HB 2416
Initials FK Page 1 House Engrossed
ARIZONA HOUSE OF REPRESENTATIVES
Fifty-sixth Legislature
First Regular Session
House: GOV DPA/SE 8-0-0-1
HB 2416: technical correction; sports facilities account
NOW: electronic applications; government employees; prohibition
Sponsor: Representative Gress, LD 4
House Engrossed
Overview
Requires ADOA to develop standards, guidelines and practices (Standards) for state agencies,
contractors of this state and public institutions of higher education (Agencies) for use of covered
applications (Applications) on state information technology (IT) systems.
History
ADOA is responsible for government IT functions (A.R.S. 18-102).
Currently, ADOA must develop, implement and maintain a coordinated state wide plan for IT
systems including adopting statewide technical and coordination standards for IT (A.R.S. 18-104).
Provisions
1. Requires ADOA, not more than 30 after the effective date, to develop Standards for Agencies
that do the following:
a) Require the removal of any Applications from state IT systems;
b) Address the use of personal electronic devices by state employees and contractors of this
state to conduct state business, including Application-enabled cell phones with remote
access to an employee's state email account; and
c) Identify sensitive locations, meetings or personnel within a state agency that could be
exposed to covered applications-enable personal devices and develop restrictions on the
use of personal cell phones, tablets or laptops in a designated sensitive location. (Sec. 1)
2. Requires each Agency to develop policies to support the implementation of IT standards and
report the policy to ADOA. (Sec. 1)
3. Stipulates state employees and contractors may not:
a) Conduct state business on any personal electronic device that has an Application;
b) Use any communications equipment and services (Equipment) that are included on
the Federal Communications Commission's covered communications equipment or
services list in accordance with the Secure and Trusted Communications Network Act
of 2019;
c) Use any Equipment that are deemed to pose an unacceptable risk to the national
security of the United States. (Sec. 1)
4. Requires each Agency to implement network-based restrictions to prevent the use of
prohibited technologies on agency networks by any electronic device and strictly enforce
these restrictions. (Sec. 1)
5. Requires each state employee to sign a document annually confirming the employee
understands the IT systems Standards. (Sec. 1)
☐ Prop 105 (45 votes) ☐ Prop 108 (40 votes) ☐ Emergency (40 votes) ☐ Fiscal Note HB 2416
Initials FK Page 2 House Engrossed
6. Stipulates a state employee who violates the Standards may be subject to disciplinary action,
including termination of employment. (Sec. 1)
7. States ADOA must require all state agencies and public institutions of higher education to
implement security controls on state IT systems that does all of the following:
a) Restrict access to application stores or unauthorized software repositories to prevent the
installation of unauthorized applications;
b) Have the ability to remotely disable noncompliant or compromised state IT systems;
c) Have the ability to remotely uninstall unauthorized software from state IT systems;
d) As necessary, deploy secure baseline configuration for state IT systems;
e) Restrict access to any Application on all agency technology infrastructures and networks;
and
f) Restrict any personal electronic device that has an Application from connecting to agency
technology infrastructures or state data. (Sec. 1)
8. Allows ADOA to grant exemptions to the Standards to enable law enforcement investigations
and other appropriate uses of Applications on state-issued devices if the state agency or
public institution of higher education requesting access establishes a separate network. (Sec.
1)
9. States all exceptions to the information technology standards and guidelines must be reported
to AZDOHS. (Sec. 1)
10. Outlines permissible exceptions to the IT Standards. (Sec. 1)
11. States a public institution of higher education may include an exception to accommodate
students use of a state email address on a device owned by the student or the student's
immediate family. (Sec. 1)
12. Requires ADOA to annually update and publish a list of applications, service, hardware and
software (IT system) that may be banned if the IT system presents a cybersecurity threat to
Arizona. (Sec. 1)
13. Requires ADOA to notify each state agency, public institution of higher education, the directors
of JLBC and OSPB of any IT system, including communications equipment and services, that
is added to or removed from the list of potential cyber security threats. (Sec. 1)
14. Defines the following:
a) Company;
b) Confidential or sensitive information;
c) Country of concern
d) Covered application;
e) Public institution of higher education;
f) Sensitive location;
g) State business;
h) State employee; and
i) State information technology. (Sec. 1)