SDSUG

Post-Quantum Cryptography (PQC) Statewide Alignment Framework — HB2809 and the National PQC Mandate (Dec 2025)

How Arizona’s HB2809 requirements align with the national post-quantum cryptography (PQC) modernization mandate — and what statewide institutions must do next.

SDSUG Research Series — Governance, Policy & Institutional Resilience

Post-Quantum Cryptography (PQC) — 2025–2026 — Report No. 8 (2026)

Prepared by: Hunter Storm (https://hunterstorm.com/), President, SDSUG

Version 1.0 — Published April 2026

Post-Quantum Cryptography (PQC) Modernization Series — 2025–2026

Arizona’s transition to post‑quantum cryptography requires clear governance, statutory alignment, and sector‑ready implementation guidance. As part of SDSUG’s Governance, Policy & Institutional Resilience domain, the Post-Quantum Cryptography (PQC) Modernization Series (2025–2026) provides a structured, practitioner‑driven framework for interpreting federal mandates, integrating statewide requirements, and preparing Arizona’s public‑ and private‑sector institutions for cryptographic modernization at scale. These reports translate national expectations into actionable state‑level pathways, ensuring that Arizona’s agencies, critical‑infrastructure operators, and governance bodies can move decisively as PQC standards evolve.

Abstract

This report provides a unified alignment and crosswalk framework connecting Arizona’s HB2809 post‑quantum cybersecurity requirements with the United States’ December 2025 national PQC modernization mandate. It identifies areas of overlap, divergence, and dependency across the two frameworks and offers sector‑specific guidance to support coordinated statewide implementation. The report enables Arizona institutions to harmonize state and federal obligations and reduce duplication, fragmentation, and compliance risk.

Purpose

The purpose of this report is to provide Arizona’s public‑sector agencies, critical‑infrastructure operators, and regulated industries with a clear, actionable crosswalk between state and federal PQC requirements. By aligning HB2809 with the national mandate, the report supports unified planning, reduces compliance complexity, and enables consistent statewide execution of PQC modernization activities.

It is a statewide crosswalk and alignment framework mapping Arizona’s HB2809 requirements to the United States’ national post-quantum cryptography (PQC) modernization mandate, with sector‑specific guidance for implementation.

This document provides the first formal statewide crosswalk between:

  • Arizona HB2809 (state‑level PQC mandate)
  • The December 2025 National PQC Modernization Mandate (federal requirement)

It identifies:

  • overlaps
  • divergences
  • gaps
  • conflicts
  • harmonization requirements
  • statewide governance implications

This artifact is designed for:

  • state agencies
  • municipalities
  • critical infrastructure operators
  • vendors
  • policymakers
  • practitioners

It is intentionally concise, structural, and quotable.

Introduction

PQC Statewide Alignment Framework — HB2809 and the National PQC Mandate (Dec 2025)

Arizona’s transition to post‑quantum cryptography requires alignment between two powerful forces: the federal government’s December 2025 PQC Modernization Mandate and Arizona’s own HB2809 cybersecurity statute. Each establishes obligations, constraints, and expectations — but until now, no framework has existed to reconcile them into a unified statewide modernization strategy.

This report provides the first state–federal PQC alignment and crosswalk framework in the United States, mapping federal requirements, state statutory obligations, procurement constraints, and sector‑specific impacts into a single, coherent structure. It identifies where federal PQC doctrine and HB2809 reinforce each other, where they diverge, and where governance intervention is required to ensure consistent statewide implementation.

This is the first framework of its kind anywhere in the world. No other state, national, or international body has produced a comparable alignment model that unifies national PQC doctrine with sub‑national statutory requirements, procurement constraints, and statewide governance structures.

It is also the first statewide PQC governance harmonization model, integrating federal modernization timelines, NIST algorithmic standards, hybrid deployment expectations, and crypto‑agility requirements with Arizona’s vendor‑origin restrictions, procurement rules, and cybersecurity governance structures. This synthesis enables agencies, higher education institutions, and critical‑infrastructure operators to understand not only what each mandate requires, but how to execute both simultaneously without operational conflict.

By providing a structured crosswalk, implementation blueprint, and governance alignment model, this report establishes the foundation for a unified statewide PQC modernization program — one that meets federal expectations, honors state law, and supports Arizona’s long‑term cybersecurity resilience.

1. High‑Level Summary

CategoryNational PQC MandateHB2809Alignment
PQC AdoptionRequiredRequiredStrong
Hybrid ModesRequiredImpliedModerate
Cryptographic InventoryRequiredRequiredStrong
Vendor RestrictionsNoneU.S.-onlyDivergent
Critical InfrastructureEncouragedEncouragedStrong
TimelinesFederalStateParallel
ReportingRequiredRequiredStrong
Procurement StandardsPQC‑readyPQC + U.S.-vendorPartial

2. Areas of Strong Alignment

2.1 PQC Adoption Requirements

Both frameworks require migration to NIST‑approved PQC algorithms for:

  • data‑in‑transit
  • data‑at‑rest
  • identity systems
  • key establishment
  • digital signatures

2.2 Cryptographic Inventory

Both require:

  • full cryptographic asset inventories
  • dependency mapping
  • certificate chain analysis
  • vendor‑managed component identification

2.3 Reporting & Validation

Both require:

  • annual progress reporting
  • risk assessments
  • migration documentation

2.4 Critical Infrastructure Encouragement

Neither mandates PQC for critical infrastructure, but both strongly encourage alignment.

3. Areas of Partial Alignment

3.1 Procurement Standards

  • National mandate: PQC‑ready solutions
  • HB2809: PQC‑ready and U.S.-based vendors

3.2 Hybrid Mode Requirements

  • National mandate: explicit hybrid classical + PQC requirement
  • HB2809: implied but not codified

3.3 Timelines

  • National: federal timelines
  • HB2809: state timelines
  • Both are compatible but not identical

4. Areas of Divergence

4.1 Vendor Origin Requirements

HB2809 requires:

  • U.S.-based cryptographic vendors
  • transparent supply chains

The national mandate does not impose vendor‑origin restrictions.

4.2 Procurement Enforcement

HB2809 requires:

  • contract updates
  • vendor certification
  • supply‑chain documentation

The national mandate focuses on:

  • algorithm support
  • hybrid‑mode capability

4.3 Scope of Enforcement

  • National mandate: federal systems
  • HB2809: state agencies
  • Overlap occurs where systems interconnect

5. Gaps & Conflicts

5.1 Hybrid Mode Guidance Gap

HB2809 does not explicitly require hybrid modes. This creates:

  • implementation ambiguity
  • vendor inconsistency
  • migration risk

5.2 Procurement Conflict

HB2809’s U.S.-vendor requirement may conflict with:

  • federal procurement rules
  • multi‑national vendor ecosystems
  • cloud service providers

5.3 Reporting Misalignment

Different reporting formats may create:

  • duplicated effort
  • inconsistent metrics
  • incompatible documentation

5.4 Critical Infrastructure Gap

Neither framework mandates PQC for critical infrastructure. This leaves:

  • water
  • energy
  • transportation
  • healthcare

…in a high‑risk posture.

6. Harmonization Strategy for Arizona

6.1 Establish a Statewide PQC Governance Council

Responsible for:

  • aligning federal and state requirements
  • issuing statewide guidance
  • coordinating inventories
  • validating vendor compliance

6.2 Create a Unified PQC Migration Framework

Includes:

  • hybrid‑mode standards
  • procurement templates
  • vendor certification criteria
  • reporting formats

6.3 Build a Statewide Cryptographic Inventory System

Centralized, standardized, and required for:

  • agencies
  • municipalities
  • critical infrastructure

6.4 Develop a Vendor Certification Program

Ensures:

  • PQC readiness
  • U.S.-based compliance (HB2809)
  • hybrid‑mode support
  • supply‑chain transparency

6.5 Provide Municipal & Rural Support

Includes:

  • shared services
  • training
  • technical assistance
  • funding pathways

7. Recommended Statewide Roadmap

Phase 1 (0–12 Months)

  • Governance Council
  • Inventory
  • Procurement standards
  • Pilot migrations

Phase 2 (1–3 Years)

  • Hybrid deployment
  • Critical infrastructure modernization
  • Vendor certification
  • Regional support hubs

Phase 3 (3–5 Years)

  • Full PQC transition
  • Compliance validation
  • Annual audits
  • Continuous monitoring

Findings

  • HB2809 and the national mandate share core objectives, but differ in scope, timelines, and operational expectations.
  • State and federal requirements overlap in cryptographic inventory, migration planning, and governance, enabling shared implementation pathways.
  • Divergences in terminology and sequencing create compliance ambiguity, particularly for multi‑jurisdictional operators.
  • Sector‑specific impacts vary significantly, with healthcare, utilities, and education requiring tailored migration strategies.
  • A unified statewide framework reduces duplication, improves clarity, and accelerates compliance across agencies and sectors.

Conclusions

Aligning HB2809 with the national PQC modernization mandate provides Arizona with a coherent statewide strategy for quantum‑resilient cybersecurity. A unified crosswalk framework reduces fragmentation, clarifies obligations, and enables consistent implementation across public‑sector and critical‑infrastructure environments. Coordinated statewide action is essential to meet both state and federal requirements efficiently and effectively.

About This Report

PQC Statewide Alignment Framework — HB2809 and the National PQC Mandate (Dec 2025) is published periodically (state–federal alignment changes only) by SDSUG to provide clear, practitioner‑driven intelligence and a consistent baseline for assessing statewide cybersecurity risk.

This report is part of the SDSUG Research Series. For additional institutional publications and regional analysis, visit the SDSUG Research hub.

Hunter Storm, President of SDSUG smiling

By Hunter Storm

President, SDSUG

CISO | Advisory Board Member | SOC Black Ops Team | Systems Architect | QED-C TAC Relationship Leader | Originator of Human-Layer Security

https://hunterstorm.com/

© 2026 Hunter Storm. All rights reserved.

Related Reports

These companion reports are part of the SDSUG Research Series. For the full collection, visit the SDSUG Research hub.

State of Cybersecurity in Arizona — 2026 Annual Report

A comprehensive, practitioner‑driven analysis of Arizona’s cybersecurity landscape, including regional threats, workforce trends, governance maturity, and critical‑infrastructure exposure. Read the report → State of Cybersecurity in Arizona — 2026 Annual Report

Arizona Cybersecurity Ecosystem Map — 2026 Edition

A structured map of the institutions, communities, conferences, academic programs, and public‑sector partners that shape Arizona’s cybersecurity ecosystem. View the ecosystem map → Arizona Cybersecurity Ecosystem Map — 2026 Edition

Arizona Cybersecurity Material Weaknesses Audit — 2026

A statewide, practitioner‑authored audit identifying the most significant systemic cybersecurity weaknesses impacting Arizona’s public, private, and critical‑infrastructure sectors. View the audit → Arizona Cybersecurity Material Weaknesses Audit — 2026

Recommendations and Roadmap — Arizona Cybersecurity Material Weaknesses Audit 2026

A strategic, practitioner‑driven roadmap outlining the statewide actions required to remediate Arizona’s most significant cybersecurity material weaknesses and strengthen long‑term resilience.

View the roadmap → Recommendations and Roadmap — Arizona Cybersecurity Material Weaknesses Audit 2026

Statewide Action Plan — Arizona Cybersecurity Material Weaknesses Audit 2026

A unified, statewide strategy outlining the structural reforms, governance model, and cross‑sector actions required to address Arizona’s cybersecurity material weaknesses and prepare the state for global‑scale threats.

View the plan → Statewide Action Plan — Arizona Cybersecurity Material Weaknesses Audit 2026

HB2809 — Post‑Quantum Cybersecurity Requirements & Statewide Readiness (2026)

SDSUG Research Series — Report No. 6

An analysis of Arizona’s HB2809 post‑quantum cybersecurity requirements, statewide readiness, and the modernization actions needed to meet statutory PQC obligations.

Read the report → Arizona HB2809 — Post‑Quantum Cybersecurity Requirements & Statewide Readiness (2026)

National Post-Quantum Cryptography (PQC) Modernization Mandate (Dec 2025) — Arizona Alignment & Implementation Framework

SDSUG Research Series — Report No. 7

A detailed framework aligning Arizona’s public‑ and private‑sector institutions with the United States’ December 2025 national PQC modernization mandate.

View the framework → National Post-Quantum Cryptography (PQC) Modernization Mandate (Dec 2025) — Arizona Alignment & Implementation Framework

National Post-Quantum Cryptography (PQC) Modernization Mandate (Dec 2025) — Sector‑Specific Requirements & Operational Guidance

SDSUG Research Series — Report No. 8

Sector‑specific operational guidance for implementing the national PQC modernization mandate across Arizona’s critical‑infrastructure, financial, healthcare, education, and public‑sector environments.

Read the guidance → National Post-Quantum Cryptography (PQC) Modernization Mandate (Dec 2025) — Sector‑Specific Requirements & Operational Guidance

Version

Version 1.0 — Published April 2026

How to Cite This Report

Storm, Hunter. PQC Statewide Alignment Framework — HB2809 and the National PQC Mandate (Dec 2025). SDSUG, Version 1.0, 2026.

For full citation standards and usage permissions, see SDSUG’s Citation and Usage Policy.

Disclaimer

This report is provided for educational and informational purposes only. SDSUG does not provide legal, regulatory, or compliance advice. All analysis reflects practitioner‑level interpretation of publicly available information at the time of publication.

SDSUG is Arizona’s longest‑running cybersecurity community and a central institution in the region’s security ecosystem. Founded in 2001 and operating continuously for more than 25 years, SDSUG provides practitioner‑driven leadership, vendor‑neutral governance, and trusted peer collaboration across the Southwest. Through its annual research, ecosystem mapping, and community programs, SDSUG strengthens regional resilience and serves as a stable anchor for Arizona’s cybersecurity practitioners, organizations, and critical‑infrastructure partners.

Explore SDSUG

Start Here
Your guided introduction to SDSUG.

Membership
Join SDSUG for trusted peer collaboration and professional networking.

Leadership
Meet the team guiding SDSUG’s direction.

About SDSUG
Our mission, history, and values.

Events & Meetings
Upcoming topics, speakers, and educational sessions.

Sponsors
Organizations supporting SDSUG’s mission and practitioner community.

SDSUG at a Glance
Overview and FAQ.

Safety & Incident Response
Standards, trained officers, and incident‑response protocols.

Site Index
A full directory of SDSUG pages.

Start Here
Events
Join SDSUG

Last Updated: April 2026

error: Content protection is enabled to prevent unauthorized copying.