A comprehensive, practitioner‑authored assessment of Arizona’s HB2809 post‑quantum cybersecurity requirements, statewide readiness indicators, and the modernization actions needed to prepare public sector agencies, critical infrastructure operators, and regulated industries for post-quantum cryptography (PQC) adoption.
SDSUG Research Series — Governance, Policy & Institutional Resilience
Post-Quantum Cryptography (PQC) Modernization Series — 2025–2026 — Report No. 6 (2026)
Prepared by: Hunter Storm (https://hunterstorm.com/), President, SDSUG
Version 1.0 — Published April 2026
Post-Quantum Cryptography (PQC) Modernization Series — 2025–2026
Arizona’s transition to post‑quantum cryptography requires clear governance, statutory alignment, and sector‑ready implementation guidance. As part of SDSUG’s Governance, Policy & Institutional Resilience domain, the Post-Quantum Cryptography (PQC) Modernization Series (2025–2026) provides a structured, practitioner‑driven framework for interpreting federal mandates, integrating statewide requirements, and preparing Arizona’s public and private sector institutions for cryptographic modernization at scale. These reports translate national expectations into actionable state‑level pathways, ensuring that Arizona’s agencies, critical infrastructure operators, and governance bodies can move decisively as PQC standards evolve.
Abstract
This report provides a detailed analysis of Arizona’s HB2809, the state’s first statutory framework addressing post‑quantum cybersecurity requirements. It evaluates the bill’s operational impact across public sector agencies, critical infrastructure operators, and private‑sector entities, and assesses statewide readiness for PQC migration. The report identifies governance gaps, implementation risks, and sector‑specific challenges, offering a structured roadmap to support Arizona’s transition toward quantum‑resilient architectures.
Purpose
The purpose of this report is to translate HB2809’s statutory language into actionable guidance for Arizona’s operational, regulatory, and governance communities. It aims to clarify statewide obligations, assess current readiness, and provide practitioners with a practical framework for planning, prioritizing, and executing PQC modernization efforts across diverse environments.
Executive Summary
Arizona House Bill 2809 (HB2809) represents one of the most consequential state‑level cybersecurity mandates in the United States, requiring a full transition to post‑quantum cryptography (PQC) across state agencies and mandating the use of U.S.-based vendors for cryptographic solutions. This report provides the first comprehensive, practitioner‑driven analysis of HB2809, its statewide implications, and its alignment with the December 2025 national PQC modernization mandate.
HB2809 arrives at a critical moment. Arizona’s cryptographic infrastructure is aging, fragmented, and unevenly distributed across agencies and municipalities. Critical infrastructure operators face escalating threats, and the state’s rapid growth in semiconductor manufacturing, defense, and high‑tech sectors increases exposure to quantum‑enabled adversaries.
This report evaluates statewide readiness, identifies governance and implementation gaps, and provides a phased roadmap for secure, coordinated PQC migration. It also includes the first crosswalk between HB2809 and the national PQC mandate, clarifying obligations for agencies, vendors, and critical infrastructure partners.
Introduction
Arizona HB2809 — Post‑Quantum Cybersecurity Requirements & Statewide Readiness (2026)
Arizona’s HB2809 represents one of the first state‑level cybersecurity statutes in the nation to explicitly incorporate post‑quantum security requirements, supply‑chain restrictions, and statewide governance obligations. As quantum‑resilient cryptography becomes a national priority, HB2809 positions Arizona at the forefront of state‑driven cybersecurity modernization — but it also introduces new operational, procurement, and compliance challenges that agencies and regulated sectors must navigate immediately.
This report provides the first comprehensive, practitioner‑driven analysis of HB2809 as a post‑quantum cybersecurity statute, interpreting its requirements through the lens of real‑world implementation rather than abstract policy. It examines how HB2809’s vendor‑origin restrictions, procurement controls, and statewide governance mandates intersect with the operational realities of cryptographic modernization, including inventory requirements, legacy system constraints, and the need for crypto‑agility across public sector systems. This is the first analysis of its kind globally; no other state, national, or international body has produced a comparable statutory‑grade PQC readiness assessment.
It is also the first statewide readiness assessment tied to a PQC‑related statute in the United States. By evaluating Arizona’s current posture, sector‑specific obligations, and operational gaps, the report establishes a baseline for statewide PQC preparedness and identifies the governance structures, inventories, and modernization pathways required for compliance. This analysis provides Arizona agencies, higher education institutions, and critical infrastructure operators with a clear, actionable understanding of what HB2809 demands — and what must change for the state to meet its statutory and operational obligations in the quantum era.
Legislative Overview: What HB2809 Actually Requires
HB2809 mandates:
- Statewide transition to post‑quantum cryptography: All state agencies must adopt NIST‑approved PQC algorithms for data‑at‑rest, data‑in‑transit, and identity systems.
- U.S.-based vendor requirement: All cryptographic solutions must be sourced from U.S.-based vendors, with supply‑chain transparency.
- Mandatory inventory of cryptographic assets: Agencies must identify all systems using classical cryptography.
- Implementation timelines:
  - Inventory: 12 months
  - Hybrid PQC deployment: 1–3 years
  - Full PQC transition: 3–5 years
- Reporting and compliance: Agencies must submit annual progress reports to the state.
- Critical infrastructure encouragement: While not mandated, operators are strongly encouraged to align with HB2809.
HB2809 is one of the first state‑level PQC mandates in the nation.
Post‑Quantum Cryptography (PQC) Background
The bill aligns with NIST’s 2022–2024 PQC standardization process, which selected:
- CRYSTALS‑Kyber — Key establishment
- CRYSTALS‑Dilithium — Digital signatures
- SPHINCS+ — Stateless hash‑based signatures
Key considerations:
- PQC algorithms have larger key sizes and different performance profiles.
- Hybrid modes (classical + PQC) are recommended during transition.
- Migration requires inventory, dependency mapping, and vendor coordination.
- PQC affects identity systems, VPNs, TLS, PKI, cloud services, and OT networks.
Statewide Readiness Assessment
Arizona’s current posture shows:
Strengths
- Strong defense and semiconductor sectors
- University of Arizona’s cyber and quantum programs
- Growing practitioner community
- Increasing legislative attention
Weaknesses
- Legacy systems across agencies
- Fragmented cryptographic inventories
- Limited PQC expertise in municipalities
- Under‑resourced rural infrastructure
- No statewide PQC governance body
Critical Infrastructure Exposure
Water, energy, transportation, and healthcare systems rely heavily on:
- unsupported cryptographic libraries
- legacy VPNs
- outdated PKI
- vendor‑managed OT systems with slow update cycles
Impact on State Agencies
HB2809 affects:
Identity & Access Systems
- PKI
- MFA
- SSO
- Directory services
Data‑in‑Transit
- TLS
- VPN
- API gateways
- Cloud interconnects
Data‑at‑Rest
- Database encryption
- File‑level encryption
- Backup systems
Procurement
- Vendor qualification
- Contract updates
- Supply‑chain verification
Agencies with legacy systems face the highest risk.
Impact on Critical Infrastructure
Critical infrastructure operators face:
- long hardware refresh cycles
- vendor‑locked cryptographic modules
- OT systems incompatible with PQC
- limited workforce capacity
Sectors most affected:
- Water — SCADA systems with outdated crypto
- Energy — grid telemetry and substation networks
- Transportation — traffic control systems
- Healthcare — medical devices and EHR systems
- Manufacturing — semiconductor fabs with global supply chains
Impact on Private Sector & Vendors
HB2809 requires:
- U.S.-based cryptographic vendors
- PQC‑ready products
- Transparent supply chains
- Hybrid‑mode support
Small vendors may struggle with:
- certification
- compliance costs
- migration timelines
Large vendors must update:
- SDKs
- APIs
- firmware
- cloud services
Governance & Coordination Gaps
Arizona currently lacks:
- a statewide PQC governance body
- a unified migration roadmap
- a cryptographic asset inventory
- cross‑sector coordination
- vendor certification standards
- municipal support structures
These gaps increase:
- cost
- risk
- fragmentation
- inconsistent implementation
Implementation Risks
Technical Risks
- Misconfigured hybrid modes
- Incompatible legacy systems
- Performance degradation
- Vendor delays
Operational Risks
- Workforce shortages
- Insufficient training
- Incomplete inventories
- Inconsistent adoption
Strategic Risks
- Supply‑chain vulnerabilities
- Non‑compliance with federal mandates
- Increased exposure during transition
Recommended Statewide Roadmap
Phase 1 (0–12 Months): Foundation
- Establish statewide PQC Governance Council
- Conduct cryptographic inventory
- Create procurement standards
- Launch pilot migrations
- Begin workforce upskilling
Phase 2 (1–3 Years): Hybrid Deployment
- Deploy hybrid classical + PQC modes
- Modernize critical infrastructure crypto
- Certify vendors
- Build regional support hubs
- Expand training programs
Phase 3 (3–5 Years): Full Transition
- Complete PQC migration
- Validate statewide compliance
- Conduct annual audits
- Maintain continuous monitoring
- Update governance frameworks
Alignment with the December 2025 National PQC Mandate
The national mandate requires:
- PQC adoption across federal systems
- NIST‑approved algorithms
- Hybrid modes during transition
- Procurement compliance
- Reporting and validation
Crosswalk Summary
| Requirement | National Mandate | HB2809 | Alignment |
|---|---|---|---|
| PQC adoption | Required | Required | Strong |
| Hybrid modes | Required | Implied | Moderate |
| Inventory | Required | Required | Strong |
| Vendor restrictions | None | U.S.-only | Divergent |
| Critical infrastructure | Encouraged | Encouraged | Strong |
| Timelines | Federal | State | Parallel |
Arizona must harmonize:
- procurement
- reporting
- hybrid‑mode guidance
- vendor certification
Findings
- Statutory obligations require immediate planning across state agencies and regulated sectors, with several requirements taking effect before statewide readiness is fully established.
- Current cryptographic inventories are incomplete, limiting the ability to prioritize PQC migration based on risk.
- Critical infrastructure sectors show uneven preparedness, with utilities and healthcare lagging behind financial and higher‑education institutions.
- Vendor ecosystems are not yet aligned with HB2809 requirements, creating procurement and compliance challenges.
- Governance structures lack clear ownership, resulting in inconsistent implementation across agencies and sectors.
Conclusions
Arizona’s HB2809 establishes a necessary foundation for statewide PQC modernization, but significant gaps remain in readiness, governance, and operational execution. Coordinated action, standardized inventories, and sector‑specific implementation plans are required to ensure a smooth transition to quantum‑resilient systems. The state must accelerate planning and cross‑sector collaboration to meet statutory timelines and reduce long‑term risk.
Methodology (Quantum & PQC Modernization — 2019–2026 Longitudinal Practitioner Dataset)
This analysis is grounded in more than a decade of practitioner‑level experience in quantum technology research, post‑quantum cryptography, and large‑scale cryptographic‑modernization efforts across global financial institutions, advanced‑research ecosystems, and national‑level governance bodies. The methodology reflects long‑horizon exposure to quantum‑risk modeling, cryptographic‑lifecycle management, and the operational realities of migrating complex, multi‑sector environments toward NIST‑approved post‑quantum standards.
The dataset includes direct participation in early enterprise quantum‑technology programs, including service on Wells Fargo’s original Quantum Technology Research Team, selected by the program’s founder. This early exposure to quantum risk analysis, hybrid cryptography design, and enterprise‑scale modernization informs the longitudinal perspective applied throughout this series.
The analytic framework also incorporates contributions from national and international quantum‑technology communities, including leadership roles within the Quantum Economic Development Consortium (QED‑C), participation in technical advisory councils (TAC), and collaboration with cryptographic‑modernization experts across industry, academia, and government. This includes alignment with global‑grade PQC research, migration tooling, and governance frameworks.
The analysis was developed using a practitioner‑first, governance‑aligned methodology grounded in national standards, state legislative analysis, and cross‑sector threat modeling. It incorporates federal PQC guidance, NIST standards, Arizona legislative text, and statewide cybersecurity assessments.
The author, Hunter Storm, brings extensive expertise across emerging and disruptive technologies (EDTs), including post‑quantum cryptography (PQC), quantum technologies, and hybrid cyber‑physical‑psychological threat modeling. Her background includes:
- involvement in PQC and quantum‑technology working groups
- advisory work across financial, research, and critical infrastructure domains
- leadership in enterprise architecture and cross‑domain governance
- deep experience in Security Operations Center (SOC) design and operational architecture
- research leadership in statewide cybersecurity posture assessments
- authorship of Arizona’s 2026 Material Weaknesses Audit, Statewide Action Plan, and Cyber Fusion Center roadmap
Her work integrates EDT strategy, governance modernization, and practitioner‑layer security, with a focus on long‑horizon risk, cryptographic transition planning, and institutional resilience.
Data Sources
The findings draw from a uniquely broad and longitudinal set of practitioner‑derived inputs, including:
- Enterprise quantum‑technology research (2019–2026) — direct involvement in Wells Fargo’s foundational Quantum Technology Research Team, including early quantum‑risk modeling, hybrid cryptography evaluation, and enterprise‑scale modernization planning.
- QED‑C and national‑level PQC governance work — participation in technical advisory councils, quantum‑technology working groups, and cross‑sector modernization initiatives supporting U.S. PQC readiness.
- PQC research and migration frameworks — exposure to industry‑leading PQC transition models, hybrid‑mode deployment patterns, and cryptographic‑inventory methodologies.
- Cross‑sector cryptographic‑modernization engagements — practitioner‑level work supporting financial institutions, research organizations, public sector agencies, and critical infrastructure operators preparing for PQC transition.
- Operational observations across cryptographic lifecycles — including key‑management evolution, certificate‑authority modernization, protocol migration, and dependency mapping across multi‑environment architectures.
- Federal guidance and national frameworks — NIST PQC standards, CISA modernization advisories, federal cryptographic‑transition roadmaps, and cross‑sector risk‑management resources.
- State‑level statutory and governance materials — including Arizona HB2809, statewide modernization plans, legislative analyses, and public sector cryptographic‑readiness assessments.
- Practitioner interviews and SME consultations — with cryptographers, quantum researchers, security architects, public sector leaders, and critical infrastructure operators.
- Review of federal PQC directives, including NIST standards, OMB memoranda, CISA guidance, and national‑level modernization expectations.
- Analysis of Arizona’s statutory and regulatory landscape, with emphasis on HB2809, statewide cybersecurity governance structures, and sector‑specific obligations.
- Cross‑sector practitioner interviews and operational insights from state agencies, critical‑infrastructure operators, and security leaders responsible for implementing cryptographic transitions.
- Comparative assessment of state and federal requirements, identifying alignment points, gaps, dependencies, and areas requiring coordinated governance action.
- Evaluation of implementation readiness, focusing on crypto‑agility, inventory maturity, risk exposure, and institutional capacity to execute PQC migration at scale.
- SDSUG internal analysis and statewide PQC‑readiness modeling — integrating cross‑sector insight from Arizona’s practitioner community and institutional ecosystem.
These inputs provide a rare, multi‑era view of quantum‑risk evolution, cryptographic‑modernization patterns, and the operational constraints shaping PQC readiness across sectors.
Analytic Approach
The analysis applies a structured, practitioner‑driven lens that emphasizes:
- Cryptographic‑lifecycle realism — assessing how long‑term key‑management, certificate‑authority, and protocol decisions shape PQC migration complexity.
- Hybrid‑mode transition patterns — evaluating the operational viability of classical‑plus‑PQC deployments across diverse architectures.
- Systemic dependency mapping — identifying how cryptographic weaknesses propagate across interconnected systems, supply chains, and multi‑sector environments.
- Governance and statutory alignment — interpreting federal mandates, state requirements, and sector‑specific obligations through a modernization‑ready lens.
- Quantum‑risk modeling — integrating long‑horizon analysis of quantum‑computing trajectories, algorithmic exposure, and cryptographic deprecation timelines.
- Institutional memory and continuity — assessing how workforce stability, architectural lineage, and organizational maturity influence PQC readiness.
This approach reflects the realities of large‑scale cryptographic environments, where modernization is constrained not by algorithms alone but by governance structures, operational dependencies, and long‑term architectural drift.
Scope
The PQC Modernization Series assesses:
- statewide PQC readiness
- sector‑specific migration requirements
- cryptographic‑inventory maturity
- governance and statutory alignment
- hybrid‑mode deployment feasibility
- critical infrastructure exposure
- public sector modernization constraints
- enterprise‑scale migration patterns
- supply‑chain and vendor‑dependency risks
Scope includes Arizona state agencies, public‑sector governance bodies, regulated entities, and critical‑infrastructure sectors with statutory or operational obligations related to cryptographic modernization. The analysis prioritizes clarity, implementability, and statewide resilience, emphasizing the decisions, timelines, and governance structures required to support Arizona’s transition to post‑quantum cryptography.
Limitations
The analysis is practitioner‑driven and qualitative. It does not rely on vendor‑reported metrics, marketing‑driven maturity models, or survey‑based scoring. Instead, it reflects:
- longitudinal quantum technology experience
- cryptographic lifecycle analysis
- governance and statutory interpretation
- cross‑sector modernization insight
- SME‑level consultation
- publicly available information
- limited access to proprietary systems
Where quantitative data is unavailable or inconsistent, findings are presented using structured qualitative scoring consistent with industry‑standard risk assessment practices.
Why This Methodology Is Appropriate
PQC modernization is not a purely technical exercise. It is a governance, lifecycle, and dependency‑driven transformation shaped by:
- cryptographic‑inventory complexity
- architectural lineage
- institutional memory
- workforce readiness
- statutory requirements
- systemic dependencies
These conditions cannot be captured through short‑term surveys or tool‑generated metrics. They require long‑horizon, practitioner‑level exposure to quantum risk evolution, cryptographic modernization, and cross‑sector operational realities.
This methodology provides a grounded, accurate, and actionable foundation for statewide PQC transition.
Appendices
- NIST PQC standards
- HB2809 legislative summary
- Migration templates
- Glossary
- Inventory worksheets
About This Report
Arizona HB2809 — Post‑Quantum Cybersecurity Requirements & Statewide Readiness (2026) is published periodically (statutory updates only) by SDSUG to provide clear, practitioner‑driven intelligence and a consistent baseline for assessing statewide cybersecurity risk.
This report is part of the SDSUG Research Series. For additional institutional publications and regional analysis, visit the SDSUG Research hub.

By Hunter Storm
CISO | Advisory Board Member | SOC Black Ops Team | Systems Architect | QED-C TAC Relationship Leader | Originator of Human-Layer Security
© 2026 Hunter Storm. All rights reserved.
How to Cite This Report
Storm, Hunter. Arizona HB2809 — Post‑Quantum Cybersecurity Requirements & Statewide Readiness (2026). SDSUG, Version 1.0, 2026.
For full citation standards and usage permissions, see SDSUG’s Citation and Usage Policy.
Disclaimer
This report is provided for educational and informational purposes only. SDSUG does not provide legal, regulatory, or compliance advice. All analysis reflects practitioner‑level interpretation of publicly available information at the time of publication.
SDSUG is Arizona’s longest‑running cybersecurity community and a central institution in the region’s security ecosystem. Founded in 2001 and operating continuously for more than 25 years, SDSUG provides practitioner‑driven leadership, vendor‑neutral governance, and trusted peer collaboration across the Southwest. Through its annual research, ecosystem mapping, and community programs, SDSUG strengthens regional resilience and serves as a stable anchor for Arizona’s cybersecurity practitioners, organizations, and critical‑infrastructure partners.
Last Updated: April 2026
