Aligns state and local procurement laws with federal law prohibiting the procurement of certain information and communications technology and electronic parts or products which are determined to pose a risk to state and national security.
NEW YORK STATE ASSEMBLY MEMORANDUM IN SUPPORT OF LEGISLATION submitted in accordance with Assembly Rule III, Sec 1(f)
BILL NUMBER: A2237
SPONSOR: Rajkumar TITLE OF BILL:
An act to amend the state finance law and the general municipal law, in
relation to prohibiting procurement of certain technology that poses
security threats
PURPOSE OR GENERAL IDEA OF BILL:
To prohibit the state and all municipalities from procuring technology
that poses a security threat.
SUMMARY OF PROVISIONS:
Section 1 amends the state finance law by adding a new section 163-e
prohibiting the state from procurement of technology from companies
prohibited from federal procurement under pursuant to Pub. L. 115-232 §
889, and directs the CIO to determine other companies to prohibit from
procurement in some or all applications, in consultation with
DODIG-2019-106 ; or a company for which procurement was determined to be
a national security threat by DODIG-2019-106; and designates entities
with waiver authority.
Section 2 amends the general municipal law by adding a new section 103-h
providing for the same for municipalities.
Section 3 directs the Office of General Services to promulgate rules and
regulations on state procurement, as well as guidance to local procure-
ment authorities.
Section 4 is the effective date.
DIFFERENCE BETWEEN ORIGINAL AND AMENDED VERSION (IF APPLICABLE):
JUSTIFICATION:
Security experts in the federal government have determined that govern-
ment use of technology from certain international companies poses a
threat to national security, due to the companies' close ties to another
country's government. This technology has the genuine potential to
surreptitiously transmit sensitive data to another country, and act as a
"back door" for another country to engage in cyberattacks.
Section 889 of the John S. McCain National Defense Authorization Act for
Fiscal Year 2019 established a policy that the federal government would
actively maintain and update a list of prohibited international tech
products that posed a security threat.
Additionally, the Department of Defense Inspector General's report
"Audit of the DoD's Management of the Cybersecurity Risks for Government
Purchase Card Purchases of Commercial Off-the-Shelf Items" (DODIG-2019-
106) concluded that the procurement of technology from certain interna-
tional companies constituted a threat to national security.
Nonetheless, New York still procures technology from these companies,
with contracts worth tens of millions of dollars.
This bill allows the State to prohibit procurement of this technology,
protecting sensitive information and preventing cyberattacks. This will
also support the growing domestic semiconductor industry, including the
planned $100 billion semiconductor plant in Clay, New York.
PRIOR LEGISLATIVE HISTORY:
23-24 A9312 referred to rules.
FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS:
Minimal.
EFFECTIVE DATE:
This act shall take effect two years after it shall have become a law.
Effective immediately, the office of general services is authorized to
promulgate rules and regulations and issue guidance to all state agen-
cies and local procurement authorities necessary for the implementation
of this act on its effective date, including providing updates on
prohibited or excluded entities for procurement contracts in conformity
with federal law, rules and regulations.
STATE OF NEW YORK
________________________________________________________________________
2237
2025-2026 Regular Sessions
IN ASSEMBLY
January 15, 2025
___________
Introduced by M. of A. RAJKUMAR, ALVAREZ, LEMONDES, K. BROWN, STERN --
read once and referred to the Committee on Governmental Operations
AN ACT to amend the state finance law and the general municipal law, in
relation to prohibiting procurement of certain technology that poses
security threats
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. The state finance law is amended by adding a new section
2 163-e to read as follows:
3 § 163-e. Restriction on purchasing certain technology which poses a
4 security threat. 1. (a) Notwithstanding any inconsistent provision of
5 law, the state and any department, bureau, board, commission, authority,
6 and any other agency or instrumentality of the state shall not enter
7 into or renew any contract or agreement to procure information and
8 communications technology, including hardware, systems, devices, soft-
9 ware, or services that include embedded or incidental information tech-
10 nology, which are prohibited from federal procurement pursuant to
11 section 889 of Public Law 115-232 of 2018.
12 (b) The term "information and communications technology" means:
13 (i) information technology, as defined in section 11101 of title 40;
14 (ii) information systems, as defined in 44 U.S.C. 3502; and
15 (iii) telecommunications equipment and telecommunications services, as
16 those terms are defined in section 3 of the Communications Act of 1934
17 (47 U.S.C. 153).
18 (c) The term "information and communications technology" shall not
19 include automated-decision making systems.
20 2. The chief information officer shall, in consultation with the divi-
21 sion of homeland security and emergency services and the office of
22 general services, establish and update regularly a list of restricted
23 information and communications technology. Technology on this list shall
24 not be procured by any state agency, state or local authority, or poli-
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD01015-01-5
A. 2237 2
1 tical subdivision unless a waiver is issued pursuant to subdivision
2 three of this section or the chief information officer determines that
3 the technology shall only be restricted in limited circumstances.
4 The list shall:
5 (a) contain information and communications technologies that pose a
6 security risk to the state of New York or its political subdivisions. In
7 determining whether information and communications technology poses such
8 a risk, the chief information officer shall consult relevant federal
9 sources, including the department of defense inspector general report
10 no. DODIG-2019-106, as well as any other source that shall be determined
11 to be relevant;
12 (b) describe the scope of each restriction, such as whether it is
13 generally prohibited or prohibited in certain circumstances or from
14 certain entities;
15 (c) include an explanation as to why items were included on the list;
16 and
17 (d) be published online and communicated to all relevant procurement
18 officers in all state agencies, state authorities, and political subdi-
19 visions.
20 3. The commissioner of homeland security and emergency services, the
21 commissioner of the office of general services, the adjutant general,
22 the chief information officer, the chief cyber officer, the chief tech-
23 nology officer of the city of New York and any federal agency authorized
24 under section 889 of Public Law 115-232 of 2018, may provide a waiver
25 from this section if:
26 (a) any such entity determines the waiver is in the interests of the
27 state or political subdivision;
28 (b) no compliant product or service is available to be procured as,
29 and when, needed at United States market prices or a price that is not
30 considered prohibitively expensive; and
31 (c) such waiver could not reasonably be expected to compromise the
32 security or integrity of a computer network operated by an instrumental-
33 ity of the state.
34 4. Nothing in this section shall be construed:
35 (a) to require any information and communications technology resident
36 in equipment, systems, or services as of the day before the effective
37 date of this section to be removed or replaced;
38 (b) to prohibit or limit the utilization of such information and
39 communications technology throughout the lifecycle of such existing
40 equipment; or
41 (c) to require the recipient of a state contract, grant, loan, or loan
42 guarantee to replace information and communications technology resident
43 in equipment, systems, or services before the effective date of this
44 section.
45 § 2. The general municipal law is amended by adding a new section
46 103-h to read as follows:
47 § 103-h. Restriction on purchasing certain technology which poses a
48 security threat. 1. (a) Notwithstanding any inconsistent provision of
49 law a political subdivision shall not enter into or renew any contract
50 or agreement to procure information and communications technology,
51 including hardware, systems, devices, software, or services that include
52 embedded or incidental information technology, which are prohibited from
53 federal procurement pursuant to section 889 of Public Law 115-232 of
54 2018, or which are included on the list created pursuant to subdivision
55 two of section one hundred sixty-three-e of the state finance law.
56 (b) The term "information and communications technology" means:
A. 2237 3
1 (i) information technology, as defined in 40 U.S.C. 11101;
2 (ii) information systems, as defined in 44 U.S.C. 3502; and
3 (iii) telecommunications equipment and telecommunications services, as
4 those terms are defined in section 3 of the Communications Act of 1934
5 (47 U.S.C. 153).
6 2. The commissioner of homeland security and emergency services, the
7 commissioner of the office of general services, the adjutant general,
8 the chief information officer, the chief cyber officer, the chief tech-
9 nology officer of the city of New York and any federal agency authorized
10 under section 889 of Public Law 115-232 of 2018, may provide a waiver
11 from this section if:
12 (a) any such entity determines the waiver is in the interest of the
13 political subdivision;
14 (b) no compliant product or service is available to be procured as,
15 and when, needed at United States market prices or a price that is not
16 considered prohibitively expensive; and
17 (c) such waiver could not reasonably be expected to compromise the
18 security or integrity of a computer network operated by an instrumental-
19 ity of the state.
20 4. Nothing in this section shall be construed:
21 (a) to require any information and communications technology resident
22 in equipment, systems, or services as of the day before the effective
23 date of this section to be removed or replaced;
24 (b) to prohibit or limit the utilization of such information and
25 communications technology throughout the lifecycle of such existing
26 equipment; or
27 (c) to require the recipient of a state contract, grant, loan, or loan
28 guarantee to replace information and communications technology resident
29 in equipment, systems, or services before the effective date of this
30 section.
31 § 3. No later than the effective date of this act, the office of
32 general services shall promulgate rules and regulations and issue guid-
33 ance to all state agencies and local procurement authorities necessary,
34 including providing updates on prohibited or excluded entities for
35 procurement contracts in conformity with federal law, rules and regu-
36 lations, no later than sixty days after any entity is prohibited or
37 excluded.
38 § 4. This act shall take effect two years after it shall have become a
39 law. Effective immediately, the office of general services is authorized
40 to promulgate rules and regulations and issue guidance to all state
41 agencies and local procurement authorities necessary for the implementa-
42 tion of this act on its effective date, including providing updates on
43 prohibited or excluded entities for procurement contracts in conformity
44 with federal law, rules and regulations.
