ARIZONA HOUSE OF REPRESENTATIVES

Fifty-seventh Legislature

First Regular Session

House: TI DPA 4-2-1-0

☐ Prop 105 (45 votes) ☐ Prop 108 (40 votes) ☐ Emergency (40 votes) ☐ Fiscal Note

HB2696: critical Infrastructure; foreign adversary; prohibition

Sponsor: Representative Kupper, LD 25

Caucus & COW

Overview

Prohibits any software used for critical infrastructure in this state from being produced by a company that is headquartered in a foreign adversary or that is under the control of a foreign adversary. Directs an owner of critical infrastructure to notify the attorney general of any proposed sale to, transfer of ownership to or investment in critical infrastructure by a foreign adversary or an entity domiciled outside of the United States. Mandates requirements on critical infrastructure for the attorney general, the court, governmental entities and companies.

History

The Arizona Department of Administration (ADOA) must develop, implement and maintain a coordinated statewide plan for information technology, including evaluating specific information technology projects relating to the approved budget unit and statewide information technology plans in consultation with the statewide information security and privacy office in the Arizona Department of Homeland Security (AZDOHS). ADOA must manage enterprise-level information technology infrastructure, except that the information security and privacy office in the AZDOHS must manage the information security aspects of the infrastructure, and temporarily suspend access to information technology infrastructure when directed by AZDOHS and consult with AZDOHS regarding security policies, standards and procedures (A.R.S. § 18-104).

Critical infrastructure means systems and assets, whether physical or virtual, that are so vital to this state and the United States that the incapacity or destruction of those systems and assets would have a debilitating impact on security, economic security, public health or safety (A.R.S § 41-1801).

The United States Secretary of Secretary of Commerce has determined that the following foreign governments or foreign non-government persons have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons and constitute foreign adversaries:

1)   The People's Republic of China, including the Hong Kong Special Administrative Region;

2)   Republic of Cuba;

3)   Islamic Republic of Iran;

4)   Democratic People's Republic of Korea;

5)   Russian Federation; and

6)   Venezuelan politician Nicolás Maduro (15 C.F.R. § 791.4).

Provisions

Critical Communications Infrastructure Software

1.   Prohibits any software that is used for critical infrastructure in this state from being produced by a company that is headquartered in a foreign adversary or that is under the control of a foreign adversary. (Sec. 1)

2.   Mandates that any critical communications infrastructure within this state may not include any equipment that is manufactured by a federally banned corporation. (Sec. 1)

3.   Requires any equipment of critical communications infrastructure in this state currently manufactured by a federally banned corporation to be replaced with equipment manufactured in the United States. (Sec. 1)

4.   States that any communications provider that removes, discontinues or replaces any communications equipment prohibited by software regulation is not required to obtain an additional permit from any state agency or political subdivision of this state for the removal, discontinuance or replacement of the prohibited equipment. (Sec.1)

5.   Prohibits a governmental entity in this state from entering into or renewing a contract with a wi-fi router or modem system vendor if:

a)   The vendor is owned by the government of a foreign adversary;

b)   The government of a foreign adversary has a controlling interest in the vendor; or

c) The vendor is selling a product produced by the government of a foreign adversary, a company domiciled in a foreign adversary or a company owned or controlled by a company domiciled in a foreign adversary. (Sec. 1)

6.   Directs each critical infrastructure service provider in this state to certify to the attorney general that the provider does not use any wi-fi router or modem produced by:

a)   A company owned by the government of a foreign adversary;

b)   A company in which a foreign adversary has a controlling interest; or

c) The government of a foreign adversary, a company domiciled in a foreign adversary or a company owned or controlled by a company domiciled in a foreign adversary. (Sec. 1)

7.   Requires the attorney general, by December 31, 2025 and each year thereafter, to publish a list of all wi-fi routers and modems prohibited pursuant to software regulation and to post the list on the attorney general's website. (Sec. 1)

Attorney General and Court Requirements

8.   Directs an owner of critical infrastructure in this state to notify the attorney general of any proposed sale to, transfer of ownership to or investment in critical infrastructure by a foreign adversary or an entity domiciled outside of the United States. (Sec. 2)

9.   Stipulates that the attorney general must investigate the sale, transfer of ownership or investment in the critical infrastructure within 30 days after receiving the notice. (Sec. 2)

10.  Requires the attorney general to file a request for an injunction opposing the proposed sale, transfer or investment if the attorney general finds that the proposed sale, transfer or investment threatens the security of critical infrastructure in this state, the economic security of this state or the public health or safety. (Sec. 2)

11.  Mandates, if a court of competent jurisdiction finds that the sale, transfer of ownership or investment in the critical infrastructure poses a reasonable threat to this state, the court must deny the proposed sale, transfer or investment. (Sec. 2)

12.  Directs the attorney general, by December 31, 2025 and each year thereafter, to publish a list of all prohibited traffic camera vendors and light detection and ranging technology vendors and to post the list on the attorney general's website. (Sec. 2)

Governmental Entities and Companies

13.  Restricts a governmental entity in this state from entering into or renewing a contract, with a light detection and ranging technology vendor, with a vendor of a school bus infraction detection system, a speed detection system, a traffic infraction detector or any other vendor of camera equipment used for enforcing traffic laws if:

a)   The vendor is owned by the government of a foreign adversary;

b)   The government of a foreign adversary has a controlling interest in the vendor; or

c) The vendor is selling a product produced by the government of a foreign adversary, a company domiciled in a foreign adversary or a company owned or controlled by a company domiciled in a foreign adversary. (Sec. 2)

14.  Prohibits a company or a governmental entity in this state from entering into an agreement or contract involving critical infrastructure with a foreign principal from a foreign adversary if under the agreement or contract the foreign principal, directly or remotely, would be able to access or control critical infrastructure. (Sec. 3)

15.  Permits a company or a governmental entity in this state from entering into an agreement or contract involving critical infrastructure with a foreign principal from a foreign adversary if:

a)   No other reasonable option exists for addressing a need that is relevant to critical infrastructure;

b)   The agreement or contract is preapproved by the Arizona Department of Administration; or

c) Not entering into the agreement would pose a greater threat to this state than the threat associated with entering into the agreement or contract. (Sec. 3)

Miscellaneous

16.  Stipulates that this act may be cited as the "Arizona Critical Infrastructure Protection Act". (Sec. 4)

17.  Defines pertinent terms. (Sec. 1-3)

Amendments

Committee on Transportation & Infrastructure

1.   Mandates that any equipment of critical communications infrastructure currently manufactured by a federally banned corporation must be replaced with equipment not manufactured by a federally banned corporation, rather than by equipment manufactured in the United States.

2.   Requires, by January 1st of each year, a critical communications infrastructure provider (provider) participating in the Secure and Trusted Communications Networks Reimbursement program, to certify to the Arizona Commerce Authority (ACA) any instances of prohibited critical communications infrastructure equipment use, along with the geographic coordinates of the areas served by the prohibited equipment.

3.   Directs the certified provider to submit a status report to the ACA every quarter detailing compliance with the Secure and Trusted Communications Networks Reimbursement program.

4.   Requires the ACA to produce, each quarter, a map of this state detailing the areas that are serviced by critical communications infrastructure that includes equipment manufactured by a federally banned corporation.

5.   Prohibits a governmental entity in this state from entering into or renewing a contract with a wi-fi router, modem, lidar, camera or battery systems, or smart meter vendor or a vendor of any other technology, if:

a)   the vendor is owned by the government of a foreign adversary;

b)   the government of a foreign adversary has a controlling interest in the vendor;

c) the vendor is selling a product produced by the government of a foreign adversary, a company domiciled in a foreign adversary or a company owned or controlled by a company domiciled in a foreign adversary;

d)   the vendor's product includes cellular internet-of-things modules from a foreign adversary; or

e)   the vendor's product includes a product produced by a Chinese military company operating in the United States as identified by the William M. Thornberry National Defense Authorization Act for FY2021.

6.   Requires a company to file an ACA-prescribed certification form and pay a certification fee to access critical infrastructure in this state.

7.   Prohibits a company from using cloud service providers or data centers that are foreign entities, to maintain registration as a company with access to critical infrastructure, and requires the company to:

a)   identify all employes of the company who have access to critical infrastructure;

b)   before hiring an employee or before allowing an employee to continue having access to critical infrastructure, obtain from a private entity any criminal history records information relating to the employee and any other background information necessary to protect critical infrastructure from infiltration or interference by a foreign adversary;

c) prohibit foreign nationals from a foreign adversary from accessing critical infrastructure;

d)   disclose any ownership of, partnerships with or control from any entity not domiciled in the United States;

e)   store and process all data generated by critical infrastructure domestic servers; and

f) immediately report any cyberattack, security breach or suspicious activity to the ACA.

8.   Directs the ACA to establish a secure and dedicated communications channel for critical infrastructure providers and military installations across this state to connect with the ACA and the Office of the Governor in the event of an emergency that damages critical communications infrastructure.

9.   Makes conforming and technical changes.

 

 

 

 

---------- DOCUMENT FOOTER ---------

                        HB 2696

Initials LM     Page 0 Caucus & COW

 

---------- DOCUMENT FOOTER ---------