|
BILL # HB 2809 |
TITLE: statewide cybersecurity encryption system; requirements |
|
SPONSOR: Gillette |
|
|
PREPARED BY: Destin Moss |
STATUS: As Amended by House ST |
The bill outlines requirements and regulations for the adoption of a statewide cybersecurity system that utilizes post-quantum encryption (PQE) for any state agency that processes, stores or transmits specified types of information. The bill tasks the Auditor General with managing encryption keys for the system and auditing the system at the request of the legislature. For context, most cybersecurity and encryption technologies designed for traditional computer systems will soon be easily bypassed using new quantum computer systems. PQE cybersecurity systems are designed to withstand the security challenges posed by the deployment of quantum computers.
Estimated Impact
We are unable to estimate the cost of the bill in advance. While the bill does not specify which agency would be responsible for the planning and development of the new PQE cybersecurity system, the Arizona Department of Homeland Security (DOHS) is typically responsible for managing state cybersecurity initiatives. We requested DOHS's estimate of the cost of implementing the bill, which would factor in whether any of the state's current cybersecurity systems already meet the criteria outlined in the bill, but we have not yet received a response.
In addition to the cost of developing and maintaining the new cybersecurity system, the Auditor General would also incur costs associated with the bill's auditing requirements. We belatedly requested feedback from the Auditor General regarding the bill, but they have not yet had sufficient time to provide a response. If either agency provides a response that impacts our analysis, we will update this memo accordingly.
While we are currently unable to estimate the cost of the bill, it may be useful to note that the federal government anticipates spending approximately $710.0 million per year over the next 10 years to implement PQE across most federal systems. This estimate doesn't include the cost of transitioning many classified cybersecurity systems run by the U.S. Department of Defense and other intelligence agencies. Arizona's cost would likely be a small fraction of the federal cost, but we lack a methodology to translate the federal cost into an Arizona-specific dollar value.
2/20/26