HB2809 • 2026

statewide cybersecurity encryption system; requirements

Budget Technology
Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor: John Gillette
Last action: 2026-03-10
Official status: Senate second read
Effective date: Not listed

Plain English Breakdown

The bill summary does not provide specific details about implementation costs or resource needs for agencies.

Statewide Cybersecurity Encryption System Requirements

This bill requires Arizona's state agencies to use post-quantum encryption technology to protect sensitive data and comply with federal standards.

What This Bill Does

  • Requires the state to implement a statewide cybersecurity system using post-quantum encryption for all state agencies that handle certain types of information.
  • Specifies that only U.S.-based companies can provide the software, hardware, and components needed for this system.
  • Designates the Auditor General as the custodian of master encryption keys and requires them to conduct regular audits on compliance with cybersecurity standards.
  • Requires each state agency using the system to install it on all their systems and maintain continuous security requirements.

Who It Names or Affects

  • All Arizona state agencies that process, store, or transmit sensitive information.
  • U.S.-based companies providing software, hardware, and components for cybersecurity systems.
  • The Auditor General who will manage encryption keys and conduct audits.

Terms To Know

  • Post-quantum encryption: Advanced encryption technology that protects against attacks from quantum computers.
  • CMMC 2.0: A cybersecurity standard established by the U.S. Department of Defense for protecting sensitive information.

Limits and Unknowns

  • The bill does not specify how much it will cost to implement.
  • It is unclear if all state agencies can comply with these requirements without additional funding or resources.

Amendments

These notes stay tied to the official amendment files and metadata from the legislature.

Plain English: Adopted 1

  • The official amendment file could not be read automatically during the last sync, so only the official amendment metadata is shown right now.

Bill History

  1. 2026-03-10 Senate: Senate second read
  2. 2026-03-09 Senate: Senate Rules: None
  3. 2026-03-09 Senate: Senate Appropriations, Transportation and Technology: DP
  4. 2026-03-09 Senate: Senate first read
  5. 2026-02-26 Senate: Transmitted to Senate
  6. 2026-02-26 House: House third read passed
  7. 2026-02-23 House: House committee of the whole
  8. 2026-02-17 House: House minority caucus
  9. 2026-02-17 House: House majority caucus
  10. 2026-01-22 House: House second read
  11. 2026-01-21 House: House Rules: C&P
  12. 2026-01-21 House: House Science & Technology: DPA
  13. 2026-01-21 House: House first read

Official Summary Text

HB2809 - 572R - Senate Fact Sheet

Assigned to ATT
FOR COMMITTEE

ARIZONA STATE SENATE
Fifty-Seventh Legislature, Second Regular Session

FACT SHEET FOR H.B. 2809

statewide cybersecurity encryption system; requirements

Purpose

Requires the state to implement a statewide cybersecurity system that
uses post-quantum encryption for each state agency that processes outlined
information.

Background

The Auditor General (OAG) is appointed to a five-year term by the Joint Legislative Audit Committee (JLAC), upon approval of a concurrent resolution of the Legislature. The OAG is charged with several powers and duties, including: 1) preparing an audit plan for approval by JLAC; 2) conducting audits relating to the finances and performance of state agencies, government functions and school districts; 3) performing special research requests, special audits and investigations of state agencies as requested by JLAC; 4) reporting the results of each audit, investigation or review to JLAC; and 5) establishing a uniform expenditure reporting system for political subdivisions (A.R.S. § 41-1279.03).

Post-quantum encryption is an advanced encryption algorithm that protects against cyberattacks from quantum computers. These computers contain counterintuitive properties which enable a bit of data to act as a 0 and a 1 at the same time, which makes calculations more difficult or impossible to read on a conventional computer (NIST).

The Joint Legislative Budget Committee (JLBC) fiscal note on H.B. 2809 determined that JLBC cannot determine the estimated cost in advance (JLBC).

Provisions

1. Requires the state to implement a statewide cybersecurity system that uses post-quantum encryption that meets or surpasses a completed initial cybersecurity maturity model certification (CMMC) 2.0 validation.

2. Requires the statewide post-quantum cybersecurity system to be deployed across each state agency that processes, stores or transmits any of the following:
   a) personal identification information;
   b) sensitive state data;
   c) data related to elections, public safety, public benefits, finance or infrastructure; or
   d) any data that is designated as confidential by a state or federal law.

3. Requires the procurement of the statewide post-quantum cybersecurity system to be conducted in accordance with the Arizona Procurement Code.

4. Requires any eligible vendor to:
   a) be a 100 percent U.S. based company;
   b) use software, hardware and cryptographic components that are developed, manufactured and maintained exclusively in the United States;
   c) meet or exceed the U.S. Department of Defense cybersecurity standards; and
   d) not have a parent company, subsidiary, development partner or data dependency that is located outside the United States.

5. Stipulates that any application that is developed by, partnered with or dependent on a foreign entity is not eligible to be part of the statewide post-quantum cybersecurity system.

6. Specifies that a state agency is not:
   a) required to connect any system to the internet or make any system capable of receiving information from the internet; or
   b) authorized to impose requirements as to any other governmental device or system.

7. Designates the OAG as the independent custodian of the master encryption keys for the statewide post-quantum cybersecurity system.

8. Requires the OAG to:
   a) establish secure key management, storage and access control procedures;
   b) conduct periodic audits of encryption compliance and integrity;
   c) certify the installation and operational validation for each state agency that uses the statewide post-quantum cybersecurity system;
   d) report any instance of noncompliance to the Governor, Legislature and Attorney General; and
   e) on request from the Legislature and subject to available monies, conduct a cybersecurity audit of any state agency.

9. Allows the OAG cybersecurity audit to include:
   a) verification that the state agency's statewide post-quantum cybersecurity system encryption is properly installed, configured and validated;
   b) an assessment of the state agency's compliance with CMMC 2.0 or higher cybersecurity standards;
   c) a review of the state agency's encryption key management, access controls and custody procedures;
   d) an evaluation of the state agency's adherence to the U.S. Department of Defense risk management framework principles;
   e) the identification of any vulnerabilities, deficiencies or noncompliant practices; and
   f) recommendations for corrective action and a remediation timeline.

10. Allows the Arizona Department of Homeland Security to be advised and consulted on implementation of the statewide post-quantum cybersecurity system.

11. Requires the OAG to submit the audit results to the Governor, the Legislature, the President of the Senate, the Speaker of the House of Representatives and the chairpersons of the Senate and House of Representatives committees with jurisdiction over information technology issues.

12. Allows the Legislature to use the audit findings for legislative oversight hearings, to determine a state agency's appropriation, corrective action directives and enforcing compliance with the cybersecurity requirements.

13. Requires a state agency to be given that agency's key but prohibits the agency from retaining sole custody or unilateral control of the statewide post-quantum cybersecurity system encryption keys.

14. Requires each state agency that uses the statewide post-quantum cybersecurity system to:
   a) install the statewide post-quantum cybersecurity encryption system on all the state agency's systems;
   b) validate the operational effectiveness in coordination with the OAG; and
   c) maintain continuous compliance with the system's security requirements.

15. Requires a state agency's installation and validation of the statewide post-quantum cybersecurity system to follow the U.S. Department of Defense risk management framework principles that include continuous monitoring and threat assessments.

16. Requires any vendor that is awarded a contract that works with the statewide post-quantum cybersecurity system to:
   a) provide technical training and operational support to the OAG and designated state personnel;
   b) support the required installation, validation and audit activities;
   c) provide documentation that demonstrates compliance with CMMC 2.0 or higher standards; and
   d) cooperate fully with all statewide cybersecurity audits.

17. Allows the OAG to recommend suspension, remediation or contract termination if a vendor does not comply with a requirement for the statewide post-quantum cybersecurity system.

18. Subjects a state agency that does not comply with the requirements for the statewide post-quantum cybersecurity system to a:
   a) mandatory corrective action plan imposed by joint resolution;
   b) legislative oversight hearing; and
   c) restriction of the state agency's budget for information technology expenditures.

19. Defines CMMC 2.0, post-quantum encryption, state agency and vendor.

20. Contains a statement of legislative findings.

21. Becomes effective on the general effective date.

House Action

ST          2/11/26   DPA   9-0-0-0
3rd Read    2/26/26         39-14-7

Prepared by Senate Research

March 13, 2026

LMM/ci

Current Bill Text

HB2809 - 572R - H Ver

House Engrossed

statewide cybersecurity encryption system; requirements

State of Arizona
House of Representatives
Fifty-seventh Legislature
Second Regular Session
2026

HOUSE BILL 2809

AN ACT

amending title 18, chapter 5, Arizona Revised Statutes, by adding article 5; relating to network security.

Be it enacted by the Legislature of the State of Arizona:

Section 1. Title 18, chapter 5, Arizona Revised Statutes, is amended by adding article 5, to read:

ARTICLE 5. POST-QUANTUM ENCRYPTION SYSTEMS

18-561. Definitions

In this article, unless the context otherwise requires:

1. "CMMC 2.0" means the cybersecurity maturity model certification version 2.0 that is established by the United States department of defense.
2. "Post-quantum encryption" means cryptographic algorithms that are designed to be secure against both classical and quantum computational attacks, including algorithms that exceed standards identified by the national institute of standards and technology in the United States department of commerce.
3. "State agency" has the same meaning prescribed in section 18-422.
4. "Vendor" means a private entity that provides cybersecurity software, hardware or services pursuant to a contract with this state.

18-562. Statewide post-quantum cybersecurity system; implementation; procurement

A. This state shall implement a statewide cybersecurity system that uses post-quantum encryption that meets or surpasses a completed initial CMMC 2.0 validation.

B. The statewide post-quantum cybersecurity system shall be deployed across each state agency that processes, stores or transmits any of the following:
1. Personal identifying information.
2. Sensitive state data.
3. Data related to elections, public safety, public benefits, finance or infrastructure.
4. Any data that is designated as confidential by a state or federal law.

C. The procurement of the statewide post-quantum cybersecurity system must be conducted in accordance with title 41, chapter 23. Any eligible vendor must meet all of the following qualifications:
1. Be a one hundred percent United States-based company.
2. Use software, hardware and cryptographic components that are developed, manufactured and maintained exclusively in the United States.
3. Meet or exceed the United States department of defense cybersecurity standards.
4. Not have a parent company, subsidiary, development partner or data dependency that is located outside of the United States.

D. Any application that is developed by, partnered with or dependent on a foreign entity is not eligible to be part of the statewide post-quantum cybersecurity system.

E. This section does not require an agency to connect any system to the internet or make any system capable of receiving information from the internet. Nor does this section authorize any agency to impose such requirements as to any other governmental device or system.

18-563. Auditor general; custodian; audits; findings

A. The auditor general is designated as the independent custodian of the master encryption keys for the statewide post-quantum cybersecurity system.

B. The auditor general shall do all of the following:
1. Establish secure key management, storage and access control procedures.
2. Conduct periodic audits of encryption compliance and integrity.
3. Certify the installation and operational validation for each state agency that uses the statewide post-quantum cybersecurity system.
4. Report any instance of noncompliance to the Governor, legislature and attorney general.

C. On the request of the legislature and subject to available monies, the auditor general shall conduct a cybersecurity audit of any state agency that may include any of the following:
1. Verification that the state agency's statewide post-quantum cybersecurity system encryption is properly installed, configured and validated.
2. An assessment of the state agency's compliance with CMMC 2.0 or higher cybersecurity standards. The Arizona department of homeland security may be advised and consulted on the implementation of the statewide post-quantum cybersecurity system but may not change product or installation guidance.
3. A review of the state agency's encryption key management, access controls and custody procedures.
4. An evaluation of the state agency's adherence to the United States department of defense risk management framework principles.
5. The identification of any vulnerabilities, deficiencies or noncompliant practices.
6. Recommendations for corrective action and a remediation timeline.

D. The auditor general shall submit the results of an audit conducted pursuant to subsection C of this section to all of the following:
1. The governor.
2. The legislature.
3. The president of the senate.
4. The speaker of the house of representatives.
5. The chairpersons of the senate and house of representatives committees with jurisdiction over information technology issues.

E. The legislature may use the audit findings for any of the following purposes:
1. Legislative oversight hearings.
2. To determine a state agency's appropriation.
3. Corrective action directives.
4. Enforcing compliance with the requirements prescribed in this article.

18-564. State agencies; vendors

A. A state agency shall be given that agency's key but may not retain sole custody or unilateral control of the statewide post-quantum cybersecurity system encryption keys.

B. Each state agency that uses the statewide post-quantum cybersecurity system shall do all of the following:
1. Install the statewide post-quantum cybersecurity encryption system on all of the state agency's systems.
2. Validate the operational effectiveness in coordination with the auditor general.
3. Maintain continuous compliance with the system's security requirements.

C. A state agency's installation and validation of the statewide post-quantum cybersecurity system must follow the United States department of defense risk management framework principles, including continuous monitoring and threat assessments.

D. Any vendor that is awarded a contract that works with the statewide post-quantum cybersecurity system shall do all of the following:
1. Provide technical training and operational support to the auditor general and designated state personnel.
2. Support the installation, validation and audit activities required by this section.
3. Provide documentation that demonstrates compliance with CMMC 2.0 or higher standards.
4. Cooperate fully with all state cybersecurity audits.

E. The auditor general may recommend suspension, remediation or contract termination if a vendor does not comply with a requirement for the statewide post-quantum cybersecurity system.

F. A state agency that does not comply with a requirement for the statewide post-quantum cybersecurity system is subject to all of the following:
1. A mandatory corrective action plan imposed by joint resolution.
2. A legislative oversight hearing.
3. A restriction on the state agency's budget that is related to information technology expenditures.

G. This section does not require an agency to connect any system to the internet or make any system capable of receiving information from the internet. Nor does this section authorize any agency to impose such requirements as to any other governmental device or system.

Sec. 2. Legislative findings

The legislature finds:

1. Cybersecurity threats posed by nation-state adversaries, criminal organizations and nonstate actors constitute a clear and present risk to the confidentiality, integrity and availability of this state's data and critical systems.

2. Advances in quantum computing pose a threat to legacy cryptographic standards currently used to protect sensitive government information.

3. The United States department of defense has established cybersecurity maturity model certification (CMMC) 2.0 as a baseline for protecting controlled unclassified information (CUI) and defense-related systems.

4. Due to recent cyberattacks on state agencies, this state must proactively adopt post-quantum cryptographic protections that meet or exceed federal defense standards to ensure long-term security, continuity of government operations and public trust.

5. It is the policy of this state to do all of the following:
(a) Implement a statewide cybersecurity architecture using post-quantum encryption.
(b) Align state cybersecurity practices with the United States department of defense risk-management and certification standards.
(c) Ensure that encryption key custody and oversight for post-quantum cybersecurity systems in this state are independent, auditable and secure.
(d) Restrict procurement of cybersecurity systems to trusted United States-based companies.