House Engrossed

statewide cybersecurity encryption system; requirements

State of Arizona

House of Representatives

Fifty-seventh Legislature

Second Regular Session

2026

HOUSE BILL 2809

AN ACT

amending title 18, chapter 5, Arizona Revised Statutes, by adding article 5; relating to network security.

Be it enacted by the Legislature of the State of Arizona:

Section 1. Title 18, chapter 5, Arizona Revised Statutes, is amended by adding article 5, to read:

ARTICLE 5. POST-QUANTUM ENCRYPTION SYSTEMS

18-561. Definitions

In this article, unless the context otherwise requires:

1. "CMMC 2.0" means the cybersecurity maturity model certification version 2.0 that is established by the United States department of defense.

2. "Post-quantum encryption" means cryptographic algorithms that are designed to be secure against both classical and quantum computational attacks, including algorithms that exceed standards identified by the national institute of standards and technology in the United States department of commerce.

3. "State agency" has the same meaning prescribed in section 18-422.

4. "Vendor" means a private entity that provides cybersecurity software, hardware or services pursuant to a contract with this state.

18-562. Statewide post-quantum cybersecurity system; implementation; procurement

A. This state shall implement a statewide cybersecurity system that uses post-quantum encryption that meets or surpasses a completed initial CMMC 2.0 validation.

B. The statewide post-quantum cybersecurity system shall be deployed across each state agency that processes, stores or transmits any of the following:

1. Personal identifying information.

2. Sensitive state data.

3. Data related to elections, public safety, public benefits, finance or infrastructure.

4. Any data that is designated as confidential by a state or federal law.

C. The procurement of the statewide post-quantum cybersecurity system must be conducted in accordance with title 41, chapter 23. Any eligible vendor must meet all of the following qualifications:

1. Be a one hundred percent United States-based company.

2. Use software, hardware and cryptographic components that are developed, manufactured and maintained exclusively in the United States.

3. Meet or exceed the United States department of defense cybersecurity standards.

4. Not have a parent company, subsidiary, development partner or data dependency that is located outside of the United States.

D. Any application that is developed by, partnered with or dependent on a foreign entity is not eligible to be part of the statewide post-quantum cybersecurity system.

E. This section does not require an agency to connect any system to the internet or make any system capable of receiving information from the internet. Nor does this section authorize any agency to impose such requirements as to any other governmental device or system.

18-563. Auditor general; custodian; audits; findings

A. The auditor general is designated as the independent custodian of the master encryption keys for the statewide post-quantum cybersecurity system.

B. The auditor general shall do all of the following:

1. Establish secure key management, storage and access control procedures.

2. Conduct periodic audits of encryption compliance and integrity.

3. Certify the installation and operational validation for each state agency that uses the statewide post-quantum cybersecurity system.

4. Report any instance of noncompliance to the governor, legislature and attorney general.

C. On the request of the legislature and subject to available monies, the auditor general shall conduct a cybersecurity audit of any state agency that may include any of the following:

1. Verification that the state agency's statewide post-quantum cybersecurity system encryption is properly installed, configured and validated.

2. An assessment of the state agency's compliance with CMMC 2.0 or higher cybersecurity standards. The Arizona department of homeland security may be advised and consulted on the implementation of the statewide post-quantum cybersecurity system but may not change product or installation guidance.

3. A review of the state agency's encryption key management, access controls and custody procedures.

4. An evaluation of the state agency's adherence to the United States department of defense risk management framework principles.

5. The identification of any vulnerabilities, deficiencies or noncompliant practices.

6. Recommendations for corrective action and a remediation timeline.

D. The auditor general shall submit the results of an audit conducted pursuant to subsection C of this section to all of the following:

1. The governor.

2. The legislature.

3. The president of the senate.

4. The speaker of the house of representatives.

5. The chairpersons of the senate and house of representatives committees with jurisdiction over information technology issues.

E. The legislature may use the audit findings for any of the following purposes:

1. Legislative oversight hearings.

2. To determine a state agency's appropriation.

3. Corrective action directives.

4. Enforcing compliance with the requirements prescribed in this article.

18-564. State agencies; vendors

A. A state agency shall be given that agency's key but may not retain sole custody or unilateral control of the statewide post-quantum cybersecurity system encryption keys.

B. Each state agency that uses the statewide post-quantum cybersecurity system shall do all of the following:

1. Install the statewide post-quantum cybersecurity encryption system on all of the state agency's systems.

2. Validate the operational effectiveness in coordination with the auditor general.

3. Maintain continuous compliance with the system's security requirements.

C. A state agency's installation and validation of the statewide post-quantum cybersecurity system must follow the United States department of defense risk management framework principles, including continuous monitoring and threat assessments.

D. Any vendor that is awarded a contract that works with the statewide post-quantum cybersecurity system shall do all of the following:

1. Provide technical training and operational support to the auditor general and designated state personnel.

2. Support the installation, validation and audit activities required by this section.

3. Provide documentation that demonstrates compliance with CMMC 2.0 or higher standards.

4. Cooperate fully with all state cybersecurity audits.

E. The auditor general may recommend suspension, remediation or contract termination if a vendor does not comply with a requirement for the statewide post-quantum cybersecurity system.

F. A state agency that does not comply with a requirement for the statewide post-quantum cybersecurity system is subject to all of the following:

1. A mandatory corrective action plan imposed by joint resolution.

2. A legislative oversight hearing.

3. A restriction on the state agency's budget that is related to information technology expenditures.

G. This section does not require an agency to connect any system to the internet or make any system capable of receiving information from the internet. Nor does this section authorize any agency to impose such requirements as to any other governmental device or system.

Sec. 2. Legislative findings

The legislature finds:

1. Cybersecurity threats posed by nation-state adversaries, criminal organizations and nonstate actors constitute a clear and present risk to the confidentiality, integrity and availability of this state's data and critical systems.

2. Advances in quantum computing pose a threat to legacy cryptographic standards currently used to protect sensitive government information.

3. The United States department of defense has established cybersecurity maturity model certification (CMMC) 2.0 as a baseline for protecting controlled unclassified information (CUI) and defense-related systems.

4. Due to recent cyberattacks on state agencies, this state must proactively adopt post-quantum cryptographic protections that meet or exceed federal defense standards to ensure long-term security, continuity of government operations and public trust.

5. It is the policy of this state to do all of the following:

(a) Implement a statewide cybersecurity architecture using post-quantum encryption.

(b) Align state cybersecurity practices with the United States department of defense risk-management and certification standards.

(c) Ensure that encryption key custody and oversight for post-quantum cybersecurity systems in this state are independent, auditable and secure.

(d) Restrict procurement of cybersecurity systems to trusted United States-based companies.