Written by Patrick Howell O'Neill and Greg Otto

The recent order to remove Kaspersky Lab products from federal networks commands almost every government agency to act within the next 90 days, while also carving out a big hole for the Department of Defense and the U.S. intelligence community which are unaffected by the DHS action.

The directive, which will be published in the Federal Register on Tuesday, lays out exactly which products are banned and which are exempt.

The binding operational directive obtained by CyberScoop “does not address Kaspersky code embedded in the products of other companies.”

That could potentially refer to Kaspersky products being used in other companies’ products, which are used widely across Pentagon and civilian agencies. Kaspersky is a multi-national company with a wide array of products, with many agencies harnessing tech that uses Kaspersky Cloud Security for enterprise.

It’s not yet clear how many machines the directive will impact, but DHS should know within the next 30 days when agencies are required to submit a report outlining the full list of Kaspersky-branded products found on agency information systems, how many endpoints are impacted and the methodologies used to find the products.

In 60 days, agencies are told to submit a report outlining a plan of action and in 90 days the removal will begin.

Although DHS binding operational directives don’t apply to “National Security Systems” or some systems operated by the DOD and U.S. intelligence community, a draft of the 2018 National Defense Authorization Act prohibits the DOD to use of any software developed, in whole or in part, by Kaspersky Lab by Oct. 1, 2018.

The full list of Kaspersky products banned by the DHS directive are:

Kaspersky Anti-Virus

Kaspersky Internet Security

Kaspersky Total Security

Kaspersky Small Office Security

Kaspersky Anti Targeted Attack

Kaspersky Endpoint Security

Kaspersky Cloud Security (Enterprise)

Kaspersky Cybersecurity Services

Kaspersky Private Security Network

Kaspersky Embedded Systems Security

You can read the full directive below:

Greg Otto contributed to this report.