Published: April 6, 2026
Last Updated: April 26, 2026
Author: Hunter Storm

Post-Quantum Cryptography (PQC) Statewide Alignment Framework — HB2809 and the National PQC Mandate (Dec 2025)

How Arizona’s HB2809 requirements align with the national post-quantum cryptography (PQC) modernization mandate — and what statewide institutions must do next.


Sonoran Desert Security (SDSUG) Research — Governance, Policy & Institutional Resilience

Post‑Quantum Cryptography (PQC) Modernization Series — Report No. 3 (2026)

Author: Hunter Storm (https://hunterstorm.com)

Version 1.0 — Published April 2026


About This Report

This report is published by Sonoran Desert Security (SDSUG) as part of its formal research publication series. It supports cybersecurity awareness, resilience, and informed decision‑making across Arizona, reflecting SDSUG’s role as a trusted institutional resource for clear, accessible guidance. The analysis is openly accessible for reading, learning, and citation by practitioners, policymakers, and community members, and is intended for full search engine indexing. All content on this page is non‑sensitive.

All materials remain the sole intellectual property of the author and may not be presented, republished, or redistributed as original work. Proper attribution is required under the Citation & Usage Policy.



Post-Quantum Cryptography (PQC) Modernization Series

Arizona’s transition to post‑quantum cryptography requires clear governance, statutory alignment, and sector‑ready implementation guidance. As part of the Sonoran Desert Security (SDSUG) Governance, Policy & Institutional Resilience domain, the Post-Quantum Cryptography (PQC) Modernization Series provides a structured, practitioner‑driven framework for interpreting federal mandates, integrating statewide requirements, and preparing Arizona’s public‑ and private‑sector institutions for cryptographic modernization at scale. These reports translate national expectations into actionable state‑level pathways, ensuring that Arizona’s agencies, critical‑infrastructure operators, and governance bodies can move decisively as PQC standards evolve.


Abstract

This report provides a unified alignment and crosswalk framework connecting Arizona’s HB2809 post‑quantum cybersecurity requirements with the United States’ December 2025 national PQC modernization mandate. It identifies areas of overlap, divergence, and dependency across the two frameworks and offers sector‑specific guidance to support coordinated statewide implementation. The report enables Arizona institutions to harmonize state and federal obligations and reduce duplication, fragmentation, and compliance risk.


Purpose

The purpose of this report is to provide Arizona’s public‑sector agencies, critical‑infrastructure operators, and regulated industries with a clear, actionable crosswalk between state and federal PQC requirements. By aligning HB2809 with the national mandate, the report supports unified planning, reduces compliance complexity, and enables consistent statewide execution of PQC modernization activities.

It is a statewide crosswalk and alignment framework mapping Arizona’s HB2809 requirements to the United States’ national post-quantum cryptography (PQC) modernization mandate, with sector‑specific guidance for implementation.

This document provides the first formal statewide crosswalk between:

  • Arizona HB2809 (state‑level PQC mandate)
  • The December 2025 National PQC Modernization Mandate (federal requirement)

It identifies:

  • overlaps
  • divergences
  • gaps
  • conflicts
  • harmonization requirements
  • statewide governance implications

This artifact is designed for:

  • state agencies
  • municipalities
  • critical infrastructure operators
  • vendors
  • policymakers
  • practitioners

It is intentionally concise, structural, and quotable.


Introduction

Arizona’s transition to post‑quantum cryptography requires alignment between two powerful forces: the federal government’s December 2025 PQC Modernization Mandate and Arizona’s own HB2809 cybersecurity statute. Each establishes obligations, constraints, and expectations — but until now, no framework has existed to reconcile them into a unified statewide modernization strategy.

This report provides the first state–federal PQC alignment and crosswalk framework in the United States, mapping federal requirements, state statutory obligations, procurement constraints, and sector‑specific impacts into a single, coherent structure. It identifies where federal PQC doctrine and HB2809 reinforce each other, where they diverge, and where governance intervention is required to ensure consistent statewide implementation.

This is the first framework of its kind anywhere in the world. No other state, national, or international body has produced a comparable alignment model that unifies national PQC doctrine with sub‑national statutory requirements, procurement constraints, and statewide governance structures.

It is also the first statewide PQC governance harmonization model, integrating federal modernization timelines, NIST algorithmic standards, hybrid deployment expectations, and crypto‑agility requirements with Arizona’s vendor‑origin restrictions, procurement rules, and cybersecurity governance structures. This synthesis enables agencies, higher education institutions, and critical‑infrastructure operators to understand not only what each mandate requires, but how to execute both simultaneously without operational conflict.

Arizona’s HB2809 represents one of the first state‑level cybersecurity statutes in the nation to explicitly incorporate post‑quantum security requirements, supply‑chain restrictions, and statewide governance obligations. As quantum‑resilient cryptography becomes a national priority, HB2809 positions Arizona at the forefront of state‑driven cybersecurity modernization — but it also introduces new operational, procurement, and compliance challenges that agencies and regulated sectors must navigate immediately.

This report provides the first comprehensive, practitioner‑driven analysis of HB2809 as a post‑quantum cybersecurity statute, interpreting its requirements through the lens of real‑world implementation rather than abstract policy. It examines how HB2809’s vendor‑origin restrictions, procurement controls, and statewide governance mandates intersect with the operational realities of cryptographic modernization, including inventory requirements, legacy system constraints, and the need for crypto‑agility across public sector systems. This is the first analysis of its kind globally; no other state, national, or international body has produced a comparable statutory‑grade PQC readiness assessment.

It is also the first statewide readiness assessment tied to a PQC‑related statute in the United States. By evaluating Arizona’s current posture, sector‑specific obligations, and operational gaps, the report establishes a baseline for statewide PQC preparedness and identifies the governance structures, inventories, and modernization pathways required for compliance. This analysis provides Arizona agencies, higher education institutions, and critical infrastructure operators with a clear, actionable understanding of what HB2809 demands — and what must change for the state to meet its statutory and operational obligations in the quantum era.

Post‑quantum cryptography (PQC) — sometimes written in industry materials as “post quantum” — refers to cryptographic algorithms designed to remain secure against adversaries equipped with large‑scale quantum computers.

By providing a structured crosswalk, implementation blueprint, and governance alignment model, this report establishes the foundation for a unified statewide PQC modernization program — one that meets federal expectations, honors state law, and supports Arizona’s long‑term cybersecurity resilience.


1. High‑Level Summary

| Category | National PQC Mandate | HB2809 | Alignment |
|---|---|---|---|
| PQC Adoption | Required | Required | Strong |
| Hybrid Modes | Required | Implied | Moderate |
| Cryptographic Inventory | Required | Required | Strong |
| Vendor Restrictions | None | U.S.-only | Divergent |
| Critical Infrastructure | Encouraged | Encouraged | Strong |
| Timelines | Federal | State | Parallel |
| Reporting | Required | Required | Strong |
| Procurement Standards | PQC‑ready | PQC + U.S.-vendor | Partial |

2. Areas of Strong Alignment

2.1 PQC Adoption Requirements

Both frameworks require migration to NIST‑approved PQC algorithms for:

  • data‑in‑transit
  • data‑at‑rest
  • identity systems
  • key establishment
  • digital signatures

2.2 Cryptographic Inventory

Both require:

  • full cryptographic asset inventories
  • dependency mapping
  • certificate chain analysis
  • vendor‑managed component identification

2.3 Reporting & Validation

Both require:

  • annual progress reporting
  • risk assessments
  • migration documentation

2.4 Critical Infrastructure Encouragement

Neither mandates PQC for critical infrastructure, but both strongly encourage alignment.


3. Areas of Partial Alignment

3.1 Procurement Standards

  • National mandate: PQC‑ready solutions
  • HB2809: PQC‑ready and U.S.-based vendors

3.2 Hybrid Mode Requirements

  • National mandate: explicit hybrid classical + PQC requirement
  • HB2809: implied but not codified

3.3 Timelines

  • National: federal timelines
  • HB2809: state timelines
  • Both are compatible but not identical

4. Areas of Divergence

4.1 Vendor Origin Requirements

HB2809 requires:

  • U.S.-based cryptographic vendors
  • transparent supply chains

The national mandate does not impose vendor‑origin restrictions.

4.2 Procurement Enforcement

HB2809 requires:

  • contract updates
  • vendor certification
  • supply‑chain documentation

The national mandate focuses on:

  • algorithm support
  • hybrid‑mode capability

4.3 Scope of Enforcement

  • National mandate: federal systems
  • HB2809: state agencies
  • Overlap occurs where systems interconnect

5. Gaps & Conflicts

5.1 Hybrid Mode Guidance Gap

HB2809 does not explicitly require hybrid modes. This creates:

  • implementation ambiguity
  • vendor inconsistency
  • migration risk

5.2 Procurement Conflict

HB2809’s U.S.-vendor requirement may conflict with:

  • federal procurement rules
  • multi‑national vendor ecosystems
  • cloud service providers

5.3 Reporting Misalignment

Different reporting formats may create:

  • duplicated effort
  • inconsistent metrics
  • incompatible documentation

5.4 Critical Infrastructure Gap

Neither framework mandates PQC for critical infrastructure. This leaves the following sectors in a high‑risk posture:

  • water
  • energy
  • transportation
  • healthcare


6. Harmonization Strategy for Arizona

6.1 Establish a Statewide PQC Governance Council

Responsible for:

  • aligning federal and state requirements
  • issuing statewide guidance
  • coordinating inventories
  • validating vendor compliance

6.2 Create a Unified PQC Migration Framework

Includes:

  • hybrid‑mode standards
  • procurement templates
  • vendor certification criteria
  • reporting formats

6.3 Build a Statewide Cryptographic Inventory System

Centralized, standardized, and required for:

  • agencies
  • municipalities
  • critical infrastructure

6.4 Develop a Vendor Certification Program

Ensures:

  • PQC readiness
  • U.S.-based compliance (HB2809)
  • hybrid‑mode support
  • supply‑chain transparency

6.5 Provide Municipal & Rural Support

Includes:

  • shared services
  • training
  • technical assistance
  • funding pathways

7. Recommended Statewide Roadmap

Phase 1 (0–12 Months)

  • Governance Council
  • Inventory
  • Procurement standards
  • Pilot migrations

Phase 2 (1–3 Years)

  • Hybrid deployment
  • Critical infrastructure modernization
  • Vendor certification
  • Regional support hubs

Phase 3 (3–5 Years)

  • Full PQC transition
  • Compliance validation
  • Annual audits
  • Continuous monitoring

Findings

  • HB2809 and the national mandate share core objectives, but differ in scope, timelines, and operational expectations.
  • State and federal requirements overlap in cryptographic inventory, migration planning, and governance, enabling shared implementation pathways.
  • Divergences in terminology and sequencing create compliance ambiguity, particularly for multi‑jurisdictional operators.
  • Sector‑specific impacts vary significantly, with healthcare, utilities, and education requiring tailored migration strategies.
  • A unified statewide framework reduces duplication, improves clarity, and accelerates compliance across agencies and sectors.

Conclusions

Aligning HB2809 with the national PQC modernization mandate provides Arizona with a coherent statewide strategy for quantum‑resilient cybersecurity. A unified crosswalk framework reduces fragmentation, clarifies obligations, and enables consistent implementation across public‑sector and critical‑infrastructure environments. Coordinated statewide action is essential to meet both state and federal requirements efficiently and effectively.


Appendices

  • Post‑Quantum Cryptography (PQC) Modernization — 2019–2026 Longitudinal Practitioner Dataset & Analytic Framework
  • NIST PQC standards
  • Federal mandate summary
  • Migration templates
  • Glossary
  • Inventory worksheets

Post‑Quantum Cryptography (PQC) Modernization — 2019–2026 Longitudinal Practitioner Dataset & Analytic Framework

This analysis is grounded in more than a decade of practitioner‑level experience in quantum technology research, post‑quantum cryptography, and large‑scale cryptographic‑modernization efforts across global financial institutions, advanced‑research ecosystems, and national‑level governance bodies. The methodology reflects long‑horizon exposure to quantum‑risk modeling, cryptographic‑lifecycle management, and the operational realities of migrating complex, multi‑sector environments toward NIST‑approved post‑quantum standards.

The analysis was developed using a practitioner‑first, governance‑aligned methodology grounded in national standards, state legislative analysis, and cross‑sector threat modeling. It incorporates federal PQC guidance, NIST standards, Arizona legislative text, and statewide cybersecurity assessments.

The author, Hunter Storm, brings extensive expertise across emerging and disruptive technologies (EDTs), including post‑quantum cryptography (PQC), quantum technologies, and hybrid cyber‑physical‑psychological threat modeling. Her background includes:

  • involvement in PQC and quantum‑technology working groups
  • advisory work across financial, research, and critical infrastructure domains
  • leadership in enterprise architecture and cross‑domain governance
  • deep experience in Security Operations Center (SOC) design and operational architecture
  • research leadership in statewide cybersecurity posture assessments
  • authorship of Arizona’s 2026 Material Weaknesses Audit, Statewide Action Plan, and Cyber Fusion Center roadmap

Her work integrates EDT strategy, governance modernization, and practitioner‑layer security, with a focus on long‑horizon risk, cryptographic transition planning, and institutional resilience.


Data Sources

The findings draw from a uniquely broad and longitudinal set of practitioner‑derived inputs, including:

  • Enterprise quantum‑technology research (2019–2026) — direct involvement in Wells Fargo’s foundational Quantum Technology Research Team, including early quantum‑risk modeling, hybrid cryptography evaluation, and enterprise‑scale modernization planning.
  • QED‑C and national‑level PQC governance work — participation in technical advisory councils, quantum‑technology working groups, and cross‑sector modernization initiatives supporting U.S. PQC readiness.
  • PQC research and migration frameworks — exposure to industry‑leading PQC transition models, hybrid‑mode deployment patterns, and cryptographic‑inventory methodologies.
  • Cross‑sector cryptographic‑modernization engagements — practitioner‑level work supporting financial institutions, research organizations, public sector agencies, and critical infrastructure operators preparing for PQC transition.
  • Operational observations across cryptographic lifecycles — including key‑management evolution, certificate‑authority modernization, protocol migration, and dependency mapping across multi‑environment architectures.
  • Federal guidance and national frameworks — NIST PQC standards, CISA modernization advisories, federal cryptographic‑transition roadmaps, and cross‑sector risk‑management resources.
  • State‑level statutory and governance materials — including Arizona HB2809, statewide modernization plans, legislative analyses, and public sector cryptographic‑readiness assessments.
  • Practitioner interviews and SME consultations — with cryptographers, quantum researchers, security architects, public sector leaders, and critical infrastructure operators.
  • Review of federal PQC directives, including NIST standards, OMB memoranda, CISA guidance, and national‑level modernization expectations.
  • Analysis of Arizona’s statutory and regulatory landscape, with emphasis on HB2809, statewide cybersecurity governance structures, and sector‑specific obligations.
  • Cross‑sector practitioner interviews and operational insights from state agencies, critical‑infrastructure operators, and security leaders responsible for implementing cryptographic transitions.
  • Comparative assessment of state and federal requirements, identifying alignment points, gaps, dependencies, and areas requiring coordinated governance action.
  • Evaluation of implementation readiness, focusing on crypto‑agility, inventory maturity, risk exposure, and institutional capacity to execute PQC migration at scale.
  • SDSUG internal analysis and statewide PQC‑readiness modeling — integrating cross‑sector insight from Arizona’s practitioner community and institutional ecosystem.

Analytic Approach

The analysis applies a structured, practitioner‑driven lens that emphasizes:

  • Cryptographic‑lifecycle realism — assessing how long‑term key‑management, certificate‑authority, and protocol decisions shape PQC migration complexity.
  • Hybrid‑mode transition patterns — evaluating the operational viability of classical‑plus‑PQC deployments across diverse architectures.
  • Systemic dependency mapping — identifying how cryptographic weaknesses propagate across interconnected systems, supply chains, and multi‑sector environments.
  • Governance and statutory alignment — interpreting federal mandates, state requirements, and sector‑specific obligations through a modernization‑ready lens.
  • Quantum‑risk modeling — integrating long‑horizon analysis of quantum‑computing trajectories, algorithmic exposure, and cryptographic deprecation timelines.
  • Institutional memory and continuity — assessing how workforce stability, architectural lineage, and organizational maturity influence PQC readiness.

Scope

The PQC Modernization Series assesses:

  • statewide PQC readiness
  • sector‑specific migration requirements
  • cryptographic‑inventory maturity
  • governance and statutory alignment
  • hybrid‑mode deployment feasibility
  • critical infrastructure exposure
  • public sector modernization constraints
  • enterprise‑scale migration patterns
  • supply‑chain and vendor‑dependency risks

The analysis prioritizes clarity, implementability, and statewide resilience, emphasizing the decisions, timelines, and governance structures required to support Arizona’s transition to post‑quantum cryptography.


Limitations

The analysis is practitioner‑driven and qualitative. It does not rely on vendor‑reported metrics, marketing‑driven maturity models, or survey‑based scoring. Instead, it reflects:

  • longitudinal quantum technology experience
  • cryptographic lifecycle analysis
  • governance and statutory interpretation
  • cross‑sector modernization insight
  • SME‑level consultation
  • publicly available information
  • limited access to proprietary systems

Where quantitative data is unavailable or inconsistent, findings are presented using structured qualitative scoring consistent with industry‑standard risk assessment practices.


Why This Methodology Is Appropriate

PQC modernization is not a purely technical exercise. It is a governance, lifecycle, and dependency‑driven transformation shaped by:

  • cryptographic‑inventory complexity
  • architectural lineage
  • institutional memory
  • workforce readiness
  • statutory requirements
  • systemic dependencies

These conditions cannot be captured through short‑term surveys or tool‑generated metrics. They require long‑horizon, practitioner‑level exposure to quantum risk evolution, cryptographic modernization, and cross‑sector operational realities.

This methodology provides a grounded, accurate, and actionable foundation for statewide PQC transition.


About This Report

PQC Statewide Alignment Framework — HB2809 and the National PQC Mandate (Dec 2025) is published periodically (only when state–federal alignment changes) as part of Sonoran Desert Security (SDSUG) Research to provide practitioner‑driven intelligence for Arizona’s cybersecurity, governance, and critical‑infrastructure communities. This report contributes to the Post‑Quantum Cryptography (PQC) Modernization Series, which delivers statewide guidance on statutory alignment, governance readiness, and quantum‑resilient modernization.

For additional publications and analysis, visit the Sonoran Desert Security (SDSUG) Research hub.


By Hunter Storm

CISO | Advisory Board Member | SOC Black Ops Team | Systems Architect | QED-C TAC Relationship Leader | Originator of Human-Layer Security

© 2026 Hunter Storm. All rights reserved.


How to Cite This Report

Storm, Hunter. PQC Statewide Alignment Framework — HB2809 and the National PQC Mandate (Dec 2025). Sonoran Desert Security (SDSUG), Version 1.0, 2026.

For full citation standards and usage permissions, see the Sonoran Desert Security (SDSUG) Citation and Usage Policy.


Disclaimer

This report is provided for educational and informational purposes only. Sonoran Desert Security (SDSUG) does not provide legal, regulatory, or compliance advice. All analysis reflects practitioner‑level interpretation of publicly available information at the time of publication.


Sonoran Desert Security (SDSUG) is Arizona’s longest‑running cybersecurity community and a central institution in the region’s security ecosystem. Established in 2001 and operating continuously for more than 25 years, Sonoran Desert Security (SDSUG) provides practitioner‑led leadership, vendor‑neutral governance, and trusted peer collaboration across the Southwest. Through its annual research, ecosystem mapping, and community programs, Sonoran Desert Security (SDSUG) strengthens regional resilience and serves as a stable anchor for Arizona’s cybersecurity practitioners, organizations, and critical infrastructure partners. Sonoran Desert Security (SDSUG) also publishes independent research used by organizations and policymakers across Arizona, the broader Southwest, and national and international security, technology, and governance communities.

