HOUSE BILL NO. 1231 103RD GENERAL ASSEMBLY
INTRODUCED BY REPRESENTATIVE SIMMONS.
2618H.01I JOSEPH ENGLER, Chief Clerk
AN ACT To amend chapter 1, RSMo, by adding thereto two new sections relating to the infrastructure security, with penalty provisions.
Be it enacted by the General Assembly of the state of Missouri, as follows:
Section A. Chapter 1, RSMo, is amended by adding thereto two new sections, to be 2 known as sections 1.1400 and 1.1410, to read as follows: 1.1400. 1. This section shall be known and may be cited as the "Missouri 2 Critical Infrastructure Protection Act". 3 2. As used in this section, the following terms mean: 4 (1) "Company", a for-profit sole proprietorship, organization, association, 5 corporation, partnership, joint venture, limited partnership, limited liability 6 partnership, or limited liability company, including a wholly owned subsidiary, 7 majority-owned subsidiary, parent company, or affiliate of those entities or business 8 associations that exists to make a profit; or a non-profit organization; 9 (2) "Critical infrastructure", systems and assets, whether physical or virtual, so 10 vital to the state of Missouri or the United States that the incapacity or destruction of 11 such systems and assets would have a debilitating impact on state or national security, 12 state or national economic security, or state or national public health. A critical 13 infrastructure may be publicly or privately owned, and includes but is not limited to: 14 (a) Gas and oil production, storage, or delivery systems; 15 (b) Water supply, refinement, storage, or delivery systems; 16 (c) Telecommunications networks; 17 (d) Electrical power delivery systems;
EXPLANATION — Matter enclosed in bold-faced brackets [thus] in the above bill is not enacted and is intended to be omitted from the law. Matter in bold-face type in the above bill is proposed language. HB 1231 2
18 (e) Emergency services; 19 (f) Transportation systems and services; and 20 (g) Personal data or other classified information storage systems, including 21 cybersecurity; 22 (3) "Cybersecurity", the measures taken to protect a computer, computer 23 network, computer system, or other technology infrastructure against unauthorized use 24 or access; 25 (4) "Domicile", either the country in which a company is registered, where the 26 company's affairs are primarily completed, or where the majority of ownership share is 27 held; 28 (5) "Foreign adversary", an individual or government identified as a foreign 29 adversary in 15 CFR 7.4; 30 (6) "Foreign principal", any of the following: 31 (a) The government or any official of the government of a foreign adversary; 32 (b) A political party or member of a political party or any subdivision of a 33 political party of a foreign adversary; 34 (c) A partnership, association, corporation, organization, or other combination 35 of persons organized under the laws of or having its principal place of business in the 36 country of a foreign adversary, or a subsidiary of such entity, or owned or controlled 37 wholly or in part by any person, entity, or collection of persons or entities of a foreign 38 adversary; 39 (d) Any person who is domiciled in the country of a foreign adversary and is not 40 a citizen or lawful permanent resident of the United States; or 41 (e) Any person, entity, or collection of persons or entities, described in 42 paragraphs (a) to (d) having a controlling interest in a partnership, association, 43 corporation, organization, trust, or any other legal entity or subsidiary formed for the 44 purpose of owning real property; 45 (7) "Software", any program or routine, or any set of one or more programs or 46 routines, that is used or intended for use to cause one or more computers or pieces of 47 computer-related peripheral equipment, or any combination thereof, to perform a task 48 or set of tasks, as it relates to state infrastructure, or any operational software. 49 3. A company or other entity constructing, repairing, operating, or otherwise 50 having significant access to critical infrastructure shall not enter into an agreement 51 relating to critical infrastructure in this state with a foreign principal from the country 52 of a foreign adversary if the agreement would allow the foreign principal from a foreign 53 adversary country to directly or remotely access or control critical infrastructure in this 54 state. HB 1231 3
55 4. A governmental entity shall not enter into a contract or other agreement 56 relating to critical infrastructure in this state with a company that is a foreign principal 57 from a foreign adversary country if the agreement would allow the foreign principal 58 from a foreign adversary country to directly or remotely access or control critical 59 infrastructure in this state. 60 5. Notwithstanding subsections 3 and 4 of this section, an entity or governmental 61 entity may enter into a contract or agreement relating to critical infrastructure with a 62 foreign principal from a foreign adversary country or use products or services produced 63 by a foreign principal from a foreign adversary country if: 64 (1) There is no other reasonable option for addressing the need relevant to state 65 critical infrastructure; 66 (2) The contract is pre-approved by the department of public safety; and 67 (3) Not entering into such a contract or agreement would pose a greater threat to 68 the state than the threat associated with entering into the contract. 69 6. Before accessing critical infrastructure, a company shall file a certification 70 form with and pay a certification fee to the department of public safety. The 71 department of public safety shall develop a form to fulfill the requirements of this 72 subsection. 73 7. To maintain registration as a company with access to critical infrastructure, a 74 company shall: 75 (1) Identify all employee positions in the organization that have access to critical 76 infrastructure; 77 (2) Obtain from the department of public safety or private vendor, for each 78 employee that will have access to critical infrastructure, a criminal background check 79 and any other background information considered necessary by the company or 80 required by the department of public safety to protect critical infrastructure from 81 foreign adversary infiltration or interference; 82 (3) Prohibit foreign nationals from a foreign adversary nation from access to 83 critical infrastructure; 84 (4) Disclose any ownership of, partnership with, or control from any entity not 85 domiciled within the United States; 86 (5) Store and process all data generated by such critical infrastructure on 87 domestic servers; 88 (6) Not use cloud service providers or data centers that are foreign entities; 89 (7) Immediately report any cyber attack, security breach, or suspicious activity 90 to the department of public safety; and 91 (8) Be compliant with subsections 3 to 5 of this section. HB 1231 4
92 8. The department of public safety shall be notified by the owner of a critical 93 infrastructure installation of any proposed sale or transfer of or investment in such 94 critical infrastructure to an entity domiciled outside of the United States or an entity 95 with any foreign adversary ownership. 96 9. The department of public safety shall have no more than thirty days following 97 the notice to investigate the proposed sale, transfer, or investment. If the department of 98 public safety reasonably believes that such proposed sale, transfer, or investment will 99 threaten state critical infrastructure security, state economic security, state public 100 health, or any combination of those matters, the attorney general, on behalf of the 101 department of public safety, shall file a request for injunction opposing the proposed 102 sale, transfer, or investment with the supreme court of Missouri. 103 10. If the supreme court finds that such sale, transfer, or investment poses a 104 reasonable threat to state critical infrastructure security, state economic security, state 105 or national public health, or any combination of those matters, the supreme court shall 106 issue a denial of approval. 107 11. The department of public safety shall act to notify critical infrastructure 108 entities of known or suspected cyber threats, vulnerabilities, and adversarial activities in 109 order to: 110 (1) Identify and close similar exploits in similar critical infrastructure 111 installation or processes, especially after being notified of activity under subdivision 112 (7) of subsection 7 of this section; 113 (2) Maintain operation security and normal functioning of critical 114 infrastructure; and 115 (3) Protect the rights of private critical infrastructure entities, including by 116 reducing the extent to which trade secrets or other proprietary information is shared 117 between entities, to the extent that such precaution does not inhibit the ability of the 118 department of public safety to effectively communicate the threat of a known or 119 suspected exploit or adversarial activity. 120 12. All software used in state infrastructure located within or serving this state 121 shall not include any software produced by a company headquartered in and subject to 122 the laws of a foreign adversary or a company under the direction or control of a foreign 123 adversary. Any state infrastructure provider that removes, discontinues, or replaces 124 any prohibited software shall not be required to obtain any additional permits from any 125 state agency or political subdivision for the removal, discontinuance, or replacement of 126 such software as long as the state agency or political subdivision is properly notified of 127 the necessary replacements and the replacement software is similar to the existing 128 software. HB 1231 5
129 13. After August 28, 2025, a governmental entity or critical infrastructure 130 provider shall not knowingly enter into or renew a contract with a vendor if: 131 (1) The contracting vendor is owned by the government of a foreign adversary; 132 (2) The government of a foreign adversary has a controlling interest in the 133 contracting vendor; or 134 (3) The contracting vendor is selling a product produced by a government of a 135 foreign adversary, a company primarily domiciled in the country of a foreign adversary, 136 or a company owned or controlled by a company primarily domiciled in the country of a 137 foreign adversary. 138 14. After August 28, 2025, a governmental entity or critical infrastructure 139 provider shall not knowingly enter into or renew a contract with a vendor that is owned 140 by the government of a foreign adversary, primarily domiciled within the country of a 141 foreign adversary, owned or controlled by a company primarily domiciled in the 142 country of a foreign adversary, or in which the government of a foreign adversary has a 143 controlling interest for any of the following products or services: 144 (1) School bus infraction detection systems; 145 (2) Speed detection systems or traffic infraction detectors; 146 (3) Any camera system used for enforcing traffic laws; 147 (4) Video surveillance equipment or software technology; 148 (5) Light detection and ranging technology (LiDAR); and 149 (6) Wi-Fi routers or modem systems. 150 15. The department of public safety shall create a public listing of products and 151 companies prohibited under subsection 14 of this section for governmental entities and 152 critical infrastructure providers. 153 16. After August 28, 2025, each critical infrastructure provider in Missouri shall 154 certify to the department of public safety that they are in compliance with section 14 of 155 this section. 1.1410. 1. This section shall be known and may be cited as the "Missouri Secure 2 Communications Act." 3 2. As used in this section, the following terms mean: 4 (1) "Communications provider" any corporation, public or private, that 5 operates any system supporting the transmission of information of a user's choosing, 6 regardless of the transmission medium or technology employed, that connections to a 7 network permitting the end user to engage in communications including, but not limited 8 to, service provided directly to the public or to such classes of users as to be effectively 9 available directly to the public; HB 1231 6
10 (2) "Critical communications infrastructure", all physical broadband 11 infrastructure and equipment that supports the transmission of information of a 12 user's choosing, regardless of the transmission medium or technology employed, that 13 connects to a network that permits the end user to engage in communications including, 14 but not limited to, service provided directly to the public or to such classes of users as to 15 be effectively available to the public; 16 (3) "Federally banned corporation", any company or designated equipment 17 banned by the Federal Communications Commission including, but not limited to, any 18 equipment or service deemed to pose a threat to national security and identified on the 19 covered list developed as required in 47 CFR Section 1.50002 and published by the 20 Public Safety and Homeland Security Bureau of the Federal Communications 21 Commission as required in 47 U.S.C. 1601 et seq. 22 3. All critical communications infrastructure located within or serving this state 23 shall not include any equipment manufactured by a federally banned corporation. 24 4. All critical communications infrastructure in operation within or serving this 25 state, including any critical communications infrastructure that is not permanently 26 disabled, shall have all equipment prohibited by this section removed and replaced with 27 equipment not prohibited by this section. Any communications provider that removes, 28 discontinues, or replaces any prohibited communications equipment or service shall not 29 be required to obtain any additional permits from any state agency or political 30 subdivision for the removal, discontinuance, or replacement of such communications 31 equipment or service as long as the state agency or political subdivision is properly 32 notified of the necessary replacements and the replacement communications equipment 33 is similar to the existing communications equipment. 34 5. Any communications provider providing service in this state that utilizes 35 equipment from a federally banned corporation shall file a registration form with and 36 pay a registration fee to the public service commission before September 1, 2025, and on 37 January first of each subsequent year until such equipment is removed. The public 38 service commission shall create the form, which shall contain, at a minimum: 39 (1) The name, address, telephone number, and email address of each person with 40 managerial responsibility for operations in this state; and 41 (2) A certification of all instances of prohibited critical communications 42 equipment or services prohibited under subsection 3 to 5 of section 1.1400; if the 43 communications provider is a participant in the Federal Secure and Trusted 44 Communications Networks Reimbursement Program, established under 47 U.S.C. 45 Section 1601, et seq.; and the geographic coordinates of the areas served by such 46 prohibited equipment. HB 1231 7
47 6. A communications provider shall notify the commission of changes to any 48 information submitted under subsection 5 of this section within sixty days. 49 7. If, under subdivision (2) of subsection 5 of this section, a communications 50 provider certifies to the public service commission that it is a participant in the Federal 51 Secure and Trusted Communications Networks Reimbursement Program, established 52 under 47 U.S.C. Section 1601, et seq., the communications provider shall submit a status 53 report to the public service commission every quarter that details the communications 54 provider's compliance with the reimbursement program. 55 8. Any communications provider that violates this section shall be subject to a 56 fine of no less than five thousand dollars per day and no more than twenty-five thousand 57 dollars per day of noncompliance. Any communications provider that submits a false 58 registration form described in this section shall be subject to a fine of no less than ten 59 thousand dollars per day and no more than twenty thousand dollars per day of 60 noncompliance. 61 9. Any communications provider that fails to comply with this section is 62 prohibited from receiving any state or local funds for the development or support of 63 new or existing critical communications infrastructure, including the Missouri 64 communications universal service fund, and is prohibited from receiving any federal 65 funds subject to distribution by state or local governments for the development or 66 support of new or existing critical communications infrastructure. 67 10. The public service commission shall develop and publish, on a quarterly 68 basis, a map of known prohibited communications equipment within all 69 communications providers within or serving this state. The map shall: 70 (1) Clearly show the location of the prohibited equipment and the 71 communications area serviced by the prohibited equipment; 72 (2) Identify the communications provider responsible for the prohibited 73 equipment; 74 (3) Make clearly legible the areas serviced by the prohibited equipment; and 75 (4) Describe the nature of the prohibited equipment by stating, at minimum, the 76 prohibited equipment manufacturer and equipment type or purpose. ✔
Statutes affected: