ARIZONA HOUSE OF REPRESENTATIVES

Fifty-seventh Legislature

First Regular Session

HB2696: critical Infrastructure; foreign adversary; prohibition

Sponsor: Representative Kupper, LD 25

Committee on Transportation & Infrastructure

Overview

Prohibits any software used for critical infrastructure in this state from being produced by a company that is headquartered in a foreign adversary or that is under the control of a foreign adversary. Directs an owner of critical infrastructure to notify the attorney general of any proposed sale to, transfer of ownership to or investment in critical infrastructure by a foreign adversary or an entity domiciled outside of the United States. Mandates requirements on critical infrastructure for the attorney general, the court, governmental entities and companies.

History

The Arizona Department of Administration (ADOA) must develop, implement and maintain a coordinated statewide plan for information technology, including evaluating specific information technology projects relating to the approved budget unit and statewide information technology plans in consultation with the statewide information security and privacy office in the Arizona Department of Homeland Security (AZDOHS). ADOA must manage enterprise-level information technology infrastructure, except that the information security and privacy office in the AZDOHS must manage the information security aspects of the infrastructure, and temporarily suspend access to information technology infrastructure when directed by AZDOHS and consult with AZDOHS regarding security policies, standards and procedures (A.R.S. § 18-104).

Critical infrastructure means systems and assets, whether physical or virtual, that are so vital to this state and the United States that the incapacity or destruction of those systems and assets would have a debilitating impact on security, economic security, public health or safety (A.R.S § 41-1801).

The United States Secretary of Secretary of Commerce has determined that the following foreign governments or foreign non-government persons have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons and constitute foreign adversaries:

1) The People's Republic of China, including the Hong Kong Special Administrative Region;

2) Republic of Cuba;

3) Islamic Republic of Iran;

4) Democratic People's Republic of Korea;

5) Russian Federation; and

6) Venezuelan politician Nicolás Maduro (15 C.F.R. § 791.4).

Provisions

Critical Communications Infrastructure Software

1. Prohibits any software that is used for critical infrastructure in this state from being produced by a company that is headquartered in a foreign adversary or that is under the control of a foreign adversary. (Sec. 1)

2. Mandates that any critical communications infrastructure within this state may not include any equipment that is manufactured by a federally banned corporation. (Sec. 1)

3. Requires any equipment of critical communications infrastructure in this state currently manufactured by a federally banned corporation to be replaced with equipment manufactured in the United States. (Sec. 1)

4. States that any communications provider that removes, discontinues or replaces any communications equipment prohibited by software regulation is not required to obtain an additional permit from any state agency or political subdivision of this state for the removal, discontinuance or replacement of the prohibited equipment. (Sec.1)

5. Prohibits a governmental entity in this state from entering into or renewing a contract with a wi-fi router or modem system vendor if:

a) the vendor is owned by the government of a foreign adversary;

b) the government of a foreign adversary has a controlling interest in the vendor; or

c) the vendor is selling a product produced by the government of a foreign adversary, a company domiciled in a foreign adversary or a company owned or controlled by a company domiciled in a foreign adversary. (Sec. 1)

6. Directs each critical infrastructure service provider in this state to certify to the attorney general that the provider does not use any wi-fi router or modem produced by:

a) a company owned by the government of a foreign adversary;

b) a company in which a foreign adversary has a controlling interest; or

c) the government of a foreign adversary, a company domiciled in a foreign adversary or a company owned or controlled by a company domiciled in a foreign adversary. (Sec. 1)

7. Requires the attorney general, by December 31, 2025 and each year thereafter, to publish a list of all wi-fi routers and modems prohibited pursuant to software regulation and to post the list on the attorney general's website. (Sec. 1)

Attorney General and Court Requirements

8. Directs an owner of critical infrastructure in this state to notify the attorney general of any proposed sale to, transfer of ownership to or investment in critical infrastructure by a foreign adversary or an entity domiciled outside of the United States. (Sec. 2)

9. Stipulates that the attorney general must investigate the sale, transfer of ownership or investment in the critical infrastructure within 30 days after receiving the notice. (Sec. 2)

10. Requires the attorney general to file a request for an injunction opposing the proposed sale, transfer or investment if the attorney general finds that the proposed sale, transfer or investment threatens the security of critical infrastructure in this state, the economic security of this state or the public health or safety. (Sec. 2)

11. Mandates, if a court of competent jurisdiction finds that the sale, transfer of ownership or investment in the critical infrastructure poses a reasonable threat to this state, the court must deny the proposed sale, transfer or investment. (Sec. 2)

12. Directs the attorney general, by December 31, 2025 and each year thereafter, to publish a list of all prohibited traffic camera vendors and light detection and ranging technology vendors and to post the list on the attorney general's website. (Sec. 2)

Governmental Entities and Companies

13. Restricts a governmental entity in this state from entering into or renewing a contract, with a light detection and ranging technology vendor, with a vendor of a school bus infraction detection system, a speed detection system, a traffic infraction detector or any other vendor of camera equipment used for enforcing traffic laws if:

a) the vendor is owned by the government of a foreign adversary;

b) the government of a foreign adversary has a controlling interest in the vendor; or

14. Prohibits a company or a governmental entity in this state from entering into an agreement or contract involving critical infrastructure with a foreign principal from a foreign adversary if under the agreement or contract the foreign principal, directly or remotely, would be able to access or control critical infrastructure. (Sec. 3)

15. Permits a company or a governmental entity in this state from entering into an agreement or contract involving critical infrastructure with a foreign principal from a foreign adversary if:

a) no other reasonable option exists for addressing a need that is relevant to critical infrastructure;

b) the agreement or contract is preapproved by the Arizona Department of Administration; or

c) not entering into the agreement would pose a greater threat to this state than the threat associated with entering into the agreement or contract. (Sec. 3)

Miscellaneous

16. Stipulates that this act may be cited as the "Arizona Critical Infrastructure Protection Act". (Sec. 4)

17. Defines pertinent terms. (Sec. 1-3)

18.

19.

20. ---------- DOCUMENT FOOTER ---------

21. HB 2696

22. Initials LM Page 0 Transportation & Infrastructure

23.

24. ---------- DOCUMENT FOOTER ---------