Policies and standards; national security threat; rules. (1) The State Chief Information Officer shall adopt

ORS 276A.344 — under Chapter 276A.

ORS 276A.344

(a) Rules pertaining to the designation of a corporate entity as a covered vendor under ORS 276A.340 (3)(g); and

(b) Policies and standards for state agencies to implement the provisions of ORS 276A.342.

(2) The rules adopted under this section must include:

(a) The definition of “national security threat” for purposes of protecting state information technology assets;

(b) Criteria and a process for determining when a corporate entity poses a national security threat; and

(c) Criteria and a process for determining when a corporate entity no longer poses a national security threat.

(3) The policies and standards adopted under this section must include:

(a) The procedures for providing state agencies, the Secretary of State and the State Treasurer notice that a corporate entity is designated or no longer designated a covered vendor under ORS 276A.340 (3)(g);

(b) The time schedules for implementing the requirements under ORS 276A.342 with regard to a corporate entity that is designated a covered vendor by the State Chief Information Officer; and

(c) The time schedules for incorporating the requirements under ORS 276A.342 into a state agency’s information security plans, standards or measures. [2023 c.256 §3; 2025 c.396 §2]