Tap any paragraph to write a margin note. Your notes collect in the Desk below the text and file under cases with @. The side-by-side margin rail opens on a larger screen.

§
Marginalia
Code · Utah · Title 63A — Utah Government Operations Code · Chapter 16

63A-16-1302. Foreign adversary threats to critical infrastructure -- Guidance and assessments.

942 words·~4 min read·/ut/title-63a/chapter-16/63a-16-1302

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Effective 5/6/2026
63A-16-1302. Foreign adversary threats to critical infrastructure -- Guidance and assessments.
(1)The Cyber Center shall, within available resources and in coordination with federal agencies, develop and maintain guidance for governmental entities on protecting critical infrastructure from foreign adversary cybersecurity threats.
(2)The guidance described in Subsection
(1)shall include:
(a)best practices for identifying and assessing security risks when foreign adversary technology, software, or services are used in connection with critical infrastructure;
(b)recommended security controls and monitoring procedures for critical infrastructure that utilizes foreign adversary technology;
(c)procedures for limiting foreign adversary access to critical infrastructure systems and data;
(d)methods for assessing and documenting risks associated with foreign adversary involvement in critical infrastructure;
(e)recommendations for transitioning away from foreign adversary technology in critical infrastructure when feasible and cost effective;
(f)identification of categories of critical infrastructure that present heightened security concerns if foreign adversary technology is involved; and
(g)recommendations for a comprehensive manual operations contingency plan for critical infrastructure that:
(i)details non-networked, non-automated, and manually executable procedures; and
(ii)is sufficient to sustain core operational functions of the critical infrastructure in the event of a significant cyber incident that renders automated or networked control systems unreliable or inoperable.
(3)The Cyber Center shall:
(a)review and update the guidance described in Subsection
(1)at least annually;
(b)make the guidance readily accessible to governmental entities through the division's website; and
(c)include information on foreign adversary threats to critical infrastructure in briefings and materials provided to governmental entities on cybersecurity matters.
(4)A governmental entity that operates or maintains critical infrastructure may request a security assessment from the Cyber Center if the governmental entity:
(a)is considering procurement of technology, software, or services from a foreign adversary for use in critical infrastructure; or
(b)identifies that critical infrastructure currently utilizes technology, software, or services from a foreign adversary.
(5)The Cyber Center shall prioritize security assessment requests under Subsection
(4)based on:
(a)the sensitivity of the data or systems involved;
(b)the potential impact of a compromise on security, economic security, or public health;
(c)available Cyber Center resources; and
(d)other relevant factors determined by the Cyber Center.
(6)A security assessment conducted under Subsection
(4)may include:
(a)an evaluation of potential security vulnerabilities associated with the foreign adversary technology, software, or services;
(b)an assessment of potential risks to critical infrastructure systems and data;
(c)an analysis of the potential impact of a compromise of the critical infrastructure on the governmental entity's operations, public safety, or economic security;
(d)recommendations for security measures or contract provisions to mitigate identified risks; and
(e)identification of alternative technology, software, or services that may present lower security risks.
(7)In conducting a security assessment under Subsection
(4), the Cyber Center may:
(a)coordinate with the Department of Public Safety and other relevant governmental entities; and
(b)coordinate with and utilize resources from federal agencies, including the Cybersecurity and Infrastructure Security Agency, as available.
(8)If the Cyber Center identifies significant security risks associated with foreign adversary technology in critical infrastructure, the Cyber Center may:
(a)notify the chief information officer and the affected governmental entity of the identified risks;
(b)recommend that the governmental entity implement enhanced security monitoring or controls;
(c)recommend that the governmental entity develop a plan to transition to alternative technology; or
(d)recommend that the matter be referred to appropriate state or federal law enforcement or security agencies.
(9)A governmental entity that operates or maintains critical infrastructure shall, when reporting a data breach to the Cyber Center under Section 63A-19-405 , indicate whether the data breach involved technology, software, or services from a foreign adversary.
(10)Except as provided in Subsection
(12), a security assessment or recommendation provided under this section is advisory only and does not:
(a)prohibit a governmental entity from entering into a contract or making a procurement decision; or
(b)require a governmental entity to transition away from existing technology, software, or services.
(11)Information obtained by the Cyber Center in conducting a security assessment under this section is protected in accordance with Title 63G, Chapter 2, Government Records Access and Management Act.
(12)On or after July 1, 2026, a governmental entity or critical infrastructure provider may not:
(a)enter into or renew a contract with a vendor for information and communications technology that the Cyber Center has included on the prohibited list described in Subsection
(13); or
(b)otherwise place into service any additional information and communications technology that the Cyber Center has included on the prohibited list described in Subsection
(13).
(a)On or after July 1, 2026, the Cyber Center shall publish and maintain a list of prohibited companies and information and communications technologies that the Cyber Center has assessed pose a risk of providing a foreign adversary with remote access to or control of critical infrastructure.
(b)The prohibited list shall include, at a minimum, companies and technologies that:
(i)appear on the Pentagon 1260H list;
(ii)appear on the Federal Communications Commission Covered List; or
(iii)are a re-labeled version of, or are produced by a subsidiary of a company included in a technology described in Subsection (13)(b)(i) or
(ii), and for which the Cyber Center has identified that a reasonable alternative provider exists.
(14)Notwithstanding Subsection
(12), a governmental entity or critical infrastructure provider may use a technology included on the prohibited list described in Subsection
(13)if no reasonable alternative exists to address the need relevant to state critical infrastructure.
Enacted by Chapter 65 , 2026 General Session
★   the supreme law of the land   ★
Don't Tread on Me
E Pluribus Unum — out of many, one

"If you don't know your rights, you don't have any."

Marginalia · a citizen's law index
A research desk, not legal advice. Always read the cited source before relying on a summary.
Questions or an issue? support@self-law.org
disclaimerMarginalia is a research index, not a law firm. Nothing on this site is legal, tax, or financial advice and no attorney–client relationship is formed by using it. Statutes, regulations, and case law change; summaries, search results, AI output, and member posts may be incomplete, out of date, or wrong. Any interpretation drawn from material on this site should be validated by a licensed attorney in your jurisdiction before you act on it.