Legislation
SECTION 163-E
Restriction on purchasing certain technology which poses a security threat
State Finance (STF) CHAPTER 56, ARTICLE 11
* § 163-e. Restriction on purchasing certain technology which poses a
security threat. 1. (a) Notwithstanding any inconsistent provision of
law, the state and any department, bureau, board, commission, authority,
and any other agency or instrumentality of the state shall not enter
into or renew any contract or agreement to procure information and
communications technology, including hardware, systems, devices,
software, or services that include embedded or incidental information
technology, which are prohibited from federal procurement pursuant to
section 889 of Public Law 115-232 of 2018.
(b) The term "information and communications technology" means:
(i) information technology, as defined in section 11101 of title 40;
(ii) information systems, as defined in 44 U.S.C. 3502; and
(iii) telecommunications equipment and telecommunications services, as
those terms are defined in section 3 of the Communications Act of 1934
(47 U.S.C. 153).
(c) The term "information and communications technology" shall not
include automated-decision making systems.
2. The chief information officer shall, in consultation with the
division of homeland security and emergency services and the office of
general services, establish and update regularly a list of restricted
information and communications technology. Technology on this list shall
not be procured by any state agency, state or local authority, or
political subdivision unless a waiver is issued pursuant to subdivision
three of this section or the chief information officer determines that
the technology shall only be restricted in limited circumstances.
The list shall:
(a) contain information and communications technologies that pose a
security risk to the state of New York or its political subdivisions. In
determining whether information and communications technology poses such
a risk, the chief information officer shall consult relevant federal
sources, including the department of defense inspector general report
no. DODIG-2019-106, as well as any other source that shall be determined
to be relevant;
(b) describe the scope of each restriction, such as whether it is
generally prohibited or prohibited in certain circumstances or from
certain entities;
(c) include an explanation as to why items were included on the list;
and
(d) be published online and communicated to all relevant procurement
officers in all state agencies, state authorities, and political
subdivisions.
3. The commissioner of homeland security and emergency services, the
commissioner of the office of general services, the adjutant general,
the chief information officer, the chief cyber officer, the chief
technology officer of the city of New York and any federal agency
authorized under section 889 of Public Law 115-232 of 2018, may provide
a waiver from this section if:
(a) any such entity determines the waiver is in the interests of the
state or political subdivision;
(b) no compliant product or service is available to be procured as,
and when, needed at United States market prices or a price that is not
considered prohibitively expensive; and
(c) such waiver could not reasonably be expected to compromise the
security or integrity of a computer network operated by an
instrumentality of the state.
4. Nothing in this section shall be construed:
(a) to require any information and communications technology resident
in equipment, systems, or services as of the day before the effective
date of this section to be removed or replaced;
(b) to prohibit or limit the utilization of such information and
communications technology throughout the lifecycle of such existing
equipment; or
(c) to require the recipient of a state contract, grant, loan, or loan
guarantee to replace information and communications technology resident
in equipment, systems, or services before the effective date of this
section.
* NB Effective December 19, 2028
security threat. 1. (a) Notwithstanding any inconsistent provision of
law, the state and any department, bureau, board, commission, authority,
and any other agency or instrumentality of the state shall not enter
into or renew any contract or agreement to procure information and
communications technology, including hardware, systems, devices,
software, or services that include embedded or incidental information
technology, which are prohibited from federal procurement pursuant to
section 889 of Public Law 115-232 of 2018.
(b) The term "information and communications technology" means:
(i) information technology, as defined in section 11101 of title 40;
(ii) information systems, as defined in 44 U.S.C. 3502; and
(iii) telecommunications equipment and telecommunications services, as
those terms are defined in section 3 of the Communications Act of 1934
(47 U.S.C. 153).
(c) The term "information and communications technology" shall not
include automated-decision making systems.
2. The chief information officer shall, in consultation with the
division of homeland security and emergency services and the office of
general services, establish and update regularly a list of restricted
information and communications technology. Technology on this list shall
not be procured by any state agency, state or local authority, or
political subdivision unless a waiver is issued pursuant to subdivision
three of this section or the chief information officer determines that
the technology shall only be restricted in limited circumstances.
The list shall:
(a) contain information and communications technologies that pose a
security risk to the state of New York or its political subdivisions. In
determining whether information and communications technology poses such
a risk, the chief information officer shall consult relevant federal
sources, including the department of defense inspector general report
no. DODIG-2019-106, as well as any other source that shall be determined
to be relevant;
(b) describe the scope of each restriction, such as whether it is
generally prohibited or prohibited in certain circumstances or from
certain entities;
(c) include an explanation as to why items were included on the list;
and
(d) be published online and communicated to all relevant procurement
officers in all state agencies, state authorities, and political
subdivisions.
3. The commissioner of homeland security and emergency services, the
commissioner of the office of general services, the adjutant general,
the chief information officer, the chief cyber officer, the chief
technology officer of the city of New York and any federal agency
authorized under section 889 of Public Law 115-232 of 2018, may provide
a waiver from this section if:
(a) any such entity determines the waiver is in the interests of the
state or political subdivision;
(b) no compliant product or service is available to be procured as,
and when, needed at United States market prices or a price that is not
considered prohibitively expensive; and
(c) such waiver could not reasonably be expected to compromise the
security or integrity of a computer network operated by an
instrumentality of the state.
4. Nothing in this section shall be construed:
(a) to require any information and communications technology resident
in equipment, systems, or services as of the day before the effective
date of this section to be removed or replaced;
(b) to prohibit or limit the utilization of such information and
communications technology throughout the lifecycle of such existing
equipment; or
(c) to require the recipient of a state contract, grant, loan, or loan
guarantee to replace information and communications technology resident
in equipment, systems, or services before the effective date of this
section.
* NB Effective December 19, 2028