Back to Oregon

HB3684 • 2025

Allows a state agency to apply for and obtain a limited waiver to the prohibitions or requirements regarding state information technology assets and covered products if the state agency shows that a waiver is needed for the state agency or a contractor of the state agency to perform their duties.

Allows a state agency to apply for and obtain a limited waiver to the prohibitions or requirements regarding state information technology assets and covered products if the state agency shows that a waiver is needed for the state agency or a contractor of the state agency to perform their duties.

Technology
Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor
Representative Hartman, Representative Mannix
Last action
2025-06-27
Official status
In House Committee
Effective date
Not listed

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

Allows a state agency to apply for and obtain a limited waiver to the prohibitions or requirements regarding state information technology assets and covered products if the state agency shows that a waiver is needed for the state agency or a contractor of the state agency to perform their duties.

Digest: Lets a state agency get a waiver to the law that restricts the use of covered products on IT assets if the waiver is needed to perform its duties.

What This Bill Does

  • Digest: Lets a state agency get a waiver to the law that restricts the use of covered products on IT assets if the waiver is needed to perform its duties.
  • (Flesch Readability Score: 60.7).
  • Allows a state agency to apply for and obtain a limited waiver to the prohibitions or requirements regarding state information technology assets and covered products if the state agency shows that a waiver is needed for the state agency or a contractor of the state agency to perform their duties.
  • Takes effect on the 91st day following adjournment sine die.

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Bill History

  1. 2025-06-27 House

    In committee upon adjournment.

  2. 2025-04-18 House

    Public Hearing held.

  3. 2025-02-27 House

    Referred to Information Management and Technology.

  4. 2025-02-25 House

    First reading. Referred to Speaker's desk.

Official Summary Text

Digest: Lets a state agency get a waiver to the law that restricts the use of covered products on IT assets if the waiver is needed to perform its duties. (Flesch Readability Score: 60.7).
Allows a state agency to apply for and obtain a limited waiver to the prohibitions or requirements regarding state information technology assets and covered products if the state agency shows that a waiver is needed for the state agency or a contractor of the state agency to perform their duties.
Takes effect on the 91st day following adjournment sine die.
Relating to: Relating to the security of state information technology assets; prescribing an effective date.
Current location: In House Committee

Current Bill Text

Read the full stored bill text
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
83rd OREGON LEGISLATIVE ASSEMBLY--2025 Regular Session
House Bill 3684
Sponsored by Representative HARTMAN
SUMMARY
The following summary is not prepared by the sponsors of the measure and is not a part of the body thereof subject
to consideration by the Legislative Assembly. It is an editor’s brief statement of the essential features of the
measure as introduced. The statement includes a measure digest written in compliance with applicable readability
standards.
Digest: Lets a state agency get a waiver to the law that restricts the use of covered products
on IT assets if the waiver is needed to perform its duties. (Flesch Readability Score: 60.7).
Allows a state agency to apply for and obtain a limited waiver to the prohibitions or require-
ments regarding state information technology assets and covered products if the state agency shows
that a waiver is needed for the state agency or a contractor of the state agency to perform their
duties.
Takes effect on the 91st day following adjournment sine die.
A BILL FOR AN ACT
Relating to the security of state information technology assets; amending ORS 276A.342; and pre-
scribing an effective date.
Be It Enacted by the People of the State of Oregon:
SECTION 1.
ORS 276A.342 is amended to read:
276A.342. (1) A covered product may not be:
(a) Installed or downloaded onto a state information technology asset; or
(b) Used or accessed by a state information technology asset.
(2) A state agency shall:
(a) Remove any covered product that is installed or downloaded onto a state information tech-
nology asset that is under the management or control of the state agency; and
(b) Implement all measures necessary to prevent the:
(A) Installation or download of a covered product onto a state information technology asset that
is under the management or control of the state agency; or
(B) Use or access of a covered product by a state information technology asset that is under the
management or control of the state agency.
(3)(a) Notwithstanding subsections (1) and (2) of this section, a state agency may, for
investigatory, regulatory or law enforcement purposes, permit the:
(A) Installation or download of a covered product onto a state information technology asset; or
(B) Use or access of a covered product by a state information technology asset.
(b) A state agency that permits the installation, download, use or access of a covered product
under this subsection shall adopt risk mitigation standards and procedures related to the installa-
tion, download, use or access of the covered product.
(4) A state agency may apply to the State Chief Information Officer for a limited waiver
to the prohibitions or requirements under subsections (1) and (2) of this section. The officer
shall grant a limited waiver if the state agency shows that a waiver is needed for the state
agency, or a contractor of the state agency, to perform the duties of the state agency or
contractor of the state agency.
NOTE:Matter in boldfaced type in an amended section is new; matter [ italic and bracketed] is existing law to be omitted.
New sections are in boldfaced type.
LC 4198
HB 3684
1
2
3
4
5
6
[(4)] (5) The State Chief Information Officer shall coordinate with and oversee state agencies to
implement the provisions of this section in accordance with the policies and standards adopted un-
der ORS 276A.344 (3).
SECTION 2.
This 2025 Act takes effect on the 91st day after the date on which the 2025
regular session of the Eighty-third Legislative Assembly adjourns sine die.
[2]