforcement
The article does not specify explicit financial fines or penalties for non-compliance, as this is a directive under the PSPF.
- Fines: *Not specified in the provided text.*
- Other Consequences: Formal breach of the Protective Security Policy Framework (PSPF), potentially leading to sanctions, adverse findings during audits, or loss of necessary credentials/approvals for system operation.
- Enforcement: Enforcement is implied through the authority of the Secretary of the Department of Home Affairs issuing a formal "direction" under the PSPF.
## Related Standards
- **Protective Security Policy Framework (PSPF):** This directive is issued under the authority of this framework, making compliance mandatory for Commonwealth entities' security posture.
## Resources
- Official Documentation: The directive was published on the protective security website (link provided in the article text: `https://www.protectivesecurity.gov.au/news/pspf-direction-update-kaspersky-lab-inc-products-and-web-services`).
- Guidance Documents: Entities should refer to associated PSPF guidance regarding software assurance and supply chain risk management.
- Tools: Standard IT asset management and patch management tools will be required for identification and remote removal.
## Practical Recommendations
1. **Immediate Inventory:** Prioritize the inventory of all endpoints, servers, and critical infrastructure components where Kaspersky may be running.
2. **Data Backup & Restoration Plan:** Before removal, ensure all necessary data associated with systems running the software is securely backed up, as removal processes can sometimes impact system stability.
3. **Vendor Replacement Strategy:** Securely replace Kaspersky functionality with approved, trusted security solutions well ahead of the April 1, 2025 deadline to avoid operational gaps, especially in OT environments.
4. **Documentation:** Ensure all steps taken (identification, removal logs, reporting submission) are meticulously documented for audit purposes.