- June 26, 2024 -


Welcome to the new Cyber Newsletter, a monthly publication from the Wisconsin Procurement Institute (WPI), Wisconsin's Apex Accelerator

If your organization needs assistance meeting Federal or Department of Defense cyber security requirements, contact Marc Violante, Director of Federal Market Strategies at, or Matt Frost, Government Contract Specialist at


Kaspersky Lab, Inc. Prohibition

In December 2023, FAR clause 52.204-23 was issued. This clause prohibited Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab Covered Entities.

On Thursday, June 20, 2024, the Department of Commerce’s Bureau of Industry & Security issued a Final Determination “prohibiting Kaspersky Lab, Inc. and its affiliates, subsidiaries, and parent companies (Kaspersky) from engaging in transactions involving the provision of certain cybersecurity and anti-virus products and services to U.S. persons. In accordance with this Final Determination, any resale of Kaspersky cybersecurity or anti-virus software, integration of Kaspersky cybersecurity or anti-virus software into other products and services, or licensing of Kaspersky cybersecurity or anti-virus software for purposes of resale or integration into other products or services, is prohibited in the United States or by U.S. persons.”

This determination affects both individuals and businesses.

The ruling gives users of products and services identified in Appendix B (see link below) until 12:00 AM EDT on September 29, 2024 to identify alternatives and cease using any prohibited products and/or services.

“In addition to this action, BIS added three entities—AO Kaspersky Lab and OOO Kaspersky Group (Russia), and Kaspersky Labs Limited (United Kingdom)—to the Entity List for their cooperation with Russian military and intelligence authorities in support of the Russian Government’s cyber intelligence objectives.”

Kaspersky Lab, Inc. Prohibition | Home

A non-exhaustive list of products and services covered by the Final Determination is available in the linked Appendix B.

How many System Security Plans (SSP) should you have? 

This is a question that companies need to address. Having one SSP may be sufficient if all work takes place at one location, but each company should evaluate whether having just one adequately addresses all the security environments where employees work.

Today business is not constrained to the main office. Work can be conducted on the road, at a conference, in the airport, at a hotel and at any number of other locations. Different locations often present different threats and security concerns. Developing one SSP which will cover all potential issues in all locations could be challenging. At a minimum, it is important to remind all employees who travel that all networks used while traveling (that is, while working outside of the main office) should be viewed as not trustworthy and that appropriate precautions should be taken. Additionally, employees should be aware that using a public computer to check/send email may create security threats and that even using charging stations/cords can be risky.

Chapter 3 of NIST 800-171 r2 states, “The system security plan describes: the system boundary; operational environment; how security requirements are implemented; and the relationships with or connections to other systems.”

When considering how many system security plans are needed, each company should first determine what information may be used, what the operational environment is, what the likely threats/risks are and what connections will be made.

After performing this minimum analysis, a company can determine how to proceed. One option is to create a system security plan for each potential environment and its threats. Another option is to create a master system security plan and incorporate annexes for each differing environment.

Whichever path a company decides is best, the goal is to proceed in a manner that protects and secures the necessary information.

CMMC and tunnel vision

Providing adequate security for Controlled Unclassified Information (CUI) is crucial for our national defense. Remembering that CUI is not the only type of information which a business may possess and needs to secure is also vital to achieving this goal.

For the last several years, the requirements of NIST 800-171 r2 have dominated conversations, webinars and outreach events almost to the exclusion of even mentioning other types of information and what is required to secure these other categories of information. Based upon outward appearances, companies appear to have tunnel vision.

In reviewing DFARS 252.204-7012 and FAR 52.204-21, companies should pause to review paragraphs such as paragraph (l) of DFARS 252.204-7012 or paragraph 2 of FAR 52.204-21.

Paragraph (l) of DFARS 252.204-7012, titled “Other safeguarding or reporting requirements,” addresses a company’s duty to protect all sensitive, controlled information. This paragraph states: “The safeguarding and cyber incident reporting required by this clause in no way abrogates the Contractor’s responsibility for other safeguarding or cyber incident reporting pertaining to its unclassified information systems as required by other applicable clauses of this contract, or as a result of other applicable U.S. Government statutory or regulatory requirements.”

Therefore, it is important to recognize that a Technical Data Plan for one part may need to be protected according to one or more program requirements, and that while NIST 800-171 r2/CMMC may be a solid starting point, it does not address all requirements.

Cyber Threats

Businesses must plan for a range of cyber threats. Most of the threats originate outside the company. These include hackers and individuals who purposely and actively attempt to evade a company’s security measures to access the network and information on the network or on devices connected to the network.

Businesses must also recognize and accept that insider threats are real and can create just as much havoc as threats originating from external sources. Insider threats are not limited to employees at the lower rungs of the organization. Don’t overlook this extremely important issue. Learn more by reviewing the information associated with the following article.

Employee discontent: Insider threat No. 1

CISOs who focus only on detection technology — and don’t engage with the human side of the security equation — are missing a key ingredient for insider risk management.

To read the complete article see:

Another threat that needs to be considered is external machines that connect to your network. External machines connecting to the network must also be vetted before they receive access credentials. Just because it is a machine that will be connecting doesn’t mean that the vetting process should be any less stringent.

The following article addresses several important considerations.

What are non-human identities and why do they matter?

Asking different questions may help to better your Cybersecurity Program

There is a saying that goes along the lines of: if you don’t like the answer to a question, ask a different question.

Cybersecurity is all about asking questions about the company’s program and capabilities to defend against a variety of cyber-attacks.

The following is a resource that lists 16 questions. Many of the topics and related questions will be familiar. However, the subtleties of how a question is presented may address the issue from a slightly different and new perspective. Looking at the issue from a new perspective may help to confirm that all is good, or may highlight a nuance that hadn’t previously been considered.


Prior issues of WPI’s Cybersecurity Newsletter have provided information on Tabletop Exercises and outlined general scenarios and approaches. The following article addresses this important aspect of evaluating the readiness and capabilities of a company’s program.

Tabletop Exercises

Upcoming Cybersecurity Training

The following are three upcoming webinars designed to assist members of the DIB to improve their cybersecurity programs and align their programs with the requirements necessary for successful completion of CMMC.

Technical Assistance is always available from WPI on this critical topic and all other topics related to government contracting.

To coordinate Technical Assistance please contact the main office at 414-270-3600.

The focus of this year’s series is Building a CMMC Ready Program.


Registration now available at

This series is intended as an information tool and resource for contract managers and those with a compliance function. 


Registration now available at

  • Be sure to follow WPI on social media (Facebook, LinkedIn, X) for regular updates on events, news and opportunities.
WPI 10437 Innovation Dr. Suite 320, Milwaukee, WI 53226 414-270-3600
Newsletter Editor: Doug Clemons, 