Federal agencies largely are complying with White House orders to remove Kaspersky Labs anti-virus software from government networks, according to a top Homeland Security Department official.

After a binding operational directive was issued earlier this year to remove the Russian-backed software products from federal networks amid security worries, roughly 96 of 102 agencies have done so, DHS Assistant Secretary for Cybersecurity and Communications Jeanette Manfra told the House Science, Space and Technology Committee’s oversight subcommittee on Nov. 14.

She would not name the six non-compliant agencies, citing concerns that it would expose potential vulnerabilities and harm the relationship between DHS and those agencies. She said DHS is working with the six agencies to identify potential Kaspersky presence on their networks, and would work with the Office of Management and Budget if necessary to determine the appropriate response.

“These are very small agencies, some with only six to 10 people, that do not currently have the resources and we are working with them to identify” solutions, Manfra said.

While lawmakers in the hearing pressed officials to determine who exactly was responsible for Kaspersky products ending up on federal systems, the officials said it wasn’t so easy to pinpoint.

“The government has been aware of increasing concerns [about] Kaspersky…the agencies with that information did engage other agencies with procurement responsibilities,” Manfra said, noting that supply chain risk management processes in the federal government badly need to be modernized. “In the end it is the responsibility of each of the agency heads to determine the way forward in risk management strategy, including in the supply chain.”

Agencies originally were given 30 days to identify whether Kaspersky software was on their networks and 90 days to get rid of it. Manfra said there is “no conclusive evidence” that any breaches have occurred as a result of the use of Kaspersky products, though 15 percent of agencies did find Kaspersky software on their systems.

It is safe to say that none of the agencies was the Defense Department, where Kaspersky products were not approved for use after intelligence indicated potential risks, according to Essye Miller, DoD deputy CIO for cybersecurity and chief information security officer.

The biggest concern, Miller and Manfra agreed, is that outside vendors bundle products and offerings together in providing contracted services – meaning federal agencies don’t always know what’s being used on their networks. The resulting supply chain security concerns underscore the serious need for risk management strategies, the officials said.

“We have a responsibility to work with vendors to ensure there are risk management processes in place to ensure [what they’re bringing into the supply chain is secure]…and avoid risk introduced by industry partners,” Miller said, adding that DoD is communicating with the defense industrial base to get across the security concerns. “We’re working with our unclassified vendors through the [Defense Federal Acquisition Regulation supplement] to help them not only understand the risk, but understand the products they’re using and their responsibility to protect government information and the government network.”