Legislation
SECTION 163-E
Restriction on purchasing certain technology which poses a security threat
State Finance (STF) CHAPTER 56, ARTICLE 11
* § 163-e. Restriction on purchasing certain technology which poses a
security threat. 1. (a) Notwithstanding any inconsistent provision of
law, the state and any department, bureau, board, commission, authority,
and any other agency or instrumentality of the state shall not enter
into or renew any contract or agreement to procure technology, including
hardware, systems, devices, software, or services that include embedded
or incidental information technology, which are prohibited from federal
procurement pursuant to section 889 of Public Law 115-232 of 2018.
(b) The term "technology" shall have the same meaning as such term is
defined in subdivision ten of section one hundred sixty of this article.
2. The office of information technology services shall, in
consultation with the division of homeland security and emergency
services and the office of general services, establish and update
regularly a list of restricted technology. Technology on this list shall
not be procured by any state agency, state or local authority, or
political subdivision unless a waiver is issued pursuant to subdivision
three of this section or the office of information technology services
determines that the technology shall only be restricted in limited
circumstances.
The list shall:
(a) contain technologies that pose a security risk to the state of New
York or its political subdivisions. In determining whether technology
poses such a risk, the office of information technology services shall
consult relevant federal sources, including the department of defense
inspector general report no. DODIG-2019-106, as well as any other source
that shall be determined to be relevant; and
(b) be published online and communicated to all relevant procurement
officers in all state agencies, state authorities, and political
subdivisions.
3. The office of information technology services, in collaboration
with the division of homeland security and emergency services, the
office of general services, the division of military and naval affairs,
and the chief cyber officer, may provide a waiver from this section if:
(a) any such entity determines the waiver is in the interests of the
state or political subdivision;
(b) no compliant product or service is available to be procured as,
and when, needed at United States market prices or a price that is not
considered prohibitively expensive; and
(c) such waiver could not reasonably be expected to compromise the
security or integrity of a computer network operated by an
instrumentality of the state.
(d) Any state agency, state or local authority, or political
subdivision seeking a waiver from any federal agency authorized under
section 889 of Public Law 115-232 of 2018 must provide notice of any
such waiver granted to the office of information technology services
within thirty days of waiver approval.
4. An unmanned aerial vehicle or other equipment or service relating
to the operation of an unmanned aerial vehicle from a business or entity
that would otherwise be subject to restriction under subdivision one or
two of this section must be exempt from such restriction if:
(a) any photograph, image, recording or other information collected by
the state agency, state or local authority, or political subdivision
from the operation of the unmanned aerial vehicle or other equipment or
service relating to the operation of the unmanned aerial vehicle:
(i) is stored and maintained exclusively within the United States; and
(ii) is not accessible to the business or entity that would otherwise
be subject to restriction; or
(iii) is operated using software developed and maintained in the
United States.
(b) the provisions of this subdivision shall not be construed to
discourage the purchase or acquisition of any unmanned aerial vehicle or
other equipment or service relating to the operation of an unmanned
aerial vehicle that is manufactured in the United States.
5. Nothing in this section shall be construed:
(a) to require any technology resident in equipment, systems, or
services as of the day before the effective date of this section to be
removed or replaced;
(b) to prohibit or limit the utilization of such technology throughout
the lifecycle of such existing equipment; or
(c) to require the recipient of a state contract, grant, loan, or loan
guarantee to replace technology resident in equipment, systems, or
services before the effective date of this section.
* NB Effective December 19, 2027
security threat. 1. (a) Notwithstanding any inconsistent provision of
law, the state and any department, bureau, board, commission, authority,
and any other agency or instrumentality of the state shall not enter
into or renew any contract or agreement to procure technology, including
hardware, systems, devices, software, or services that include embedded
or incidental information technology, which are prohibited from federal
procurement pursuant to section 889 of Public Law 115-232 of 2018.
(b) The term "technology" shall have the same meaning as such term is
defined in subdivision ten of section one hundred sixty of this article.
2. The office of information technology services shall, in
consultation with the division of homeland security and emergency
services and the office of general services, establish and update
regularly a list of restricted technology. Technology on this list shall
not be procured by any state agency, state or local authority, or
political subdivision unless a waiver is issued pursuant to subdivision
three of this section or the office of information technology services
determines that the technology shall only be restricted in limited
circumstances.
The list shall:
(a) contain technologies that pose a security risk to the state of New
York or its political subdivisions. In determining whether technology
poses such a risk, the office of information technology services shall
consult relevant federal sources, including the department of defense
inspector general report no. DODIG-2019-106, as well as any other source
that shall be determined to be relevant; and
(b) be published online and communicated to all relevant procurement
officers in all state agencies, state authorities, and political
subdivisions.
3. The office of information technology services, in collaboration
with the division of homeland security and emergency services, the
office of general services, the division of military and naval affairs,
and the chief cyber officer, may provide a waiver from this section if:
(a) any such entity determines the waiver is in the interests of the
state or political subdivision;
(b) no compliant product or service is available to be procured as,
and when, needed at United States market prices or a price that is not
considered prohibitively expensive; and
(c) such waiver could not reasonably be expected to compromise the
security or integrity of a computer network operated by an
instrumentality of the state.
(d) Any state agency, state or local authority, or political
subdivision seeking a waiver from any federal agency authorized under
section 889 of Public Law 115-232 of 2018 must provide notice of any
such waiver granted to the office of information technology services
within thirty days of waiver approval.
4. An unmanned aerial vehicle or other equipment or service relating
to the operation of an unmanned aerial vehicle from a business or entity
that would otherwise be subject to restriction under subdivision one or
two of this section must be exempt from such restriction if:
(a) any photograph, image, recording or other information collected by
the state agency, state or local authority, or political subdivision
from the operation of the unmanned aerial vehicle or other equipment or
service relating to the operation of the unmanned aerial vehicle:
(i) is stored and maintained exclusively within the United States; and
(ii) is not accessible to the business or entity that would otherwise
be subject to restriction; or
(iii) is operated using software developed and maintained in the
United States.
(b) the provisions of this subdivision shall not be construed to
discourage the purchase or acquisition of any unmanned aerial vehicle or
other equipment or service relating to the operation of an unmanned
aerial vehicle that is manufactured in the United States.
5. Nothing in this section shall be construed:
(a) to require any technology resident in equipment, systems, or
services as of the day before the effective date of this section to be
removed or replaced;
(b) to prohibit or limit the utilization of such technology throughout
the lifecycle of such existing equipment; or
(c) to require the recipient of a state contract, grant, loan, or loan
guarantee to replace technology resident in equipment, systems, or
services before the effective date of this section.
* NB Effective December 19, 2027