An Act

amending title 18, chapter 1, article 1, Arizona Revised Statutes, by adding section 18-105; relating to state information technology.

(TEXT OF BILL BEGINS ON NEXT PAGE)

Be it enacted by the Legislature of the State of Arizona:

Section 1. Title 18, chapter 1, article 1, Arizona Revised Statutes, is amended by adding section 18-105, to read:

START_STATUTE18-105. Cybersecurity threats; state information technology; standards; state employees and contractors; prohibition; exceptions; definitions

A. Not more than thirty days after the effective date of this section, the department shall develop standards, guidelines and practices for state agencies, CONTRACTORS of this state and public INSTITUTIONS of higher education that do all of the following:

1. Require the removal of any covered application from state information technology.

2. Address the use of personal electronic devices by state employees and contractors of this state to conduct state business, including covered application-enabled cell phones with remote access to an employee's state email account.

3. Identify sensitive locations, meetings or personnel within a state agency that could be exposed to covered application-enabled personal devices and develop restrictions on the use of personal cell phones, tablets or laptops in a designated sensitive location.

B. Each state agency, contractor of this state and public institution of higher education shall develop policies to support the implementation of this section and report the policy to the Department.

C. State employees and contractors of this state may not:

1. Conduct state business on any personal electronic device that has a covered application.

2. Use any communications equipment and services that are included on the federal communications commission's covered communications equipment or services list published pursuant to the secure and trusted communications networks act of 2019 (P.L. 116-124; 134 Stat. 158; 47 United states code section 1601) and that are deemed to pose an unacceptable risk to the national security of the United States or the security and safety of United States citizens.

D. Each state agency, CONTRACTOR of this state and public INSTITUTION of higher education shall implement network-based restrictions to prevent the use of prohibited technologies on agency networks by any electronic device. Each state agency, CONTRACTOR of this state and public INSTITUTION of higher education shall strictly enforce this section.

E. Each state employee shall sign a document annually confirming that the state employee understands the standards, guidelines and practices adopted pursuant to this section. A state employee who is found to have violated this section may be subject to disciplinary action, including termination of employment.

F. The Department shall require all state agencies and public institutions of higher education to implement security controls on state information technology that do all of the following:

1. Restrict access to application stores or unauthorized software repositories to prevent the installation of unauthorized applications.

2. Have the ability to remotely disable noncompliant or compromised State Information Technology.

3. Have the ability to remotely uninstall unauthorized software from State Information Technology.

4. As necessary, Deploy secure baseline configuration for State Information Technology.

5. Restrict access to any covered application on all agency technology infrastructures, including local networks, Wide area networks, and Virtual Private Network connections.

6. Restrict any personal electronic device that has a covered application from connecting to agency technology infrastructures or state data.

G. The Department may grant exceptions to this section to enable law enforcement investigations and other appropriate uses of covered applications on state-issued devices if the state agency or public institution of higher education requesting access establishes a separate network with the approval of the head of the agency or public institution of higher education. This authority may not be delegated. The exceptions described in this subsection must be reported to the Arizona department of Homeland Security. Exceptions may include any of the following:

1. accomplishing a specific business need, such as enabling a criminal or civil investigation or sharing information to the public during an emergency.

2. For personal electronic devices, extenuating circumstances granted for a predetermined period of time. To the extent practicable, exception-based usage should be performed only on personal electronic devices that are not used for other state business and on nonstate networks. Cameras and microphones must be disabled on personal electronic devices for exception-based use.

H. A public institution of higher education may include in the policy submitted to the Department an exception to accommodate the use by students of a state email address provided by the public institution of higher education. Any exception shall be restricted to the student's use of a personal electronic device that is privately owned or leased by the student or a member of the student's immediate family and shall include network security considerations to protect the public institution of higher education's network and data from traffic related to covered applications.

I. The department shall develop, annually update and publish a list of applications, services, communications equipment and services, and software that may be banned if the application, service, communications equipment and services, or software presents a cybersecurity threat to this state or the United States. The department shall notify each state agency and public institution of higher education and the Directors of the Joint Legislative Budget Committee and governor's Office of Strategic Planning and Budgeting of any application, service, communications equipment and services, or software that is added to or removed from the list.

J. For the purposes of this section:

1. "Company" means An entity that meets any of the following:

(a) directly or indirectly owns or operates a platform that is directly or indirectly owned or operated by a country of concern or is domiciled in, has its principal place of business in, is headquartered in or is organized under the laws of a country of concern.

(b) is subjected to substantial control or influence, directly or indirectly, from a country of concern, including the content moderation practices of the entity that directly or indirectly owns or operates such a platform.

(c) is directly or indirectly compelled to share data regarding United states Citizens with a country of concern.

(d) uses software, communications equipment and services or an algorithm that is directly or indirectly controlled or monitored by a country of concern.

2. "Confidential or sensitive information" includes information technology configurations, criminal justice information, financial data, personally identifiable data, sensitive personal information or any data protected by federal or state law.

3. "Country of concern" includes:

(a) China.

(b) Cuba.

(c) Eritrea.

(d) Iran.

(e) MYANMAR.

(f) North Korea.

(g) Nicaragua.

(h) Pakistan.

(i) Russia.

(j) Saudi Arabia.

(k) Tajikistan.

(l) Turkmenistan.

4. "Covered application" means A social networking SERVICE and any current or future successor application or service developed or provided by A private company or any entity owned or operated by A private company that is founded, headquartered or located in a country of concern.

5. "Public institution of higher education" means a university under the jurisdiction of the Arizona board of regents or a community college as defined in section 15-1401.

6. "SENSITIVE location":

(a) Means any location, whether physical or electronic, that is used to discuss confidential or sensitive information.

(b) Includes video conferencing and electronic meetings rooms.

7. "State business" includes the act of accessing any state-owned data, state-owned application, state email account, nonpublic facing communication, Voice over internet protocol, Short message service, videoconferencing and any other state database or application.

8. "State employee":

(a) Includes:

(i) Any full-time or part-time employee of this state.

(ii) A contractor of this state.

(iii) A paid or unpaid intern of this state.

(iv) Any user of a state network.

(b) does not INCLUDE a County, city or town employee.

9. "State information technology" includes all state-issued and owned cell phones, laptops, tablets and desktop computers and any other state-issued and owned electronic devices that are capable of internet connectivity. END_STATUTE