 |
ARIZONA STATE SENATE
Fifty-Seventh Legislature, Second Regular Session
critical infrastructure; foreign adversaries; prohibition
Purpose
Establishes the Arizona Critical Infrastructure Protection Act which prohibits critical infrastructure software and critical communications infrastructure equipment that is produced by a Chinese company, preempts contracts and agreements that would allow for the access or control of critical infrastructure in Arizona, prescribes certification, reporting and publishing requirements and outlines related exceptions and penalties for noncompliance.
Background
The federal Committee on Foreign Investment in the United States (CFIUS) is charged with conducting investigations of the effects of covered transactions on national security if the transaction would result in the control of any critical infrastructure of or within the United States by or on behalf of any foreign person. If CFIUS determines that the transaction could impair national security, and that such impairment has not been mitigated, CFIUS must take necessary actions in connection with the transaction to protect the national security of the United States. Covered transactions include investments by a foreign person in any unaffiliated U.S. business that owns, operates, manufactures, supplies or services critical infrastructure (50 U.S.C. § 4565).
The federal Secure and Trusted Communications Networks Reimbursement Program (federal Program) is administered by the Federal Communications Commission to reimburse providers of advanced communications services with up to 10 million customers for the removal, replacement and disposal of communications equipment and services produced by Huawei Technologies Company or ZTE Corporation that was obtained on or before June 30, 2020, from the Company's or Corporation's network. Advanced communication service providers must annually certify possession of advanced communication equipment and services and report on the location, type, original cost, estimated replacement cost and any replacement plans, date of acquisition and a detailed justification for obtaining the covered equipment or services (FCC).
The Arizona Corporation Commission (ACC) consists of five elected commissioners and is responsible for regulating public utilities, facilitating incorporation of businesses and organizations, granting or denying rate adjustments, enforcing safety and public service requirements and approving securities matters (A.R.S. Title 40, Chapters 1 and 2).
There is no anticipated fiscal impact to the state General Fund associated with this legislation.
Provisions
1. Prohibits any software that is used for critical infrastructure in Arizona from being produced by a Chinese company.
2. Requires, by January 1 of each year, a critical communications infrastructure provider that is a participant in the federal Program to certify to the ACC any instance of prohibited critical communications infrastructure equipment use, along with the geographic coordinates of the areas served by the prohibited equipment.
3. Requires a critical communications infrastructure provider that is certified by the ACC to submit a status report to the ACC at the same time that any report is sent to the federal government in compliance with the federal Program.
4. Precludes any critical communications infrastructure provider that removes, discontinues or replaces any prohibited equipment from being required to obtain an additional permit from any state agency or political subdivision of the state for the removal, discontinuance or replacement.
5. Prohibits a governmental entity or a critical infrastructure service provider in Arizona from entering into or renewing a contract with a Chinese company if the contract provides the company with direct or indirect access to the critical infrastructure.
6. Requires, by March 31, 2027, and each year thereafter, each governmental entity and critical infrastructure service provider in Arizona to certify to the ACC that the provider has not attached to the critical infrastructure or connected to any operating system that is used by the provider any additional equipment that is prohibited by the ACC and that was not in use in Arizona before the general effective date.
7. Requires the ACC, by December 31, 2026, and each year thereafter, to publish a list of all equipment that is prohibited from being attached to the critical infrastructure or connected to any operating system that is used by the critical infrastructure and post the list on the ACC's website.
8. Stipulates that the list of prohibited equipment must include, at a minimum, the following produced by a Chinese company:
a) any wi-fi router and modem system;
b) any camera-based school bus infraction detection system, speed detection system, traffic infraction detector system and other camera system,
c) battery technology or smart meter technology,
d) solar inverters; and
e) any product that contains cellular internet-of-things modules.
9. Directs, if monies are appropriated and distributed to facilitate the removal, each governmental entity and critical infrastructure service provider in Arizona to remove any prohibited equipment on the ACC's list.
10. Allows a government entity or critical infrastructure service provider in Arizona to continue to purchase and use any prohibited equipment, if:
a) there are no other reasonable providers of the prohibited equipment;
b) the purchase or use of the prohibited equipment is preapproved by the ACC; and
c) not purchasing or using the prohibited equipment would pose a greater threat to the state than the threat associated with the prohibited equipment.
11. Asserts that the ACC is not required to inspect all critical infrastructure and equipment or conduct continuous monitoring or universal physical inspections of critical infrastructure and equipment in Arizona.
12. Requires the ACC to implement a Risk-Based Oversight Program that includes:
a) a requirement that each governmental entity and critical infrastructure service provider has completed the required self-certification in the form of a sworn statement under penalty of perjury;
b) a requirement for a randomized audit that is conducted on a statistically significant sample of critical infrastructure service and critical communications infrastructure providers each year;
c) a targeted audit if the ACC receives credible intelligence, a complaint, a federal advisory or an identified risk factor;
d) a provision that allows the ACC to rely on determinations, advisories or prohibitions that are issued by a federal agency that has jurisdiction over national security or communications equipment and cybersecurity in the United States; and
e) a provision for safe harbor protections for critical infrastructure service and critical communications infrastructure providers that reasonably rely on manufacturer certifications and supply-chain disclosures if there is not evidence of willful misrepresentation.
14. Allows a governmental entity or publicly regulated utility in Arizona to enter into an agreement or contract involving critical infrastructure in Arizona with China if:
a) no other reasonable option exists for addressing a need that is relevant to critical infrastructure in Arizona;
b) the agreement or contract is approved by the ACC; or
c) not entering into the agreement or contract would pose a greater threat to the state than the threat associated with entering into the agreement or contract.
15. Requires the Department of Emergency and Military Affairs (DEMA) to establish a secure and dedicated communications channel for critical infrastructure providers and military installations across the state to connect with DEMA and the Governor's Office in the event of an emergency that damages critical communications infrastructure.
16. Defines a Chinese company as any company, other than a U.S. person or subsidiary, that:
a) is domiciled, incorporated, issued or listed in China;
b) is headquartered in China;
c) has its principal place of business in China;
d) is controlled, or majority-owned by an entity controlled, by the government of China, the Chinese communist party or the Chinese military, or any instrumentality thereof, including the State-owned Assets Supervision and Administration Commission of the State Council or the National Social Security Fund.
17. Excludes, from the definition of a Chinese company, a parent, subsidiary or affiliate company of a Chinese company if the parent, subsidiary or affiliate company:
a) does not meet the criteria of a Chinese company; and
b) does not recognize more than 50 percent of the parent's, subsidiary's or affiliate company's total annual global revenue from China and Hong Kong combined
18. Defines critical infrastructure as infrastructure that is owned or operated by the state, a political subdivision of the state or a publicly regulated utility and that is:
a) a gas and oil production, storage or delivery system;
b) a water supply refinement, storage or delivery system;
c) an electrical power delivery system;
d) a telecommunications network;
e) a transportation system and service, excluding passenger vehicles;
f) a personal data storage system, including cybersecurity; or
g) an emergency service.
19. Defines critical communications infrastructure as all physical broadband infrastructure and equipment that supports the transmission of information and that allows the user to engage in communications, including service provided directly to the public.
20. Defines a school bus infraction detection system as an automated system installed on a school bus that consists of cameras, sensors and software designed to detect, record and document traffic violations, including illegally passing the bus when its stop arm is extended and warning lights are activated, to enhance student safety and enforce compliance with traffic laws.
21. Defines domiciled as located in a country where either the company is registered, the company's affairs are primarily completed or the majority of the company's ownership shares are held.
22. Designates this legislation as the Arizona Critical Infrastructure Protection Act.
23. Becomes effective on the general effective date.
House Action
ST 1/28/26 DP 5-4-0-0
3rd Read 3/3/26 37-19-3-0-1
Prepared by Senate Research
March 16, 2026
KJA/hk