Arizona 2025 Regular Session

Arizona House Bill HB2736 Latest Draft

Bill / Engrossed Version Filed 03/04/2025

House Engrossed

cybersecurity; data encryption; pilot program

State of Arizona
House of Representatives
Fifty-seventh Legislature
First Regular Session
2025

HOUSE BILL 2736

An Act

amending title 26, chapter 1, article 1, Arizona Revised Statutes, by adding section 26-108; relating to cybersecurity.


Be it enacted by the Legislature of the State of Arizona:

Section 1. Title 26, chapter 1, article 1, Arizona Revised Statutes, is amended by adding section 26-108, to read:

26-108. Cybersecurity assessments; audits; requests; authorization; procedures

A. On request of the department of administration or any agency that is part of the executive branch of government or on the request of the legislative branch of government, the department of emergency and military affairs cybersecurity team shall conduct an assessment of any technology product that is or may be purchased by the requesting entity.

B. The cybersecurity team may perform the following security evaluation during an assessment pursuant to subsection A of this section:

1. Penetration testing to identify vulnerabilities and assess the robustness of cybersecurity defenses.

2. Hardware nondestructive testing to evaluate the integrity and security compliance of physical technology components.

3. Vendor-capability verification to confirm that a vendor that contracts with the requesting entity is able to meet a contract's technical obligations and cybersecurity standards.

C. Before the requesting entity makes a procurement determination to purchase a technology product, the cybersecurity team may conduct an audit, security review and compliance verification for the entity. The requesting entity may have the cybersecurity team conduct an audit to assess the cost for the entity to purchase and use a data encryption system on all of the entity's information technology systems.

D. A cybersecurity audit must be conducted in accordance with both of the following:

1. All state and federal laws, including the United States department of defense instruction 1100.24, that allow the United States department of defense and the department of emergency and military affairs to interface with a civilian entity for infrastructure and technology support.

2. All cybersecurity policies and budget considerations that ensure that the department of emergency and military affairs ensures that resources are allocated efficiently to support the security and integrity of procuring technology in this state.

Sec. 2. Data encryption and cybersecurity pilot program; implementation and system requirements; audit and testing; reports; delayed repeal

A. The Arizona department of homeland security shall implement a seven-year data encryption and cybersecurity pilot program that is designed to protect information technology data against unauthorized access through the use of a software and hardware solution and to upgrade the cybersecurity infrastructure of information technology systems in this state.

B. In fiscal year 2025-2026, if monies are appropriated for this pilot program, the Arizona department of homeland security shall create a plan, choose a vendor and begin the seven-year pilot program. The pilot program shall be implemented by the following entities in the following fiscal years:

1. In fiscal year 2026-2027, the secretary of state shall implement a data encryption system and upgrade the cybersecurity infrastructure of the secretary of state's office.

2. In fiscal year 2027-2028, the department of revenue shall implement a data encryption system and upgrade the cybersecurity infrastructure of the department.

3. In fiscal year 2028-2029, the department of administration shall implement a data encryption system and upgrade the cybersecurity infrastructure of the department.

4. In fiscal year 2029-2030, the legislature shall implement a data encryption system and upgrade the cybersecurity infrastructure of the legislature.

C. The data encryption system must meet all of the following criteria:

1. Have source code that is accessible for review and audit by the auditor general.

2. Be owned by this state.

3. Be created and maintained by a company located in the United States that is only owned by United States citizens and has no foreign owners or investors.

4. Have a shareable code for transparency and audit purposes.

5. Have a key-connected password system that is quantum encryption proof or future proof to other encryption breaking methodologies.

6. Be encryption agnostic. For the purposes of this paragraph, "encryption agnostic" means the system can use any encryption as long as the encryption can follow key-connected passwords.

7. Be able to reset, including password resets, without having to go to a third party for key resetting. 

8. Have an audit trail for any key reset.

9. Have a master key that can be exchanged or recreated on demand with a signed and encrypted audit trail for all changes.

10. Allow each key package to contain a signed and encrypted audit trail.

11. Use technology that is protected by a unique United States patent.

12. Have United States department of defense-level security that is evidenced by penetration testing. For the purposes of this paragraph, "penetration testing" means a simulated cyber attack that is authorized to evaluate the security of the system.

13. Be purchased from a vendor that:

(a) Collaborates with the state agency that is implementing the encryption system to ensure seamless integration and compliance with all state and federal cybersecurity standards.

(b) Provides a United States-sourced encryption system.

(c) Is located and managed in the United States by United States citizens and that does not have any foreign owners or investors.

(d) Possesses a unique United States patent for the encryption system.

D. The auditor general may audit the encryption system at each stage of the implementation and operation of the data encryption system. After the implementation of the data encryption system is complete, the auditor general shall conduct an annual audit for seven years beginning in fiscal year 2026-2027 to ensure ongoing compliance with security standards and to identify potential security vulnerabilities with the data encryption system.

E. The Arizona department of homeland security shall submit to the legislature an annual report beginning in fiscal year 2026-2027 and continuing for five additional fiscal years. The report must include the status of the data encryption system implementation, the results of any security assessments that were completed and whether any implementation or operation issues were encountered in the previous year. In fiscal year 2031-2032, the Arizona department of homeland security shall submit a final report to the legislature that summarizes the overall effectiveness and security of the data encryption system.

F. This section is repealed from and after June 30, 2034.