N.Y.
State Finance Law Section 163-E
Restriction on purchasing certain technology which poses a security threat
1.
(a) Notwithstanding any inconsistent provision of law, the state and any department, bureau, board, commission, authority, and any other agency or instrumentality of the state shall not enter into or renew any contract or agreement to procure information and communications technology, including hardware, systems, devices, software, or services that include embedded or incidental information technology, which are prohibited from federal procurement pursuant to section 889 of Public Law 115-232 of 2018.(b)
The term “information and communications technology” means:(i)
information technology, as defined in section 11101 of title 40;(ii)
information systems, as defined in 44 U.S.C. 3502; and(iii)
telecommunications equipment and telecommunications services, as those terms are defined in section 3 of the Communications Act of 1934 (47 U.S.C. 153).(c)
The term “information and communications technology” shall not include automated-decision making systems.2.
The chief information officer shall, in consultation with the division of homeland security and emergency services and the office of general services, establish and update regularly a list of restricted information and communications technology. Technology on this list shall not be procured by any state agency, state or local authority, or political subdivision unless a waiver is issued pursuant to subdivision three of this section or the chief information officer determines that the technology shall only be restricted in limited circumstances. The list shall:(a)
contain information and communications technologies that pose a security risk to the state of New York or its political subdivisions. In determining whether information and communications technology poses such a risk, the chief information officer shall consult relevant federal sources, including the department of defense inspector general report no. DODIG-2019-106, as well as any other source that shall be determined to be relevant;(b)
describe the scope of each restriction, such as whether it is generally prohibited or prohibited in certain circumstances or from certain entities;(c)
include an explanation as to why items were included on the list; and(d)
be published online and communicated to all relevant procurement officers in all state agencies, state authorities, and political subdivisions.3.
The commissioner of homeland security and emergency services, the commissioner of the office of general services, the adjutant general, the chief information officer, the chief cyber officer, the chief technology officer of the city of New York and any federal agency authorized under section 889 of Public Law 115-232 of 2018, may provide a waiver from this section if:(a)
any such entity determines the waiver is in the interests of the state or political subdivision;(b)
no compliant product or service is available to be procured as, and when, needed at United States market prices or a price that is not considered prohibitively expensive; and(c)
such waiver could not reasonably be expected to compromise the security or integrity of a computer network operated by an instrumentality of the state.4.
Nothing in this section shall be construed:(a)
to require any information and communications technology resident in equipment, systems, or services as of the day before the effective date of this section to be removed or replaced;(b)
to prohibit or limit the utilization of such information and communications technology throughout the lifecycle of such existing equipment; or(c)
to require the recipient of a state contract, grant, loan, or loan guarantee to replace information and communications technology resident in equipment, systems, or services before the effective date of this section. * NB Effective December 19, 2028
Source:
Section 163-E — Restriction on purchasing certain technology which poses a security threat, https://www.nysenate.gov/legislation/laws/STF/163-E (updated Dec. 26, 2025; accessed Jan. 3, 2026).
