New York 2025-2026 Regular Session

New York Assembly Bill A02237 Latest Draft

Bill / Introduced Version Filed 01/15/2025

   
STATE OF NEW YORK

2237

2025-2026 Regular Sessions

IN ASSEMBLY

January 15, 2025

Introduced by M. of A. RAJKUMAR, ALVAREZ, LEMONDES, K. BROWN, STERN -- read once and referred to the Committee on Governmental Operations

AN ACT to amend the state finance law and the general municipal law, in relation to prohibiting procurement of certain technology that poses security threats

The People of the State of New York, represented in Senate and Assembly, do enact as follows:

Section 1. The state finance law is amended by adding a new section 163-e to read as follows:

§ 163-e. Restriction on purchasing certain technology which poses a security threat.

1. (a) Notwithstanding any inconsistent provision of law, the state and any department, bureau, board, commission, authority, and any other agency or instrumentality of the state shall not enter into or renew any contract or agreement to procure information and communications technology, including hardware, systems, devices, software, or services that include embedded or incidental information technology, which are prohibited from federal procurement pursuant to section 889 of Public Law 115-232 of 2018.

(b) The term "information and communications technology" means:

(i) information technology, as defined in section 11101 of title 40;

(ii) information systems, as defined in 44 U.S.C. 3502; and

(iii) telecommunications equipment and telecommunications services, as those terms are defined in section 3 of the Communications Act of 1934 (47 U.S.C. 153).

(c) The term "information and communications technology" shall not include automated-decision making systems.

2. The chief information officer shall, in consultation with the division of homeland security and emergency services and the office of general services, establish and update regularly a list of restricted information and communications technology. Technology on this list shall not be procured by any state agency, state or local authority, or political subdivision unless a waiver is issued pursuant to subdivision three of this section or the chief information officer determines that the technology shall only be restricted in limited circumstances.

The list shall:

(a) contain information and communications technologies that pose a security risk to the state of New York or its political subdivisions. In determining whether information and communications technology poses such a risk, the chief information officer shall consult relevant federal sources, including the department of defense inspector general report no. DODIG-2019-106, as well as any other source that shall be determined to be relevant;

(b) describe the scope of each restriction, such as whether it is generally prohibited or prohibited in certain circumstances or from certain entities;

(c) include an explanation as to why items were included on the list; and

(d) be published online and communicated to all relevant procurement officers in all state agencies, state authorities, and political subdivisions.

3. The commissioner of homeland security and emergency services, the commissioner of the office of general services, the adjutant general, the chief information officer, the chief cyber officer, the chief technology officer of the city of New York and any federal agency authorized under section 889 of Public Law 115-232 of 2018, may provide a waiver from this section if:

(a) any such entity determines the waiver is in the interests of the state or political subdivision;

(b) no compliant product or service is available to be procured as, and when, needed at United States market prices or a price that is not considered prohibitively expensive; and

(c) such waiver could not reasonably be expected to compromise the security or integrity of a computer network operated by an instrumentality of the state.

4. Nothing in this section shall be construed:

(a) to require any information and communications technology resident in equipment, systems, or services as of the day before the effective date of this section to be removed or replaced;

(b) to prohibit or limit the utilization of such information and communications technology throughout the lifecycle of such existing equipment; or

(c) to require the recipient of a state contract, grant, loan, or loan guarantee to replace information and communications technology resident in equipment, systems, or services before the effective date of this section.

§ 2. The general municipal law is amended by adding a new section 103-h to read as follows:

§ 103-h. Restriction on purchasing certain technology which poses a security threat.

1. (a) Notwithstanding any inconsistent provision of law a political subdivision shall not enter into or renew any contract or agreement to procure information and communications technology, including hardware, systems, devices, software, or services that include embedded or incidental information technology, which are prohibited from federal procurement pursuant to section 889 of Public Law 115-232 of 2018, or which are included on the list created pursuant to subdivision two of section one hundred sixty-three-e of the state finance law.

(b) The term "information and communications technology" means:

(i) information technology, as defined in 40 U.S.C. 11101;

(ii) information systems, as defined in 44 U.S.C. 3502; and

(iii) telecommunications equipment and telecommunications services, as those terms are defined in section 3 of the Communications Act of 1934 (47 U.S.C. 153).

2. The commissioner of homeland security and emergency services, the commissioner of the office of general services, the adjutant general, the chief information officer, the chief cyber officer, the chief technology officer of the city of New York and any federal agency authorized under section 889 of Public Law 115-232 of 2018, may provide a waiver from this section if:

(a) any such entity determines the waiver is in the interest of the political subdivision;

(b) no compliant product or service is available to be procured as, and when, needed at United States market prices or a price that is not considered prohibitively expensive; and

(c) such waiver could not reasonably be expected to compromise the security or integrity of a computer network operated by an instrumentality of the state.

4. Nothing in this section shall be construed:

(a) to require any information and communications technology resident in equipment, systems, or services as of the day before the effective date of this section to be removed or replaced;

(b) to prohibit or limit the utilization of such information and communications technology throughout the lifecycle of such existing equipment; or

(c) to require the recipient of a state contract, grant, loan, or loan guarantee to replace information and communications technology resident in equipment, systems, or services before the effective date of this section.

§ 3. No later than the effective date of this act, the office of general services shall promulgate rules and regulations and issue guidance to all state agencies and local procurement authorities necessary, including providing updates on prohibited or excluded entities for procurement contracts in conformity with federal law, rules and regulations, no later than sixty days after any entity is prohibited or excluded.

§ 4. This act shall take effect two years after it shall have become a law. Effective immediately, the office of general services is authorized to promulgate rules and regulations and issue guidance to all state agencies and local procurement authorities necessary for the implementation of this act on its effective date, including providing updates on prohibited or excluded entities for procurement contracts in conformity with federal law, rules and regulations.

EXPLANATION--Matter in italics (underscored) is new; matter in brackets [ ] is old law to be omitted.

LBD01015-01-5