Published: April 8, 2026 | Last Updated: April 26, 2026 | Author: Hunter Storm

Arizona HB2809 — Statewide Post‑Quantum Cybersecurity Requirements (2026): Executive Summary


Sonoran Desert Security (SDSUG) Research — Governance, Policy & Institutional Resilience

Post‑Quantum Cryptography (PQC) Modernization Series — Report No. 4 (2026)

Author: Hunter Storm (https://hunterstorm.com)

Version 1.0 — Published April 2026


About This Report

This report is published by Sonoran Desert Security (SDSUG) as part of its formal research publication series. It supports cybersecurity awareness, resilience, and informed decision‑making across Arizona, reflecting SDSUG’s role as a trusted institutional resource for clear, accessible guidance. The analysis is openly accessible for reading, learning, and citation by practitioners, policymakers, and community members, and is intended for full search engine indexing. All content on this page is non‑sensitive.

All materials remain the sole intellectual property of the author and may not be presented, republished, or redistributed as original work. Proper attribution is required under the Citation & Usage Policy.




Summary

Arizona HB2809 is a 2026 bill requiring all Arizona state agencies to adopt post‑quantum encryption (PQC) and implement a statewide cybersecurity encryption system that meets or exceeds CMMC 2.0 validation standards. It includes strict U.S.‑origin vendor requirements, supply‑chain sovereignty rules, and independent oversight by the Arizona Auditor General.


Post-Quantum Cryptography (PQC) Modernization Series

Arizona’s transition to post‑quantum cryptography requires clear governance, statutory alignment, and sector‑ready implementation guidance. As part of the Sonoran Desert Security (SDSUG) Governance, Policy & Institutional Resilience domain, the Post-Quantum Cryptography (PQC) Modernization Series provides a structured, practitioner‑driven framework for interpreting federal mandates, integrating statewide requirements, and preparing Arizona’s public‑ and private‑sector institutions for cryptographic modernization at scale. These reports translate national expectations into actionable state‑level pathways, ensuring that Arizona’s agencies, critical‑infrastructure operators, and governance bodies can move decisively as PQC standards evolve.


Key Provisions

  • Mandatory PQC adoption across all state agencies
  • CMMC 2.0‑aligned encryption for sensitive and confidential data
  • U.S.‑only vendors for software, hardware, and cryptographic components
  • No foreign development, ownership, or data dependencies
  • Auditor General as custodian of master encryption keys
  • Applies to all agencies handling PII, infrastructure, elections, public safety, and financial data

Governance Implications

  • Establishes Arizona as an early adopter of statewide PQC requirements
  • Creates a de facto statewide cybersecurity baseline
  • Forces modernization of legacy systems
  • Introduces strict supply‑chain controls
  • Aligns state systems with federal PQC mandates (Dec 2025)

Implementation Risks

  • Vendor scarcity due to U.S.‑origin restrictions
  • Legacy system incompatibility
  • High transition costs
  • Workforce readiness gaps
  • Inter‑agency coordination challenges

Recommended Actions for Agencies

  • Begin PQC readiness assessments
  • Inventory cryptographic dependencies
  • Identify non‑compliant vendors
  • Develop migration timelines
  • Coordinate with Auditor General’s office

Conclusion

Arizona HB2809 represents one of the first statewide statutory mandates for post‑quantum cybersecurity in the United States. By requiring PQC‑aligned encryption, enforcing strict U.S.‑origin vendor rules, and centralizing oversight under the Auditor General, the bill establishes a new statewide cybersecurity baseline. HB2809 positions Arizona as an early mover in quantum‑resilient modernization and creates a framework that aligns closely with the December 2025 federal PQC mandate. Successful implementation will require coordinated action across agencies, modernization of legacy systems, and careful management of supply‑chain constraints.


About This Report

Arizona HB2809 — Statewide Post‑Quantum Cybersecurity Requirements (2026) is published as part of Sonoran Desert Security (SDSUG) Research to provide practitioner‑driven intelligence for Arizona’s cybersecurity, governance, and critical‑infrastructure communities. This report contributes to the Post‑Quantum Cryptography (PQC) Modernization Series, which delivers statewide guidance on statutory alignment, governance readiness, and quantum‑resilient modernization.

For additional publications and analysis, visit the Sonoran Desert Security (SDSUG) Research hub.


Hunter Storm, President of SDSUG

By Hunter Storm

CISO | Advisory Board Member | SOC Black Ops Team | Systems Architect | QED-C TAC Relationship Leader | Originator of Human-Layer Security

© 2026 Hunter Storm. All rights reserved.




How to Cite This Report

Storm, Hunter. Arizona HB2809 — Statewide Post‑Quantum Cybersecurity Requirements (2026): Executive Summary. Sonoran Desert Security (SDSUG), Version 1.0, 2026.

For full citation standards and usage permissions, see the Sonoran Desert Security (SDSUG) Citation and Usage Policy.


Disclaimer

This report is provided for educational and informational purposes only. Sonoran Desert Security (SDSUG) does not provide legal, regulatory, or compliance advice. All analysis reflects practitioner‑level interpretation of publicly available information at the time of publication.


Sonoran Desert Security (SDSUG) is Arizona’s longest‑running cybersecurity community and a central institution in the region’s security ecosystem. Established in 2001 and operating continuously for more than 25 years, Sonoran Desert Security (SDSUG) provides practitioner‑led leadership, vendor‑neutral governance, and trusted peer collaboration across the Southwest. Through its annual research, ecosystem mapping, and community programs, Sonoran Desert Security (SDSUG) strengthens regional resilience and serves as a stable anchor for Arizona’s cybersecurity practitioners, organizations, and critical infrastructure partners. Sonoran Desert Security (SDSUG) also publishes independent research used by organizations and policymakers across Arizona, the broader Southwest, and national and international security, technology, and governance communities.

