This bill enacts the "Tennessee Critical Infrastructure Protection Act," the purpose of which is to protect critical infrastructure in this state by prohibiting foreign adversaries from accessing state critical infrastructure, assessing the state's vulnerability to sanctioned communications equipment, and prohibiting the use of adversary cameras and laser sensor technologies in this state's transportation systems. As used in this bill, "critical infrastructure" means systems and assets, whether physical or virtual, so vital to this state or the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on state or national security, state or national economic security, state or national public health, or any combination of those matters. A critical infrastructure may be publicly or privately owned, and includes, but is not limited to (i) gas and oil production, storage, or delivery systems; (ii) water supply, refinement, storage, or delivery systems; (iii) telecommunications networks; (iv) electrical power delivery systems; (v) emergency services; (vi) transportation systems and services; or (vii) personal data or otherwise classified information storage systems, including cybersecurity. As used in this bill, a "foreign adversary" means those countries listed in 15 CFR 791.4, as amended, which, as of the preparation of this summary, includes the People's Republic of China, including the Hong Kong Special Administrative Region and the Macau Special Administrative Region (China); the Republic of Cuba (Cuba); the Islamic Republic of Iran (Iran); the Democratic People's Republic of Korea (North Korea); and the Russian Federation (Russia). This bill generally prohibits a company or other entity that constructs, repairs, operates, or otherwise has significant access to critical infrastructure from entering into an agreement relating to critical infrastructure in this state with a foreign principal from a foreign adversary country if the agreement would allow such foreign principal to directly or remotely access or control critical infrastructure in this state. This bill generally prohibits a governmental entity from entering into a contract or other agreement relating to critical infrastructure in this state with a company that is a foreign principal from a foreign adversary country if the agreement would allow such foreign principal to directly or remotely access or control critical infrastructure in this state. However, this bill authorizes a governmental or non-governmental entity to enter into a contract or agreement relating to critical infrastructure with a foreign principal from a foreign adversary country or use products or services produced by such foreign principal if (i) there is no other reasonable option for addressing the need relevant to state critical infrastructure; (ii) the contract is pre-approved by the department of finance and administration; and (iii) not entering into such a contract or agreement would pose a greater threat to the state than the threat associated with entering into the contract. CERTIFICATION REQUIRED In order to access critical infrastructure, this bill requires a company to file a certification form with and pay a certification fee to the department of commerce and insurance ("department") on a registration form created by the department. In order to maintain registration as a company with access to critical infrastructure, a company must comply with all of the following.  Identify all employee positions in the organization that have access to critical infrastructure.  Before hiring such a person or allowing such a person to continue to have access to critical infrastructure, obtain from the department of safety or a private vendor the criminal history of the prospective employee and any other background information considered necessary by the company or required by the department to protect critical infrastructure from foreign adversary infiltration or interference.  Prohibit foreign nationals from an adversary nation from having access to critical infrastructure.  Disclose any ownership of, partnership with, or control from an entity not domiciled within the United States.  Store and process all data generated by such critical infrastructure on domestic servers.  Not use cloud service providers or data centers that are foreign entities.  Immediately report any cyberattack, security breach, or suspicious activity to the department.  Be in compliance with this bill. This bill requires the department to set the fee in an amount sufficient to cover the costs of administering the certification process. However, such fee must not exceed $150. This bill requires the department to revoke the certification of a company that is not in compliance with the provisions under this heading. NOTIFICATION AND INVESTIGATION This bill requires an owner of a critical infrastructure installation to notify the department of a proposed sale or transfer of such critical infrastructure to, or investment in such critical infrastructure by, an entity domiciled outside of the United States or an entity with any foreign adversary ownership. This bill provides that the department has 30 days from the receipt of the notice to investigate the proposed sale, transfer, or investment therein. If the department reasonably determines that the proposed sale or transfer of, or investment in, critical infrastructure is a threat to state critical infrastructure security, state economic security, state public health, or any combination of those matters, then the attorney general must file a request for an injunction opposing the proposed sale, transfer, or investment on behalf of the department. Upon a finding by a court that such sale, transfer, or investment poses a reasonable threat to state critical infrastructure security, state economic security, state or national public health, or any combination of those matters, then the court must permanently enjoin the proposed sale, transfer, or investment. This bill requires the department to notify critical infrastructure entities of known or suspected cyber threats, vulnerabilities, and adversarial activities to (i) identify and close similar threats, vulnerabilities, and activities in like critical infrastructure installations or processes; and (ii) maintain operational security and normal functioning of critical infrastructure. The notification given is intended to protect the rights of private critical infrastructure entities by reducing the extent to which trade secrets or other proprietary information is shared between entities, to the extent that such precaution does not inhibit the ability of the department to effectively communicate the threat of a known or suspected exploit or adversarial activity. SOFTWARE This bill prohibits software used in state infrastructure located within or serving this state from including software produced by a company headquartered in and subject to the laws of a foreign adversary, or a company under the direction or control of a foreign adversary. All software used in state infrastructure in operation within or serving this state, including state infrastructure that is not permanently disabled, must comply with this bill. This bill prohibits any state infrastructure provider that removes, discontinues, or replaces any prohibited software from being required to obtain additional permits from a state agency or political subdivision for the removal, discontinuance, or replacement of such software as long as the state agency or political subdivision is properly notified of the necessary replacements and such agency or subdivision can reasonably determine that the replacement software is similar to the existing software. VENDOR OF A SCHOOL BUS SYSTEMS On or after July 1, 2025, this bill prohibits a governmental entity or critical infrastructure provider from knowingly entering into or renewing a contract with a contracting vendor of a school bus infraction detection system, speed detection system, traffic infraction detector, or other camera system used for enforcing traffic if (i) the contracting vendor is owned by the government of a foreign adversary; (ii) the government of a foreign adversary has a controlling interest in the contracting vendor; or (iii) the contracting vendor is selling a product produced by a government of a foreign adversary, a company primarily domiciled in a foreign adversary, or a company owned or controlled by a company primarily domiciled in a foreign adversary. LIGHT DETECTION AND RANGING (LiDAR) TECHNOLOGY PROVIDER On or after July 1, 2025, this bill prohibits a governmental entity from knowingly entering into or renewing a contract with a LiDAR technology provider if (i) the contracting vendor is owned by the government of a foreign adversary; (ii) the government of a foreign adversary has a controlling interest in the contracting vendor; or (iii) the contracting vendor is selling a product produced by a government of a foreign adversary, a company primarily domiciled in a foreign adversary, or a company owned or controlled by a company primarily domiciled in a foreign adversary. On or after July 1, 2025, this bill requires the department of safety to create a public listing of prohibited traffic camera and Light Detection and Ranging (LiDAR) technologies for governmental entities and critical infrastructure providers. VENDOR OF A WI-FI ROUTER OR MODEM SYSTEM On or after July 1, 2025, this bill prohibits a governmental entity from knowingly entering into or renewing a contract with a contracting vendor of a Wi-Fi router or modem system if (i) the contracting vendor is owned by the government of a foreign adversary; (ii) the government of a foreign adversary has a controlling interest in the contracting vendor; or (iii) the contracting vendor is selling a product produced by a government of a foreign adversary, a company primarily domiciled in a foreign adversary, or a company owned or controlled by a company primarily domiciled in a foreign adversary. On or after July 1, 2025, this bill requires every critical infrastructure provider in this state to certify to the department that it does not use a Wi-Fi router or modem system (i) produced by a company that is owned by the government of a foreign adversary; (ii) produced by a company in which a foreign adversary has a controlling interest; or (iii) produced by a company primarily domiciled in a foreign adversary, or a company owned or controlled by a company primarily domiciled in a foreign adversary. On or after July 1, 2025, this bill requires the department to create, maintain, and update a public listing of prohibited Wi-Fi router and modem system technologies for government entities and critical infrastructure providers. COMMUNICATIONS PROVIDER This bill requires a communications provider providing service in this state and that still utilizes equipment from a federally banned corporation in providing service to this state to file a registration form with and pay a registration fee to the department by September 1, 2025, and on January 1 on each year thereafter. The communications provider must register with the department prior to providing service. The department must prescribe the registration form to be filed pursuant to this section. This bill requires a communications provider to provide the department with the name, address, telephone number, and email address of a person with managerial responsibility for the operations. A communications provider must do all of the following:  Submit a registration fee at the time of submission of the registration form. The department must set the fee in an amount sufficient to cover the costs of administering the registration process but not to exceed $50.  Keep the information required by this section current and notify the commission of any changes to such information within 60 days after the change.  Certify to the department by January 1 each year all instances of prohibited critical communications equipment or services covered under this bill if the communications provider is a participant in the Federal Secure and Trusted Communications Networks Reimbursement Program, established by the federal Secure and Trusted Communications Networks Act of 2019, along with the geographic coordinates of the areas served by such prohibited equipment. If a communications provider certifies to the department that the provider is a participant in the federal Secure and Trusted Communications Networks Reimbursement Program pursuant to this bill, then this bill requires the provider to submit a status report to the department every quarter to prove the provider's compliance with the reimbursement program. This bill requires the department to issue an administrative fine to a communications provider who (i) violates the provisions under this heading, with the fine to be not less than $5,000 and not greater than $25,000 for each day of noncompliance; and (ii) knowingly submits a false registration form described in this section, with the fine to be not less than $10,000 and not greater than $20,000 for each day of noncompliance. This bill provides that a communications provider who fails to comply with the provisions under this heading is prohibited from receiving any state or local funds for the development or support of new or existing critical communications infrastructure, including the Tennessee communications universal service fund, and is prohibited from receiving any federal funds subject to distribution by state or local governments for the development or support of new or existing critical communications infrastructure. This bill requires the department to develop and publish, on a quarterly basis, a map of known prohibited communications equipment as covered in this chapter within all communications within or serving this state. The map must (i) clearly indicate the location of the prohibited equipment and the communications area serviced by the prohibited equipment; (ii) identify the communications provider who owns or is otherwise responsible for the prohibited equipment; (iii) make clearly legible the areas serviced by the prohibited equipment; and (iv) describe the nature of the prohibited equipment by stating, at a minimum, the prohibited equipment manufacturer and equipment type or purpose.