LAW WITHOUT GOVERNOR'S SIGNATURE
MAY 1, 2024
CHAPTER 681
PUBLIC LAW
STATE OF MAINE
_____
IN THE YEAR OF OUR LORD
TWO THOUSAND TWENTY-FOUR
_____
S.P. 374 - L.D. 877
An Act to Increase Cybersecurity in Maine
Be it enacted by the People of the State of Maine as follows:
Sec. 1. 5 MRSA c. 164 is enacted to read:
CHAPTER 164
CYBERSECURITY AND PROTECTION OF CRITICAL INFRASTRUCTURE
§2021. Definitions
As used in this chapter, unless the context otherwise indicates, the following terms
have the following meanings.
1. Chief Information Officer. "Chief Information Officer" has the same meaning as
in section 1972, subsection 2.
2. Foreign adversary. "Foreign adversary" means a foreign government or foreign
nongovernment person whom the United States Secretary of Commerce has determined,
pursuant to 15 Code of Federal Regulations, Section 7.4 (2024), has engaged in a
long-term pattern or serious instances of conduct significantly adverse to the national security
of the United States or the security and safety of United States persons.
3. Foreign adversary business entity. "Foreign adversary business entity" means
any type of organization, entity or enterprise engaged in commerce, whether operated for
profit, that is organized under the laws or rules of a foreign adversary, directly or indirectly
owned or controlled by a foreign adversary or domiciled within the geographic borders of
a foreign adversary.
4. Local governmental entity. "Local governmental entity" means any local
government, political subdivision or school district and any other public or private agency,
person, partnership, corporation or business entity acting on behalf of any local
governmental entity.
Page 1 - 131LR1814(03)
5. State agency. "State agency" means the State, or any department, agency, board,
commission or other body of State Government, including publicly funded institutions of
higher education.
§2022. Chief Information Officer to establish lists
The Chief Information Officer shall establish and maintain:
1. List of prohibited companies. A list of companies, including foreign adversary
business entities, that pose a national security risk or a risk to the security and safety of
persons of the United States. The list must include, but is not limited to, all companies
identified by statute, regulation or official guidance from the United States Department of
Commerce, the Federal Communications Commission, the United States Department of
Homeland Security or any other appropriate federal agency as posing a national security
risk or a risk to the security and safety of persons of the United States; and
2. List of prohibited information and communications technology and services.
A list of information and communications technology and services that pose a national
security risk or a risk to the security and safety of persons of the United States. The list
must include, but is not limited to, all information and communications technology and
services identified by statute, regulation or official guidance from the United States
Department of Commerce, the Federal Communications Commission, the United States
Department of Homeland Security or any other appropriate federal agency as posing a
national security risk or a risk to the security and safety of persons of the United States.
The lists must be published on the publicly accessible website of the Department of
Administrative and Financial Services, Office of Information Technology and updated at
least annually.
§2023. Prohibited contract, use or purchase by state agency
Except as provided in sections 2027 and 2028, a state agency may not contract with a
company included on the list of prohibited companies established and maintained by the
Chief Information Officer pursuant to section 2022, subsection 1 or use, obtain or purchase
any information or communications technology or services included on the list of
prohibited information and communications technology and services established and
maintained by the Chief Information Officer pursuant to section 2022, subsection 2.
§2024. Prohibited contract, use or purchase by local governmental entity
Except as provided in section 2027, a local governmental entity may not use state funds
in a contract with a company included on the list of prohibited companies established and
maintained by the Chief Information Officer pursuant to section 2022, subsection 1 or use,
obtain or purchase any information or communications technology or services included on
the list of prohibited information and communications technology and services established
and maintained by the Chief Information Officer pursuant to section 2022, subsection 2.
§2025. Indirect transfer of state funds
A local governmental entity, when purchasing information or communications
technology or services or entering into a contract for goods or services, shall take all
reasonable steps to ensure state funds are not indirectly transferred to a company on the list
of prohibited companies maintained by the Chief Information Officer pursuant to section
2022, subsection 1.
§2026. Prohibited contract, use or purchase by judicial branch and legislative branch
Except as provided in sections 2027, 2029 and 2030, an office of the legislative branch
or judicial branch may not contract with a company included on the list of prohibited
companies established and maintained by the Chief Information Officer pursuant to section
2022, subsection 1 or use, obtain or purchase any information or communications
technology or services included on the list of prohibited information and communications
technology and services established and maintained by the Chief Information Officer
pursuant to section 2022, subsection 2.
§2027. Exemption; law enforcement
The prohibitions in sections 2023 and 2024 do not apply to law enforcement entities,
such as the State Police, a county sheriff's office and local law enforcement departments,
to the extent the prohibitions restrict a law enforcement entity's ability to protect the public
or investigate criminal activity.
§2028. Waiver of prohibitions; executive branch
Upon written request from a state agency, the Chief Information Officer may waive the
prohibitions imposed in sections 2023 and 2024 as long as the waiver does not pose a
national security risk or a risk to the security and safety of persons of the United States.
§2029. Waiver of prohibitions; legislative branch
The Legislative Council, established in Title 3, section 161, or its designee, may waive
the prohibitions imposed in sections 2023 and 2024 as long as the waiver does not pose a
national security risk or a risk to the security and safety of persons of the United States.
§2030. Waiver of prohibitions; judicial branch
The State Court Administrator under Title 4, section 15, or the State Court
Administrator's designee, may waive the prohibitions imposed in sections 2023 and 2024
as long as the waiver does not pose a national security risk or a risk to the security and
safety of persons of the United States.
§2030-A. Certification required; civil violation
A person that submits a bid or proposal for a contract with the State for goods or
services shall certify that the person is not a foreign adversary business entity. A person
that submits a false certification under this section commits a civil violation for which a
fine may be adjudged in an amount that is twice the amount of the contract for which the
bid or proposal was submitted or $250,000, whichever is greater.
§2030-B. Contracts void
The following contracts entered into by a state agency on or after the effective date of
this chapter are void:
1. Foreign adversary business entity. A contract with a foreign adversary business
entity;
2. Prohibited company. A contract with a company included on the list of prohibited
companies established and maintained by the Chief Information Officer pursuant to section
2022, subsection 1 that was not granted a waiver under section 2028; and
3. Prohibited information or communications technology or services. A contract
to purchase information or communications technology or services included on the list of
prohibited information or communications technology or services established and
maintained by the Chief Information Officer pursuant to section 2022, subsection 2 that
was not granted a waiver under section 2028.
§2030-C. Rules
The department may adopt rules to implement this chapter. Rules adopted pursuant to
this section are routine technical rules as defined in chapter 375, subchapter 2-A.