In an effort to phase out what many in the security world believe are threats to the cybersecurity posture of governmental agencies and private entities alike, John Quinn, the Chief Information Officer of the State of Vermont, recently issued a memo to all state offices requesting that they determine whether any hardware or software manufactured by Kaspersky Lab (which has been linked by the U.S. government to the Russian government), Huawei or ZTE (both of which have been accused of spying on U.S. companies for the Chinese government) is being used in any state systems.
The memo asked agencies to review whether any products of these companies were being used, and if so, to remove them immediately or phase them out of use over the next 60-90 days.
According to Quinn, “[T]he federal cybersecurity and intelligence communities have documented evidence of the concerns regarding these products or telecommunications equipment and have used several mechanisms…to block their use within the federal technology community.” As such, Quinn’s Order immediately prohibits the renewal of any contracts with these companies and the use of any of their products.
The agencies are to provide Quinn’s office with a list of where the products are being used. They will have 30 days thereafter to provide a plan to phase out the prohibited products and replace them with approved products. The plans are to be updated every month until the banned products are completely eliminated.
According to Quinn, “[W]e believe we are the first state or one of the first to issue a directive like this.” We anticipate other states will follow Vermont’s lead.