(1) A covered product may not be:

Ask a legal question, get an answer ASAP!
Click here to chat with a lawyer about your rights.

(a) Installed or downloaded onto a state information technology asset; or

(b) Used or accessed by a state information technology asset.

(2) A state agency shall:

(a) Remove any covered product that is installed or downloaded onto a state information technology asset that is under the management or control of the state agency; and

(b) Implement all measures necessary to prevent the:

(A) Installation or download of a covered product onto a state information technology asset that is under the management or control of the state agency; or

(B) Use or access of a covered product by a state information technology asset that is under the management or control of the state agency.

(3)(a) Notwithstanding subsections (1) and (2) of this section, a state agency may, for investigatory, regulatory or law enforcement purposes, permit the:

(A) Installation or download of a covered product onto a state information technology asset; or

(B) Use or access of a covered product by a state information technology asset.

(b) A state agency that permits the installation, download, use or access of a covered product under this subsection shall adopt risk mitigation standards and procedures related to the installation, download, use or access of the covered product.

(4) The State Chief Information Officer shall coordinate with and oversee state agencies to implement the provisions of this section in accordance with the policies and standards adopted under ORS § 276A.344 (3). [2023 c.256 § 2]