Arizona

In plain terms. Arizona governs state IT and cybersecurity through the Department of Administration, an IT Authorization Committee, and a data-breach law.

Who it applies to. State agencies and their IT vendors. The state participates in StateRAMP, its baseline for vetting cloud-service security.

What it requires. State law sets up the Information Technology Authorization Committee, gives the Department of Administration its IT authority, and requires response and notification after data-security breaches. Agencies build statewide security policies and baseline controls into IT buys.

Why it matters. Vendors selling IT to Arizona must meet statewide security policies and baseline controls and support the state's breach-response duties.

Citation. Ariz. Rev. Stat. §§ 18-121 (IT Authorization Committee), 18-401 et seq. (Department of Administration), and 18-551 et seq. (Data Security Breaches).

In plain terms. Arizona sets concrete vendor security expectations through technical bulletins, baseline controls, and contract addenda.

Who it applies to. State agencies and their IT vendors.

What it requires. The state's cybersecurity risk-assessment process, baseline infrastructure security controls, and a contract addendum requiring compliance with statewide IT policies, standards, and procedures define what vendors must deliver.

Why it matters. Expect Arizona's baseline security controls and statewide-policy warranties to appear directly in your contract.

Citation. Arizona Technical Bulletin 009 (Cybersecurity Risk Assessment and Management Process); AZ Baseline Infrastructure Security Controls; Contract Addendum B (Statewide IT Policies, Standards, and Procedures).