Arizona committee backs bill requiring post‑quantum encryption for sensitive state systems

Committee on Science and Technology, Arizona House of Representatives · February 11, 2026

AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video.

Summary

The House Science and Technology Committee unanimously adopted an amendment and voted 9–0 to return House Bill 2809 with a due‑pass recommendation; the bill would require state agencies handling sensitive data to implement post‑quantum encryption with the Auditor General holding master keys.

The Arizona House Science and Technology Committee returned House Bill 2809 with a due‑pass recommendation on Feb. 11 after adopting an amendment that clarifies implementation for offline systems.

The bill would require any state agency that processes, stores or transmits personally identifiable information or sensitive state data related to elections, public safety, benefits, finance or infrastructure to implement post‑quantum encryption that meets or surpasses the initial Cybersecurity Maturity Model Certification (CMMC) 2 validation. Staff told the committee the law would limit approved vendors to United States companies and require software, hardware and geographic components to be developed, manufactured and maintained inside the U.S. The Auditor General would serve as the independent custodian of the master encryption key, with procedures for the Auditor General and Attorney General specified in the bill.

Sponsor Representative Gillette told the committee the Pingarelli amendment (dated Feb. 11, 2026) is intended to prevent agencies from having to connect devices that are not Internet‑enabled in order to encrypt them. Under the amendment, an agency may apply encryption using removable media or other offline processes instead of placing formerly offline systems online. The amendment also adds a mandatory corrective‑action plan for agencies that fail to comply and specifies that any budget restrictions imposed on an agency for noncompliance must be enacted by joint resolution.

Gillette cited a cybersecurity breach of the candidate portal last summer to explain the bill’s urgency and said penetration testing of candidate post‑quantum solutions showed the tested systems were not broken. He said the bill is designed to secure legacy systems that still hold critical personal data and that full operational details such as procurement, vendor service levels and long‑term maintenance will be handled through contracts and agency procurement processes.

Committee members asked whether the Auditor General has the technical capacity to hold the key and whether the new requirements would create recurring costs. Gillette said the Auditor General can store the key material (for example, on hardened drives and thumb drives) but that day‑to‑day operations and technical work would remain with ADOA, DHS or other designated agencies; he suggested staggered agency rollouts and procurement contracts that include warranties and vendor service. Representative Aguilar and others said they support the concept but want broader stakeholder engagement before final passage.

After adopting the amendment by voice, the committee moved the amended bill and the roll call produced 9 ayes, 0 nays, 0 present, 0 absent; the committee returned HB 2809 with a due‑pass recommendation. The committee then adjourned.