ARIZONA HOUSE OF REPRESENTATIVES

Fifty-seventh Legislature

First Regular Session

House: ST DP 9-0-0-0

☐ Prop 105 (45 votes)   ☐ Prop 108 (40 votes)   ☐ Emergency (40 votes)   ☐ Fiscal Note


HB 2736: cybersecurity; data encryption; pilot program

Sponsor: Representative Gillette, LD 30

House Engrossed

Overview

Charges the Department of Emergency and Military Affairs (DEMA) Cybersecurity Team to assess technology products and instructs the Arizona Department of Homeland Security (AZDOHS) to implement a seven-year Data Encryption and Cybersecurity Study.

History

AZDOHS is responsible for creating plans to respond to terrorism, cybersecurity threats and other critical hazards and to distribute state and federal monies for homeland security (A.R.S. § 41-4254). AZDOHS has three main roles in fulfilling its responsibilities: 1) serving as an advisory agency to the Governor and her staff; 2) being a grant administrative agency responsible for managing various Homeland Security grant programs; and 3) operating the Statewide Information Security and Privacy Office (A.R.S. § 41-4282).

Provisions

1.   Instructs the DEMA Cybersecurity Team to assess technology products upon request by the legislative branch. (Sec. 1)

2.   Permits the DEMA Cybersecurity Team to conduct:

a)   Penetration testing to find security vulnerabilities;

b)   Hardware nondestructive testing to check physical technology security; and

c)   Vendor capability verification to ensure vendors meet contract cybersecurity requirements. (Sec. 1)

3.   Authorizes the DEMA Cybersecurity Team to conduct audits and compliance verifications before a government agency procures a technology product. (Sec. 1)

4.   Mandates that audit results be published online within 48 hours of completion. (Sec. 1)

5.   Instructs AZDOHS to implement a seven-year Data Encryption and Cybersecurity Study to protect information technology data against unauthorized access through the use of a software and hardware solution, and to upgrade the cybersecurity infrastructure of information technology systems in Arizona. (Sec. 2)

6.   Directs AZDOHS, if monies are appropriated for this Study, to create a plan, select a vendor and implement the Study. (Sec. 2)

7.   Outlines that the Study is to be implemented for various government agencies in the following order:

a)   In 2026-2027, the Secretary of State’s Office;

b)   In 2027-2028, the Department of Revenue;

c)   In 2028-2029, the Department of Administration; and

d)   In 2029-2030, the Arizona Legislature. (Sec. 2)

8.   Outlines specified members of the legislative branch who are to receive certain reports at each stage of the Study. (Sec. 2)

9.   Requires the proposed data encryption system to meet various outlined criteria, including the following:

a)   Having source code accessible only to the Arizona Auditor General;

b)   Being state-owned and developed by a US-based company with only US citizens as owners;

c)   Having a key-connected password system that is quantum encryption proof or future proof to other encryption breaking methodologies;

d)   Allowing key resets without third-party involvement;

e)   Maintaining audit trails for key resets and master key changes;

f)   Using US Department of Defense-level security as verified through penetration testing; and

g)   Being supplied by a US-based vendor with no foreign investors and a US patent. (Sec. 2)

10.  Authorizes the Auditor General to audit the encryption system at each stage of the implementation and operation of the data encryption system, and requires the Auditor General to conduct an annual audit of the system for seven years beginning in FY 2027. (Sec. 2)

11.  Directs AZDOHS to submit annual reports to the Legislature, detailing system security and implementation progress. (Sec. 2)

12.  Directs AZDOHS to submit a final report to the Legislature that summarizes the overall effectiveness and security of the data encryption system in FY 2032. (Sec. 2)

13.  Repeals the Data Encryption and Cybersecurity Study on July 1, 2034. (Sec. 2)

Initials NM/TM