
Vermont’s Agency of Digital Services is prohibiting state offices from using technology created by some Russian and Chinese firms with close ties to the governments in those countries, citing what it says is a data security risk.
In a pair of memos sent out to state agencies on Tuesday, Digital Services Secretary John Quinn requested that agencies take stock of their own technology use, and that of vendors, within the next month and then set in motion a plan to stop using that technology within 90 days.
“The ever-evolving nature of cyber threats has continued to prove that the State of Vermont and the valuable data that we hold for our citizens is a priority target for cyber criminals and hackers alike,” Quinn writes in explaining the order.
The directive, first reported on by the Burlington Free Press, targets products or services from Russian anti-virus company Kaspersky and Chinese companies Huawei, ZTE Corp., Hytera, Hangzhou Hikvision and Dahua.
Quinn points to the conclusion by the U.S. intelligence community regarding the risk posed by these companies, mostly because of the ability of the governments in their countries to request information or intercept communications from their customers, potentially acting as “espionage platforms against the United States and allies.”
In an email Wednesday, Quinn said it was unclear how much state agencies currently rely on technology made by these companies.
“We do not expect to find any large deployments of the equipment/software listed in the directive, but this ban is part of our approach to mitigating our cybersecurity risk,” he wrote. “It’s important to understand whether or not we, and our IT vendors use these technologies.”
The memos lay out a monthly timeline to get rid of the newly prohibited software.
Within 30 days of Feb. 19, agencies must identify telecommunications equipment covered by the prohibition, and report back to Vermont’s chief information security officer, Nicholas Andersen.
Within 60 days, agency IT leaders must report to the CISO with any additional information since the first report, along with a rundown of the impact, relevant contracts, removal timeline, proposed replacement products, estimated time and associated costs.
Within 90 days, agencies must put their plans to replace equipment into action and report back every 30 days on their progress. Agencies must not purchase new products or enter into new contracts using prohibited technology, unless they receive a waiver from ADS.
