SDSUG Research — Governance, Policy & Institutional Resilience
Post‑Quantum Cryptography (PQC) Modernization Series — Report No. 4 (2026)
Prepared by: Hunter Storm (https://hunterstorm.com/), President, SDSUG
Version 1.0 — Published April 2026
Summary
Arizona HB2809 is a 2026 bill requiring all Arizona state agencies to adopt post‑quantum encryption (PQC) and implement a statewide cybersecurity encryption system that meets or exceeds CMMC 2.0 validation standards. It includes strict U.S.‑origin vendor requirements, supply‑chain sovereignty rules, and independent oversight by the Arizona Auditor General.
Post-Quantum Cryptography (PQC) Modernization Series
Arizona’s transition to post‑quantum cryptography requires clear governance, statutory alignment, and sector‑ready implementation guidance. As part of SDSUG’s Governance, Policy & Institutional Resilience domain, the Post-Quantum Cryptography (PQC) Modernization Series provides a structured, practitioner‑driven framework for interpreting federal mandates, integrating statewide requirements, and preparing Arizona’s public‑ and private‑sector institutions for cryptographic modernization at scale. These reports translate national expectations into actionable state‑level pathways, ensuring that Arizona’s agencies, critical‑infrastructure operators, and governance bodies can move decisively as PQC standards evolve.
Key Provisions
- Mandatory PQC adoption across all state agencies
- CMMC 2.0‑aligned encryption for sensitive and confidential data
- U.S.‑only vendors for software, hardware, and cryptographic components
- No foreign development, ownership, or data dependencies
- Auditor General as custodian of master encryption keys
- Applies to all agencies handling PII, infrastructure, elections, public safety, and financial data
Governance Implications
- Establishes Arizona as an early adopter of statewide PQC requirements
- Creates a de facto statewide cybersecurity baseline
- Forces modernization of legacy systems
- Introduces strict supply‑chain controls
- Aligns state systems with federal PQC mandates (Dec 2025)
Implementation Risks
- Vendor scarcity due to U.S.‑origin restrictions
- Legacy system incompatibility
- High transition costs
- Workforce readiness gaps
- Inter‑agency coordination challenges
Recommended Actions for Agencies
- Begin PQC readiness assessments
- Inventory cryptographic dependencies
- Identify non‑compliant vendors
- Develop migration timelines
- Coordinate with Auditor General’s office
Conclusion
Arizona HB2809 represents one of the first statewide statutory mandates for post‑quantum cybersecurity in the United States. By requiring PQC‑aligned encryption, enforcing strict U.S.‑origin vendor rules, and centralizing oversight under the Auditor General, the bill establishes a new statewide cybersecurity baseline. HB2809 positions Arizona as an early mover in quantum‑resilient modernization and creates a framework that aligns closely with the December 2025 federal PQC mandate. Successful implementation will require coordinated action across agencies, modernization of legacy systems, and careful management of supply‑chain constraints.
About This Report
Arizona HB2809 — Statewide Post‑Quantum Cybersecurity Requirements (2026) is published as part of SDSUG Research to provide practitioner‑driven intelligence for Arizona’s cybersecurity, governance, and critical‑infrastructure communities. This report contributes to the Post‑Quantum Cryptography (PQC) Modernization Series, which delivers statewide guidance on statutory alignment, governance readiness, and quantum‑resilient modernization.
For additional publications and analysis, visit the SDSUG Research hub.
By Hunter Storm
CISO | Advisory Board Member | SOC Black Ops Team | Systems Architect | QED-C TAC Relationship Leader | Originator of Human-Layer Security
© 2026 Hunter Storm. All rights reserved.
Related Reports
These companion reports are part of the SDSUG Research Series. For the full collection, visit the SDSUG Research hub.
- Arizona Cybersecurity Ecosystem Map — 2026 Edition
- Arizona Cybersecurity Material Weaknesses Audit — 2026
- Arizona HB2809 — Post‑Quantum Cybersecurity Requirements & Statewide Readiness (2026)
- Arizona HB2809 — Statewide Post‑Quantum Cybersecurity Requirements (2026): Executive Summary
- How Arizona Can Execute PQC Migration at Scale
- National Post-Quantum Cryptography (PQC) Modernization Mandate (Dec 2025) — Arizona Alignment & Implementation Framework
- Post-Quantum Cryptography (PQC) Statewide Alignment Framework — HB2809 and the National PQC Mandate
- Recommendations and Roadmap — Arizona Cybersecurity Material Weaknesses Audit 2026
- State of Cybersecurity in Arizona — 2026 Annual Report
- Statewide Action Plan — Arizona Cybersecurity Material Weaknesses Audit 2026
Version
Version 1.0 — Published April 2026
How to Cite This Report
Storm, Hunter. Arizona HB2809 — Statewide Post‑Quantum Cybersecurity Requirements (2026): Executive Summary. SDSUG, Version 1.0, 2026.
For full citation standards and usage permissions, see SDSUG’s Citation and Usage Policy.
Disclaimer
This report is provided for educational and informational purposes only. SDSUG does not provide legal, regulatory, or compliance advice. All analysis reflects practitioner‑level interpretation of publicly available information at the time of publication.
SDSUG is Arizona’s longest‑running cybersecurity community and a central institution in the region’s security ecosystem. Established in 2001 and operating continuously for more than 25 years, SDSUG provides practitioner‑led leadership, vendor‑neutral governance, and trusted peer collaboration across the Southwest. Through its annual research, ecosystem mapping, and community programs, SDSUG strengthens regional resilience and serves as a stable anchor for Arizona’s cybersecurity practitioners, organizations, and critical infrastructure partners. SDSUG also produces independent research used by organizations and policymakers across Arizona, the broader Southwest, and national and international security, technology, and governance communities.
Explore SDSUG
Start Here
Your guided introduction to SDSUG.
Membership
Join SDSUG for trusted peer collaboration and professional networking.
Leadership
Meet the team guiding SDSUG’s direction.
About SDSUG
Our mission, history, and values.
Events & Meetings
Upcoming topics, speakers, and educational sessions.
Sponsors
Organizations supporting SDSUG’s mission and practitioner community.
SDSUG at a Glance
Overview and FAQ.
Safety & Incident Response
Standards, trained officers, and incident‑response protocols.
Site Index
A full directory of SDSUG pages.
Last Updated: April 2026