ARIZONA STATE SENATE
Fifty-Seventh Legislature, Second Regular Session
statewide cybersecurity encryption system; requirements
Purpose
Requires the state to implement a statewide cybersecurity system that uses post-quantum encryption for each state agency that processes outlined information.
Background
The Auditor General (OAG) is appointed to a five-year term by the Joint Legislative Audit Committee (JLAC), upon approval of a concurrent resolution of the Legislature. The OAG is charged with several powers and duties, including: 1) preparing an audit plan for approval by JLAC; 2) conducting audits relating to the finances and performance of state agencies, government functions and school districts; 3) performing special research requests, special audits and investigations of state agencies as requested by JLAC; 4) reporting the results of each audit, investigation or review to JLAC; and 5) establishing a uniform expenditure reporting system for political subdivisions (A.R.S. § 41-1279.03).
Post-quantum encryption refers to cryptographic algorithms designed to resist attacks from both conventional and quantum computers. A quantum computer exploits quantum-mechanical properties such as superposition, in which a quantum bit (qubit) can represent 0 and 1 at the same time, to perform certain calculations that are impractical or impossible on a conventional computer. A sufficiently large quantum computer could break the public-key algorithms that are widely used today to protect stored and transmitted data, which is why NIST published its first finalized post-quantum cryptographic standards (FIPS 203, 204 and 205) in 2024 (NIST). Cybersecurity Maturity Model Certification (CMMC) 2.0 is the U.S. Department of Defense (DoD) program that assesses whether defense contractors have implemented required cybersecurity practices, and the DoD Risk Management Framework (RMF), based on NIST Special Publication 800-37, is the DoD process for authorizing information systems and continuously monitoring their security risk.
The Joint Legislative Budget Committee (JLBC) fiscal note on H.B. 2809 states that JLBC cannot estimate the cost of the bill in advance (JLBC).
Provisions
1. Requires the state to implement a statewide cybersecurity system that uses post-quantum encryption that meets or surpasses a completed initial cybersecurity maturity model certification (CMMC) 2.0 validation.
2. Requires the statewide post-quantum cybersecurity system to be deployed across each state agency that processes, stores or transmits any of the following:
a) personal identification information;
b) sensitive state data;
c) data related to elections, public safety, public benefits, finance or infrastructure; or
d) any data that is designated as confidential by a state or federal law.
3. Requires the procurement of the statewide post-quantum cybersecurity system to be conducted in accordance with the Arizona Procurement Code.
4. Requires any eligible vendor to:
a) be a 100 percent U.S. based company;
b) use software, hardware and cryptographic components that are developed, manufactured and maintained exclusively in the United States;
c) meet or exceed the U.S. Department of Defense cybersecurity standards; and
d) not have a parent company, subsidiary, development partner or data dependency that is located outside the United States.
5. Stipulates that any application that is developed by, partnered with or dependent on a foreign entity is not eligible to be part of the statewide post-quantum cybersecurity system.
6. Specifies that a state agency is not:
a) required to connect any system to the internet or make any system capable of receiving information from the internet; or
b) authorized to impose requirements on any other governmental device or system.
7. Designates the OAG as the independent custodian of the master encryption keys for the statewide post-quantum cybersecurity system.
8. Requires the OAG to:
a) establish secure key management, storage and access control procedures;
b) conduct periodic audits of encryption compliance and integrity;
c) certify the installation and operational validation for each state agency that uses the statewide post-quantum cybersecurity system;
d) report any instance of noncompliance to the Governor, Legislature and Attorney General; and
e) on request from the Legislature and subject to available monies, conduct a cybersecurity audit of any state agency.
9. Allows the OAG cybersecurity audit to include:
a) verification that the state agency's statewide post-quantum cybersecurity system encryption is properly installed, configured and validated;
b) an assessment of the state agency's compliance with CMMC 2.0 or higher cybersecurity standards;
c) a review of the state agency's encryption key management, access controls and custody procedures;
d) an evaluation of the state agency's adherence to the U.S. Department of Defense risk management framework principles;
e) the identification of any vulnerabilities, deficiencies or noncompliant practices; and
f) recommendations for corrective action and a remediation timeline.
10. Allows the Arizona Department of Homeland Security to be advised and consulted on implementation of the statewide post-quantum cybersecurity system.
11. Requires the OAG to submit the audit results to the Governor, the Legislature, the President of the Senate, the Speaker of the House of Representatives and the chairpersons of the Senate and House of Representatives committees with jurisdiction over information technology issues.
12. Allows the Legislature to use the audit findings for legislative oversight hearings, to determine a state agency's appropriation, to issue corrective action directives and to enforce compliance with the cybersecurity requirements.
13. Requires a state agency to be given that agency's key but prohibits the agency from retaining sole custody or unilateral control of the statewide post-quantum cybersecurity system encryption keys.
14. Requires each state agency that uses the statewide post-quantum cybersecurity system to:
a) install the statewide post-quantum cybersecurity encryption system on all the state agency's systems;
b) validate the operational effectiveness in coordination with the OAG; and
c) maintain continuous compliance with the system's security requirements.
15. Requires a state agency's installation and validation of the statewide post-quantum cybersecurity system to follow the U.S. Department of Defense risk management framework principles that include continuous monitoring and threat assessments.
16. Requires any vendor that is awarded a contract that works with the statewide post-quantum cybersecurity system to:
a) provide technical training and operational support to the OAG and designated state personnel;
b) support the required installation, validation and audit activities;
c) provide documentation that demonstrates compliance with CMMC 2.0 or higher standards; and
d) cooperate fully with all statewide cybersecurity audits.
17. Allows the OAG to recommend suspension, remediation or contract termination if a vendor does not comply with a requirement for the statewide post-quantum cybersecurity system.
18. Subjects a state agency that does not comply with the requirements for the statewide post-quantum cybersecurity system to a:
a) mandatory corrective action plan imposed by joint resolution;
b) legislative oversight hearing; and
c) restriction of the state agency's budget for information technology expenditures.
19. Defines CMMC 2.0, post-quantum encryption, state agency and vendor.
20. Contains a statement of legislative findings.
21. Becomes effective on the general effective date.
House Action
ST 2/11/26 DPA 9-0-0-0
3rd Read 2/26/26 39-14-7
Prepared by Senate Research
March 13, 2026
LMM/ci