ARIZONA HOUSE OF REPRESENTATIVES

Fifty-seventh Legislature

First Regular Session

House: ST DP 9-0-0-0

☐ Prop 105 (45 votes) ☐ Prop 108 (40 votes) ☐ Emergency (40 votes) ☐ Fiscal Note

HB 2736: cybersecurity; data encryption; pilot program

Sponsor: Representative Gillette, LD 30

Caucus & COW

Overview

Establishes a pilot program through the Department of Administration (ADOA) to create data encryption systems and improve cybersecurity infrastructure.

History

The ADOA is the administrative and business operation center of the state of Arizona. The key function of the ADOA is to provide support for the operations of state government. The ADOA is run by a director who is appointed by the Governor with the advice and consent of the Senate (AZLibrary).

Provisions

1.   Establishes a data encryption and cybersecurity pilot program to protect information technology data and update the cybersecurity infrastructure of information technology systems in the state. (Sec .1)

2.   Requires the ADOA the pilot program do the following:  

a)   in FY 2026 the ADOA must create a plan and choose a vendor to begin the five-year program;

b)   in FY 2027 the Secretary of State must implement a data encryption system and upgrade the cybersecurity infrastructure of their office;

c) in FY 2028 the Department of Revenue must implement a data encryption system and upgrade their cybersecurity infrastructure;

d)   in FY 2029 the Department of Administration must implement a data encryption system and upgrade their cybersecurity infrastructure;

e)   in FY 2030 the legislature will implement a data encryption system and upgrade the cybersecurity infrastructure of the Legislature. (Sec. 1)

3.   Requires the guidelines for the data encryption system:

a)   have a source code that is accessible and able to be reviewed by the Auditor General;

b)   be owned in this state;

c) be created and maintained by a company located in the United States and owned by United States citizens with no foreign owners or investors;

d)   have a shareable code for transparency and audit purposes;

e)   have a key-connected password system that is quantum encryption proof or future proof to encryption breaking methodologies;

f) the system can use any encryption as longs as the encryption can follow key-connected passwords;

g)   allows  resets and password resets without the use of a third-party;

h)   has an audit trail for any key reset;

i) has a master key that can be exchanged or recreated on demand with a signed and encrypted audit trail for all changes;

j) allows each key package to contain a signed and encrypted audit trail;

k)   the technology is protected by a unique United States patent; and

l) has United States Department of Defense level security that is evident by a simulated cyber-attack authorized to test the security of the system. (Sec. 1)

4.   Lists the guidelines for purchase from a vendor include:

a)   collaborating with the state agency that is implementing the encryption system to ensure seamless integration and compliance with all state and federal cybersecurity standards;

b)   providing a United States sourced encryption system;

c) is located and managed in the United States by United States citizens and does not have any foreign investors or owners; and

d)   possesses a unique United States patent for the encryption system. (Sec. 1)

5.   Allows the Auditor General to audit the encryption system at each stage of the implementation and operation for the date encryption system and requires the Auditor General to conduct an annual audit for five years beginning in FY 27. (Sec.1 )

6.   Require the ADOA to send a annual report to the Legislature beginning in FY 27 and continuing for four additional fiscal years requiring:

a)   status of the data encryption implementation;

b)   results of any security assessments; and

c) results of any operation or implementation issues were encountered in the previous year. (Sec. 1)

7.   Instructs the ADOA to submit a final report to the Legislature that summarizes the overall effectiveness and security of the data encryption system in FY 2031. (Sec.1)

8.   Appropriates an undetermined sum from the state general fund for each of the FY's of 2025-2026, 2026-2027, 2027-2028, 2028-2029 and 2029-2030. (Sec.2)

9.    

10.   

11.  ---------- DOCUMENT FOOTER ---------

12.                    HB 2736

13.  Initials NM/TM   Page 0 Caucus & COW

14.   

15.  ---------- DOCUMENT FOOTER ---------