Back to Utah

HB0165 • 2026

Critical Infrastructure Amendments

Critical Infrastructure Amendments

Enacted

This bill passed the Legislature and reached final enactment based on the latest official action.

Sponsor
Rep. Brooks, Walt
Last action
2026-03-17
Official status
Governor Signed
Effective date
Not listed

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

Critical Infrastructure Amendments

This bill enacts provisions regarding foreign adversary threats to critical infrastructure.

What This Bill Does

  • This bill enacts provisions regarding foreign adversary threats to critical infrastructure.

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Bill History

  1. 2026-03-17 Lieutenant Governor's office for filing

    Governor Signed

  2. 2026-03-11 Clerk of the House

    House/ received enrolled bill from Printing

  3. 2026-03-11 Executive Branch - Governor

    House/ to Governor

  4. 2026-03-06 Clerk of the House

    Enrolled Bill Returned to House or Senate

  5. 2026-03-06 Clerk of the House

    House/ enrolled bill to Printing

  6. 2026-03-04 Legislative Research and General Counsel / Enrolling

    Bill Received from House for Enrolling

  7. 2026-03-04 Legislative Research and General Counsel / Enrolling

    Draft of Enrolled Bill Prepared

  8. 2026-03-03 House Speaker

    House/ received from Senate

  9. 2026-03-03 Legislative Research and General Counsel / Enrolling

    House/ signed by Speaker/ sent for enrolling

  10. 2026-03-03 Released

    LFA/ fiscal note publicly available for HB0165S04

  11. 2026-03-03 Version Sponsor

    LFA/ fiscal note sent to sponsor for HB0165S04

  12. 2026-03-02 Senate President

    House Conference Committee - Final Passage

  13. 2026-03-02 Conference Committee

    House Motion to Adopt Joint Conference Comm Rpt

  14. 2026-03-02 Conference Committee

    House/ received from Senate

  15. 2026-03-02 Senate President

    House/ to Senate

  16. 2026-03-02 Senate President

    Senate/ received from House

  17. 2026-03-02 House Speaker

    Senate/ signed by President/ returned to House

  18. 2026-03-02 House Speaker

    Senate/ to House

  19. 2026-02-27 Conference Committee

    Bill Substituted by Conference Committee

  20. 2026-02-27 Conference Committee

    Conference Committee Report

  21. 2026-02-27 Conference Committee

    House Conference Committee Appointed

  22. 2026-02-27 Conference Committee

    House/ received from Senate

  23. 2026-02-27 Senate Secretary

    House/ refuse to concur with Senate amendment

  24. 2026-02-27 Senate Secretary

    House/ to Senate

  25. 2026-02-27 Conference Committee

    House/ to Senate

  26. 2026-02-27 Legislative Fiscal Analyst

    LFA/ bill assigned to staff for fiscal analysis for HB0165S04

  27. 2026-02-27 Legislative Fiscal Agency

    LFA/ bill sent to agencies for fiscal input for HB0165S04

  28. 2026-02-27 Conference Committee

    Senate Conference Committee - Final Passage

  29. 2026-02-27 Conference Committee

    Senate Conference Committee Appointed

  30. 2026-02-27 Conference Committee

    Senate Motion to Adopt Joint Conference Comm Rpt

  31. 2026-02-27 Conference Committee

    Senate/ received from House

  32. 2026-02-27 Senate Secretary

    Senate/ refused to recede from Senate amendments

  33. 2026-02-27 Conference Committee

    Senate/ to House

  34. 2026-02-27 Conference Committee

    Senate/ to House

  35. 2026-02-26 House Concurrence Calendar

    House/ placed on Concurrence Calendar

  36. 2026-02-26 Clerk of the House

    House/ received from Senate

  37. 2026-02-26 Senate 3rd Reading Calendar

    Senate/ 3rd reading

  38. 2026-02-26 Clerk of the House

    Senate/ passed 3rd reading

  39. 2026-02-26 Clerk of the House

    Senate/ to House with amendments

  40. 2026-02-25 Senate 2nd Reading Calendar

    Senate/ 2nd reading

  41. 2026-02-25 Senate 3rd Reading Calendar

    Senate/ passed 2nd reading

  42. 2026-02-19 Senate Transportation, Public Utilities, Energy, and Technology Committee

    Senate/ comm rpt/ substituted

  43. 2026-02-19 Senate 2nd Reading Calendar

    Senate/ placed on 2nd Reading Calendar

  44. 2026-02-18 Released

    LFA/ fiscal note publicly available for HB0165S03

  45. 2026-02-18 Version Sponsor

    LFA/ fiscal note sent to sponsor for HB0165S03

  46. 2026-02-18 Senate Transportation, Public Utilities, Energy, and Technology Committee

    Senate Comm - Favorable Recommendation

  47. 2026-02-18 Senate Transportation, Public Utilities, Energy, and Technology Committee

    Senate Comm - Substitute Recommendation

  48. 2026-02-17 Legislative Fiscal Analyst

    LFA/ bill assigned to staff for fiscal analysis for HB0165S03

  49. 2026-02-17 Legislative Fiscal Agency

    LFA/ bill sent to agencies for fiscal input for HB0165S03

  50. 2026-02-17 Senate Rules Committee

    Senate/ 1st reading (Introduced)

  51. 2026-02-17 Senate Transportation, Public Utilities, Energy, and Technology Committee

    Senate/ to standing committee

  52. 2026-02-12 Waiting for Introduction in the Senate

    Senate/ received from House

  53. 2026-02-10 House 3rd Reading Calendar for House bills

    House/ 3rd reading

  54. 2026-02-10 Senate Secretary

    House/ passed 3rd reading

  55. 2026-02-10 Senate Secretary

    House/ to Senate

  56. 2026-02-06 Released

    LFA/ fiscal note publicly available for HB0165S02

  57. 2026-02-06 Version Sponsor

    LFA/ fiscal note sent to sponsor for HB0165S02

  58. 2026-02-05 Legislative Fiscal Analyst

    LFA/ bill assigned to staff for fiscal analysis for HB0165S02

  59. 2026-02-05 Legislative Fiscal Agency

    LFA/ bill sent to agencies for fiscal input for HB0165S02

  60. 2026-02-03 House 3rd Reading Calendar for House bills

    House/ 2nd reading

  61. 2026-02-03 House Law Enforcement and Criminal Justice Committee

    House/ committee report favorable

  62. 2026-02-02 House Law Enforcement and Criminal Justice Committee

    House Comm - Favorable Recommendation

  63. 2026-01-30 House Law Enforcement and Criminal Justice Committee

    House/ to standing committee

  64. 2026-01-28 House Rules Committee

    Bill Substituted by Sponsor in House Rules Comm

  65. 2026-01-28 Released

    LFA/ fiscal note publicly available for HB0165S01

  66. 2026-01-28 Version Sponsor

    LFA/ fiscal note sent to sponsor for HB0165S01

  67. 2026-01-23 Legislative Fiscal Analyst

    LFA/ bill assigned to staff for fiscal analysis for HB0165S01

  68. 2026-01-23 Legislative Fiscal Agency

    LFA/ bill sent to agencies for fiscal input for HB0165S01

  69. 2026-01-20 House Rules Committee

    House/ 1st reading (Introduced)

  70. 2026-01-14 Clerk of the House

    House/ received bill from Legislative Research

  71. 2026-01-07 Legislative Research and General Counsel

    Bill Numbered but not Distributed

  72. 2026-01-07 Legislative Fiscal Analyst

    LFA/ bill assigned to staff for fiscal analysis for HB0165

  73. 2026-01-07 Legislative Fiscal Agency

    LFA/ bill sent to agencies for fiscal input for HB0165

  74. 2026-01-07 Legislative Research and General Counsel

    Numbered Bill Publicly Distributed

Official Summary Text

This bill enacts provisions regarding foreign adversary threats to critical infrastructure.

Current Bill Text

Read the full stored bill text
6
63A-16-1301
63A-16-1302
63A-16-1303
0
Critical Infrastructure Amendments
2026 GENERAL SESSION
STATE OF UTAH
Chief Sponsor: Walt Brooks
Senate Sponsor: Keven J. Stratton
LONG TITLE
General Description:
This bill enacts provisions regarding foreign adversary threats to critical infrastructure.
Highlighted Provisions:
This bill:
defines terms;
directs the Utah Cyber Center to develop guidance on foreign adversary threats to critical
infrastructure;
prohibits use of federally banned equipment in critical infrastructure;
authorizes voluntary security assessments for critical infrastructure involving foreign
adversary technology;
provides for coordination between the Utah Cyber Center and governmental entities on
critical infrastructure security;
prohibits governmental entities and critical infrastructure providers from contracting for
or deploying technology included on a prohibited list maintained by the Utah Cyber
Center;
requires the Utah Cyber Center to publish and maintain a prohibited list of foreign
adversary technologies that pose a risk to critical infrastructure;
prohibits entities with access to critical infrastructure from entering into agreements with
foreign principals that would allow remote access to or control of critical infrastructure;
and
authorizes the Utah Cyber Center to approve exceptions to the prohibitions under
specified circumstances.
Money Appropriated in this Bill:
None
Other Special Clauses:
None
Utah Code Sections Affected:
ENACTS:
63A-16-1301
, Utah Code Annotated 1953
63A-16-1302
, Utah Code Annotated 1953
63A-16-1303
, Utah Code Annotated 1953
Be it enacted by the Legislature of the state of Utah:
Section 1. Section
63A-16-1301
is enacted to read:
13. Critical Infrastructure Cyber Security
63A-16-1301
. Definitions.
As used in this part:
(1)
"Critical infrastructure" means systems and assets operated or maintained by a
governmental entity that are vital to the governmental entity's jurisdiction such that the
incapacity or destruction of the systems and assets would have a debilitating impact on
security, economic security, or public health, including:
(a)
emergency services communications systems;
(b)
electrical power systems;
(c)
water and wastewater systems;
(d)
transportation management systems;
(e)
data centers and networks; and
(f)
systems that store or process sensitive data or classified information.
(2)
"Cyber Center" means the Utah Cyber Center created in Section
63A-16-1102
.
(3)
"Foreign adversary" means a country listed in 15 C.F.R. Sec. 791.4 as that regulation
existed on January 1, 2026.
(4)
"Foreign principal" means:
(a)
the government or an official of the government of a foreign adversary;
(b)
a political party or member of a political party or subdivision of a political party of a
foreign adversary;
(c)
an entity, including a partnership, association, corporation, organization, or other
combination of persons organized under the laws of or having a principal place of
business in a foreign adversary, or a subsidiary of the entity;
(d)
an individual who is domiciled in a foreign adversary and is not a citizen or lawful
permanent resident of the United States; or
(e)
an individual, entity, or collection of individuals or entities described in Subsections
(4)(a)
through (d) having a controlling interest in a partnership, association,
corporation, organization, trust, or other legal entity or subsidiary formed for the
purpose of owning real property.
(5)
"Governmental entity" means the same as that term is defined in Section
63G-2-103
.
(6)
"Information and communications technology" means any technology, system, device,
application, or service used to create, collect, store, process, transmit, receive, display, or
exchange information by electronic or digital means, including computers, software,
networks, telecommunications systems, and related infrastructure.
Section 2. Section
63A-16-1302
is enacted to read:
63A-16-1302
. Foreign adversary threats to critical infrastructure -- Guidance
and assessments.
(1)
The Cyber Center shall, within available resources and in coordination with federal
agencies, develop and maintain guidance for governmental entities on protecting critical
infrastructure from foreign adversary cybersecurity threats.
(2)
The guidance described in Subsection
(1)
shall include:
(a)
best practices for identifying and assessing security risks when foreign adversary
technology, software, or services are used in connection with critical infrastructure;
(b)
recommended security controls and monitoring procedures for critical infrastructure
that utilizes foreign adversary technology;
(c)
procedures for limiting foreign adversary access to critical infrastructure systems and
data;
(d)
methods for assessing and documenting risks associated with foreign adversary
involvement in critical infrastructure;
(e)
recommendations for transitioning away from foreign adversary technology in
critical infrastructure when feasible and cost effective;
(f)
identification of categories of critical infrastructure that present heightened security
concerns if foreign adversary technology is involved; and
(g)
recommendations for a comprehensive manual operations contingency plan for
critical infrastructure that:
(i)
details non-networked, non-automated, and manually executable procedures; and
(ii)
is sufficient to sustain core operational functions of the critical infrastructure in
the event of a significant cyber incident that renders automated or networked
control systems unreliable or inoperable.
(3)
The Cyber Center shall:
(a)
review and update the guidance described in Subsection
(1)
at least annually;
(b)
make the guidance readily accessible to governmental entities through the division's
website; and
(c)
include information on foreign adversary threats to critical infrastructure in briefings
and materials provided to governmental entities on cybersecurity matters.
(4)
A governmental entity that operates or maintains critical infrastructure may request a
security assessment from the Cyber Center if the governmental entity:
(a)
is considering procurement of technology, software, or services from a foreign
adversary for use in critical infrastructure; or
(b)
identifies that critical infrastructure currently utilizes technology, software, or
services from a foreign adversary.
(5)
The Cyber Center shall prioritize security assessment requests under Subsection
(4)

based on:
(a)
the sensitivity of the data or systems involved;
(b)
the potential impact of a compromise on security, economic security, or public health;
(c)
available Cyber Center resources; and
(d)
other relevant factors determined by the Cyber Center.
(6)
A security assessment conducted under Subsection
(4)
may include:
(a)
an evaluation of potential security vulnerabilities associated with the foreign
adversary technology, software, or services;
(b)
an assessment of potential risks to critical infrastructure systems and data;
(c)
an analysis of the potential impact of a compromise of the critical infrastructure on
the governmental entity's operations, public safety, or economic security;
(d)
recommendations for security measures or contract provisions to mitigate identified
risks; and
(e)
identification of alternative technology, software, or services that may present lower
security risks.
(7)
In conducting a security assessment under Subsection
(4)
, the Cyber Center may:
(a)
coordinate with the Department of Public Safety and other relevant governmental
entities; and
(b)
coordinate with and utilize resources from federal agencies, including the
Cybersecurity and Infrastructure Security Agency, as available.
(8)
If the Cyber Center identifies significant security risks associated with foreign adversary
technology in critical infrastructure, the Cyber Center may:
(a)
notify the chief information officer and the affected governmental entity of the
identified risks;
(b)
recommend that the governmental entity implement enhanced security monitoring or
controls;
(c)
recommend that the governmental entity develop a plan to transition to alternative
technology; or
(d)
recommend that the matter be referred to appropriate state or federal law
enforcement or security agencies.
(9)
A governmental entity that operates or maintains critical infrastructure shall, when
reporting a data breach to the Cyber Center under Section
63A-19-405
, indicate whether
the data breach involved technology, software, or services from a foreign adversary.
(10)
Except as provided in Subsecti
on
(12)
,
a security assessment or recommendation
provided under this section is advisory only and does not:
(a)
prohibit a governmental entity from entering into a contract or making a procurement
decision; or
(b)
require a governmental entity to transition away from existing technology, software,
or services.
(11)
Information obtained by the Cyber Center in conducting a security assessment under
this section is protected in accordance with Title 63G, Chapter 2, Government Records
Access and Management Act.
(12)
On or after July 1, 2026, a governmental entity or critical infrastructure provider may
not:
(a)
enter into or renew a contract with a vendor for information and communications
technology that the Cyber Center has included on the prohibited list described in
Subsection
(13)
; or
(b)
otherwise place into service any additional information and communications
technology that the Cyber Center has included on the prohibited list described in
Subsection
(13)
.
(13)
(a)
On or after July 1, 2026, the Cyber Center shall publish and maintain a list of
prohibited companies and information and communications technologies that the
Cyber Center has assessed pose a risk of providing a foreign adversary with remote
access to or control of critical infrastructure.
(b)
The prohibited list shall include, at a minimum, companies and technologies that:
(i)
appear on the Pentagon 1260H list;
(ii)
appear on the Federal Communications Commission Covered List; or
(iii)
are a re-labeled version of, or are produced by a subsidiary of a company
included
in

a technology described in Subsection
(13)(b)(i)
or
(ii)
, and for which
the Cyber Center has identified that a reasonable alternative provider exists.
(14)
Notwithstanding Subsection
(12)
, a governmental entity or critical infrastructure
provider may use a technology included on the prohibited list described in Subsection
(13)
if no reasonable alternative exists to address the need relevant to state critical
infrastructure.
Section 3. Section
63A-16-1303
is enacted to read:
63A-16-1303
. Foreign adversary prohibition in critical infrastructure.
(1)
A company, governmental entity, or other entity that constructs, repairs, maintains, or
operates critical infrastructure, or that otherwise has significant access to critical
infrastructure, may not enter into a contract or other agreement relating to critical
infrastructure in this state with a foreign principal from a foreign adversary if the
agreement would allow the foreign principal to directly or remotely access or control
critical infrastructure in this state.
(2)
Notwithstanding Subsection
(1)
, a company, governmental entity, or other entity may
enter into a contract described in Subsection
(1)
with a foreign principal from a foreign
adversary if no reasonable alternative exists to address the need relevant to state critical
infrastructure.
Section 4.
Effective Date.
This bill takes effect on
May 6, 2026
.
3-4-26 8:07 AM