SPONSOR: Simmons
This bill creates the "Missouri Critical Infrastructure Protection Act", which prohibits a company or other entity constructing, repairing, operating, or otherwise having significant access to critical infrastructure or a governmental agency from entering into an agreement relating to critical infrastructure in this State with a foreign principal from the country of a foreign adversary if the agreement would allow the foreign principal to directly or remotely access or control critical infrastructure in this State. An entity can enter into a contract or agreement relating to critical infrastructure with a foreign principal or use products or services produced by a foreign principal under certain circumstances specified in the bill.
Before accessing critical infrastructure, a company must file a certification form with and pay a certification fee to the Department of Public Safety. To maintain registration as a company with access to critical infrastructure, a company must complete the requirements specified in the bill.
The owner of a critical infrastructure installation must notify the Department of any proposed sale or transfer of or investment in such critical infrastructure to an entity domiciled outside of the United States or an entity with any foreign adversary ownership. The Department has 30 days following the notice to investigate the proposed sale, transfer, or investment. If the Department reasonably believes that such proposed sale, transfer, or investment will threaten state critical infrastructure security, state economic security, state or national public health, or any combination of those matters, the Attorney General, must file a request for injunction opposing the proposed sale, transfer, or investment with the Supreme Court. If the Court finds that such sale, transfer, or investment poses a reasonable threat, the Court must issue a denial of approval.
The Department must notify critical infrastructure entities of known or suspected cyber threats, vulnerabilities, and adversarial activities.
After August 28, 2025, a governmental entity or critical infrastructure provider cannot knowingly enter into or renew a contract with a vendor if the government of a foreign adversary owns a contracting vendor or has a controlling interest in the vendor or if the product sold by the vendor is produced by a government of a foreign adversary, a company primarily domiciled in the country of a foreign adversary, or a company owned or controlled by a company primarily domiciled in the country of a foreign adversary.
After August 28, 2025, a governmental entity or critical infrastructure provider cannot knowingly enter into or renew a contract for certain products with a vendor that is owned by the government of a foreign adversary, primarily domiciled within the country of a foreign adversary, owned or controlled by a company primarily domiciled in the country of a foreign adversary, or in which the government of a foreign adversary has a controlling interest. The Department must create a public listing of prohibited products and companies for governmental entities and critical infrastructure providers. After August 28, 2025, each critical infrastructure provider in Missouri must certify to the Department that they are in compliance with these prohibitions.
The bill also creates the "Missouri Secure Communications Act", which requires that all critical communications infrastructure located within or serving this State cannot include any equipment manufactured by a federally banned corporation, as defined in the bill. All critical communications infrastructure in operation within or serving this State, including any critical communications infrastructure that is not permanently disabled, must have all prohibited equipment removed and replaced.
Any communications provider that removes, discontinues, or replaces any prohibited communications equipment or service is not required to obtain any additional permits from any State agency or political subdivision for the removal, discontinuance, or replacement of such communications equipment or service as long as the State agency or political subdivision is notified of the necessary replacements and the replacement equipment is similar to the existing equipment.
Any communications provider providing service in this State that utilizes equipment from a Federally banned corporation must register, as required by the bill, with the Public Service Commission (PSC) before September 1, 2025, and on January first of each subsequent year until such equipment is removed. If a communications provider certifies to the PSC that it is a participant in the Federal Secure and Trusted Communications Networks Reimbursement Program, the communications provider must submit a status report to the PSC every quarter that details the communications provider's compliance with the reimbursement program.
Any communications provider that violates the provisions of the Act will be subject to a fine of no less than $5,000 and no more than $25,000 per day of noncompliance. Any communications provider that submits a false registration form will be subject to a fine of no less than $10,000 and no more than $20,000 per day of noncompliance.
Any communications provider that fails to comply is prohibited from receiving any state or local funds and any federal funds subject to distribution by state or local governments for the development or support of new or existing critical communications infrastructure.
The PSC must develop and publish, on a quarterly basis, a map of known prohibited communications equipment of all communications providers within or serving this State.
Statutes affected: