ARIZONA STATE SENATE
Fifty-Seventh Legislature, First Regular Session
cybersecurity; data encryption; pilot program
Purpose
Requires the Department of Emergency and Military Affairs (DEMA) Cybersecurity Team, on request of the Legislature, to perform an assessment of any technology product that may be purchased by a government agency to determine potential vulnerabilities in the technology's cybersecurity. Outlines a multi-year plan to review the state's current cybersecurity technologies and develop statewide plans to implement new cybersecurity technology.
Background
DEMA consists of the Division of Emergency Management and other divisions or offices as determined by the Adjutant General, who serves as the head of the department. The Adjutant General is responsible to the Governor for executing all orders relating to the militia, organizing, managing and allocating units, recruiting personnel, public relations and disciplining and training the National Guard and those members of the militia inducted into the service of Arizona as prescribed. The Adjutant General also acts as military chief of staff to the Governor and as the commanding general of all branches of the militia. Except for the authority expressly reserved for the Governor, the Adjutant General is responsible for emergency management, and all emergency activities are subject to the approval of the Adjutant General. The Adjutant General, with permission of the Governor, may delegate powers and duties to the various divisions within DEMA (A.R.S. §§ 26-101 and 26-102).
The Arizona Department of Homeland Security (AZDOHS) must: 1) formulate policies, plans and programs to enhance the ability of Arizona to prevent and respond to acts of terrorism, cybersecurity threats and other critical hazards; 2) adhere to all federal grant terms and conditions; 3) request appropriations or grants of monies for homeland security purposes; 4) receive all awards granted to Arizona by the federal government for homeland security purposes; and 5) distribute monies to local jurisdictions and other organizations eligible under federal regulations based on criteria in the federal grant guidelines (A.R.S. § 41-4254).
There is no anticipated fiscal impact to the state General Fund associated with this legislation.
Provisions
1. Requires, on request of the Legislature, the DEMA Cybersecurity Team (Cybersecurity Team) to conduct an assessment of any technology product that is or may be purchased by a government agency.
2. Allows the Cybersecurity Team, during the prescribed assessment, to perform:
a) penetration testing to identify vulnerabilities and assess the robustness of cybersecurity defenses;
b) hardware nondestructive testing to evaluate the integrity and security compliance of physical technology components; and
c) vendor-capability verification to confirm that a vendor that contracts with the government agency is able to meet a contract's technical obligations and cybersecurity standards.
3. Allows the Cybersecurity Team to conduct an audit, security review and compliance verification for the government agency before the agency makes a procurement determination to purchase a technology product.
4. Allows the government agency to have the Cybersecurity Team conduct an audit to assess the cost for the entity to purchase and use a data encryption system on all of the entity's information technology systems.
5. Requires the results of the audit to be made available to the public on DEMA's website within 48 hours after the audit's completion.
6. Requires the AZDOHS to implement a seven-year data encryption and cybersecurity study that is designed to protect information technology data against unauthorized access through the use of a software and hardware solution and to upgrade the cybersecurity infrastructure of information technology systems in Arizona.
7. Requires the AZDOHS in FY 2026, if monies are appropriated for the data encryption and cybersecurity study (study), to create a plan, choose a vendor and begin the seven-year study.
8. Requires the assessing entity to perform a study of the cybersecurity needs of:
a) the Secretary of State's office in FY 2027 and prepare a report with proposed solutions, cost estimates and model implementing legislation for review by the Senate President, Speaker of the House (House) and Senate committees with jurisdiction over elections;
b) the Department of Revenue in FY 2028 and prepare a report with proposed solutions, cost estimates and model implementing legislation for review by the Senate President, Speaker of the House and Senate committee with jurisdiction over taxation;
c) the Arizona Department of Administration in FY 2029 and prepare a report with proposed solutions, cost estimates and model implementing legislation for review by the Senate President, Speaker of the House and Senate committees with jurisdiction over state government; and
d) the Legislature in FY 2030 and prepare a report with proposed solutions, cost estimates and model implementing legislation for review by the Senate President and Speaker of the House.
9. Requires any proposed data encryption system to:
a) have source code that is only accessible for review and audit by the Office of the Auditor General (OAG);
b) be owned by the state;
c) be created and maintained by a company located in the United States that is only owned by U.S. citizens and has no foreign owners or investors;
d) have a shareable code for transparency and audit purposes that is accessible for review and audit by the OAG;
e) have a key-connected password system that is quantum encryption proof or future proof to other encryption breaking methodologies;
f) be encryption agnostic;
g) be able to reset, including password resets, without having to go to a third party for key resetting;
h) have an audit trail for any key reset;
i) have a master key that can be exchanged or recreated on demand with a signed and encrypted audit trail for all changes;
j) allow each key package to contain a signed and encrypted audit trail;
k) use technology that is protected by a unique U.S. patent;
l) have U.S. Department of Defense-level security that is evidenced by penetration testing; and
m) be purchased from a vendor that:
i. collaborates with the state agency that is implementing the encryption system to ensure seamless integration and compliance with all state and federal cybersecurity standards;
ii. provides a United States-sourced encryption system;
iii. is located and managed in the United States by U.S. citizens and that does not have any foreign owners or investors; and
iv. possesses a unique U.S. patent for the encryption system.
10. Defines encryption agnostic as meaning that the system can use any encryption as long as the encryption can follow key-connected passwords.
11. Defines penetration testing as a simulated cyber-attack that is authorized to evaluate the security of the system.
12. Allows the OAG to audit the encryption system at each stage of the implementation and operation of the data encryption system.
13. Requires the OAG, after the implementation of the data encryption system is complete, to conduct an annual audit for seven years beginning in FY 2027 to ensure ongoing compliance with security standards and to identify potential security vulnerabilities with the data encryption system.
14. Requires the AZDOHS to submit an annual report to the Legislature beginning FY 2027 and continuing for five additional FYs.
15. Requires the AZDOHS annual report to include:
a) the status of the data encryption system implementation; and
b) the results of any security assessments that were completed and whether any implementation or operation issues were encountered in the previous year.
16. Requires the AZDOHS, in FY 2032, to submit a final report to the Legislature that summarizes the overall effectiveness and security of the data encryption system.
17. Repeals the data encryption and cybersecurity study requirements on July 1, 2034.
18. Becomes effective on the general effective date.
House Action
ST 2/19/25 DP 9-0-0-0
3rd Read 3/11/25 35-22-3
Prepared by Senate Research
March 20, 2025
AN/DL/ci