ARIZONA HOUSE OF REPRESENTATIVES

57th Legislature, 2nd Regular Session

Majority Research Staff

 

☐ Prop 105 (45 votes)	     ☐ Prop 108 (40 votes)      ☐ Emergency (40 votes)	☐ Fiscal Note


HB 2809: statewide cybersecurity encryption system; requirements

Sponsor: Representative Gillette, LD 30

Committee on Science & Technology

Overview

Outlines requirements and regulations for the adoption of a statewide cybersecurity system that utilizes post-quantum encryption (PQE) for any state agency that processes, stores or transmits data, personal information or information considered confidential by state or federal law.

History

The United States Department of War (DoW) developed the Cybersecurity Maturity Model Certification (CMMC) Program to protect the defense industrial base from cyberattacks. CMMC assesses defense contractor compliance with existing information safeguarding requirements for federal contract information and controlled unclassified information. The CMMC program has three levels, which include self-assessment with annual affirmation of compliance with the security requirements listed in the Federal Acquisition Regulation (FAR) and assessment conducted by an authorized third-party assessment organization (DoW).

PQE refers to advanced encryption algorithms designed to protect against cyberattacks from quantum computers. Quantum computers exploit counterintuitive properties that allow a bit of data to act as a 0 and a 1 at the same time, enabling calculations that are difficult or impossible for a conventional computer (NIST).

Executive Order (E.O.) 14144 was issued by the Biden Administration in January of 2025. It set forward policies to improve agency adoption of post-quantum encryption, required private-sector vendors to attest to secure software development practices when selling IT to the federal government and required federal agencies to improve their own cybersecurity systems. Under the Trump Administration, E.O. 14306 kept several policies from E.O. 14144 but changed the requirements to adopt post-quantum cryptography, limited cyber sanctions to foreign actors and removed mandatory secure-software attestations for government contractors in favor of voluntary NIST guidelines (Congress).

Provisions

1.   Requires a statewide cybersecurity system (system) that uses post-quantum encryption that meets or surpasses an initial CMMC 2.0 validation. (Sec. 1)

2.   Mandates the System be implemented for any state agency that processes, stores or transmits any of the following:

a.   personal identifying information;

b.   sensitive state data;

c.   data relating to elections, public safety, public benefits, finance or infrastructure; and

d.   any data that is designated as confidential by state or federal law. (Sec. 1)

3.   Requires the System be implemented in accordance with existing state law. (Sec. 1)

4.   Outlines qualification requirements that a vendor must meet, including:

a.   be one hundred percent a United States-based company;

b.   only use software, hardware and cryptographic components that are developed, manufactured and maintained in the United States;

c.   meet or exceed the United States Department of Defense cybersecurity standards; and

d.   cannot have a parent company, subsidiary, development partner or data dependency that is located outside of the United States. (Sec. 1)

5.   Restricts an application that is developed by, partnered with or dependent on a foreign entity from eligibility to be part of the System. (Sec. 1)

6.   Designates the Auditor General as the independent custodian of the master encryption key for the System. (Sec. 1)

7.   Tasks the Auditor General to:

a.   establish secure key management, storage and access control procedures;

b.   conduct periodic audits of encryption compliance and integrity;

c.   certify the installation and operational validation for each state agency that uses the System; and

d.   report any instance of noncompliance to the Governor, Legislature and Attorney General. (Sec. 1)

8.   Requires the Attorney General, at the request of the Legislature, to conduct a cybersecurity audit of any state agency; the audit contains any of the following:

a.   verification that the System is properly installed, configured and validated;

b.   an assessment of the state agency's compliance with CMMC 2.0 or higher security standards;

c.   a review of the state agency's encryption key management, access controls and custody procedures;

d.   an evaluation of the state agency's adherence to the United States Department of Defense risk management framework principles; and

e.   the identification of any vulnerabilities, deficiencies or noncompliant practices. (Sec. 1)

9.   Directs the Auditor General to submit the results of an audit to specified individuals. (Sec. 1)

10.  Allows the Legislature to use the audit findings for any of the following:

a.   legislative oversight hearings;

b.   to determine a state agency's appropriation;

c.   corrective action directives; and

d.   enforcing compliance with requirements. (Sec. 1)

11.  Prohibits a state agency from retaining sole custody or control of the System encryption keys. (Sec. 1)

12.  Instructs each state agency that uses the System to:

a.   install the System on all state agency systems;

b.   validate the operational effectiveness in coordination with the Auditor General; and

c.   maintain constant compliance with the System's security requirements. (Sec. 1)

13.  Requires a state agency installation and validation for the System to follow the United States Department of Defense risk management framework principles, including continuous monitoring and threat assessments. (Sec. 1)

14.  Instructs any vendor that is contracted to work with the System to:

a.   provide technical training and operational support to the Auditor General and state personnel;

b.   support the installation, validation and audit activities;

c.   provide documentation that demonstrates compliance with CMMC 2.0 or higher; and

d.   cooperate fully with all state cybersecurity audits. (Sec. 1)

15.  Allows the Auditor General to recommend suspension, remediation or contract termination if a vendor does not comply with the listed requirements. (Sec. 1)

16.  Lists enforcement measures for noncompliant state agencies. (Sec. 1)

17.  Defines pertinent terms. (Sec. 1)

18.  Contains a legislative findings clause. (Sec. 2)

Initials TM                 HB 2809

2/3/2026          Page 0 Science & Technology