Prohibited Hardware and Software
Summary
CivicActions has established a list of hardware and software that is prohibited from use in CivicActions activities in order to comply with requirements for work on federal contracts.
Requirements
The following hardware and software is prohibited from use based on FAR requirements:
- FAR 52.204-23 - Prohibition of hardware, software, and services provided by Kaspersky Lab; Kaspersky is primarily known for making antivirus software.
- FAR 52.204-24 - Prohibition of telecommunications (such as mobile phones) and video surveillance services or equipment manufactured by:
  - Huawei Technologies Company
  - ZTE Corporation
  - Hytera Communications
  - Hangzhou Hikvision Digital Technology Company
  - Dahua Technology Company
  - Any subsidiary or affiliate
- FAR 52.204-27 - Prohibition of ByteDance applications, including the social-media service and application TikTok.
Policy
- CivicActions employees will not use any hardware or software listed in the requirements section for any CivicActions activities or to access CivicActions resources such as CivicActions email, Slack, GitHub, GitLab, or client project resources. Specifically, this includes:
  - Installing Kaspersky antivirus software on devices used for CivicActions activities
  - Using Huawei or ZTE mobile devices to access CivicActions resources
  - Using camera systems branded as Hikvision, Dahua, or Hytera on the same network as devices used to access CivicActions resources
  - Installing or accessing TikTok on devices (including mobile devices such as cell phones) used for CivicActions activities or accessing CivicActions resources
- An exception is made for personal devices that are not used for CivicActions activities but may be used for two-factor authentication, such as by phone call or SMS code. These devices should not have any access to CivicActions and/or client resources.
- If prohibited hardware or software is discovered being used for CivicActions activities, CivicActions will follow each individual FAR reporting requirement and, if appropriate, follow the CivicActions sanction policy to address the finding.
- As part of the CivicActions onboarding process, and periodically thereafter, all CivicActions employees must complete the Security Questionnaire to document the current state of compliance with the requirements and to address any gaps in compliance.