
An official website of the State of Oregon


Covered Vendors in Oregon

The State Chief Information Officer (CIO) has responsibility for and authority over executive department information systems security in accordance with ORS 276A.300, including responsibility for taking all measures that are reasonably necessary to protect the availability, integrity or confidentiality of information systems or the information stored in information systems. 


OAR 128-020 establishes the criteria and processes by which the State CIO will determine when a corporate entity poses a national security threat, and when a corporate entity no longer poses a national security threat. These rules define “national security threat” for purposes of protecting state information technology assets. 

Subject to allowable investigatory, regulatory, or law enforcement exceptions, and all applicable policies and procedures, no covered products of a corporate entity listed as a covered vendor on the list maintained under this rule may be installed or downloaded onto a state information technology asset that is under the management or control of a state agency, or used or accessed by a state information technology asset.


Definitions

In accordance with OAR 128-020, definitions are as follows:

Corporate entity: Any type of organization or legal entity other than an individual natural person, such as a corporation, partnership, limited liability company, or other organization, whether incorporated or unincorporated.

Agency leadership: State agency Chief Information Officers, and state agency directors for those state agencies without a Chief Information Officer.

Covered product: Any form of hardware, software or service provided by a covered vendor.

Covered vendor: Any of the following corporate entities, or any parent, subsidiary, affiliate, or successor entity of the following corporate entities:

  • Entities defined in Oregon Laws Chapter 256 Section 1(2)/OAR 128-020;
  • Any other corporate entity designated by the State Chief Information Officer as a covered vendor because it is a national security threat (see designations below); and
  • Any corporate entity that has been prohibited or had its products or services prohibited from use by a federal agency pursuant to the Secure and Trusted Communications Networks Act of 2019, 47 USC 1601, et seq., including as amended. (Please see the federal covered list for more information.)

National security threat: For purposes of protecting state information technology assets, a corporate entity that has been designated as a covered vendor because its covered product(s) pose(s) an unacceptable risk of harm to the operations of government, business entities, or the economy, or an unacceptable risk of harm to the rights and privacy of individuals, because of its engagement in a pattern or serious instance(s) of conduct significantly adverse to the security of federal or state infrastructure, government operations or systems, public and private institutions, law enforcement or military intelligence, individuals’ personal information, or other sensitive or protected information.

State agency: Any board, commission, department, division, office, or other entity of state government, as defined in ORS 174.111, except that state government does not include the Secretary of State or State Treasurer.

State information technology asset: Any form of hardware, software or service for data processing, office automation, or telecommunications that is used directly by a state agency or used to a significant extent by a contractor in the performance of a contract with a state agency.




Covered Vendor Policy and Procedures

Additionally, see the Covered Products and Vendors policy (107-004-155) and related procedures on the DAS policy site for time-based requirements and process. The policy requires the implementation of protective measures within 30 days, and the establishment of comprehensive organizational policies within 120 days.


Covered Vendor Designations

Below are the current and historical designations of entities that have been deemed Covered Vendors by the State CIO in accordance with OAR 128-020.