Chapter 276A — Information Technology

2023 EDITION

INFORMATION TECHNOLOGY

PUBLIC FACILITIES, CONTRACTING & INSURANCE

OFFICE OF ENTERPRISE INFORMATION SERVICES

(State Chief Information Officer)

276A.200  Legislative findings on information resources

276A.203  State Chief Information Officer; qualifications; duties; Enterprise Information Resources Management Strategy; rules

276A.206  Oversight of state information and telecommunications technology by State Chief Information Officer; policy; rules; application for designation as community of interest

276A.209  State Information Technology Operating Fund

(Technical Services and Information Technology Management)

276A.223  Requirement that state agency or public corporation obtain quality management services when implementing information technology initiative; reports; exceptions

276A.230  Definitions

276A.233  Information technology portfolio-based management; inventory; standards; rules; exception

276A.236  Enterprise information resources management; adoption and implementation of strategy; state agency information technology initiatives costing more than $1 million

276A.239  Portfolio-based management of information technology resources for Secretary of State

276A.242  Portfolio-based management of information technology resources for State Treasurer

(Oregon Transparency Website)

276A.250  Definitions

276A.253  Oregon transparency website

276A.256  Reports of tax expenditures connected to economic development

276A.259  Transparency Oregon Advisory Commission; members; duties; terms; reports

276A.262  Transparency Oregon Advisory Commission Fund

(Electronic Government Portal)

276A.270  Definitions

276A.273  Electronic Government Portal Advisory Board

276A.276  Ability to offer government services through portal; portal provider fee; rules

INFORMATION SECURITY

276A.300  Information systems security in executive department; rules

276A.303  Information systems security for Secretary of State, State Treasurer and Attorney General

276A.306  Information security incidents and assessments; reports

276A.323  State agency coordination

276A.332  Authority of State Chief Information Officer to enter into agreements

276A.335  Moneys from federal government and other sources

USE OF COVERED PRODUCTS ON STATE INFORMATION TECHNOLOGY ASSETS

276A.340  Definitions

276A.342  State agencies prohibited from using covered products; risk mitigation; exceptions

276A.344  Policies and standards; national security threat; rules

276A.346  Secretary of State prohibited from using covered products; risk mitigation; exceptions

276A.348  State Treasurer prohibited from using covered products; risk mitigation; exceptions

OPEN DATA STANDARD

276A.350  Definitions

276A.353  Chief Data Officer; duties; rules

276A.356  Open data standard

276A.359  Technical standards manual

276A.362  Release of publishable data on web portal; exemptions; rules

276A.365  Information management by state agencies

276A.368  Purpose of data; limitation of liability; publishable data in public domain

276A.371  Obligations of state agency under public records law

276A.374  Application to Secretary of State and State Treasurer; rules

TELECOMMUNICATIONS AND BROADBAND INTERNET ACCESS SERVICES

276A.400  Policy

276A.403  Coordination of telecommunications systems

276A.406  Acquisition of broadband and communications services

276A.409  Use of agency travel and transportation funds for telecommunications services

276A.412  Contracts for telecommunications equipment and services not to exceed 10 years; exception for broadband infrastructure; contract benefits for designated communities of interest

276A.415  Agreements to fund or acquire telecommunications equipment and services

276A.418  Public contracts for broadband Internet access service; prohibitions; exceptions; rules

276A.421  Provision of broadband services that compete with services of private telecommunications provider; circumstances of competition; broadband services advisory committee; rules

276A.424  Connecting Oregon Schools Fund; rules

OREGON GEOGRAPHIC INFORMATION COUNCIL

276A.500  Definitions

276A.503  Oregon Geographic Information Council; establishment; purposes; membership; terms of office

276A.506  Powers of council; advisory committees

276A.509  Public body duty to share geospatial framework data with council; conditions and exceptions; methods for sharing; limitations of liability

276A.512  Oregon Geographic Information Council Fund; records and reports

276A.515  State geographic information officer; qualifications; duties

OREGON CYBERSECURITY CENTER OF EXCELLENCE

276A.550  Definitions

276A.555  Oregon Cybersecurity Center of Excellence; purpose; operating agreement; strategic plan; biennial report

276A.560  Oregon Cybersecurity Advisory Council

276A.565  Oregon Cybersecurity Center of Excellence Operating Fund; biennial report

276A.570  Oregon Cybersecurity Workforce Development Fund; biennial report

276A.575  Oregon Cybersecurity Grant Program Fund; standards and requirements; biennial report

OFFICE OF ENTERPRISE INFORMATION SERVICES

(State Chief Information Officer)

      276A.200 Legislative findings on information resources. The Legislative Assembly finds and declares that:

      (1) Information is a strategic asset of the state that must be managed as a valuable state resource.

      (2) The expanding need, use and importance of information resources in this state require strong and effective management by both individual agencies and the state as a whole.

      (3) The state must establish management procedures to ensure a framework for the review, improvement, integration, development, security and use of information resources. Principal objectives for information resources management are improved productivity of state workers, better public access to public information, increased effectiveness in the delivery of services provided by the various agencies and enhancing development of the telecommunication infrastructure available to the public.

      (4) Effective information resources management requires:

      (a) An Enterprise Information Resources Management Strategy, including management and technical policy, that is developed, maintained or updated each biennium;

      (b) Comprehensive planning of the design, acquisition, security and use of information resources;

      (c) The operation of communications systems and information resources that respond to the management information needs of agencies and programs; and

      (d) Consideration of the impact of information resources management activities on the development and vitality of telecommunications infrastructure available to the public.

      (5) Although each agency is responsible for the agency’s information resources, centralized information resource management must also exist to:

      (a) Provide statewide rules and standards;

      (b) Monitor and ensure compliance with those rules and standards;

      (c) Provide management and technical assistance; and

      (d) Ensure that the information resources management needs of state government and state government programs are addressed along with the needs of the individual agencies. [Formerly 291.037]

      276A.203 State Chief Information Officer; qualifications; duties; Enterprise Information Resources Management Strategy; rules. (1) The office of Enterprise Information Services is established in the Oregon Department of Administrative Services. The office shall be managed by the State Chief Information Officer. The office shall direct, coordinate and oversee state information technology and telecommunications in accordance with ORS 276A.206 and other statutes, rules and policies that govern the state’s or state agencies’ budgeting, planning, acquiring, managing, overseeing and using telecommunications and information technology.

      (2) The Governor shall appoint the State Chief Information Officer, who serves at the pleasure of the Governor. The State Chief Information Officer may adopt rules in accordance with ORS chapter 183 to exercise and carry out the duties, functions and powers committed to the State Chief Information Officer under ORS 276A.206 and other statutes, rules or policies that commit functions to the State Chief Information Officer.

      (3) The State Chief Information Officer must be a person who, by training and experience, is well qualified to:

      (a) Perform the duties that the Governor specifies; and

      (b) Carry out the functions specified in ORS 276A.206 and in other statutes, rules or policies that commit functions to the State Chief Information Officer.

      (4)(a) The State Chief Information Officer shall:

      (A) Serve as the Governor’s chief advisor concerning information resources, information technology, information systems, geographic information systems, information systems security and telecommunications.

      (B) Implement and maintain an information technology governance program for the executive department.

      (C) Adopt rules, policies and standards for budgeting, planning, acquiring, installing, operating and overseeing telecommunications and information technology for the executive department.

      (D) Review and make recommendations to the Governor and the Legislative Assembly concerning state agency information technology budget requests.

      (E) Adopt plans, rules, policies and standards for the executive department concerning geographic information systems and geographic data.

      (F) Adopt state information systems security plans, rules, policies and standards for the executive department.

      (G) Assess state agencies each biennium to evaluate compliance with the State Chief Information Officer’s rules, policies and standards and provide results of the assessments to the Governor and to the Joint Legislative Committee on Information Management and Technology.

      (H) Develop and promote training programs in information technology, information systems security, geographic information systems, enterprise architecture and project and portfolio management.

      (I) Enhance sharing and coordination among federal, tribal, regional, state government and local government entities in this state with respect to geographic information systems and geographic data.

      (J) Oversee information technology and telecommunications procurements as provided in ORS 279A.050 (7).

      (K) Conduct a market analysis each biennium to determine whether the state data center is the most effective and efficient method for providing information technology and information resources to state agencies and other users. In conducting the market analysis, the State Chief Information Officer shall consider best practices and trends among federal, state and local government entities and the extent to which new or emerging technologies affect how the state provides information technology and information resources. The State Chief Information Officer shall provide the results of the analysis to the Governor and to the Joint Legislative Committee on Information Management and Technology and may recommend changes in the information technology and information resources that the state data center provides or in methods that the state data center uses to provide information technology and information resources.

      (L) Identify information technology services that the State Chief Information Officer recommends for design, delivery and management as enterprise or shared information technology services and, each biennium, report to the Governor and the Joint Legislative Committee on Information Management and Technology concerning the status of new enterprise or shared information technology services.

      (M) Adopt or update each biennium an Enterprise Information Resources Management Strategy for the state. In addition to the functions described in ORS 276A.236, the Enterprise Information Resources Management Strategy must provide for integrating statewide technology initiatives, ensuring compliance with information technology rules, policies and standards, promoting coordination, consolidation and alignment of information resources and technologies and effectively managing the state’s and state agencies’ information technology portfolios. In developing the Enterprise Information Resources Management Strategy, the State Chief Information Officer shall consult with and consider advice and suggestions from the department, state agencies and local governments, from private sector information technology experts, from the Legislative Fiscal Officer, from the Joint Legislative Committee on Information Management and Technology or from individual members of the Legislative Assembly that the President of the Senate and the Speaker of the House of Representatives appoint for the purpose of consulting with the State Chief Information Officer under this subsection.

      (N) Identify and recommend to the Governor, within the State Chief Information Officer’s biennial budget request, resources that are necessary to implement the Enterprise Information Resources Management Strategy.

      (O) Develop standards, protocols and procedures for executive department agencies to use in searching for and identifying requested public records that are retained in electronic form and to use in fulfilling public records requests that seek records in electronic form.

      (b) As used in this subsection:

      (A) “Executive department” has the meaning given that term in ORS 174.112, except that “executive department” does not include the Secretary of State in performing the duties of the constitutional office of Secretary of State or the State Treasurer in performing the duties of the constitutional office of State Treasurer.

      (B) “Geographic data” means digital data that consist of geographic or projected map coordinate values, identification codes and associated descriptive data to locate and describe boundaries or features on, above or below the surface of the earth, demographic data or related data.

      (C) “Geographic information system” means hardware, software, and data for capturing, managing, analyzing and displaying geographic data.

      (D) “Information system” means computers, hardware, software, storage media, networks, operational procedures and processes used in collecting, processing, storing, sharing or distributing information within, or with any access beyond ordinary public access to, the state’s shared computing and network infrastructure.

      (E) “State government” has the meaning given that term in ORS 174.111.

      (5) The State Chief Information Officer may:

      (a) Organize and reorganize the office of Enterprise Information Services in the manner the State Chief Information Officer considers necessary to conduct the work of the office of Enterprise Information Services properly.

      (b) Divide the office of Enterprise Information Services into administrative programs, units or sections and appoint an individual to administer each program, unit or section that the State Chief Information Officer establishes under this subsection. The individual the State Chief Information Officer appoints serves at the pleasure of the State Chief Information Officer and must be well qualified by technical training and experience in the functions the individual will perform. The State Chief Information Officer’s actions under this paragraph are subject to ORS chapter 240.

      (c) Appoint subordinate officers and employees of the office of Enterprise Information Services, prescribe the officers’ and employees’ duties and fix compensation for the officers and employees. The State Chief Information Officer’s actions under this paragraph are subject to ORS chapter 240.

      (d) Delegate to an employee of the office of Enterprise Information Services or to another individual any duty, function or power that the State Chief Information Officer may exercise or perform under ORS 276A.206 or under other statutes, rules or policies that commit functions to the State Chief Information Officer. For the purpose of performing an official act in the State Chief Information Officer’s name, the State Chief Information Officer may delegate a duty, function or power by means of an interagency agreement, an intergovernmental agreement in accordance with ORS chapter 190 or a contract. An official act that an individual performs in the name of the State Chief Information Officer under a delegation from the State Chief Information Officer under this paragraph is an official act of the State Chief Information Officer. [Formerly 291.039; 2021 c.17 §1]

      276A.206 Oversight of state information and telecommunications technology by State Chief Information Officer; policy; rules; application for designation as community of interest. (1)(a) The State Chief Information Officer shall oversee and coordinate the planning, budgeting, architecture and standardization, consolidation, acquisition and oversight of all information and telecommunications technology by state government and agencies of state government so that statewide and individual state agencies’ plans and activities are addressed in the most integrated, economic and efficient manner, in a manner that minimizes duplication, fragmentation, redundancy and cost in state government operations and in a manner that most effectively meets state government and state agency program needs.

      (b)(A) Except as otherwise provided by law, the office of the Secretary of State and the office of the State Treasurer, in collaboration with the State Chief Information Officer, shall develop and adopt plans, policies, standards and procedures for budgeting, planning, procuring, managing, overseeing and using information technology and telecommunications for the Secretary of State or the State Treasurer, as appropriate. Each office shall ensure that the office’s plans, policies, standards and procedures are, to the extent possible, compatible with the plans, policies, standards and procedures that the State Chief Information Officer develops and adopts for other state agencies within the executive department.

      (B) The Secretary of State and the State Treasurer shall submit to the Legislative Fiscal Office:

      (i) Copies of plans, policies, standards and procedures that the Secretary of State and the State Treasurer develop and adopt under subparagraph (A) of this paragraph. The Secretary of State and the State Treasurer shall submit copies of the plans, policies, standards and procedures within 30 calendar days after adopting or amending the plans, policies, standards or procedures.

      (ii) Copies of any independent information technology audits or quality assurance reports that are public records and are not exempt from disclosure under ORS 192.311 to 192.478. The Secretary of State and the State Treasurer shall submit copies of the audits or reports within 30 calendar days after receiving the audits or reports.

      (iii) An annual report on all information technology initiatives, as defined in ORS 276A.223, and all procurements with an estimated contract price that exceeds $1 million. The Secretary of State and the State Treasurer shall submit the report not later than December 31 of each calendar year.

      (2) To facilitate accomplishment of the purpose set forth in subsection (1)(a) of this section, the State Chief Information Officer shall:

      (a) Adopt rules, policies and standards to plan for, develop architecture for and standardize the state’s information resources and technologies. In developing rules, policies and standards, the State Chief Information Officer shall consult with state agencies that have needs that information resources may satisfy. State agencies shall cooperate with the State Chief Information Officer in preparing and complying with rules, policies and standards that the State Chief Information Officer adopts.

      (b) Formulate rules, policies and standards to promote electronic communication and information sharing among state agencies and programs, between state and local governments and with the public where appropriate.

      (c) Formulate rules, policies, plans, standards and specifications to ensure that information resources and technologies fit together in a statewide system capable of providing ready access to information, information technology or telecommunication resources. Plans and specifications that the State Chief Information Officer adopts must be based on industry standards for open systems to the greatest extent possible.

      (3) Before adopting rules described in subsection (2) of this section, the State Chief Information Officer shall present the proposed rules to the Joint Legislative Committee on Information Management and Technology.

      (4) The State Chief Information Officer has the responsibility to review, oversee and ensure that state agencies’ rules and planning, acquisition and implementation activities related to information technology and telecommunications align with and support the Enterprise Information Resources Management Strategy. State agencies shall cooperate with the State Chief Information Officer to ensure that the state agencies’ rules and planning, acquisition and implementation activities align with and support the Enterprise Information Resources Management Strategy. If the Oregon Department of Administrative Services procures information technology or the Director of the Oregon Department of Administrative Services delegates authority under ORS 279A.075 to procure information technology, the department and a state contracting agency, as defined in ORS 279A.010, shall procure information technology fairly, competitively and in a manner that is consistent with the State Chief Information Officer’s rules, policies and standards.

      (5)(a) The policy of the State of Oregon is that state government telecommunications networks should be designed to provide state-of-the-art services where economically and technically feasible, using shared, rather than dedicated, lines and facilities.

      (b) The State Chief Information Officer shall, when procuring telecommunications network services, consider the goals and objectives outlined within the Enterprise Information Resources Management Strategy and the policy, acquisition, coordination and consolidation objectives for information technology that are specified in ORS 276A.400 to 276A.412 and 276A.415.

      (6)(a) The State Chief Information Officer, upon request, may furnish and deliver statewide integrated videoconferencing and statewide online access service to a public or private entity that primarily conducts activities for the direct good or benefit of the public or community at large in providing educational, economic development, health care, human services, public safety, library or other public services. The State Chief Information Officer shall adopt rules with respect to the State Chief Information Officer’s furnishing of the service.

      (b) The State Chief Information Officer shall establish statewide integrated videoconferencing and statewide online access user fees, services, delivery, rates and long range plans. The rates must reflect the State Chief Information Officer’s cost in providing the service.

      (c) The State Chief Information Officer by rule shall restrict the Internet access service that the State Chief Information Officer furnishes or delivers to private entities if the service would directly compete with two or more local established providers of Internet access services within the local exchange telecommunications service area.

      (d) The rates and services established and provided under this section are not subject to the Public Utility Commission’s regulation or authority.

      (7) An organization or organizations recognized as tax exempt under section 501(c)(3) of the Internal Revenue Code that primarily conduct activities for the direct good or benefit of the public or community at large in providing educational, economic development, health care, human services, public safety, library or other public services and that have formed an affiliation with one or more federal, state or local governmental units within this state may apply to the State Chief Information Officer for designation as a community of interest. The application must be in the form that the State Chief Information Officer prescribes and contain information about the governmental affiliation relationship, the tax exempt status of each organization and the public benefit services the organization provides or intends to provide. The State Chief Information Officer shall establish an application review and appeal process to ensure that designating the organizations as a community of interest for the purposes of including the organization in telecommunications contracts under ORS 276A.412 will result in providing educational, medical, library or other services for public benefit.

      (8) This section does not apply to any public university listed in ORS 352.002.

      (9) As used in this section and ORS 276A.203:

      (a) “Information resources” means media, instruments, plans and methods for collecting, processing, transmitting and storing data and information, including telecommunications.

      (b) “Information technology” means present and future forms of hardware, software and services for data processing, office automation and telecommunications.

      (c) “Internet access service” means electronic connectivity to the Internet and the services of the Internet.

      (d) “Open systems” means systems that allow state agencies freedom of choice by providing a vendor-neutral operating environment where different computers, applications, system software and networks operate together easily and reliably.

      (e) “State-of-the-art services” means the highest level at which equipment, facilities and the capability to distribute digital communication signals that transmit voice, data, video and images over a distance have developed at the time during which the equipment, facility or capability was installed or operating.

      (f) “Statewide integrated videoconferencing” means a statewide electronic system capable of transmitting video, voice and data communications.

      (g) “Statewide online access” means electronic connectivity to information resources such as computer conferencing, electronic mail, databases and Internet access.

      (h) “Telecommunications” means hardware, software and services for transmitting voice, data, video and images over a distance. [Formerly 291.038]

      276A.209 State Information Technology Operating Fund. (1) There is established the State Information Technology Operating Fund in the State Treasury, separate and distinct from the General Fund. The moneys in the State Information Technology Operating Fund may be invested as provided in ORS 293.701 to 293.857. Interest earnings on the fund assets must be credited to the fund.

      (2) The Director of the Oregon Department of Administrative Services shall deposit into the State Information Technology Operating Fund moneys for enterprise information technology and telecommunications that are appropriated to the Oregon Department of Administrative Services and that are necessary for the State Chief Information Officer to fulfill the duties, implement the functions and exercise the powers imposed upon, transferred to and vested in the State Chief Information Officer under section 1, chapter 807, Oregon Laws 2015.

      (3) The State Information Technology Operating Fund consists of:

      (a) Moneys deposited into the fund under subsection (2) of this section and ORS 276A.323 and 276A.335.

      (b) Amounts donated to the fund.

      (c) Amounts appropriated or otherwise transferred to the fund by the Legislative Assembly.

      (d) Other amounts deposited into the fund from any source.

      (4) Amounts in the fund are continuously appropriated to the State Chief Information Officer for the purposes authorized by law. [Formerly 291.041]

(Technical Services and Information Technology Management)

      276A.223 Requirement that state agency or public corporation obtain quality management services when implementing information technology initiative; reports; exceptions. (1) As used in this section:

      (a)(A) “Information technology initiative” means a project to develop or provide, with a state contracting agency’s or public corporation’s own personnel and resources, or to obtain by means of a procurement or set of related procurements:

      (i) New hardware, software or services for data processing, office automation or telecommunications;

      (ii) An overhaul, upgrade or replacement of a substantial portion of the hardware or software in an existing data processing, office automation or telecommunications system; or

      (iii) A substantial expansion of existing data processing, office automation or telecommunications services.

      (B) “Information technology initiative” does not include:

      (i) A procurement for preliminary quality assurance services or quality management services;

      (ii) A routine update to or purchase of hardware or software within an existing data processing, office automation or telecommunications system;

      (iii) A renewal of an existing contract for data processing, office automation or telecommunications services under terms and conditions that are substantially the same as in the existing contract; or

      (iv) A replacement of a component of an existing data processing, office automation or telecommunications system that is not essential for the system to function as designed or that occurs at the end of the component’s anticipated life cycle.

      (b) “Preliminary quality assurance services” means a set of services in which a contractor provides an independent and objective review of a state contracting agency’s or a public corporation’s plans, specifications, estimates, documentation, available resources and overall purpose for an information technology initiative, including services in which the contractor evaluates a proposed information technology initiative against applicable quality standards and best practices from private industry and other sources.

      (c) “Procurement” has the meaning given that term in ORS 279A.010.

      (d)(A) “Public corporation” means a corporation:

      (i) The operations of which are subject to control by this state or by an agency or instrumentality of this state, or by officers of this state or of an agency or instrumentality of this state;

      (ii) That is organized, at least in part, to serve a public purpose; and

      (iii) That receives public funds or other support from an entity described in sub-subparagraph (i) of this subparagraph.

      (B) “Public corporation” does not include:

      (i) A person or entity described in ORS 174.108 (3);

      (ii) A city, county, local service district, school district, education service district, community college district or community college service district or a public university listed in ORS 352.002; or

      (iii) An administrative subdivision of an entity described in sub-subparagraph (ii) of this subparagraph.

      (e) “Quality management services” means a set of services in which a contractor provides an independent and objective review and evaluation of a state contracting agency’s, a public corporation’s or another contractor’s performance with respect to an information technology initiative, such as services in which the contractor:

      (A) Identifies quality standards that apply or should apply to the information technology initiative;

      (B) Suggests methods and means by which the state contracting agency, the public corporation or the other contractor may meet quality standards identified in subparagraph (A) of this paragraph;

      (C) Reviews and evaluates the state contracting agency’s, the public corporation’s or the other contractor’s performance regularly as the information technology initiative progresses from start to finish;

      (D) Identifies omissions or gaps in the state contracting agency’s, the public corporation’s or the other contractor’s planning, execution, control, methodology, communication or reporting as the information technology initiative progresses from start to finish;

      (E) Identifies risks in the state contracting agency’s, the public corporation’s or the other contractor’s plans or approach to designing, developing or implementing the information technology initiative and suggests methods to reduce, mitigate or eliminate the risks;

      (F) Assists the state contracting agency or the public corporation in testing or otherwise evaluating the hardware, software or services that are developed, provided or obtained as part of an information technology initiative to determine whether the hardware, software or services conform with the quality standards identified in subparagraph (A) of this paragraph;

      (G) Advises the State Chief Information Officer, the state contracting agency or the public corporation as to whether the hardware, software or services that are developed, provided or obtained as part of an information technology initiative meet the contracting agency’s or the public corporation’s needs, specifications or expectations and otherwise enable the state contracting agency or the public corporation to achieve the objectives for the information technology initiative; or

      (H) Identifies unsatisfactory performance and suggests methods the State Chief Information Officer, the state contracting agency, the public corporation or the other contractor might use to eliminate the causes of unsatisfactory performance.

      (f) “State contracting agency” has the meaning given that term in ORS 279A.010.

      (2)(a) A state contracting agency or a public corporation that implements an information technology initiative shall obtain quality management services from a qualified contractor if the value of the information technology initiative exceeds $5 million, unless the State Chief Information Officer determines that the quality management services are not necessary. The State Chief Information Officer may require quality management services for an information technology initiative the value of which does not exceed $5 million if the information technology initiative meets criteria or standards that the State Chief Information Officer specifies in rule or policy. The State Chief Information Officer not later than December 31 of each year shall submit to the Legislative Fiscal Officer a report that identifies information technology initiatives for which:

      (A) The value exceeds $5 million; and

      (B) The State Chief Information Officer determines that quality management services are not necessary.

      (b) A state contracting agency or public corporation may, subject to ORS 279B.040, procure preliminary quality assurance services from a contractor if the information technology initiative meets the criteria set forth in paragraph (a) of this subsection or if the state contracting agency or public corporation otherwise believes that the preliminary quality assurance services will enable the contracting agency or public corporation to implement an information technology initiative successfully.

      (3) A state contracting agency or public corporation may not artificially divide or fragment an information technology initiative so as to avoid the application of this section.

      (4) Notwithstanding any procurement authority that a state contracting agency or a public corporation has that is not subject to the authority of the Director of the Oregon Department of Administrative Services or the State Chief Information Officer under ORS 279A.050 (2) or (7), the state contracting agency or public corporation is subject to the provisions of subsection (2) of this section and shall consult with and follow the rules, policies and procedures of the State Chief Information Officer in determining the extent of preliminary quality assurance services or quality management services that the state contracting agency or public corporation will require for an information technology initiative.

      (5)(a) If a state contracting agency or a public corporation awards a contract for preliminary quality assurance services or quality management services, the contract must provide that at the same time a contractor provides a preliminary or final report to the contract administrator, the contractor shall also provide a copy of the report to:

      (A) The State Chief Information Officer;

      (B) The Director of the Oregon Department of Administrative Services;

      (C) The Legislative Fiscal Officer; and

      (D) As appropriate for the specific information technology initiative, to:

      (i) The director of the state contracting agency or, if a board or commission sets policy for the state contracting agency, to the board or commission; or

      (ii) The governing body of the public corporation.

      (b) The state contracting agency or public corporation shall provide the contractor with names, addresses and other contact information the contractor needs to comply with paragraph (a) of this subsection.

      (6) This section does not apply to the Secretary of State or the State Treasurer. [Formerly 291.035]

 

      276A.230 Definitions. As used in ORS 276A.233 and 276A.236:

      (1) “Executive department” has the meaning given that term in ORS 174.112.

      (2) “Information technology” includes, but is not limited to, all present and future forms of hardware, software and services for data processing, office automation and telecommunications.

      (3) “State agency” means a board, commission, department, division, office or other entity within the executive department of state government, except:

      (a) The Secretary of State;

      (b) The State Treasurer;

      (c) The Oregon State Lottery; and

      (d) A public university that is listed in ORS 352.002. [Formerly 184.473]

 

      276A.233 Information technology portfolio-based management; inventory; standards; rules; exception. (1) The purposes of information technology portfolio-based management are to:

      (a) Ensure that state agencies link the state agencies’ information technology investments with business plans;

      (b) Facilitate risk assessment of information technology projects and investments;

      (c) Ensure that state agencies justify information technology investments on the basis of sound business cases;

      (d) Ensure that state agencies facilitate development and review of information technology performance related to business operations;

      (e) Identify projects that can cross agency and program lines to leverage resources; and

      (f) Assist in state government-wide planning for common, shared information technology infrastructure.

      (2) The State Chief Information Officer shall integrate state agency strategic and business planning, technology planning and budgeting and project expenditure processes into the State Chief Information Officer’s portfolio-based management and oversight of state information technology resources.

      (3) The State Chief Information Officer shall conduct and maintain a continuous inventory of each state agency’s current and planned investments in information technology, a compilation of information about the current and planned investments and the total life cycle cost of the current and planned investments. Each state agency shall cooperate with the State Chief Information Officer in conducting and maintaining the inventory. The State Chief Information Officer shall develop and implement state government-wide rules, policies and standards for conducting and maintaining the required inventory and for managing the state government-wide information technology portfolio. State agencies shall participate in the State Chief Information Officer’s information technology portfolio-based management program and shall comply with the rules, policies and standards that the State Chief Information Officer establishes under this subsection. The provisions of this subsection do not relieve any state agency from accountability for equipment, materials, supplies and tangible and intangible personal property under the state agency’s control.

      (4) The State Chief Information Officer shall ensure that state agencies implement portfolio-based management of information technology resources in accordance with this section and with rules, policies and standards that the State Chief Information Officer adopts.

      (5) Before adopting rules to implement the provisions of this section, the State Chief Information Officer shall present the proposed rules to the Joint Legislative Committee on Information Management and Technology. [Formerly 184.475]

 

      276A.236 Enterprise information resources management; adoption and implementation of strategy; state agency information technology initiatives costing more than $1 million. (1) The purpose of enterprise information resources management is to create a plan and implement a state government-wide approach for managing distributed information technology assets to minimize total ownership costs from acquisition through retirement, while realizing maximum benefits for transacting the state’s business and delivering services to the residents of this state.

      (2) With input and recommendations from state agencies, the State Chief Information Officer each biennium shall adopt an Enterprise Information Resources Management Strategy in accordance with ORS 276A.203. The Enterprise Information Resources Management Strategy must, among other functions, enable the State Chief Information Officer to manage and oversee distributed information technology assets throughout state government. The Enterprise Information Resources Management Strategy shall prescribe the state government-wide infrastructure and services for managing these assets. The State Chief Information Officer shall submit the Enterprise Information Resources Management Strategy to the Joint Legislative Committee on Information Management and Technology for review.

      (3) Following review by the Joint Legislative Committee on Information Management and Technology, the State Chief Information Officer shall ensure state agency implementation of the Enterprise Information Resources Management Strategy, including the development of appropriate rules, policies and standards along with budget, resource and management plans that are necessary to implement the Enterprise Information Resources Management Strategy.

      (4) State agencies shall participate in managing information technology assets in accordance with the Enterprise Information Resources Management Strategy and shall comply with the rules, policies and standards of the State Chief Information Officer.

      (5) A state agency that implements an information technology initiative, as defined in ORS 276A.223, that the State Chief Information Officer estimates will cost more than $1 million shall implement the information technology initiative under rules, policies and standards that the State Chief Information Officer develops, sets or adopts. The information technology initiative is subject to the State Chief Information Officer’s oversight and the State Chief Information Officer may require the state agency to obtain approval to implement the information technology initiative or may direct the state agency to stop or modify the implementation, cancel or modify a procurement related to the information technology initiative, modify the scope of the information technology initiative or take another action before awarding a public contract. After a state agency executes a public contract related to the information technology initiative, the State Chief Information Officer may direct the state agency to take any action in accordance with the terms and conditions of the public contract that the State Chief Information Officer deems necessary or advisable to administer and enforce the public contract, including directing the state agency to suspend performance or terminate the public contract in whole or in part. [Formerly 184.477]

 

      276A.239 Portfolio-based management of information technology resources for Secretary of State. (1) The Secretary of State shall implement portfolio-based management of information technology resources, as described in this section, to:

      (a) Ensure that the Office of the Secretary of State links its information technology investments with business plans;

      (b) Facilitate risk assessment of information technology projects and investments;

      (c) Ensure that the office justifies information technology investments on the basis of sound business cases;

      (d) Ensure that the office facilitates development and review of information technology performance related to business operations;

      (e) Identify projects that can cross agency and program lines to leverage resources; and

      (f) Assist in state government-wide planning for common, shared information technology infrastructure.

      (2) The Secretary of State shall integrate strategic and business planning, technology planning and budgeting and project expenditure processes into the Secretary of State’s information technology portfolio-based management.

      (3) The Secretary of State shall conduct and maintain a continuous inventory of current and planned investments in information technology, a compilation of information about those assets and the total life cycle cost of those assets.

      (4) The Secretary of State shall develop and implement standards, processes and procedures for the required inventory and for the management of the information technology portfolio.

      (5) As used in this section, “information technology” has the meaning given that term in ORS 276A.230. [Formerly 177.200]

 

      276A.242 Portfolio-based management of information technology resources for State Treasurer. (1) The State Treasurer shall implement portfolio-based management of information technology resources, as described in this section, to:

      (a) Ensure that the office of the State Treasurer links its information technology investments with business plans;

      (b) Facilitate risk assessment of information technology projects and investments;

      (c) Ensure that the office justifies information technology investments on the basis of sound business cases;

      (d) Ensure that the office facilitates development and review of information technology performance related to business operations;

      (e) Identify projects that can cross agency and program lines to leverage resources; and

      (f) Assist in state government-wide planning for common, shared information technology infrastructure.

      (2) The State Treasurer shall integrate strategic and business planning, technology planning and budgeting and project expenditure processes into the State Treasurer’s information technology portfolio-based management.

      (3) The State Treasurer shall conduct and maintain a continuous inventory of current and planned investments in information technology, a compilation of information about those assets and the total life cycle cost of those assets.

      (4) The State Treasurer shall develop and implement standards, processes and procedures for the required inventory and for the management of the information technology portfolio.

      (5) As used in this section, “information technology” has the meaning given that term in ORS 276A.230. [Formerly 178.100]

 

(Oregon Transparency Website)

 

      276A.250 Definitions. As used in ORS 276A.250 to 276A.262, “state agency” means any officer, board, commission, department, division or institution of state government, as defined in ORS 174.111. [Formerly 184.480]

 

      276A.253 Oregon transparency website. (1)(a) The State Chief Information Officer shall maintain and make available an Oregon transparency website. The website must allow any person to view information that is a public record and is not exempt from disclosure under ORS 192.311 to 192.478, including but not limited to information described in subsection (3) of this section. The State Chief Information Officer shall provide on the home page of the website a method for users to offer suggestions regarding the form or content of the website.

      (b) The Oregon Department of Administrative Services shall assist the State Chief Information Officer in performing duties under paragraph (a) of this subsection to the extent the State Chief Information Officer deems the assistance necessary.

      (2) State agencies and education service districts, to the extent practicable and subject to laws relating to confidentiality, when at no additional cost, using existing data and existing resources of the state agency or education service district and without reallocation of resources, shall:

      (a) Furnish information to the Oregon transparency website by posting reports and providing links to existing information system applications in accordance with standards that the State Chief Information Officer establishes; and

      (b) Provide the information in the format and manner that the State Chief Information Officer requires.

      (3) To the extent practicable and subject to laws relating to confidentiality, when at no additional cost, using existing data and existing resources of the state agency or education service district and without reallocation of resources, the Oregon transparency website must contain information about each state agency and education service district, including but not limited to:

      (a) Annual revenues of state agencies and education service districts;

      (b) Annual expenditures of state agencies and education service districts;

      (c) Annual human resources expenses, including compensation, of state agencies and education service districts;

      (d) Annual tax expenditures of state agencies, including, when possible, the identity of the recipients of each tax expenditure;

      (e) For each state agency, a description of the percentage of expenditures made in this state and the percentage of expenditures made outside this state under all contracts for goods or services the state agency enters into during each biennium;

      (f) A prominently placed graphic representation of the primary funding categories and approximate number of individuals that the state agency or the education service district serves;

      (g) A description of the mission, function and program categories of the state agency or education service district;

      (h) A copy of any audit report that the Secretary of State issues for the state agency or the education service district;

      (i) The local service plans of the education service districts;

      (j) A copy of each report required by statute for education service districts; and

      (k) A copy of all notices of public meetings of the education service districts.

      (4) In addition to the information described in subsection (3) of this section:

      (a) The State Chief Information Officer shall post on the Oregon transparency website notices of public meetings the state agency must provide under ORS 192.640. If the state agency maintains a website where minutes or summaries of the public meetings are available, the state agency shall provide the State Chief Information Officer with the link to the state agency website for posting on the Oregon transparency website.

      (b) The State Chief Information Officer shall post on the Oregon transparency website a link for the website that the Secretary of State maintains for rules that the state agency adopts. If the state agency maintains a website where the state agency posts the rules, or where any information relating to the rules of the agency is posted, the state agency shall provide the State Chief Information Officer with the link to the website for posting on the Oregon transparency website.

      (c) The State Chief Information Officer shall provide links on the Oregon transparency website for information that the State Chief Information Officer receives concerning contracts and subcontracts that a state agency or education service district enters into, to the extent that disclosing the information is allowed by law and the information is already available on websites that the state agency or education service district maintains. To the extent available, the information to which the State Chief Information Officer links under this section must include:

      (A) Information on professional, personal and material contracts;

      (B) The date of each contract and the amount payable under the contract;

      (C) The period during which the contract is or was in effect; and

      (D) The names and addresses of vendors.

      (d) The State Chief Information Officer shall provide an economic development section on the Oregon transparency website for posting of information submitted to the State Chief Information Officer by state agencies responsible for administering specific economic development programs. The section shall include, but not be limited to, the following information, if it is already collected or available within an existing database maintained by the state agency in the course of administering the economic development program:

      (A) The names of filmmakers or companies that have received reimbursements from the Oregon Production Investment Fund under ORS 284.368 and the amount of each reimbursement;

      (B) The amount of revenue bonds issued under ORS 285A.430 for the Beginning and Expanding Farmer Loan Program, the names of persons who received loans under the program and the amount of the loan;

      (C) The names of persons who received grants, loans or equity investments from the Oregon Innovation Council under ORS 284.742 and the purpose and amount of the grant, loan or equity investment;

      (D) Copies of, or links to, annual reports required to be filed under ORS 285C.615 under the strategic investment program;

      (E) Copies of, or links to, annual certifications required to be filed under ORS 285C.506 for the business development income tax exemption; and

      (F) Information required to be posted on the Oregon transparency website under ORS 276A.256.

      (e) The information reported under paragraph (d) of this subsection:

      (A) May not include proprietary information; and

      (B) Shall be provided to the State Chief Information Officer by the state agency in the format and manner required by the State Chief Information Officer.

      (f) The State Chief Information Officer shall post on the Oregon transparency website information describing the process for requesting copies of public records from a public body, including a link to the public records section of the Department of Justice webpage. At the request of a state agency or education service district, the State Chief Information Officer shall include a link to a location on the webpage of the agency or district that describes the process for requesting public records from the agency or district.

      (5) In operating, refining and recommending enhancements to the Oregon transparency website, the State Chief Information Officer and the Transparency Oregon Advisory Commission created in ORS 276A.259 shall consider and, to the extent practicable, adhere to the following principles:

      (a) The website must be accessible without cost and be easy to use;

      (b) Information included on the Oregon transparency website must be presented using plain, easily understandable language; and

      (c) The website should teach users about how state government and education service districts work and provide users with the opportunity to learn something about how state government and education service districts raise and spend revenue.

      (6) If a state agency or an education service district is not able to include information described in this section on the Oregon transparency website because of the lack of availability of information or cost in acquiring information, the Transparency Oregon Advisory Commission created in ORS 276A.259 shall list the information that is not included for the state agency or education service district in the commission’s report to the Legislative Assembly required under ORS 276A.259.

      (7)(a) For the purpose of providing transparency in the revenues, expenditures and budgets of the following entities, the State Chief Information Officer shall include on the Oregon transparency website a page that provides links to websites established by:

      (A) Local governments, as defined in ORS 174.116.

      (B) Special government bodies, as defined in ORS 174.117.

      (C) Semi-independent state agencies listed in ORS 182.454.

      (D) Public universities listed in ORS 352.002.

      (E) Public university statewide programs operated by a public university listed in ORS 352.002.

      (F) The Oregon Health and Science University.

      (G) The Oregon Tourism Commission.

      (H) The Oregon Film and Video Office.

      (I) The Travel Information Council.

      (J) The Children’s Trust Fund of Oregon Foundation.

      (K) Oregon Corrections Enterprises.

      (L) The State Accident Insurance Fund Corporation.

      (M) The Oregon Utility Notification Center.

      (N) Any public corporation created under a statute of this state and specifically designated as a public corporation.

      (b) The State Chief Information Officer shall include a link to an entity’s website after receiving a request from the entity and shall consider recommendations from the Transparency Oregon Advisory Commission for including other links to websites of the entities listed in paragraph (a) of this subsection.

      (c) At the request of any local government, as defined in ORS 174.116, or special government body, as defined in ORS 174.117, the State Chief Information Officer shall include on the Oregon transparency website notices of public meetings required to be provided under ORS 192.640 by the local government or special government body. The local government or special government body must submit public meeting notice information in the format and manner required by the State Chief Information Officer.

      (d) The office of Enterprise Information Services shall include a prominent link on the home page of the Oregon transparency website for information posted to the page described in paragraph (a) of this subsection.

      (8) Nothing in this section prohibits the State Chief Information Officer or the Oregon Department of Administrative Services from incurring costs or requesting additional resources to develop, maintain or enhance the Oregon transparency website. [Formerly 184.483; 2019 c.131 §11; 2020 s.s.2 c.10 §5; 2021 c.17 §2]

 

      276A.256 Reports of tax expenditures connected to economic development. (1) For each statute that authorizes a tax expenditure with a purpose connected to economic development and that is listed in subsection (2) of this section, the state agency charged with certifying or otherwise administering the tax expenditure shall submit a report to the State Chief Information Officer. If a statute does not exist to authorize a state agency to certify or otherwise administer the tax expenditure, or if a statute does not provide for certification or administration of the tax expenditure, the Department of Revenue shall submit the report.

      (2) This section applies to:

      (a) ORS 285C.175, 285C.362, 285C.409, 307.123, 307.455, 315.141, 315.331, 315.336, 315.341, 315.506, 315.507, 315.514, 315.533, 316.698, 316.778, 317.124, 317.391 and 317.394 and sections 1 to 5, chapter 112, Oregon Laws 2016.

      (b) Grants awarded under ORS 469B.256 in any tax year in which certified renewable energy contributions are received as provided in ORS 315.326.

      (c) ORS 315.354 except as applicable in ORS 469B.145 (2)(a)(L) or (N).

      (d) ORS 316.116, if the allowed credit exceeds $2,000.

      (3) The following information, if the information is already available in an existing database the state agency maintains, must be included in the report required under this section:

      (a) The name of each taxpayer or applicant approved for the allowance of a tax expenditure or a grant award under ORS 469B.256.

      (b) The address of each taxpayer or applicant.

      (c) The total amount of credit against tax liability, reduction in taxable income or exemption from property taxation granted to each taxpayer or applicant.

      (d) Specific outcomes or results required by the tax expenditure program and information about whether the taxpayer or applicant meets those requirements. This information must be based on data the state agency has already collected and analyzed in the course of administering the tax expenditure. Statistics must be accompanied by a description of the methodology employed in the statistics.

      (e) An explanation of the state agency’s certification decision for each taxpayer or applicant, if applicable.

      (f) Any additional information that the taxpayer or applicant submits and that the state agency relies on in certifying the determination.

      (g) Any other information that state agency personnel deem valuable as providing context for the information described in this subsection.

      (4) The information reported under subsection (3) of this section may not include proprietary information or information that is exempt from disclosure under ORS 192.311 to 192.478 or 314.835.

      (5) No later than September 30 of each year, a state agency described in subsection (1) of this section shall submit to the State Chief Information Officer the information required under subsection (3) of this section as applicable to applications for allowance of tax expenditures the state agency approved during the agency fiscal year ending during the current calendar year. The information must then be posted on the Oregon transparency website described in ORS 276A.253 no later than December 31 of the same year.

      (6)(a) In addition to the information described in subsection (3) of this section, the State Chief Information Officer shall post on the Oregon transparency website:

      (A) Copies of all reports that the State Chief Information Officer, the Department of Revenue or the Oregon Business Development Department receives from counties and other local governments relating to properties in enterprise zones that have received tax exemptions under ORS 285C.170, 285C.175 or 285C.409, or that are eligible for tax exemptions under ORS 315.506, 315.507 or 317.124 by reason of being in an enterprise zone; and

      (B) Copies of any annual reports that agencies described in subsection (1) of this section are required by law to produce regarding the administration of statutes listed in subsection (2) of this section.

      (b) The reports must be submitted to the State Chief Information Officer in a manner and format that the State Chief Information Officer prescribes.

      (7) The information described in this section that is available on the Oregon transparency website must be accessible in the format and manner required by the State Chief Information Officer.

      (8) The information described in this section must be provided to the Oregon transparency website by posting reports and providing links to existing information systems applications in accordance with standards established by the State Chief Information Officer. [Formerly 184.484; 2023 c.298 §19]

 

      Note: 276A.256 was enacted into law by the Legislative Assembly but was not added to or made a part of ORS chapter 276A or any series therein by legislative action. See Preface to Oregon Revised Statutes for further explanation.

 

      276A.259 Transparency Oregon Advisory Commission; members; duties; terms; reports. (1) There is created the Transparency Oregon Advisory Commission consisting of nine members appointed as follows:

      (a) The President of the Senate shall appoint two members from among members of the Senate, one from the majority party and one from the minority party.

      (b) The Speaker of the House of Representatives shall appoint two members from among members of the House of Representatives, one from the majority party and one from the minority party.

      (c) The Governor shall appoint one member from an executive branch agency.

      (d) The State Chief Information Officer shall appoint one member.

      (e) The Legislative Fiscal Officer shall appoint one member.

      (f) The President of the Senate and the Speaker of the House of Representatives shall each appoint one member of the public with experience or interest in public finance, public relations, measurement of performance outcomes or technology.

      (2) The commission shall advise and make recommendations to the State Chief Information Officer regarding the creation, contents and operation of, and enhancements to, the Oregon transparency website.

      (3) A majority of the members of the commission constitutes a quorum for transacting business.

      (4) A majority of the members of the commission must approve official action by the commission.

      (5) The commission shall elect one of the commission’s members to serve as chairperson not later than October 1 of each odd-numbered year.

      (6) If there is a vacancy for any cause, the appointing authority shall make an appointment that becomes immediately effective.

      (7) The commission shall meet at times and places that the chairperson or a majority of the members of the commission specifies.

      (8) The commission may adopt rules necessary to operate the commission.

      (9) The commission shall use the services of permanent staff of the Legislative Fiscal Office to the greatest extent practicable to staff the commission. The State Chief Information Officer may provide additional assistance.

      (10) Notwithstanding ORS 171.072, members of the commission who are members of the Legislative Assembly are not entitled to mileage expenses or a per diem and serve as volunteers on the commission.

      (11) Members of the commission who are not members of the Legislative Assembly are not entitled to compensation or reimbursement for expenses and serve as volunteers on the commission.

      (12) All agencies of state government, as defined in ORS 174.111, shall assist the commission in performing the commission’s duties and, to the extent permitted by laws relating to confidentiality, to furnish such information and advice as the members of the commission consider necessary to perform the members’ duties.

      (13) The commission shall report to the Legislative Assembly not later than February 15 of each odd-numbered year. The report must describe:

      (a) Enhancements made to the Oregon transparency website during the previous two calendar years;

      (b) Possible future enhancements to the website, including but not limited to including information that relates to:

      (A) Performance outcomes that measure the success of state agency programs in achieving goals;

      (B) State agency bond debt;

      (C) State agency expenses for capital improvements;

      (D) Numbers and descriptions of jobs created through state agency contracts and subcontracts;

      (E) Lists of businesses and individuals that receive tax credits, deductions, refunds, rebates and other subsidies from a state agency;

      (F) Lists of the names of contractors that received a contract from a state agency, including the number of contracts and compensation the contractors received; and

      (G) Lists of the number of contracts that each state agency entered into during a biennium and the amount of moneys each state agency spent on the contracts; and

      (c) The feasibility of including an interactive application where citizens can simulate balancing a biennial budget for the state.

      (14) The term of office of each member is four years, but a member serves at the pleasure of the appointing authority. Before a member’s term expires, the appointing authority shall appoint a successor whose term begins on January 1 next following. A member is eligible for reappointment. If there is a vacancy for any cause, the appointing authority shall make an appointment that becomes immediately effective for the unexpired term. [Formerly 184.486]

 

      276A.262 Transparency Oregon Advisory Commission Fund. (1) The Transparency Oregon Advisory Commission may accept contributions of moneys and assistance from the United States Government or its agencies or from any other source, public or private, and agree to conditions placed on the moneys not inconsistent with the duties of the commission.

      (2) There is established in the State Treasury, separate and distinct from the General Fund, the Transparency Oregon Advisory Commission Fund. The fund consists of moneys received by the commission under this section and such other moneys as may otherwise be made available by law. Interest earned on the fund shall be credited to the fund. Moneys in the fund are continuously appropriated to the commission and may be used only for the performance of the functions of the commission. [Formerly 184.488]

 

(Electronic Government Portal)

 

      276A.270 Definitions. As used in this section and ORS 276A.273 and 276A.276:

      (1) “Electronic government portal” means an electronic information delivery system accessible by means of the Internet that a state agency designates officially as a means by which the state agency delivers information, products or services.

      (2) “Electronic government portal provider” means a person that on behalf of a state agency provides facilities, goods or services necessary to develop, host, operate, maintain or otherwise implement an electronic government portal or provides facilities, goods or services that assist a state agency in designing, developing, hosting, operating, maintaining or otherwise implementing an electronic government portal.

      (3) “Portal provider fee” means a fee for using an electronic government portal or governmental services available by means of an electronic government portal that the State Chief Information Officer charges, or authorizes an electronic government portal provider to charge, under ORS 276A.276 (3).

      (4) “State agency” means the executive department, as defined in ORS 174.112. [Formerly 182.126]

 

      276A.273 Electronic Government Portal Advisory Board. (1) There is created the Electronic Government Portal Advisory Board consisting of 13 members appointed as follows:

      (a) The President of the Senate shall appoint two nonvoting members from among members of the Senate.

      (b) The Speaker of the House of Representatives shall appoint two nonvoting members from among members of the House of Representatives.

      (c) The Governor shall appoint:

      (A) Three members who represent state agencies;

      (B) Two members who represent the public; and

      (C) One member who attends a school, community college or university in this state.

      (d) The State Chief Information Officer shall appoint two members as follows:

      (A) A representative of the State Chief Information Officer; and

      (B) A representative of the Oregon Department of Administrative Services.

      (e) The State Treasurer shall appoint one member who represents the State Treasurer.

      (2) Members of the Legislative Assembly who are members of the advisory board are nonvoting members and may act only in an advisory capacity.

      (3) The advisory board shall:

      (a) Advise the State Chief Information Officer and the Oregon Department of Administrative Services concerning:

      (A) The development of electronic government portals for the State Chief Information Officer, the department and other state agencies;

      (B) The amount, collection methods or other aspects of a portal provider fee that the State Chief Information Officer or an electronic government portal provider collects;

      (C) The priority of new governmental service applications that may be provided by means of an electronic government portal;

      (D) Terms and conditions of contracts between state agencies and electronic government portal providers; and

      (E) Rules necessary to implement electronic government portals.

      (b) Monitor the layout, content and usability of electronic government portals and advise the State Chief Information Officer and the department on ways to improve the delivery of government services by means of electronic government portals, the accountability of state agencies’ use of electronic government portals to provide government services and user satisfaction with electronic government portals.

      (c) Study, propose, develop or coordinate activities that:

      (A) Consider the needs of residents of this state;

      (B) Evaluate the performance and transparency of state agency delivery of government services; and

      (C) Further the effectiveness of and user satisfaction with:

      (i) Electronic government portals; and

      (ii) State agencies’ performance and accountability in using electronic government portals to provide government services.

      (4) A majority of the voting members of the advisory board constitutes a quorum for transacting business.

      (5) A majority of the voting members of the advisory board must approve official action by the advisory board.

      (6) The advisory board shall elect one of the members of the advisory board to serve as chairperson.

      (7) If a vacancy on the advisory board occurs for any cause, the appointing authority shall make an appointment that becomes immediately effective.

      (8) The advisory board shall meet at times and places that the chairperson or a majority of the voting members of the advisory board specifies.

      (9) The advisory board may adopt rules necessary to operate the advisory board.

      (10) The Oregon Department of Administrative Services shall provide staff support to the advisory board.

      (11) Members of the advisory board who are not members of the Legislative Assembly may not receive compensation, but may be reimbursed for actual and necessary travel and other expenses the members incur in the performance of the members’ official duties in the manner and amounts provided for in ORS 292.495. Claims for expenses the members incur in performing functions of the advisory board shall be paid out of funds appropriated to the Oregon Department of Administrative Services for purposes of the advisory board.

      (12) All state agencies shall assist the advisory board in the advisory board’s performance of the advisory board’s duties and, to the extent permitted by laws relating to confidentiality, to furnish information and advice as the members of the advisory board consider necessary to perform the duties of the advisory board. [Formerly 182.128]

 

      276A.276 Ability to offer government services through portal; portal provider fee; rules. (1) The State Chief Information Officer, with the advice of the Electronic Government Portal Advisory Board, shall provide the ability for state agencies to offer government services by means of an electronic government portal. The electronic government portal must be secure and must comply with the information security rules, policies and standards that the State Chief Information Officer adopts under ORS 276A.300 and meet the usability standards developed in cooperation with the advisory board.

      (2) For the purposes of subsection (1) of this section, the State Chief Information Officer, under the provisions of the Public Contracting Code, may contract with an electronic government portal provider in a manner that is consistent with the State Chief Information Officer’s rules, policies and standards.

      (3)(a) The State Chief Information Officer may charge members of the public a portal provider fee, or may authorize an electronic government portal provider to charge a portal provider fee, for an electronic government service if the advisory board recommends that the State Chief Information Officer charge or authorize a portal provider fee for the electronic government service. The portal provider fee must reflect the costs incurred in hosting, operating, maintaining or implementing the electronic government portal.

      (b) The State Chief Information Officer shall cooperate with the advisory board to identify the electronic government portals or governmental services to which the portal provider fee applies.

      (4) The State Chief Information Officer may adopt rules to implement the provisions of this section.

      (5) Not later than the beginning of each odd-numbered year regular legislative session, the State Chief Information Officer shall prepare and submit to the Legislative Assembly a report in the manner provided in ORS 192.245 that summarizes the State Chief Information Officer’s activities under the provisions of this section. [Formerly 182.132]

 

INFORMATION SECURITY

 

      276A.300 Information systems security in executive department; rules. (1) As used in this section:

      (a) “Executive department” has the meaning given that term in ORS 174.112.

      (b) “Information systems” means computers, hardware, software, storage media, networks, operational procedures and processes used in collecting, processing, storing, sharing or distributing information within, or with any access beyond ordinary public access to, the state’s shared computing and network infrastructure.

      (2) The State Chief Information Officer has responsibility for and authority over information systems security in the executive department, including responsibility for taking all measures that are reasonably necessary to protect the availability, integrity or confidentiality of information systems or the information stored in information systems. The State Chief Information Officer shall, after consultation and collaborative development with agencies, establish a state information systems security plan and associated standards, policies and procedures. The plan must align with and support the Enterprise Information Resources Management Strategy described in ORS 276A.203.

      (3) The State Chief Information Officer may coordinate with the Oregon Department of Administrative Services to:

      (a) Review and verify the security of information systems operated by or on behalf of state agencies;

      (b) Monitor state network traffic to identify and react to security threats; and

      (c) Conduct vulnerability assessments of state agency information systems for the purpose of evaluating and responding to the susceptibility of information systems to attack, disruption or any other event that threatens the availability, integrity or confidentiality of information systems or the information stored in information systems.

      (4) The State Chief Information Officer shall contract with qualified, independent consultants for the purpose of conducting vulnerability assessments under subsection (3) of this section.

      (5) In collaboration with appropriate agencies, the State Chief Information Officer shall develop and implement policies for responding to events that damage or threaten the availability, integrity or confidentiality of information systems or the information stored in information systems, whether those systems are within, interoperable with or outside the state’s shared computing and network infrastructure. In the policies, the State Chief Information Officer shall prescribe actions reasonably necessary to:

      (a) Promptly assemble and deploy in a coordinated manner the expertise, tools and methodologies required to prevent or mitigate the damage caused or threatened by an event;

      (b) Promptly alert other persons of the event and of the actions reasonably necessary to prevent or mitigate the damage caused or threatened by the event;

      (c) Implement forensic techniques and controls developed under subsection (6) of this section;

      (d) Evaluate the event for the purpose of possible improvements to the security of information systems; and

      (e) Communicate and share information with appropriate agencies, using preexisting incident response capabilities.

      (6) After consultation and collaborative development with appropriate agencies and the Oregon Department of Administrative Services, the State Chief Information Officer shall implement forensic techniques and controls for the security of information systems, whether those systems are within, interoperable with or outside the state’s shared computing and network infrastructure. The techniques and controls must include using specialized expertise, tools and methodologies to investigate events that damage or threaten the availability, integrity or confidentiality of information systems or the information stored in information systems. The State Chief Information Officer shall consult with the Oregon State Police, the Oregon Department of Emergency Management, the Governor and others as necessary in developing forensic techniques and controls under this section.

      (7) The State Chief Information Officer shall ensure that reasonably appropriate remedial actions are undertaken when the State Chief Information Officer finds that such actions are reasonably necessary by reason of vulnerability assessments of information systems under subsection (3) of this section, evaluation of events under subsection (5) of this section and other evaluations and audits.

      (8)(a) State agencies are responsible for securing computers, hardware, software, storage media, networks, operational procedures and processes used in collecting, processing, storing, sharing or distributing information outside the state’s shared computing and network infrastructure, following information security standards, policies and procedures established by the State Chief Information Officer and developed collaboratively with the agencies. Agencies may establish plans, standards and measures that are more stringent than the standards established by the State Chief Information Officer to address specific agency needs if the plans, standards and measures do not contradict or contravene the state information systems security plan. Independent agency security plans must be developed within the framework of the state information systems security plan.

      (b) A state agency shall report the results of any vulnerability assessment, evaluation or audit conducted by the agency to the State Chief Information Officer for the purposes of consolidating statewide security reporting and, when appropriate, to prompt a state incident response.

      (9) This section does not apply to:

      (a) Research and student computer systems used by or in conjunction with any public university listed in ORS 352.002; and

      (b)(A) Gaming systems and networks operated by the Oregon State Lottery or contractors of the State Lottery; or

      (B) The results of Oregon State Lottery reviews, evaluations and vulnerability assessments of computer systems outside the state’s shared computing and network infrastructure.

      (10) The State Chief Information Officer shall adopt rules to implement the provisions of this section. [Formerly 182.122; 2021 c.539 §28]

 

      276A.303 Information systems security for Secretary of State, State Treasurer and Attorney General. (1) Notwithstanding ORS 276A.300, the Secretary of State, the State Treasurer and the Attorney General have sole discretion and authority over information systems security in their respective agencies, including the discretion and authority to take all measures that are reasonably necessary to protect the availability, integrity or confidentiality of information systems or the information stored in information systems.

      (2) The Secretary of State, the State Treasurer and the Attorney General shall each establish an information systems security plan and associated standards, policies and procedures in collaboration with the State Chief Information Officer as provided in ORS 276A.300.

      (3) The plan established under subsection (2) of this section, at a minimum, must:

      (a) Be compatible with the state information systems security plan and associated standards, policies and procedures established by the State Chief Information Officer under ORS 276A.300 (2);

      (b) Assign responsibility for:

      (A) Reviewing, monitoring and verifying the security of the Secretary of State’s, the State Treasurer’s and the Attorney General’s information systems; and

      (B) Conducting vulnerability assessments of information systems for the purpose of evaluating and responding to the susceptibility of information systems to attack, disruption or any other event that threatens the availability, integrity or confidentiality of information systems or the information stored in information systems;

      (c) Contain policies for responding to events that damage or threaten the availability, integrity or confidentiality of information systems or the information stored in information systems, whether the systems are within, interoperable with or outside the state’s shared computing and network infrastructure;

      (d) Prescribe actions reasonably necessary to:

      (A) Promptly assemble and deploy in a coordinated manner the expertise, tools and methodologies required to prevent or mitigate the damage caused or threatened by an event;

      (B) Promptly alert the State Chief Information Officer and other persons of the event and of the actions reasonably necessary to prevent or mitigate the damage caused or threatened by the event;

      (C) Implement forensic techniques and controls developed under paragraph (e) of this subsection;

      (D) Evaluate the event for the purpose of possible improvements to the security of information systems; and

      (E) Communicate and share information with agencies, using preexisting incident response capabilities; and

      (e) Describe and implement forensic techniques and controls for the security of information systems, whether those systems are within, interoperable with or outside the state’s shared computing and network infrastructure, including the use of specialized expertise, tools and methodologies, to investigate events that damage or threaten the availability, integrity or confidentiality of information systems or the information stored in information systems.

      (4) The Secretary of State, the State Treasurer and the Attorney General shall participate in the planning process that the State Chief Information Officer conducts under ORS 276A.300 (2).

      (5) If the State Chief Information Officer cannot agree with the Secretary of State, the State Treasurer or the Attorney General on a joint information systems security plan and associated operational standards and policies, the State Chief Information Officer, in collaboration with the Oregon Department of Administrative Services, may take steps reasonably necessary to condition, limit or preclude electronic traffic or other vulnerabilities between information systems for which the Secretary of State, State Treasurer or Attorney General has authority under subsection (1) of this section and the information systems for which the State Chief Information Officer has authority under ORS 276A.300 (2). [Formerly 182.124]

 

      276A.306 Information security incidents and assessments; reports. (1) As used in this section:

      (a) “Information resources” means data and the means for storing, retrieving, connecting or using data, including but not limited to records, files, databases, documents, software, equipment and facilities that a state agency owns or leases.

      (b) “Information security assessment” means:

      (A) An organized method to determine a risk to or a vulnerability of a state agency’s information system or a third party information service to which a state agency subscribes; and

      (B) An independent examination and review of records, logs, policies, activities and practices to:

      (i) Assess whether a state agency’s information system is vulnerable to an information security incident;

      (ii) Ensure compliance with rules, policies, standards and procedures that the State Chief Information Officer or a state agency, under the state agency’s independent authority, adopts or otherwise promulgates; and

      (iii) Recommend necessary changes to a state agency’s rules, policies, standards and procedures to ensure compliance and prevent information security incidents.

      (c) “Information security incident” means an incident that creates a risk of harm to a state agency or the state agency’s operations and in which:

      (A) Access to, or viewing, copying, transmission, theft or usage of, a state agency’s sensitive, protected or confidential information occurs without authorization from the state agency;

      (B) A failure of compliance with a state agency’s security or acceptable use policies or practices occurs that results in access to a state agency’s information system or information resources for viewing, copying, transmission, theft or use without the state agency’s authorization; or

      (C) A state agency’s information system or information resources or a third party information service to which a state agency subscribes becomes unavailable in a reliable and timely manner to authorized individuals or organizations, or is modified or deleted under circumstances that the state agency does not intend, plan or initiate.

      (d)(A) “Information system” means a system of computers and related hardware, software, storage media and networks and any other means by which a state agency collects, uses or manages the state agency’s information resources.

      (B) “Information system” does not include a third party information service to which a state agency subscribes if the third party information service incorporates or uses hardware, software, storage media and networks that the state agency does not own or lease or that the state agency does not have the legal authority to directly monitor or control.

      (e) “State agency” means an officer, board, commission, department, agency or institute of state government, as defined in ORS 174.111, except:

      (A) Public universities listed in ORS 352.002; and

      (B) The Oregon State Lottery and entities with which the Oregon State Lottery has a contract or agreement with respect to the Oregon State Lottery’s gaming systems or networks.

      (2) A state agency shall promptly notify the Legislative Fiscal Office of an information security incident and describe the actions the state agency has taken or must reasonably take to prevent, mitigate or recover from damage to, unauthorized access to, unauthorized modifications or deletions of or other impairments of the integrity of the state agency’s information system or information resources.

      (3) Each state agency shall periodically conduct or contract for an information security assessment of the state agency’s information system and information resources and shall request results from a third party’s information security assessment of an information service that the third party provides and to which the state agency subscribes. Each state agency shall notify the Legislative Fiscal Office of the information security assessment after the state agency receives the results of the information security assessment.

      (4)(a) The State Chief Information Officer, the Secretary of State, the State Treasurer, the Attorney General, the State Court Administrator and the Legislative Administrator shall each submit to, and present in an appropriate hearing or other proceeding before, the Joint Legislative Committee on Information Management and Technology an annual report concerning the security of the information systems and information resources over which the State Chief Information Officer, the Secretary of State, the State Treasurer, the Attorney General, the State Court Administrator or the Legislative Administrator has direct or supervisory control.

      (b) The annual report described in paragraph (a) of this subsection may not include information security information or other materials that are exempt from disclosure under ORS 192.311 to 192.478.

      (5)(a) The Legislative Fiscal Office shall use the notifications the office receives under subsections (2) and (3) of this section, and any other information about an information security assessment or an information security incident that a state agency provides to the office, via a method and at a level of detail to which the state agency and the office agree, solely for the purpose of providing support and assistance to the Joint Legislative Committee on Information Management and Technology, the Joint Committee on Ways and Means and the Joint Legislative Audit Committee.

      (b)(A) Except as provided in subparagraph (B) of this paragraph, the Legislative Fiscal Officer or an employee of the Legislative Fiscal Office may not disclose to any other person the nature or contents of the notifications that the office receives under subsections (2) and (3) of this section or any other information described in paragraph (a) of this subsection to the extent that the notifications or the information are exempt from disclosure under ORS 192.311 to 192.478.

      (B) The Legislative Fiscal Officer or an employee of the Legislative Fiscal Office may disclose the nature or contents of the notifications or information described in subparagraph (A) of this paragraph if the officer or employee obtains the written consent of:

      (i) The State Chief Information Officer, with respect to notifications and information that a state agency within the executive department, as defined in ORS 174.112, provided;

      (ii) The Secretary of State, with respect to notifications and information that the office of the Secretary of State provided;

      (iii) The State Treasurer, with respect to notifications and information that the office of the State Treasurer provided;

      (iv) The Attorney General, with respect to notifications and information that the Department of Justice provided;

      (v) The State Court Administrator, with respect to notifications and information that a court or a state agency within the judicial department, as defined in ORS 174.113, provided; or

      (vi) The Legislative Administrator, with respect to notifications and information that a state agency within the legislative department, as defined in ORS 174.114, provided. [2016 c.110 §1]

 

      276A.323 State agency coordination. (1) As used in this section:

      (a) “Executive department” has the meaning given that term in ORS 174.112, except that “executive department” does not include:

      (A) The Secretary of State.

      (B) The State Treasurer.

      (C) The Attorney General.

      (D) The Oregon State Lottery.

      (E) Public universities listed in ORS 352.002.

      (b) “State agency” means an agency, as defined in ORS 183.310, in the executive department.

      (2) All state agencies shall:

      (a) Cooperate with the office of Enterprise Information Services in the implementation of a continuing statewide agency-by-agency risk-based information technology security assessment and remediation program.

      (b) Cooperate in the development of, and follow, the plans, rules, policies and standards adopted by the State Chief Information Officer with regard to the unification of agency information technology security functions in this state.

      (c) Conduct and document the completion of annual information technology security awareness training for all agency employees.

      (d) Report security metrics using methodologies developed by the office of Enterprise Information Services.

      (e) Participate in activities coordinated by the office of Enterprise Information Services in order to better understand and address security incidents and critical cybersecurity threats to the state.

      (3) The State Chief Information Officer shall determine and allocate the costs to state agencies associated with providing information technology services, third-party security evaluations, vulnerability assessments and remediation measures. State agencies shall pay the costs to the State Chief Information Officer in the same manner as the state agency pays other claims. The State Chief Information Officer shall deposit into the State Information Technology Operating Fund established under ORS 276A.209 all moneys that the State Chief Information Officer receives from state agencies for purposes of providing information technology services and administering and enforcing the duties, functions and powers under this section. [2017 c.513 §2; 2021 c.17 §3]

 

      276A.326 [2017 c.513 §3; 2021 c.17 §4; 2021 c.539 §29; repealed by 2023 c.489 §2 (276A.560 enacted in lieu of 276A.326)]

 

      276A.329 [2017 c.513 §4; repealed by 2023 c.489 §6 (276A.555 enacted in lieu of 276A.329)]

 

      276A.332 Authority of State Chief Information Officer to enter into agreements. Notwithstanding any other provision of law, the State Chief Information Officer may:

      (1) Enter into any agreement, or any configuration of agreements, relating to state cybersecurity with any private entity or unit of government, or with any configuration of private entities and units of government. The subject of agreements entered into under this section may include, but need not be limited to, cybersecurity training and awareness, information technology security assessments and vulnerability testing, cyber disruption and incident response, risk-based remediation measures and application life cycle maintenance.

      (2) Include in any agreement entered into under this section any financing mechanisms, including but not limited to the imposition and collection of franchise fees or user fees and the development or use of other revenue sources. [2017 c.513 §5]

 

      276A.335 Moneys from federal government and other sources. (1) The State Chief Information Officer may accept from the United States Government or any of its agencies any funds that are made available to the state for carrying out the purposes of ORS 276A.323 to 276A.335, 276A.555 and 276A.560, regardless of whether the funds are made available by grant, loan or other financing arrangement. Under the authority granted by ORS chapter 190, the State Chief Information Officer may enter into agreements and other arrangements with the United States Government or any of its agencies as may be necessary, proper and convenient for carrying out the purposes of ORS 276A.323 to 276A.335, 276A.555 and 276A.560.

      (2) The office of Enterprise Information Services may accept from any source any grant, donation, gift or other form of conveyance of land, money, real or personal property or other valuable thing made to the state or the office of Enterprise Information Services for carrying out the purposes of ORS 276A.323 to 276A.335, 276A.555 and 276A.560.

      (3) Any cybersecurity initiative, consistent with the purposes of ORS 276A.323 to 276A.335, 276A.555 and 276A.560, may be financed in whole or in part by contributions of any funds or property made by any private entity or unit of government that is a party to any agreement entered into under the authority of the office of Enterprise Information Services.

      (4) The State Chief Information Officer shall deposit into the State Information Technology Operating Fund established under ORS 276A.209 all moneys received under this section. [2017 c.513 §6; 2021 c.17 §5]

 

USE OF COVERED PRODUCTS ON STATE INFORMATION TECHNOLOGY ASSETS

 

      276A.340 Definitions. As used in ORS 276A.340 to 276A.344:

      (1) “Covered product” means any form of hardware, software or service provided by a covered vendor.

      (2) “Covered vendor” means any of the following corporate entities, or any parent, subsidiary, affiliate or successor entity of the following corporate entities:

      (a) Ant Group Co., Limited.

      (b) ByteDance Limited.

      (c) Huawei Technologies Company Limited.

      (d) Kaspersky Lab.

      (e) Tencent Holdings Limited.

      (f) ZTE Corporation.

      (g) Any other corporate entity designated a covered vendor by the State Chief Information Officer under ORS 276A.344.

      (3) “State agency” means any board, commission, department, division, office or other entity of state government, as defined in ORS 174.111, except that state government does not include the Secretary of State or State Treasurer.

      (4) “State information technology asset” means any form of hardware, software or service for data processing, office automation or telecommunications used directly by a state agency or used to a significant extent by a contractor in the performance of a contract with a state agency. [2023 c.256 §1]

 

      276A.342 State agencies prohibited from using covered products; risk mitigation; exceptions. (1) A covered product may not be:

      (a) Installed or downloaded onto a state information technology asset; or

      (b) Used or accessed by a state information technology asset.

      (2) A state agency shall:

      (a) Remove any covered product that is installed or downloaded onto a state information technology asset that is under the management or control of the state agency; and

      (b) Implement all measures necessary to prevent the:

      (A) Installation or download of a covered product onto a state information technology asset that is under the management or control of the state agency; or

      (B) Use or access of a covered product by a state information technology asset that is under the management or control of the state agency.

      (3)(a) Notwithstanding subsections (1) and (2) of this section, a state agency may, for investigatory, regulatory or law enforcement purposes, permit the:

      (A) Installation or download of a covered product onto a state information technology asset; or

      (B) Use or access of a covered product by a state information technology asset.

      (b) A state agency that permits the installation, download, use or access of a covered product under this subsection shall adopt risk mitigation standards and procedures related to the installation, download, use or access of the covered product.

      (4) The State Chief Information Officer shall coordinate with and oversee state agencies to implement the provisions of this section in accordance with the policies and standards adopted under ORS 276A.344 (3). [2023 c.256 §2]

 

      276A.344 Policies and standards; national security threat; rules. (1) The State Chief Information Officer shall adopt:

      (a) Rules pertaining to the designation of a corporate entity as a covered vendor under ORS 276A.340 (2)(g); and

      (b) Policies and standards for state agencies to implement the provisions of ORS 276A.342.

      (2) The rules adopted under this section must include:

      (a) The definition of “national security threat” for purposes of protecting state information technology assets;

      (b) Criteria and a process for determining when a corporate entity poses a national security threat; and

      (c) Criteria and a process for determining when a corporate entity no longer poses a national security threat.

      (3) The policies and standards adopted under this section must include:

      (a) The procedures for providing state agencies, the Secretary of State and the State Treasurer notice that a corporate entity is designated or no longer designated a covered vendor under ORS 276A.340 (2)(g);

      (b) The time schedules for implementing the requirements under ORS 276A.342 with regard to a corporate entity that is designated a covered vendor by the State Chief Information Officer; and

      (c) The time schedules for incorporating the requirements under ORS 276A.342 into a state agency’s information security plans, standards or measures. [2023 c.256 §3]

 

      276A.346 Secretary of State prohibited from using covered products; risk mitigation; exceptions. (1) As used in this section:

      (a) “Covered product” means any form of hardware, software or service provided by a covered vendor.

      (b) “Covered vendor” means any of the following corporate entities, or any parent, subsidiary, affiliate or successor entity of the following corporate entities:

      (A) Ant Group Co., Limited.

      (B) ByteDance Limited.

      (C) Huawei Technologies Company Limited.

      (D) Kaspersky Lab.

      (E) Tencent Holdings Limited.

      (F) ZTE Corporation.

      (c) “State information technology asset” means any form of hardware, software or service for data processing, office automation or telecommunications used directly by the office of the Secretary of State or used to a significant extent by a contractor in the performance of a contract with the office of the Secretary of State.

      (2) Except as provided in subsection (4) of this section, the Secretary of State shall:

      (a) Prohibit a covered product from being:

      (A) Installed or downloaded onto a state information technology asset; or

      (B) Used or accessed by a state information technology asset;

      (b) Remove any covered product that is installed or downloaded onto a state information technology asset; and

      (c) Implement all measures necessary to prevent the:

      (A) Installation or download of a covered product onto a state information technology asset; or

      (B) Use or access of a covered product by a state information technology asset.

      (3) For any corporate entity that the State Chief Information Officer designates as a covered vendor under ORS 276A.344, the secretary may:

      (a) Prohibit a covered product from being:

      (A) Installed or downloaded onto a state information technology asset; or

      (B) Used or accessed by a state information technology asset;

      (b) Remove any covered product that is installed or downloaded onto a state information technology asset; and

      (c) Implement all measures necessary to prevent the:

      (A) Installation or download of a covered product onto a state information technology asset; or

      (B) Use or access of a covered product by a state information technology asset.

      (4) If the secretary adopts risk mitigation standards and procedures related to the installation, download, use or access of a covered product, the secretary may, for investigatory, regulatory or law enforcement purposes, permit the:

      (a) Installation or download of the covered product onto a state information technology asset; or

      (b) Use or access of the covered product by a state information technology asset. [2023 c.256 §4]

 

      276A.348 State Treasurer prohibited from using covered products; risk mitigation; exceptions. (1) As used in this section:

      (a) “Covered product” means any form of hardware, software or service provided by a covered vendor.

      (b) “Covered vendor” means any of the following corporate entities, or any parent, subsidiary, affiliate or successor entity of the following corporate entities:

      (A) Ant Group Co., Limited.

      (B) ByteDance Limited.

      (C) Huawei Technologies Company Limited.

      (D) Kaspersky Lab.

      (E) Tencent Holdings Limited.

      (F) ZTE Corporation.

      (c) “State information technology asset” means any form of hardware, software or service for data processing, office automation or telecommunications used directly by the office of the State Treasurer or used to a significant extent by a contractor in the performance of a contract with the office of the State Treasurer.

      (2) Except as provided in subsection (4) of this section, the State Treasurer shall:

      (a) Prohibit a covered product from being:

      (A) Installed or downloaded onto a state information technology asset; or

      (B) Used or accessed by a state information technology asset;

      (b) Remove any covered product that is installed or downloaded onto a state information technology asset; and

      (c) Implement all measures necessary to prevent the:

      (A) Installation or download of a covered product onto a state information technology asset; or

      (B) Use or access of a covered product by a state information technology asset.

      (3) For any corporate entity that the State Chief Information Officer designates as a covered vendor under ORS 276A.344, the State Treasurer may:

      (a) Prohibit a covered product from being:

      (A) Installed or downloaded onto a state information technology asset; or

      (B) Used or accessed by a state information technology asset;

      (b) Remove any covered product that is installed or downloaded onto a state information technology asset; and

      (c) Implement all measures necessary to prevent the:

      (A) Installation or download of a covered product onto a state information technology asset; or

      (B) Use or access of a covered product by a state information technology asset.

      (4) If the State Treasurer adopts risk mitigation standards and procedures related to the installation, download, use or access of a covered product, the State Treasurer may, for investigatory, regulatory or law enforcement purposes, permit the:

      (a) Installation or download of the covered product onto a state information technology asset; or

      (b) Use or access of the covered product by a state information technology asset. [2023 c.256 §5]

 

OPEN DATA STANDARD

 

      276A.350 Definitions. As used in ORS 276A.350 to 276A.371:

      (1)(a) “Data” means final versions of statistical or factual information, including statistical or factual data about image files, that:

      (A) Is in alphanumeric form reflected in a list, table, graph, chart or other nonnarrative form that can be digitally transmitted or processed;

      (B) Is controlled by and regularly created or maintained by, or on behalf of, a state agency; and

      (C) Records a measurement, transaction or determination related to the mission of the agency.

      (b) “Data” does not include image files, including but not limited to designs, drawings, photos and scanned copies of original documents.

      (2) “Dataset” means a named collection of related records, maintained on a storage device, that contains data organized, formatted or structured in a specific or prescribed way.

      (3) “Mosaic effect” means a situation in which information in an individual dataset, in isolation, may not pose a risk of identifying an individual, but when combined with other available information could pose such a risk.

      (4)(a) “Publishable data” means all data and datasets collected by a state agency.

      (b) “Publishable data” does not include:

      (A) Data to which a state agency may deny access pursuant to any provision of a federal, state or local law, rule or regulation, or another applicable policy or restriction.

      (B) Data that contain a significant amount of information to which a state agency may deny access pursuant to any provision of a federal, state or local law, rule or regulation.

      (C) Data that reflect the internal deliberative process of a state agency, including but not limited to negotiating positions, future procurements or pending or reasonably anticipated legal or administrative proceedings.

      (D) Data stored on a personal computing device owned by a state agency, or data stored on a portion of a network that has been exclusively assigned to a single agency employee or to a single computing device owned or controlled by a state agency.

      (E) Materials subject to copyright, patent, trademark, confidentiality agreements or trade secret protection.

      (F) Materials that have commercial value or the disclosure of which could reduce a state agency’s competitive advantage.

      (G) Proprietary applications, computer code, software, operating systems and similar materials.

      (H) Employment records, internal employee directories or lists, facilities data, information technology and other data related to internal state agency administration.

      (I) Any other data the publication of which is prohibited by law.

      (5) “State agency” means the executive department, as defined in ORS 174.112, except that “state agency” does not include the Secretary of State or the State Treasurer. [2017 c.720 §1]

 

      276A.353 Chief Data Officer; duties; rules. (1) The State Chief Information Officer shall appoint a Chief Data Officer.

      (2) The Chief Data Officer shall:

      (a) Maintain a central web portal for the publication of publishable data under ORS 276A.362.

      (b) Establish the open data standard as provided in ORS 276A.356.

      (c) Prepare and publish the technical standards manual as provided in ORS 276A.359.

      (d) Create an enterprise data inventory that accounts for all datasets used within agency information systems and that indicates whether each dataset may be made publicly available and if the dataset is currently available to the public. The enterprise data inventory is a public record.

      (e) Provide information protection and privacy guidance for state agencies.

      (f) Establish an enterprise data and information strategy.

      (g) Identify ways to use and share existing data for business intelligence and predictive analytic opportunities.

      (h) Identify strategies to combine internal and external data sources.

      (i) Establish statewide data governance and policy area data governance and provide guidance for agencies about data governance efforts.

      (j) Oversee the delivery of education and standards to state agencies regarding data quality, master data management and data life cycle management.

      (k) Form an advisory group to assist the Chief Data Officer in carrying out the duties described in this section and in establishing an enterprise memorandum of understanding for interagency data sharing.

      (L) Submit a biennial report to a committee or interim committee of the Legislative Assembly related to information management and technology on:

      (A) The status of agency posting of publishable data; and

      (B) The status of data sharing within and between agencies, enabling cross-agency analysis to provide information for public purposes, including but not limited to program design and budgeting decisions.

      (3) The Chief Data Officer may establish and maintain an online forum to solicit feedback from the public and to encourage discussion on the open data standard and publishable data available on the web portal.

      (4) The State Chief Information Officer may adopt rules necessary to implement ORS 276A.350 to 276A.371. [2017 c.720 §2]

 

      276A.356 Open data standard. (1) The Chief Data Officer appointed under ORS 276A.353 shall establish an open data standard for state agencies publishing publishable data on the web portal maintained under ORS 276A.353. A local or tribal government may adopt the standard. The standard must include:

      (a) A format that permits public notification of updates whenever possible.

      (b) Requirements to update publishable data as often as is necessary to preserve the integrity and usefulness of publishable data.

      (c) The availability of publishable data without registration or license requirements or restrictions on the use of publishable data. As used in this paragraph, “registration or license requirements or restrictions on the use of publishable data” does not include measures designed or required to ensure access to publishable data, to protect the web portal from abuse or attempts to damage or impair the use of the web portal, or to analyze the types of publishable data being accessed to improve service delivery.

      (d) The ability to electronically search publishable data using external information technology.

      (2) In establishing the open data standard, the Chief Data Officer shall consult with subject matter experts from state agencies, organizations specializing in technology and innovation, the academic community and other interested groups designated by the Chief Data Officer. Whenever feasible, the Chief Data Officer shall consult with these entities in the development of technical and open standards.

      (3) The Chief Data Officer may adopt rules to implement the open data standard. [2017 c.720 §3]

 

      276A.359 Technical standards manual. (1) The Chief Data Officer appointed under ORS 276A.353 shall prepare and publish a technical standards manual for publishing data through the web portal maintained under ORS 276A.353. The manual must:

      (a) Enable state agencies to make publishable data available to the greatest number of users and for the greatest number of applications and emphasize that state agencies must, whenever practicable, use open data standards for web publishing in a machine-readable format.

      (b) Identify the policy for each technical standard and specify which types of data the standard applies to, and may recommend or require that publishable data be published in more than one technical standard.

      (c) Include a plan to adopt or utilize a web application programming interface that permits application programs to request and receive publishable data directly from the web portal.

      (2) The Chief Data Officer shall update the manual as necessary. [2017 c.720 §4]

 

      276A.362 Release of publishable data on web portal; exemptions; rules. (1) A state agency that releases publishable data shall release the data on the web portal maintained under ORS 276A.353 in accordance with the open data standard and technical standards manual established by the Chief Data Officer under ORS 276A.356 and 276A.359. If a state agency cannot make all publishable data available on the web portal, the state agency shall report to the Chief Data Officer all publishable data that the agency is unable to make available and state the reasons why the agency is unable to make the data available and the date by which the agency expects the publishable data to be made available on the portal.

      (2) The State Chief Information Officer shall adopt rules allowing a state agency to request an exemption from the requirements of subsection (1) of this section when:

      (a) The release of publishable data would subject the agency’s information systems to a substantial risk of cyberattack; or

      (b) The state agency is purchasing software or vendor services and industry practices do not support downstream processing and dissemination activities. [2017 c.720 §5]

 

      276A.365 Information management by state agencies. (1) A state agency shall manage information as a strategic asset throughout the information’s life cycle. To improve the management of information resources and reinforce the state’s presumption of openness, an agency shall:

      (a) Collect or create information in a way that supports downstream processing and dissemination activities, including:

      (A) Using machine-readable and open formats;

      (B) Using data standards approved by the Chief Data Officer in the collection and creation of information in order to promote data interoperability and openness;

      (C) Ensuring information stewardship through the use of open licenses; and

      (D) Using common core and extensible metadata.

      (b) Build information systems to support interoperability and information accessibility.

      (c) Strengthen data management and release practices to ensure agency data assets are managed and maintained throughout the assets’ life cycle by:

      (A) Adopting effective data asset portfolio management approaches.

      (B) Creating and maintaining an inventory of agency information resources to be included in the enterprise data inventory.

      (C) Creating and maintaining a public data listing, including datasets that can be made publicly available but that have not yet been released.

      (D) Establishing a process to engage with customers and the public to help facilitate and prioritize data release.

      (E) Clarifying roles and responsibilities for promoting efficient and effective data release practices.

      (d) Strengthen measures to ensure that privacy and confidentiality are fully protected and that data are properly secured.

      (e) Account for the mosaic effect of data aggregation.

      (f) Incorporate new interoperability and openness requirements into core agency processes.

      (2) A state agency shall integrate the following minimum requirements into the project planning documentation and technical design for all new information systems and systems preparing for modernization, as appropriate:

      (a) System designs must be scalable and flexible and must facilitate the extraction of data in multiple formats, using standards and specifications in the system design that promote industry best practices for data sharing, and separation of data from the application layer to maximize data reuse opportunities;

      (b) All data outputs of the associated system must meet the requirements described in paragraph (a) of this subsection; and

      (c) Data schemata and dictionaries must be documented and shared with internal partners and the State Chief Information Officer.

      (3)(a) A state agency’s use of proprietary software may not diminish the ability of the public to inspect and copy a public record.

      (b) A state agency may not enter into a contract for the creation of a public records database that impairs the ability of the public to inspect or copy the public records of the state agency, including but not limited to the documentation described in subsection (2)(c) of this section. [2017 c.720 §6]

 

      276A.368 Purpose of data; limitation of liability; publishable data in public domain. (1) Publishable data available on the web portal maintained under ORS 276A.353 is provided for informational purposes only. The state does not warrant the completeness, accuracy, content or fitness for any particular purpose or use of publishable data made available on the web portal. No warranties may be implied or inferred with respect to the publishable data made available on the web portal.

      (2) The state is not liable for any deficiencies in the completeness, accuracy, content or fitness for any particular purpose or use of publishable data made available on the web portal or by any third-party application utilizing publishable data.

      (3) All publishable data is in the public domain for purposes of applicable copyright laws.

      (4) The Chief Data Officer shall post the text of subsections (1) to (3) of this section on the web portal home page. [2017 c.720 §7]

 

      276A.371 Obligations of state agency under public records law. ORS 276A.350 to 276A.371 do not supersede any obligation imposed on a state agency by ORS 192.311 to 192.478. [2017 c.720 §8]

 

      276A.374 Application to Secretary of State and State Treasurer; rules. The Secretary of State and the State Treasurer shall by rule adopt for each respective office requirements related to data that are the same as, or are similar to, the requirements established by ORS 276A.350 to 276A.371 and by rules adopted by the State Chief Information Officer or the Chief Data Officer under ORS 276A.350 to 276A.371. [2017 c.720 §9]

 

TELECOMMUNICATIONS AND BROADBAND INTERNET ACCESS SERVICES

 

      276A.400 Policy. The Legislative Assembly declares it to be the policy of the State of Oregon:

      (1) To use information technology in education, health care, economic development and government services to improve economic opportunities and quality of life for all Oregonians regardless of location or income.

      (2) To stimulate demand to encourage and enable long-term infrastructure innovation and improvement.

      (3) That telecommunications planning process shall:

      (a) Organize users in new ways to aggregate demand, reduce costs and create support networks;

      (b) Encourage collaboration between communities of interest by geographic area and economic sector; and

      (c) Encourage competition among technology and service providers. [Formerly 283.500]

 

      276A.403 Coordination of telecommunications systems. (1) The State Chief Information Officer shall coordinate, in a manner that is consistent with plans, standards, policies, goals, directives and rules that the State Chief Information Officer sets, specifies or adopts, the consolidation and operation of all telecommunications systems, including emergency telecommunications systems, that the state and state agencies use. Notwithstanding any other provision of law, an agent or agency of the state may not construct, purchase or otherwise gain access to a telecommunications system without the prior approval of the State Chief Information Officer.

      (2) The provisions of this section do not require emergency service providers, as defined by the State Chief Information Officer, to consolidate telecommunications systems that emergency service providers use into nonemergency networks. [Formerly 283.505]

 

      276A.406 Acquisition of broadband and communications services. (1) As used in this section and ORS 276A.412 and 276A.421:

      (a) “Broadband” means wide bandwidth communications transmissions over coaxial cable, optical fiber, radio or twisted pair with an ability to simultaneously transport multiple signals and traffic types at a minimum transmission speed established by the State Chief Information Officer by rule, but in no event less than 25 megabits per second for downloads and three megabits per second for uploads.

      (b) “Communications” means media that communicate voice, data, text or video over a distance using electrical, electronic or light wave transmissions.

      (c) “State agency” has the meaning given that term in ORS 279A.010.

      (d) “Telecommunications provider” means any person that is capable of providing broadband and communications services including, but not limited to, a telecommunications utility as defined in ORS 759.005, a competitive telecommunications provider as defined in ORS 759.005, a cable television provider or an interstate telecommunications provider.

      (2) Notwithstanding ORS chapters 279A, 279B and 279C, the State Chief Information Officer:

      (a) Shall provide broadband and communications services and operations for the state and state agencies; and

      (b) Subject to ORS 276A.421 and notwithstanding ORS 276A.206 (6)(c), may provide broadband services and operations in unserved or underserved areas to any other public body, as defined in ORS 174.109, any federally recognized Indian tribe in Oregon or any nonprofit organization that the State Chief Information Officer designates as a community of interest under ORS 276A.206.

      (3) The State Chief Information Officer provides the services and operations under subsection (2) of this section if the State Chief Information Officer:

      (a) Provides the services directly;

      (b) Enters into an interagency or intergovernmental agreement under ORS chapter 190 to have another state agency or governmental agency provide the services; or

      (c) Acquires the services by entering into contracts with telecommunications providers or a consortium of telecommunications providers in a manner that is consistent with the State Chief Information Officer’s rules, policies and standards.

      (4) The State Chief Information Officer may not enter into any contract or agreement under subsection (3) of this section or approve the procurement of any broadband or communications system or equipment that is incompatible with the network or that is inconsistent with the State Chief Information Officer’s rules, policies and standards. [Formerly 283.510; 2018 c.51 §4]

 

      276A.409 Use of agency travel and transportation funds for telecommunications services. The State Chief Information Officer annually shall review each state agency’s budget, in conjunction with the state agency, to identify funds that the state agency uses for travel and transportation that the state agency could instead use for telecommunications. If the State Chief Information Officer determines that a state agency could use a portion of the state agency’s travel and transportation funds more effectively by instead using telecommunications, without diminishing the affected agency’s existing internal and external communications, the State Chief Information Officer shall recommend to the Emergency Board as described in ORS 291.326 action that the State Chief Information Officer determines is necessary to dedicate the identified state agency travel and transportation funds for use in telecommunications. The State Chief Information Officer shall make the recommendations to the Emergency Board not later than January 1. [Formerly 283.515]

 

      276A.412 Contracts for telecommunications equipment and services not to exceed 10 years; exception for broadband infrastructure; contract benefits for designated communities of interest. (1) For the purposes of ORS 276A.400 to 276A.412, the State Chief Information Officer may, in a manner that is consistent with the State Chief Information Officer’s rules, policies and standards, enter into a contract or contracts with telecommunications providers and equipment manufacturers for purchasing, using or operating telecommunications equipment and services for a period not to exceed 10 years.

      (2) Notwithstanding subsection (1) of this section, the State Chief Information Officer may enter into a contract or a configuration of agreements related to broadband infrastructure, including leases, maintenance and operations of broadband transmission equipment, for a period that exceeds 10 years.

      (3) For purposes of ORS 276A.206, the State Chief Information Officer may extend the benefits of telecommunications contracts for broadband networks, communications systems, equipment and services to nonprofit organizations that the State Chief Information Officer designates as communities of interest under ORS 276A.206. [Formerly 283.520; 2018 c.51 §6]

 

      276A.415 Agreements to fund or acquire telecommunications equipment and services. The State Chief Information Officer may, in a manner that is consistent with the State Chief Information Officer’s rules, policies and standards, enter into an agreement or agreements to fund or otherwise acquire telecommunications equipment and services by installment purchase or lease purchase contracts. [Formerly 283.524]

 

      276A.418 Public contracts for broadband Internet access service; prohibitions; exceptions; rules. (1) As used in this section:

      (a)(A) “Broadband Internet access service” means:

      (i) A mass-market retail Internet access service provided by wire or radio that enables a person to transmit data to or receive data between the person’s customer premises equipment, including mobile devices, and all, or substantially all, Internet endpoints;

      (ii) Any service that the Public Utility Commission finds is providing a service that is the functional equivalent of the service described in sub-subparagraph (i) of this subparagraph; or

      (iii) Any service that is incidental to or that enables the operation of the service described in sub-subparagraph (i) of this subparagraph.

      (B) “Broadband Internet access service” does not include dial-up Internet access service.

      (b) “Broadband Internet access service provider” means a person or public body that provides broadband Internet access service.

      (c) “Content, applications or services” means all traffic transmitted to or from end users of a broadband Internet access service.

      (d) “Edge provider” means any person that provides content, applications or services over the Internet, and any person that provides a device used for accessing content, applications or services over the Internet.

      (e) “End user” means any person that uses a broadband Internet access service.

      (f) “Fixed broadband Internet access service” means broadband Internet access service that serves end users primarily at fixed endpoints using stationary equipment, including fixed satellite services and licensed and unlicensed fixed wireless services.

      (g) “Mobile broadband Internet access service” means broadband Internet access service that serves end users primarily using mobile stations.

      (h) “Nonharmful device” means a device the Public Utility Commission determines by rule to be nonharmful to broadband Internet access services.

      (i) “Paid prioritization” means a broadband Internet access service provider’s management of its network to directly or indirectly favor some traffic over other traffic, including through traffic shaping, prioritization, resource reservation or other forms of preferential traffic management, either in exchange for consideration from a third party or to benefit an affiliated entity.

      (j) “Public body” means a public body, as defined in ORS 174.109, in this state.

      (2) For the purposes of this section, a public body contracts with a broadband Internet access service provider if the public body procures, or provides funding for the procurement of, broadband Internet access service, including fixed broadband Internet access service or mobile broadband Internet access service, from the broadband Internet access service provider.

      (3) A public body may not contract with a broadband Internet access service provider that, at any time on or after January 1, 2019:

      (a) Engages in paid prioritization;

      (b) Blocks lawful content, applications or services or nonharmful devices;

      (c) Impairs or degrades lawful Internet traffic for the purpose of discriminating against or favoring certain Internet content, applications or services or the use of nonharmful devices;

      (d) Unreasonably interferes with or unreasonably disadvantages an end user’s ability to select, access and use the broadband Internet access service or lawful Internet content, applications or services or devices of the end user’s choice; or

      (e) Unreasonably interferes with or unreasonably disadvantages an edge provider’s ability to make devices or lawful content, applications or services available to end users.

      (4) Notwithstanding subsection (3) of this section, a public body may contract with a broadband Internet access service provider that:

      (a) Is the sole provider of fixed broadband Internet access service to the geographic location subject to the contract;

      (b) Engages in any of the activities described in subsection (3) of this section in the process of addressing copyright infringement or other unlawful activity or the needs of emergency communications, law enforcement, public safety or national security authorities;

      (c) Engages in paid prioritization if the Public Utility Commission determines that the broadband Internet access service provider’s paid prioritization provides significant public interest benefits and does not harm the open nature of the provided broadband Internet access service;

      (d) Engages in any activities described in subsection (3)(b) to (d) of this section if the Public Utility Commission determines that the broadband Internet access service provider’s engagement in the activity is reasonable network management. An activity is reasonable network management if the activity:

      (A) Has a technical network management justification;

      (B) Does not include other business practices; and

      (C) Is narrowly tailored to achieve a legitimate network management purpose, taking into account the particular network architecture and technology of the broadband Internet access service; or

      (e) Engaged in any of the activities described in subsection (3) of this section at any time on or after January 1, 2019, if:

      (A) The broadband Internet access service provider certifies that it has ceased engaging in all of the activities described in subsection (3) of this section; and

      (B) The Public Utility Commission determines that allowing a public body to contract with the broadband Internet access service provider provides significant public interest benefits.

      (5)(a) A broadband Internet access service provider engaged in the provision of broadband Internet access service to a public body shall publicly disclose information regarding the provider’s network management practices and performance characteristics and the commercial terms of the provider’s broadband Internet access service sufficient for end users to verify that the service is provided in compliance with subsections (3) and (4) of this section.

      (b) The Public Utility Commission by rule shall specify the manner and form in which disclosures under this subsection shall be made. [2018 c.88 §1]

 

      276A.421 Provision of broadband services that compete with services of private telecommunications provider; circumstances of competition; broadband services advisory committee; rules. (1)(a) If the State Chief Information Officer determines that the broadband services and operations proposed to be provided by the State Chief Information Officer under ORS 276A.406 (2)(b) would directly compete with services already offered by a telecommunications provider, the State Chief Information Officer may only provide those services pursuant to the rules described in subsection (2) of this section.

      (b) For the purposes of this section, broadband services are considered to be already offered by a telecommunications provider if the provider can demonstrate its ability to provide the broadband services in the geographic area to be served within a reasonable time and for a reasonable cost.

      (2) The State Chief Information Officer shall adopt rules governing how it provides the broadband services and operations under subsection (1)(a) of this section. The rules must:

      (a) Describe the services that the State Chief Information Officer proposes to provide, including specifications for broadband services, such as minimum bandwidth, reliability, redundancy, deployment schedule and comparable cost;

      (b) Describe the method by which the State Chief Information Officer will maintain and update its service offerings;

      (c) Describe the process by which a telecommunications provider may demonstrate its ability to provide broadband services under subsection (1) of this section and to meet the specifications proposed by the State Chief Information Officer under paragraph (a) of this subsection; and

      (d) Describe the situations in which the State Chief Information Officer may not provide the services.

      (3) The State Chief Information Officer shall appoint an advisory committee no later than 60 days prior to rulemaking under this section to assist the State Chief Information Officer in the administration of this section.

      (4) The advisory committee must include one representative from each of the following:

      (a) A telecommunications provider in this state.

      (b) A rural telecommunications consortium in this state.

      (c) The Association of Oregon Counties.

      (d) The League of Oregon Cities.

      (e) A public school or education service district.

      (f) A public university listed in ORS 352.002.

      (g) The State Interoperability Executive Council established under ORS 403.450.

      (h) The Oregon Broadband Advisory Council established under ORS 285A.154.

      (i) The public with an interest in broadband service availability.

      (j) A nonprofit entity with an interest in broadband service availability.

      (k) Any other public, private or nonprofit entity that the State Chief Information Officer determines is necessary to assist the advisory committee in performing its duties under this section.

      (5) Before adopting rules described in this section, the State Chief Information Officer shall present the proposed rules to the Joint Legislative Committee on Information Management and Technology. [2018 c.51 §5]

 

      276A.424 Connecting Oregon Schools Fund; rules. (1) The Connecting Oregon Schools Fund is established in the State Treasury, separate and distinct from the General Fund. Interest earned by the Connecting Oregon Schools Fund shall be credited to the fund.

      (2) The Connecting Oregon Schools Fund consists of any moneys deposited in the fund from whatever source and may include moneys appropriated, allocated, deposited or transferred to the fund by the Legislative Assembly or otherwise and interest earned on moneys in the fund.

      (3) The moneys in the fund are continuously appropriated to the Department of Education for the purpose of providing matching funds for federal moneys received by school districts, education service districts, public charter schools or a consortium that is any combination of school districts, education service districts and public charter schools for the purpose of providing broadband access to eligible education facilities in this state.

      (4) An education facility is eligible to receive matching funds under this section if the education facility:

      (a) Receives federal moneys for the purpose of providing broadband access to the education facility;

      (b) Takes steps to determine whether existing broadband infrastructure, including fiber-based broadband, may be integrated into the proposed broadband access project; and

      (c) Meets any other eligibility requirements established by the State Board of Education by rule.

      (5)(a) Before the department may distribute any state moneys under this section, the board shall adopt rules to implement the provisions of this section, including rules setting criteria that govern the distribution of the moneys to eligible education facilities.

      (b) Rules adopted under this section must take into consideration any eligibility requirements established by the federal program awarding federal moneys.

      (6) As used in this section:

      (a) “Education facility” means:

      (A) A public school that offers education to students in kindergarten or grades 1 through 12, or any combination of those grade levels;

      (B) A building owned by a school district, education service district or public charter school; or

      (C) A public charter school building leased from a school district or education service district.

      (b) “Public charter school” has the meaning given that term in ORS 338.005. [2018 c.51 §3; 2019 c.648 §7]

 

OREGON GEOGRAPHIC INFORMATION COUNCIL

 

      276A.500 Definitions. As used in ORS 276A.500 to 276A.515:

      (1) “Critical infrastructure information” means information about infrastructure that is so vital to this state or the United States that the incapacity or destruction of the infrastructure would detrimentally affect the personal and economic security, health or safety of residents of this state, including information about the security of items listed in ORS 192.355 (33).

      (2) “Custodian” has the meaning given that term in ORS 192.311 (2)(b).

      (3) “Geographic information” means geographic data as that term is defined in ORS 276A.203 (4)(b).

      (4) “Geographic information system” has the meaning given that term in ORS 276A.203 (4)(b).

      (5) “Geospatial framework data” means geographic information that a public body, under applicable provisions of law or on the basis of scientific methodology, technical standards or technical expertise, creates, generates, provides or aggregates and that the Oregon Geographic Information Council, in consultation with the public body, identifies as necessary to support the business processes of a governmental agency.

      (6) “Public body” has the meaning given that term in ORS 174.109. [2017 c.166 §1]

 

      276A.503 Oregon Geographic Information Council; establishment; purposes; membership; terms of office. (1) The Oregon Geographic Information Council is established within the office of Enterprise Information Services. The State Chief Information Officer shall provide administrative and staff support and facilities that are necessary for the council to carry out the purposes set forth in this section. The purposes of the council are to:

      (a) Serve as the statewide governing body for sharing and managing geospatial framework data;

      (b) Oversee the preparation and maintenance of a plan to enhance geographic framework information sharing and management and to enhance coordination with respect to geographic framework information among public bodies within this state; and

      (c) Coordinate geospatial framework data sharing and management that occurs among public bodies.

      (2) The membership of the council consists of:

      (a) Two members of the Legislative Assembly appointed as follows:

      (A) The President of the Senate shall appoint one member from the Senate who has an interest in geographic information systems and in enhancing geospatial framework data sharing among public bodies; and

      (B) The Speaker of the House of Representatives shall appoint one member from the House of Representatives who has an interest in geographic information systems and in enhancing geospatial framework data sharing among public bodies.

      (b) The following members appointed by the Governor:

      (A) One member who represents Indian tribes, as defined in ORS 97.740;

      (B) One member who represents the Association of Oregon Counties;

      (C) One member who represents the League of Oregon Cities;

      (D) One member who represents the Special Districts Association of Oregon;

      (E) One member who represents regional governments or councils of government within this state;

      (F) One member who represents the Oregon State Association of County Assessors;

      (G) One member who represents a public safety answering point, as defined in ORS 403.105, within this state;

      (H) One member who represents the public universities listed in ORS 352.002;

      (I) One member who represents a federal agency that is concerned with collecting, managing or disseminating geospatial framework data;

      (J) One member who represents a public utility within this state;

      (K) One member who is a geographic information systems manager for a county or city in this state;

      (L) One member who represents the public and who has an interest in geographic information systems and in enhancing geospatial framework data sharing among public bodies;

      (M) The state geographic information officer that the State Chief Information Officer appoints under ORS 276A.515;

      (N) One member who represents a nonprofit professional organization with an interest in geographic information systems and in enhancing geospatial data sharing among public bodies;

      (O) Three members from state agencies with responsibility for water, land, air quality, natural resources or infrastructure;

      (P) Two members from state agencies with responsibilities for public health, human services, education or economic or community development; and

      (Q) Two members from state agencies with responsibility for public safety or emergency management.

      (3) Each group or entity identified in subsection (2)(b) of this section may recommend an individual from the group or entity for membership on the council.

      (4) Members of the Legislative Assembly appointed to the council are nonvoting members and may act in an advisory capacity only.

      (5)(a) A majority of the voting members of the council constitutes a quorum for transacting business.

      (b) A majority of the voting members of the council must approve the council’s official actions.

      (6) The council shall elect one of the council’s members to serve as chairperson and one member to serve as vice chairperson. The council shall specify in the charter described in ORS 276A.506 (1)(e) a process by which the council selects the chairperson and vice chairperson and the terms of office for the chairperson and vice chairperson.

      (7)(a) The term of office for each voting member of the council is four years, but the member serves at the pleasure of the Governor.

      (b) Before a voting member’s term expires, the Governor shall appoint a successor. A voting member is eligible for reappointment.

      (c) A nonvoting member’s term of office is two years. A nonvoting member is eligible for reappointment.

      (d) If a vacancy occurs on the council for any reason, the appointing authority shall make an appointment to become immediately effective and the new member shall serve:

      (A) For a voting member, a new four-year term.

      (B) For a nonvoting member, a new two-year term.

      (8) The council shall meet at times and places that the chairperson or a majority of the voting members of the council specifies.

      (9) Members of the council who are not members of the Legislative Assembly may not receive compensation, but the State Chief Information Officer, at the State Chief Information Officer’s discretion, may reimburse council members for actual and necessary travel and other expenses the members incur in performing the members’ official duties, in the manner and amounts provided for in ORS 292.495, from funds appropriated to the State Chief Information Officer for carrying out the council’s purposes.

      (10) All agencies of state government, as defined in ORS 174.111, shall assist the council in performing the council’s duties and, to the extent permitted by laws relating to confidentiality, shall furnish information and advice the council considers necessary to perform the council’s duties. [2017 c.166 §2; 2021 c.17 §6; 2023 c.40 §1]

 

      276A.506 Powers of council; advisory committees. (1) The Oregon Geographic Information Council has the exclusive power to:

      (a) Serve as the statewide governing body for sharing and managing geospatial framework data that public bodies share under ORS 276A.500 to 276A.515;

      (b) Develop and update every four years a strategic plan to manage geospatial framework data that aligns as closely as possible with the Enterprise Information Resources Management Strategy described in ORS 276A.203 and oversee the implementation of the plan;

      (c) Adopt, in consultation with the State Chief Information Officer, rules, policies and standards that identify geospatial framework data that public bodies must share and that specify how frequently public bodies must share the geospatial framework data;

      (d) Recommend an allocation of responsibilities among public bodies for collecting, using, managing, sharing and maintaining geospatial framework data and devise and recommend terms under which public bodies share geospatial framework data;

      (e) Adopt charters, rules, policies and procedures for carrying out the council’s purposes under ORS 276A.503;

      (f) Establish subcommittees, work groups and other bodies or methods of organization that the council deems necessary to carry out the council’s purposes under ORS 276A.503; and

      (g) Establish and appoint members to advisory committees for the purposes described in subsection (3) of this section.

      (2) The Oregon Geographic Information Council shall:

      (a) Lead and coordinate efforts to accumulate, disseminate, analyze and manage geographic information, including efforts that:

      (A) Provide a statewide forum for discussing and resolving issues related to geographic information management;

      (B) Develop and maintain partnerships for managing geographic information among public bodies; and

      (C) Identify best practices for managing geographic information and geographic information systems and determine whether and how to apply the best practices within this state.

      (b) Recommend laws, rules, policies and strategies for improving geographic information collection, dissemination, analysis and management to the Legislative Assembly, the United States Congress, public bodies and other individuals and entities.

      (c) Develop and submit each biennium to the State Chief Information Officer for approval a plan and a budget for collecting, using, managing, sharing and maintaining geospatial framework data and for maintaining a geospatial data library within the office of Enterprise Information Services.

      (d) Work with public bodies to:

      (A) Coordinate the activities of public bodies that relate to collecting, using, managing, sharing and maintaining geospatial framework data;

      (B) Develop strategies to improve geospatial framework data sharing, to reduce duplication of effort and to improve the coordination described in subparagraph (A) of this paragraph;

      (C) Identify the types, categories, forms and other classifications of geospatial framework data that public bodies, private entities and the public need;

      (D) Disseminate information about projects that various public bodies are undertaking with respect to geospatial framework data and other geographic information;

      (E) Invite participation in developing, reviewing and updating the strategic plan described in subsection (1)(b) of this section;

      (F) Recommend legislation to enhance geospatial framework data management and sharing among public bodies; and

      (G) Recommend to the Legislative Assembly strategies for eliminating the fees that public bodies charge to other public bodies for geospatial framework data under ORS 190.050 or 192.324.

      (e) Review periodically plans, grant proposals and budget requests that public bodies make for the purpose of digital mapping and identify opportunities for collaboration and shared investment that reduce unnecessary duplication of effort.

      (f) Report on the plan described in paragraph (c) of this subsection and the council’s other activities to the State Chief Information Officer, the Governor and the Joint Legislative Committee on Information Management and Technology on or before March 1 of each odd-numbered year.

      (3)(a) The council may establish an advisory committee for any purpose, and, subject to paragraph (b) of this subsection, membership on an advisory committee is open to any person.

      (b) If the council establishes one or more advisory committees for the purpose of advising the council concerning the development, collection, sharing or aggregation of geospatial framework data, the council shall establish each advisory committee with reference to the committee members’ expertise or ability to advise the council concerning a particular category of geospatial framework data.

      (c) Each advisory committee the council establishes under paragraph (b) of this subsection shall:

      (A) Identify particular geospatial framework data that public bodies should share;

      (B) Recommend a schedule for sharing the geospatial framework data that the committee identifies in subparagraph (A) of this paragraph;

      (C) Recommend processes, work flow, procedures and necessary funding for collecting, using, managing, sharing and maintaining geospatial framework data; and

      (D)(i) Recommend and coordinate recommendations from other sources for data formats, security standards and other standards for collecting, storing, transferring, maintaining and managing geospatial framework data;

      (ii) Submit the recommendations to the council and the State Chief Information Officer; and

      (iii) Update and revise the recommendations periodically to account for new circumstances.

      (d) Members of an advisory committee may not receive compensation, but the State Chief Information Officer, at the State Chief Information Officer’s discretion, may reimburse members of an advisory committee for actual and necessary travel and other expenses the members incur in performing the members’ duties, in the manner and amounts provided for in ORS 292.495, from funds appropriated to the State Chief Information Officer for carrying out the council’s purposes. [2017 c.166 §3; 2021 c.17 §7]

 

      276A.509 Public body duty to share geospatial framework data with council; conditions and exceptions; methods for sharing; limitations of liability. (1)(a) Subject to ORS 192.311 to 192.478 and except as provided in paragraph (b) of this subsection, a public body shall share all geospatial framework data that the Oregon Geographic Information Council designates for sharing if:

      (A) The public body does not incur costs other than the costs that the public body would incur as a custodian of the geospatial framework data; and

      (B) The public body uses existing data and existing resources to share the geospatial framework data.

      (b) Critical infrastructure information is not subject to the requirement under paragraph (a) of this subsection to share geospatial framework data, but a public body may choose to share with other public bodies critical infrastructure information of which the public body is a custodian under conditions the public body specifies.

      (2)(a) A public body that shares geospatial framework data in accordance with subsection (1) of this section shall:

      (A) Share the geospatial framework data in compliance with standards for data interchange, data formatting and data storage that the Oregon Geographic Information Council adopts by rule. If the council has not adopted standards or if the public body does not ordinarily maintain the geospatial framework data in accordance with the standards the council adopts, the public body shall share the geospatial framework data in the format in which the public body ordinarily maintains the geospatial framework data.

      (B) Share the geospatial framework data at intervals that the council specifies by rule or, if the council does not specify an interval by rule, share the geospatial framework data annually.

      (C) Retain custody of the public body’s geospatial framework data.

      (b) A public body that shares geospatial framework data in accordance with subsection (1) of this section may:

      (A) Transfer copies of the geospatial framework data to the State Chief Information Officer for storage in the geospatial data library described in ORS 276A.506 (2)(c) and direct requests for the geospatial framework data to the individual that the State Chief Information Officer appoints under ORS 276A.515.

      (B) Share the geospatial framework data without entering into a written agreement with another public body.

      (C) Prohibit the sharing or redistribution of the public body’s geospatial framework data if the public body notifies the Oregon Geographic Information Council in writing that the geospatial framework data is exempt from disclosure under ORS 192.311 to 192.478 because the public body claims a copyright or other proprietary interest in the geospatial framework data or for another reason the public body specifies in the notice.

      (D) Withhold from public disclosure geospatial framework data that the council designates by rule as critical infrastructure information.

      (c) A public body that receives geospatial framework data from another public body may not redistribute the geospatial framework data without specific authorization from the public body that shared the geospatial framework data.

      (3) A public body that shares geospatial framework data in accordance with subsection (1) of this section is not liable for:

      (a) Omissions, inaccuracies or other errors or defects in the geospatial framework data; or

      (b) Damages, losses or claims that arise from receiving or using the geospatial framework data.

      (4) The individual that the State Chief Information Officer appoints under ORS 276A.515 shall:

      (a) Take all reasonably necessary measures to:

      (A) Secure information in the geospatial data library described in ORS 276A.506 (2)(c) in accordance with standards, policies and procedures established or rules adopted by the State Chief Information Officer under ORS 276A.300;

      (B) Protect the availability, integrity and confidentiality of the geospatial data library; and

      (C) Ensure that a recipient of geospatial framework data complies with the prohibitions a public body places on sharing or redistributing the geospatial framework data under subsection (2)(b)(C) of this section.

      (b) Provide secure electronic means by which a public body may transmit geospatial framework data to and obtain geospatial framework data from the geospatial data library. [2017 c.166 §4]

 

      276A.512 Oregon Geographic Information Council Fund; records and reports. (1) The Oregon Geographic Information Council Fund is established in the State Treasury, separate and distinct from the General Fund. All moneys that the State Chief Information Officer collects or receives for the purposes set forth in ORS 276A.500 to 276A.515 must be paid into the State Treasury and credited to the Oregon Geographic Information Council Fund. Moneys in the fund may be invested in the same manner as other state moneys and the earnings of any investments must be credited to the fund.

      (2) The State Chief Information Officer shall keep a record of all moneys deposited into the fund that indicates, by separate account, the source from which the moneys are derived, the interest earned and the activity or program against which any withdrawal is charged.

      (3) Moneys in the fund are continuously appropriated to the State Chief Information Officer for:

      (a) Developing, acquiring and maintaining geospatial framework data and activities related to sharing geospatial framework data among public bodies; and

      (b) Paying the costs associated with the Oregon Geographic Information Council.

      (4) The State Chief Information Officer may accept gifts, grants, donations and contributions from the federal government or agencies of the federal government or from any other public or private source and may agree to any conditions placed on the gift, grant, donation or contribution that is in accordance with applicable law and ORS 276A.500 to 276A.515.

      (5) The State Chief Information Officer and the Oregon Geographic Information Council shall submit to the Legislative Assembly and the Governor by December 31 of each even-numbered year a report that summarizes the balance in the fund, lists the deposits into and expenditures from the fund and provides such other details as are necessary to enable the Legislative Assembly and the Governor to understand the operations of the fund. [2017 c.166 §5]

 

      276A.515 State geographic information officer; qualifications; duties. (1) The State Chief Information Officer shall establish and appoint an individual as a state geographic information officer to fill a full-time equivalent position that manages and oversees the daily operations of the office of Enterprise Information Services that concern or are related to geographic information and geospatial framework data.

      (2) The individual that the State Chief Information Officer appoints under subsection (1) of this section must be, by training and experience, well qualified for and capable of performing the following duties:

      (a) Serving as the State Chief Information Officer’s principal advisor concerning geographic information systems, geospatial framework data and other programs and issues that concern geographic information;

      (b) Communicating and coordinating with tribal, regional and local governments in this state, state agencies, the federal government and other public bodies on issues that concern geospatial framework data and sharing geospatial framework data;

      (c) Serving as the State Chief Information Officer’s representative on the Oregon Geographic Information Council;

      (d) Taking a leading role in coordinating the council’s development and maintenance of the strategic plan described in ORS 276A.506 (1)(b), in overseeing the implementation of the plan and in conducting the council’s activities, as described in ORS 276A.503 and 276A.506;

      (e) Taking responsibility for and directing the efforts described in ORS 276A.509 (4);

      (f) Coordinating with the Federal Geographic Data Committee, the United States Geological Survey and other federal agencies in developing geospatial framework data in this state;

      (g) Serving as the State Chief Information Officer’s liaison for existing or proposed federal programs that relate to creating or maintaining geospatial framework data in this state;

      (h) Representing the state on the National States Geographic Information Council and in local, regional and national programs and efforts that are related to geographic information systems and managing geographic information;

      (i) Overseeing compliance with rules adopted and policies, standards and plans established by the State Chief Information Officer or the Oregon Geographic Information Council with respect to geographic framework data and geographic information systems;

      (j) Consulting and collaborating with, supporting and providing services to public bodies and other stakeholders on projects that are related to geospatial framework data or other geographic information;

      (k) Leading development and deployment for, and overseeing the continuing operation, maintenance, support and enhancement of, the geospatial data library described in ORS 276A.506 (2)(c) on behalf of public bodies in this state; and

      (L) Performing other duties that the State Chief Information Officer specifies. [2017 c.166 §6; 2021 c.17 §8]

 

OREGON CYBERSECURITY CENTER OF EXCELLENCE

 

      276A.550 Definitions. As used in this section and ORS 276A.555, 276A.560 and 276A.575:

      (1) “Education service district” means a district created under ORS 334.010 that provides regional educational services to component school districts.

      (2) “Library” means a public agency that provides free and equal access to library and information services that are suitable for persons of all ages.

      (3) “Local government” means a city or county.

      (4) “Public body” has the meaning given that term in ORS 174.109.

      (5) “Regional government” means:

      (a) A metropolitan service district formed under ORS chapter 268.

      (b) An intergovernmental entity created by an intergovernmental agreement under ORS 190.010.

      (6) “School district” has the meaning given that term in ORS 330.003.

      (7) “Special district” means a district as defined in ORS 198.010. [2023 c.489 §1]

 

      276A.555 Oregon Cybersecurity Center of Excellence; purpose; operating agreement; strategic plan; biennial report. (1) The Oregon Cybersecurity Center of Excellence is established at Portland State University. The center shall operate under the joint direction and control of Portland State University, Oregon State University and the University of Oregon. A director shall be appointed to oversee the center pursuant to procedures set forth in the charter developed and adopted under subsection (5) of this section.

      (2) The purpose of the center is to supplement the activities of the State Chief Information Officer regarding cybersecurity in this state by coordinating, funding or providing:

      (a) Awareness, education and training about cybersecurity and cybersecurity-related issues for public, private and nonprofit sectors;

      (b) Cybersecurity workforce development programs in coordination with:

      (A) Public universities listed in ORS 352.002;

      (B) Community colleges operated under ORS chapter 341; and

      (C) Science, technology, engineering and mathematics and career and technical education programs;

      (c) Research about cybersecurity education and training methodologies;

      (d) Research and development of cybersecurity technologies, tools, policies and processes; and

      (e) Cybersecurity-related goods and services to Oregon public bodies, with priority given to local governments, regional governments, special districts, education service districts, school districts and libraries.

      (3) The center shall:

      (a) Serve as the statewide advisory body to the Legislative Assembly, Governor and State Chief Information Officer on cybersecurity and cybersecurity-related issues for local governments, regional governments, special districts, education service districts, school districts and libraries.

      (b) Provide to public, private and nonprofit sectors in this state information and recommend best practices concerning cybersecurity, cyber resilience and recovery measures, including legal, insurance and other topics.

      (c) Coordinate the sharing of information related to cybersecurity threats, risks, warnings and incidents, and promote public awareness and shared, real-time situational awareness among public, private and nonprofit sector entities.

      (d) Provide cybersecurity assessment, scanning and analysis, monitoring and incident response services to public bodies, with priority given to public bodies with the greatest need for services, including local governments, regional governments, special districts, education service districts, school districts and libraries.

      (e) Collaborate with public bodies to coordinate cybersecurity efforts with ongoing information technology modernization and resilience projects.

      (f) Identify and participate in appropriate federal, multistate, regional, state, local or private sector programs and efforts that support or complement the center’s purpose.

      (g) Pursue and leverage federal sources of cybersecurity and cyber resilience funding to achieve state goals related to cybersecurity and cyber resilience.

      (h) Manage and award funds distributed to the center for cybersecurity and cyber resilience initiatives.

      (i) Encourage the development of Oregon’s cybersecurity workforce by, at a minimum:

      (A) Identifying gaps and needs in workforce programs.

      (B) Fostering the growth and development of cybersecurity workforce development programs and career and technical education in school districts, community colleges operated under ORS chapter 341, and public universities listed in ORS 352.002.

      (C) Assisting in curriculum review and standardization and providing recommendations to improve programs.

      (D) Fostering industry involvement in internships, mentorship and apprenticeship programs and experiential learning programs.

      (E) Building awareness of industry and career opportunities to recruit students into cyber-related educational tracks.

      (4)(a) Portland State University, Oregon State University and the University of Oregon shall enter into an operating agreement for administering the center, including the provision of administrative and staff support and facilities.

      (b) A public university listed in ORS 352.002, or a community college operated under ORS chapter 341, not listed in paragraph (a) of this subsection may join the operating agreement and provide administrative and staff support and facilities. The process for joining the operating agreement shall be described in the operating agreement or the charter developed under subsection (5) of this section.

      (5) Portland State University, Oregon State University and the University of Oregon, in consultation with the Oregon Cybersecurity Advisory Council, shall develop and adopt a charter to serve as the governing document for the center. The charter must contain provisions regarding the center’s operations, budget and any funds administered by the center and the procedures for appointing the director to oversee the center. Portland State University, Oregon State University and the University of Oregon shall annually review and, as necessary, update the charter.

      (6) The center shall, in consultation with the council:

      (a) Develop and update every four years a strategic plan, including goals and objectives, for the center.

      (b) Develop and submit a report on the center’s strategic goals and objectives, operations and funding requests for continued operations and funds administered by the center, to the Governor and to the appropriate committees of the Legislative Assembly, in the manner required by ORS 192.245, by February 1 of each odd-numbered year. The report must identify any grants, donations, gifts or other forms of conveyances of land, money, real or personal property or other valuable thing made to the state or the center for carrying out the purposes of the center.

      (c) Provide a statewide forum for discussing and resolving cybersecurity issues.

      (7)(a) All agencies of state government are directed to assist the center in the performance of the center’s duties and, to the extent permitted by laws relating to confidentiality, shall furnish information and advice the center considers necessary to perform the center’s duties.

      (b) As used in this subsection, “state government” has the meaning given that term in ORS 174.111, except that “state government” does not include the Secretary of State or State Treasurer. [2023 c.489 §7 (enacted in lieu of 276A.329)]

 

      276A.560 Oregon Cybersecurity Advisory Council. (1) The Oregon Cybersecurity Advisory Council is established within the Oregon Cybersecurity Center of Excellence. The council consists of 21 members appointed as follows:

      (a) The Governor, after consultation with the State Chief Information Officer and the director of the Oregon Cybersecurity Center of Excellence or the director’s designee, shall appoint 15 voting members.

      (b) The Speaker of the House of Representatives shall appoint one nonvoting member who is a member of the House of Representatives.

      (c) The President of the Senate shall appoint one nonvoting member who is a member of the Senate.

      (d) The Secretary of State shall appoint one ex officio, nonvoting member to represent the Secretary of State.

      (e) The State Treasurer shall appoint one ex officio, nonvoting member to represent the State Treasurer.

      (f) The Attorney General shall appoint one ex officio, nonvoting member to represent the Attorney General.

      (g) The Director of the Oregon Department of Emergency Management shall appoint one ex officio, nonvoting member to represent the Oregon Department of Emergency Management.

      (2)(a) The voting members of the council shall consist of:

      (A) One member who represents Indian tribes, as defined in ORS 97.740;

      (B) One member who represents the Association of Oregon Counties;

      (C) One member who represents the League of Oregon Cities;

      (D) One member who represents the Special Districts Association of Oregon;

      (E) One member who represents regional governments;

      (F) One member who represents the Oregon Association of Education Service Districts;

      (G) One member who represents the Oregon School Boards Association;

      (H) One member who represents the Coalition of Oregon School Administrators;

      (I) One member who represents public universities listed in ORS 352.002;

      (J) One member who represents community colleges;

      (K) One member who represents the office of Enterprise Information Services;

      (L) One member who represents a critical infrastructure sector in Oregon as defined by the Cybersecurity and Infrastructure Security Agency of the United States Department of Homeland Security;

      (M) One member who represents cyber-related industries in Oregon;

      (N) One member who represents a public sector information technology association in Oregon; and

      (O) One member who represents a private sector information technology or telecommunications association in Oregon.

      (b) A majority of the council’s voting members must be geographically diverse representatives of public universities listed in ORS 352.002, local governments, regional governments, special districts, education service districts, school districts or libraries.

      (3) The council shall elect one voting member of the council to serve as chairperson and one voting member of the council to serve as vice chairperson.

      (4)(a) A majority of the voting members of the council constitutes a quorum for the transaction of business.

      (b) Official action by the council requires the approval of a majority of the voting members of the council.

      (5)(a) The term of office of each voting member of the council is four years, but a member serves at the pleasure of the Governor.

      (b) Before the expiration of the term of a voting member, the Governor, after consultation with the State Chief Information Officer and the director of Oregon Cybersecurity Center of Excellence or the director’s designee, shall appoint a successor whose term begins on July 1 following the appointment. A voting member is eligible for reappointment.

      (c) If there is a vacancy for any cause, the Governor, after consultation with the State Chief Information Officer and the director of Oregon Cybersecurity Center of Excellence or the director’s designee, shall make an appointment to become immediately effective for the unexpired term.

      (6) The nonvoting legislative members of the council shall serve two-year terms and are eligible for reappointment.

      (7) The council shall meet at times and places specified by the call of the chairperson or a majority of the voting members of the council.

      (8) Members of the council who are not members of the Legislative Assembly are not entitled to compensation, but the Oregon Cybersecurity Center of Excellence may reimburse a member of the council who is not a member of the Legislative Assembly for actual and necessary travel and other expenses incurred in performing the member’s official duties, in the manner and amounts provided for in ORS 292.495, from funds appropriated to the Higher Education Coordinating Commission for purposes of the council.

      (9) Members of the council who are members of the Legislative Assembly are entitled to compensation and expense reimbursement as provided in ORS 171.072.

      (10) The council may:

      (a) Adopt rules, policies and procedures necessary for the operation of the council.

      (b) Establish subcommittees, advisory committees or other work groups necessary to assist the council in performing its duties.

      (c) Appoint additional nonvoting members to the council.

      (11) All agencies of state government, as defined in ORS 174.111, are directed to assist the council in the performance of the council’s duties and, to the extent permitted by laws relating to confidentiality, shall furnish information and advice the council considers necessary to perform the council’s duties. [2023 c.489 §3 (enacted in lieu of 276A.326)]

 

      Note: Section 4, chapter 489, Oregon Laws 2023, provides:

      Sec. 4. Notwithstanding the term of office specified in section 3 of this 2023 Act [276A.560], of the voting members appointed to the Oregon Cybersecurity Advisory Council under section 3 of this 2023 Act:

      (1) One-third shall serve for a term ending July 1, 2025.

      (2) One-third shall serve for a term ending July 1, 2026.

      (3) The remaining voting members shall serve for a term ending July 1, 2027. [2023 c.489 §4]

 

      276A.565 Oregon Cybersecurity Center of Excellence Operating Fund; biennial report. (1) The Oregon Cybersecurity Center of Excellence Operating Fund is established in the State Treasury, separate and distinct from the General Fund. Interest earned by the Oregon Cybersecurity Center of Excellence Operating Fund must be credited to the fund.

      (2) Moneys in the fund shall consist of:

      (a) Amounts donated to the fund;

      (b) Amounts appropriated or otherwise transferred to the fund by the Legislative Assembly; and

      (c) Other amounts deposited in the fund from any source.

      (3) Moneys in the fund are continuously appropriated to the Higher Education Coordinating Commission for distribution to the Oregon Cybersecurity Center of Excellence for the purposes of carrying out the functions and operations of the center.

      (4) The center shall submit to the Governor and to the appropriate committees of the Legislative Assembly, in the manner provided under ORS 192.245, a biennial report that summarizes the balance of the fund, lists the deposits into and expenditures from the fund and provides such other details as necessary regarding the operation of the fund. [2023 c.489 §8]

 

      Note: Sections 11 and 12, chapter 489, Oregon Laws 2023, provide:

      Sec. 11. The biennial reports described in sections 8 [276A.565], 9 [276A.570] and 10 [276A.575] of this 2023 Act are first due no later than December 31, 2025. [2023 c.489 §11]

      Sec. 12. Section 11 of this 2023 Act is repealed on January 2, 2026. [2023 c.489 §12]

 

      276A.570 Oregon Cybersecurity Workforce Development Fund; biennial report. (1) The Oregon Cybersecurity Workforce Development Fund is established in the State Treasury, separate and distinct from the General Fund. Interest earned by the Oregon Cybersecurity Workforce Development Fund must be credited to the fund.

      (2) Moneys in the fund shall consist of:

      (a) Amounts donated to the fund;

      (b) Amounts appropriated or otherwise transferred to the fund by the Legislative Assembly; and

      (c) Other amounts deposited in the fund from any source.

      (3) Moneys in the fund are continuously appropriated to the Higher Education Coordinating Commission for distribution to the Oregon Cybersecurity Center of Excellence for the purposes of making targeted investments in workforce development programs designed to accelerate the growth, qualifications and availability of Oregon’s cybersecurity workforce.

      (4) The center shall submit to the Governor and to the appropriate committees of the Legislative Assembly, in the manner provided under ORS 192.245, a biennial report that summarizes the balance of the fund, lists the deposits into and expenditures from the fund and provides such other details as necessary regarding the operation of the fund. [2023 c.489 §9]

 

      Note: See note under 276A.565.

 

      276A.575 Oregon Cybersecurity Grant Program Fund; standards and requirements; biennial report. (1) The Oregon Cybersecurity Grant Program Fund is established in the State Treasury, separate and distinct from the General Fund. Interest earned by the Oregon Cybersecurity Grant Program Fund must be credited to the fund.

      (2) Moneys in the fund shall consist of:

      (a) Amounts donated to the fund;

      (b) Amounts appropriated or otherwise transferred to the fund by the Legislative Assembly; and

      (c) Other amounts deposited in the fund from any source.

      (3) Moneys in the fund are continuously appropriated to the Higher Education Coordinating Commission for distribution to the Oregon Cybersecurity Center of Excellence for the purposes of providing:

      (a) Cybersecurity assessment, scanning and analysis, monitoring, incident response and technical assistance and other cybersecurity-related goods and services to Oregon public bodies on a competitive basis with specific emphasis on serving the unmet needs of local governments, regional governments, special districts, education service districts, school districts and libraries.

      (b) Matching funds for federal moneys related to cybersecurity received by public bodies.

      (4) The center shall adopt standards, objectives, criteria and eligibility requirements for the use of moneys distributed from the fund. In developing criteria and eligibility standards, the center shall take into consideration any requirements of federal programs awarding moneys related to cybersecurity.

      (5) The center shall submit to the Governor and to the appropriate committees of the Legislative Assembly, in the manner provided under ORS 192.245, a biennial report that summarizes the balance of the fund, lists the deposits into and expenditures from the fund and provides such other details as necessary regarding the operation of the fund. [2023 c.489 §10]

 

      Note: See note under 276A.565.

 

CHAPTER 277 [Reserved for expansion]

_______________