OR HB3684

State agencies may apply to the State Chief Information Officer for a limited waiver from prohibitions on installing, downloading, using, or accessing "covered products" on state IT assets

Waivers must be granted if the agency demonstrates the waiver is needed for the agency or its contractor to perform their duties

Existing law already allows exceptions for investigatory, regulatory, or law enforcement purposes, with required risk mitigation standards

Amends ORS 276A.342 to add the new waiver provision while maintaining the State CIO's coordination and oversight role

Takes effect on the 91st day after the 2025 regular legislative session adjourns