Assigned to FED
AS PASSED BY COMMITTEE

ARIZONA STATE SENATE

Fifty-Seventh Legislature, First Regular Session

 

AMENDED

FACT SHEET FOR H.B. 2736

 

cybersecurity; data encryption; pilot program

Purpose

Allows the National Guard of Arizona's cyberattack prevention, response and support activities to include an assessment that performs testing on the state's technology systems to determine vulnerabilities in cybersecurity. Outlines a multi-year plan to review the state's current cybersecurity technologies and develop statewide plans to implement new cybersecurity technology.

Background

The Arizona Department of Military Affairs (DEMA) consists of the Division of Emergency Management and other divisions or offices as determined by the Adjutant General, who serves as the head of the department. The Adjutant General is responsible to the Governor for executing all orders relating to the militia, organizing, managing and allocating units, recruiting personnel, public relations and disciplining and training the National Guard of Arizona and those members of the militia inducted into the service of the state as prescribed. The Adjutant General also acts as military chief of staff to the Governor and as the commanding general of all branches of the militia. The Adjutant General, with permission of the Governor, may delegate powers and duties to the various divisions within DEMA (A.R.S. §§ 26-101 and 26-102).

The National Guard of Arizona may engage in cyberattack prevention, response and support activities for the state and political subdivisions of the state. Additionally, the National Guard of Arizona may enter into mutual aid agreements pertaining to cyber response and protection activities with state agencies and political subdivisions of the state. The National Guard Cyber Response Fund is administered by DEMA, and must be used for cyberattack prevention and response activity costs incurred by the state (A.R.S. § 26-183).

There is no anticipated fiscal impact to the state General Fund associated with this legislation.

Provisions

1.   Allows, subject to available monies, the National Guard of Arizona's cyberattack prevention, response and support activities to include conducting an assessment of a technological product that is or may be purchased by the state or a political subdivision of the state.

2.   Allows the assessment to include:

a)   penetration testing to identify vulnerabilities and assess the robustness of cybersecurity defenses;

b)   hardware nondestructive testing to evaluate the integrity and security compliance of physical security components; and

c)   vendor-capability verification to confirm that a vendor that contracts with the state or a political subdivision of the state is able to meet a contract's technical obligations and cybersecurity standards.

3.   Includes, in the Adjutant General's annual report, a generalized report on the cyberattack prevention, response and support activities performed by the National Guard of Arizona.

4.   Requires the Arizona Department of Homeland Security (AZDOHS) to implement a seven-year data encryption and cybersecurity study that is designed to protect information technology data against unauthorized access through the use of a software and hardware solution and to upgrade the cybersecurity infrastructure of information technology systems in Arizona.

5.   Requires the AZDOHS in FY 2026, if monies are appropriated for the data encryption and cybersecurity study (study), to create a plan, choose a vendor and begin the seven-year study.

6.   Requires the assessing entity to perform a study of the cybersecurity needs of:

a)   the Secretary of State's office in FY 2027 and prepare a report with proposed solutions, cost estimates and model implementing legislation for review by the Senate President, Speaker of the House (House) and Senate committees with jurisdiction over elections;

b)   the Department of Revenue in FY 2028 and prepare a report with proposed solutions, cost estimates and model implementing legislation for review by the Senate President, Speaker of the House and Senate committee with jurisdiction over taxation;

c)   the Arizona Department of Administration in FY 2029 and prepare a report with proposed solutions, cost estimates and model implementing legislation for review by the Senate President, Speaker of the House and Senate committees with jurisdiction over state government; and

d)   the Legislature in FY 2030 and prepare a report with proposed solutions, cost estimates and model implementing legislation for review by the Senate President and Speaker of the House.

7.   Requires any proposed data encryption system to:

a)   have source code that is only accessible for review and audit by the Office of the Auditor General (OAG);

b)   be owned by the state;

c)   be created and maintained by a company located in the United States that is only owned by U.S. citizens and has no foreign owners or investors;

d)   have a shareable code for transparency and audit purposes that is accessible for review and audit by the OAG;

e)   have a key-connected password system that is quantum encryption proof or future proof to other encryption breaking methodologies;

f)   be encryption agnostic;

g)   be able to reset, including password resets, without having to go to a third party for key resetting;

h)   have an audit trail for any key reset;

i)   have a master key that can be exchanged or recreated on demand with a signed and encrypted audit trail for all changes;

j)   allow each key package to contain a signed and encrypted audit trail;

k)   use technology that is protected by a unique U.S. patent;

l)   have U.S. Department of Defense-level security that is evidenced by penetration testing; and

m)   be purchased from a vendor that:

i. collaborates with the state agency that is implementing the encryption system to ensure seamless integration and compliance with all state and federal cybersecurity standards;

ii. provides a United States-sourced encryption system;

iii. is located and managed in the United States by U.S. citizens and that does not have any foreign owners or investors; and

iv. possesses a unique U.S. patent for the encryption system.

8.   Defines encryption agnostic as meaning that the system can use any encryption as long as the encryption can follow key-connected passwords.

9.   Defines penetration testing as a simulated cyber-attack that is authorized to evaluate the security of the system.

10.  Allows the OAG to audit the encryption system at each stage of the implementation and operation of the data encryption system.

11.  Requires the OAG, after the implementation of the data encryption system is complete, to conduct an annual audit for seven years beginning in FY 2027 to ensure ongoing compliance with security standards and to identify potential security vulnerabilities with the data encryption system.

12.  Requires the AZDOHS to submit an annual report to the Legislature beginning FY 2027 and continuing for five additional FYs.

13.  Requires the AZDOHS annual report to include:

a)   the status of the data encryption system implementation; and

b)   the results of any security assessments that were completed and whether any implementation or operation issues were encountered in the previous year.

14.  Requires the AZDOHS, in FY 2032, to submit a final report to the Legislature that summarizes the overall effectiveness and security of the data encryption system.

15.  Repeals the data encryption and cybersecurity study requirements on July 1, 2034.

16.  Becomes effective on the general effective date.

Amendments Adopted by Committee

1.   Removes the requirement that DEMA's Cyber Security Team conduct outlined cybersecurity assessments and transfers the cyberattack prevention, response and support activities from the DEMA Cybersecurity Team to the National Guard of Arizona.

2.   Requires the Adjutant General's annual report to include a generalized report on cyberattack prevention, response and support activities performed by the National Guard of Arizona.

3.   Makes technical changes.

House Action

ST          2/19/25    DP     9-0-0-0
3rd Read    3/11/25           35-22-3

Senate Action

FED         3/24/25    DPA    7-0-0

Prepared by Senate Research

March 26, 2025

AN/DL/slp