Statutes, codes, and regulations
Oregon Revised Statutes
Title 26 - PUBLIC FACILITIES, CONTRACTING AND INSURANCEChapter 276A - INFORMATION TECHNOLOGY
USE OF COVERED PRODUCTS ON STATE INFORMATION TECHNOLOGY ASSETS
Section 276A.348 - State Treasurer prohibited from using covered products; risk mitigation; exceptions

ORS § 276A.348

Download
PDF
Current through 2024 Regular Session legislation effective June 6, 2024
Section 276A.348 - State Treasurer prohibited from using covered products; risk mitigation; exceptions
(1) As used in this section:
(a) "Covered product" means any form of hardware, software or service provided by a covered vendor.
(b) "Covered vendor" means any of the following corporate entities, or any parent, subsidiary, affiliate or successor entity of the following corporate entities:
(A) Ant Group Co., Limited.
(B) ByteDance Limited.
(C) Huawei Technologies Company Limited.
(D) Kaspersky Lab.
(E) Tencent Holdings Limited.
(F) ZTE Corporation.
(c) "State information technology asset" means any form of hardware, software or service for data processing, office automation or telecommunications used directly by the office of the State Treasurer or used to a significant extent by a contractor in the performance of a contract with the office of the State Treasurer.
(2) Except as provided in subsection (4) of this section, the State Treasurer shall:
(a) Prohibit a covered product from being:
(A) Installed or downloaded onto a state information technology asset; or
(B) Used or accessed by a state information technology asset;
(b) Remove any covered product that is installed or downloaded onto a state information technology asset; and
(c) Implement all measures necessary to prevent the:
(A) Installation or download of a covered product onto a state information technology asset; or
(B) Use or access of a covered product by a state information technology asset.
(3) For any corporate entity that the State Chief Information Officer designates as a covered vendor under ORS 276A.344, the State Treasurer may:
(a) Prohibit a covered product from being:
(A) Installed or downloaded onto a state information technology asset; or
(B) Used or accessed by a state information technology asset;
(b) Remove any covered product that is installed or downloaded onto a state information technology asset; and
(c) Implement all measures necessary to prevent the:
(A) Installation or download of a covered product onto a state information technology asset; or
(B) Use or access of a covered product by a state information technology asset.
(4) If the State Treasurer adopts risk mitigation standards and procedures related to the installation, download, use or access of a covered product, the State Treasurer may, for investigatory, regulatory or law enforcement purposes, permit the:
(a) Installation or download of the covered product onto a state information technology asset; or
(b) Use or access of the covered product by a state information technology asset.

ORS 276A.348

Added by 2023 Ch. 256, § 5