(1) The State Chief Information Officer shall adopt:
(a) Rules pertaining to the designation of a corporate entity as a covered vendor under ORS 276A.340 (2)(g); and
(b) Policies and standards for state agencies to implement the provisions of ORS 276A.342.
(2) The rules adopted under this section must include:
(a) The definition of 'national security threat' for purposes of protecting state information technology assets;
(b) Criteria and a process for determining when a corporate entity poses a national security threat; and
(c) Criteria and a process for determining when a corporate entity no longer poses a national security threat.
(3) The policies and standards adopted under this section must include:
(a) The procedures for providing state agencies, the Secretary of State and the State Treasurer notice that a corporate entity is designated or no longer designated a covered vendor under ORS 276A.340 (2)(g);
(b) The time schedules for implementing the requirements under ORS 276A.342 with regard to a corporate entity that is designated a covered vendor by the State Chief Information Officer; and
(c) The time schedules for incorporating the requirements under ORS 276A.342 into a state agency’s information security plans, standards or measures. [2023 c.256 §3]
Oregon Legal Code