(1) The State Chief Information Officer shall adopt:

Ask a legal question, get an answer ASAP!
Click here to chat with a lawyer about your rights.

(a) Rules pertaining to the designation of a corporate entity as a covered vendor under ORS § 276A.340 (2)(g); and

(b) Policies and standards for state agencies to implement the provisions of ORS § 276A.342.

(2) The rules adopted under this section must include:

(a) The definition of ‘national security threat’ for purposes of protecting state information technology assets;

(b) Criteria and a process for determining when a corporate entity poses a national security threat; and

(c) Criteria and a process for determining when a corporate entity no longer poses a national security threat.

(3) The policies and standards adopted under this section must include:

(a) The procedures for providing state agencies, the Secretary of State and the State Treasurer notice that a corporate entity is designated or no longer designated a covered vendor under ORS § 276A.340 (2)(g);

(b) The time schedules for implementing the requirements under ORS § 276A.342 with regard to a corporate entity that is designated a covered vendor by the State Chief Information Officer; and

(c) The time schedules for incorporating the requirements under ORS § 276A.342 into a state agency’s information security plans, standards or measures. [2023 c.256 § 3]