ARIZONA HOUSE OF REPRESENTATIVES

Fifty-seventh Legislature

First Regular Session

House: TI DPA 4-2-1-0

☐ Prop 105 (45 votes) ☐ Prop 108 (40 votes) ☐ Emergency (40 votes) ☐ Fiscal Note

HB2696: critical Infrastructure; foreign adversary; prohibition

Sponsor: Representative Kupper, LD 25

House Engrossed

Overview

Prohibits any software used for critical infrastructure in this state from being produced by a company that is headquartered in the People's Republic of China (China) or that is under the control of China. Directs an owner of critical infrastructure to notify the attorney general (AG) of any proposed sale to, transfer of ownership to or investment in critical infrastructure by China or an entity domiciled in China. Mandates requirements on critical infrastructure for the AG, the court, governmental entities, companies and the Arizona Corporation Commission (ACC).

History

The Arizona Department of Administration (ADOA) must develop, implement and maintain a coordinated statewide plan for information technology, including evaluating specific information technology projects relating to the approved budget unit and statewide information technology plans in consultation with the statewide information security and privacy office in the Arizona Department of Homeland Security (AZDOHS). ADOA must manage enterprise-level information technology infrastructure, except that the information security and privacy office in the AZDOHS must manage the information security aspects of the infrastructure, and temporarily suspend access to information technology infrastructure when directed by AZDOHS and consult with AZDOHS regarding security policies, standards and procedures (A.R.S. § 18-104).

Critical infrastructure means systems and assets, whether physical or virtual, that are so vital to this state and the United States that the incapacity or destruction of those systems and assets would have a debilitating impact on security, economic security, public health or safety (A.R.S § 41-1801).

The United States Secretary of Secretary of Commerce has determined that the following foreign governments or foreign non-government persons have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons and constitute foreign adversaries:

1)   The People's Republic of China, including the Hong Kong Special Administrative Region;

2)   Republic of Cuba;

3)   Islamic Republic of Iran;

4)   Democratic People's Republic of Korea;

5)   Russian Federation; and

6)   Venezuelan politician Nicolás Maduro (15 C.F.R. § 791.4).

Provisions

Critical Communications Infrastructure Software

1.   Prohibits any software that is used for critical infrastructure in this state from being produced by a company that is headquartered in China or that is under the control of China. (Sec. 1)

2.   Mandates that any critical communications infrastructure within this state may not include any equipment that is manufactured by a corporation domiciled in China. (Sec. 1)

3.   Requires any equipment of critical communications infrastructure in this state currently manufactured by a corporation domiciled in China to be replaced with equipment not manufactured by a corporation domiciled in China. (Sec. 1)

4.   Requires, by January 1st of each year, a critical communications infrastructure provider (provider) participating in the Secure and Trusted Communications Networks Reimbursement program, to certify to the ACC any instances of prohibited critical communications infrastructure equipment use, along with the geographic coordinates of the areas served by the prohibited equipment. (Sec. 1)

5.   Directs the certified provider to submit a status report to the ACC every quarter detailing compliance with the Secure and Trusted Communications Networks Reimbursement program. (Sec. 1)

6.   Requires the ACC to produce, each quarter, a map of this state detailing the areas that are serviced by critical communications infrastructure that includes equipment manufactured by a corporation domiciled in China. (Sec. 1)

7.   Stipulates that any communications provider that removes, discontinues or replaces any prohibited communications equipment, is not required to obtain an additional permit from any state agency or political subdivision of this state for the removal, discontinuance or replacement of the prohibited equipment. (Sec. 1)

8.   Prohibits a governmental entity or critical infrastructure service provider in this state from entering into or renewing a contract with a vendor of wi-fi routers, modem systems, lidar technology, camera-based school bus infraction detection system, speed detection system, traffic infraction detector system or any other camera system, battery technology or smart meter technology, or a vendor of any other technology if:

a)   The vendor is owned by the government of China;

b)   The government of a China has a controlling interest in the vendor;

c) The vendor is selling a product produced by the government China or a company domiciled in China;

d)   The vendor's product includes cellular internet-of-things (IoTs) modules from China; or

e)   The vendor's product includes a product produced by a Chinese military company operating in the United States as identified by the William M. Thornberry National Defense Authorization Act for FY2021. (Sec. 1)

9.   Requires a critical infrastructure service provider, on or before March 31, 2026, and each year thereafter, to certify to the ACC that the provider does not use any technology that includes cellular IoTs modules or any wi-fi router or modem system, lidar technology, camera-based school bus infraction detection system, speed detection system, traffic infraction detector system or any other camera system, battery technology or smart meter technology produced by any of the following:

a)   A company owned by the government of China;

b)   A company in which China has a controlling interest; or

c) The government of China a company domiciled in China. (Sec. 1)

10.  Mandates that each governmental entity and critical infrastructure service provider in this state must remove any technology included by the ACC on the prohibited technologies list within 90 days after the ACC publishes the list. (Sec. 1)

11.  Allows a government entity or critical infrastructure provider to continue to purchase and use any prohibited technology if:

a)   There are no other reasonable providers of the prohibited technology;

b)   The purchase or use of the prohibited technology is preapproved by the ACC; and

c) Not purchasing or using the prohibited technology would pose a greater threat to this state than the threat associated with the prohibited technology. (Sec. 1)

12.  Directs each critical infrastructure service provider in this state to certify to the ACC that the provider does not use any specified technology produced by:

a)   A company owned by the government of a China;

b)   A company in which China has a controlling interest; or

c) The government of China or a company domiciled in China. (Sec. 1)

13.  Requires the ACC, by December 31, 2025, and each year thereafter, to publish a list of all technologies prohibited relating to software regulation and to post the list on the ACC's website. (Sec. 1)

Prohibited Agreements, Contracts And Exceptions

14.  Prohibits a company or a governmental entity or a publicly regulated utility in this state from entering into an agreement or contract involving critical infrastructure with China if under the agreement or contract China, directly or remotely, would be able to access or control critical infrastructure. (Sec. 2)

15.  Permits a governmental entity or a publicly regulated utility in this state from entering into an agreement or contract involving critical infrastructure with China, if:

a)   No other reasonable option exists for addressing a need that is relevant to critical infrastructure;

b)   The agreement or contract is preapproved by ACC; or

c) Not entering into the agreement would pose a greater threat to this state than the threat associated with entering into the agreement or contract. (Sec. 2)

16.  Directs the ACC to establish a secure and dedicated communications channel for critical infrastructure providers and military installations across this state to connect with the ACC and the Office of the Governor in the event of an emergency that damages critical communications infrastructure. (Sec. 2)

Miscellaneous

17.  States this act may be cited as the "Arizona Critical Infrastructure Protection Act." (Sec. 4)

18.  Defines pertinent terms. (Sec. 1-2)

19.  Makes conforming and technical changes. (Sec. 1)

 

 

 

---------- DOCUMENT FOOTER ---------

                        HB 2696

Initials LM     Page 0 House Engrossed

 

---------- DOCUMENT FOOTER ---------