AZ HB2809

Requires Arizona to implement a statewide post-quantum encryption cybersecurity system that meets or exceeds Department of Defense CMMC 2.0 certification standards across all state agencies handling personal information, election data, public safety, finance, or confidential data.

Restricts cybersecurity system procurement to 100% U.S.-based vendors with software, hardware, and cryptographic components developed, manufactured, and maintained exclusively in the United States, excluding any companies with foreign parent companies, subsidiaries, or data dependencies.

Designates the Auditor General as independent custodian of master encryption keys, responsible for establishing secure key management procedures, conducting periodic compliance audits, certifying system installations, and reporting noncompliance to the Governor, legislature, and Attorney General.

State agencies must install the post-quantum encryption system, validate operational effectiveness with the Auditor General, and maintain continuous compliance; noncompliant agencies face mandatory corrective action plans, legislative oversight hearings, and potential IT budget restrictions.

Vendors awarded contracts must provide technical training, support installation and audit activities, demonstrate CMMC 2.0 compliance, and may face suspension or contract termination for noncompliance.