Oregon Administrative Rules
Chapter 128 - DEPARTMENT OF ADMINISTRATIVE SERVICES, OFFICE OF THE STATE CHIEF INFORMATION OFFICER
Division 20 - STATE INFORMATION TECHNOLOGY ASSET PROTECTION - COVERED VENDORS
Section 128-020-0020 - Designation Criteria

(1) The corporate entity owns or otherwise provides a product or service that was developed or provided by a covered vendor.

(2) The extent to which the corporate entity is affiliated with a covered vendor.

(3) The corporate entity owns or otherwise provides a product or service that collects user data, including but not limited to personal information, browsing history, and location history, that is not required for or grossly exceeds the minimum necessary user data for the product or service.

(4) The corporate entity owns or otherwise provides a product or service that collects user data, such as biometric data, contact information, GPS locations, chat logs, photos and browser histories, personal information, browsing history, and location history, that is potentially or currently accessible by foreign governments or foreign state actors.

(5) The corporate entity owns or otherwise provides a product or service that has security vulnerabilities that, if unresolved, could expose state information technology assets to malicious actors.

(6) The corporate entity owns or otherwise provides a product or service developed or provided by a corporate entity that has been designated a national security threat or otherwise meets the criteria of a covered vendor under OAR 128-020-0010.

(7) The corporate entity owns or otherwise provides a product or service that supports the administrative use of algorithmic modifications to conduct misinformation, disinformation, or malinformation campaigns.

(8) The corporate entity owns or otherwise provides a product or service that has the potential to control or compromise state information technology assets.