Tennessee 2025-2026 Regular Session

Tennessee Senate Bill SB0378 Compare Versions

Version 1 (Old)

Version 2 (New)

Old	New		Differences
1	1
2		-	HOUSE BILL 549
3		-	By Cochran
	2	+	<BillNo> <Sponsor>
4	3
5	4		SENATE BILL 378
6	5		By Rose
7	6
8	7
9	8		SB0378
10	9		000268
11	10		- 1 -
12	11
13	12		AN ACT to amend Tennessee Code Annotated, Title 4,
14	13		relative to critical infrastructure.
15	14
16	15		BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF TENNESSEE:
17	16		SECTION 1. Tennessee Code Annotated, Title 4, is amended by adding the following
18	17		as a new chapter:
19	18		4-59-101.
20	19		(a) This chapter is known and may be cited as the "Tennessee Critical
21	20		Infrastructure Protection Act."
22	21		(b) The purpose of this chapter is to protect critical infrastructure in this state by
23	22		prohibiting foreign adversaries from accessing state critical infrastructure, assessing the
24	23		state's vulnerability to sanctioned communications equipment, and prohibiting the use of
25	24		adversary cameras and laser sensor technologies in this state's transportation systems.
26	25		4-59-102. As used in this chapter:
27	26		(1) "Company" means:
28	27		(A) A for-profit sole proprietorship, organization, association, corporation,
29	28		partnership, joint venture, limited partnership, limited liability partnership, or
30	29		limited liability company, including a wholly owned subsidiary, majority-owned
31	30		subsidiary, parent company, or affiliate of those entities or business associations
32	31		that exists to make a profit; or
33	32		(B) A nonprofit organization;
34	33		(2) "Critical infrastructure" means systems and assets, whether physical or
35	34		virtual, so vital to this state or the United States that the incapacity or destruction of such
	35	+	systems and assets would have a debilitating impact on state or national security, state
36	36
37	37
38	38		- 2 - 000268
39	39
40		-	systems and assets would have a debilitating impact on state or national security, state
41	40		or national economic security, state or national public health, or any combination of
42	41		those matters. A critical infrastructure may be publicly or privately owned, and includes,
43	42		but is not limited to:
44	43		(A) Gas and oil production, storage, or delivery systems;
45	44		(B) Water supply, refinement, storage, or delivery systems;
46	45		(C) Telecommunications networks;
47	46		(D) Electrical power delivery systems;
48	47		(E) Emergency services;
49	48		(F) Transportation systems and services; or
50	49		(G) Personal data or otherwise classified information storage systems,
51	50		including cybersecurity;
52	51		(3) "Cybersecurity" means an information system or nonpublic information stored
53	52		on an information system;
54	53		(4) "Department" means the department of commerce and insurance;
55	54		(5) "Domicile" means either the country in which a company is registered, or
56	55		where the company's affairs are primarily completed, or where the majority of ownership
57	56		share is held;
58	57		(6) "Foreign adversary" means those countries listed in 15 CFR 791.4, as
59	58		amended;
60	59		(7) "Foreign principal" means:
61	60		(A) The government or any official of the government of a foreign
62	61		adversary;
63	62		(B) A political party or member of a political party or any subdivision of a
64	63		political party of a foreign adversary;
65	64
66	65
67	66		- 3 - 000268
68	67
69	68		(C) A partnership, association, corporation, organization, or other
70	69		combination of persons organized under the laws of or having its principal place
71	70		of business in a foreign adversary, or a subsidiary of such entity, or owned or
72	71		controlled wholly or in part by a person, entity, or collection of persons or entities
73	72		of a foreign adversary;
74	73		(D) A person who is domiciled in a foreign adversary and is not a citizen
75	74		or lawful permanent resident of the United States; or
76	75		(E) A person, entity, or collection of persons or entities, described in
77	76		subdivisions (7)(A)-(D) having a controlling interest in a partnership, association,
78	77		corporation, organization, trust, or other legal entity or subsidiary formed for the
79	78		purpose of owning real property; and
80	79		(8) "Software" means a program or routine, or a set of one (1) or more programs
81	80		or routines that are used or intended for use to cause one (1) or more computers or
82	81		pieces of computer-related peripheral equipment, or any combination thereof, to perform
83	82		a task or set of tasks, as it relates to state infrastructure, or operational software.
84	83		4-59-103.
85	84		(a) A company or other entity that constructs, repairs, operates, or otherwise has
86	85		significant access to critical infrastructure shall not enter into an agreement relating to
87	86		critical infrastructure in this state with a foreign principal from a foreign adversary country
88	87		if the agreement would allow such foreign principal to directly or remotely access or
89	88		control critical infrastructure in this state.
90	89		(b) A governmental entity shall not enter into a contract or other agreement
91	90		relating to critical infrastructure in this state with a company that is a foreign principal
92	91		from a foreign adversary country if the agreement would allow such foreign principal to
93	92		directly or remotely access or control critical infrastructure in this state.
94	93
95	94
96	95		- 4 - 000268
97	96
98	97		(c) Notwithstanding subsections (a) and (b), a governmental or non-
99	98		governmental entity may enter into a contract or agreement relating to critical
100	99		infrastructure with a foreign principal from a foreign adversary country or use products or
101	100		services produced by such foreign principal if:
102	101		(1) There is no other reasonable option for addressing the need relevant
103	102		to state critical infrastructure;
104	103		(2) The contract is pre-approved by the department of finance and
105	104		administration; and
106	105		(3) Not entering into such a contract or agreement would pose a greater
107	106		threat to the state than the threat associated with entering into the contract.
108	107		4-59-104.
109	108		(a) In order to access critical infrastructure, a company must file a certification
110	109		form with and pay a certification fee to the department on a registration form created by
111	110		the department.
112	111		(b) To maintain registration as a company with access to critical infrastructure, a
113	112		company must:
114	113		(1) Identify all employee positions in the organization that have access to
115	114		critical infrastructure;
116	115		(2) Before hiring a person described in subsection (a) or allowing such
117	116		person to continue to have access to critical infrastructure, obtain from the
118	117		department of safety or a private vendor the:
119	118		(A) Criminal history of the prospective employee; and
120	119		(B) Any other background information considered necessary by
121	120		the company or required by the department to protect critical
122	121		infrastructure from foreign adversary infiltration or interference;
123	122
124	123
125	124		- 5 - 000268
126	125
127	126		(3) Prohibit foreign nationals from an adversary nation from having
128	127		access to critical infrastructure;
129	128		(4) Disclose any ownership of, partnership with, or control from an entity
130	129		not domiciled within the United States;
131	130		(5) Store and process all data generated by such critical infrastructure on
132	131		domestic servers;
133	132		(6) Not use cloud service providers or data centers that are foreign
134	133		entities;
135	134		(7) Immediately report any cyberattack, security breach, or suspicious
136	135		activity to the department; and
137	136		(8) Be in compliance with § 4-59-103.
138	137		(c) The department shall set the fee in an amount sufficient to cover the costs of
139	138		administering the certification process, however such fee may not exceed one hundred
140	139		fifty dollars ($150).
141	140		(d) The department shall revoke the certification of a company that is not in
142	141		compliance with this section.
143	142		4-59-105.
144	143		(a) An owner of a critical infrastructure installation shall notify the department of
145	144		a proposed sale or transfer of such critical infrastructure to, or investment in such critical
146	145		infrastructure by, an entity domiciled outside of the United States or an entity with any
147	146		foreign adversary ownership.
148	147		(b) The department has thirty (30) days from the receipt of the notice required in
149	148		subsection (a) to investigate the proposed sale, transfer, or investment therein. If the
150	149		department reasonably determines that the proposed sale or transfer of, or investment
151	150		in, critical infrastructure is a threat to state critical infrastructure security, state economic
152	151
153	152
154	153		- 6 - 000268
155	154
156	155		security, state public health, or any combination of those matters, then the attorney
157	156		general and reporter shall file a request for an injunction opposing the proposed sale,
158	157		transfer, or investment on behalf of the department. Upon a finding by a court that such
159	158		sale, transfer, or investment poses a reasonable threat to state critical infrastructure
160	159		security, state economic security, state or national public health, or any combination of
161	160		those matters, then the court shall permanently enjoin the proposed sale, transfer, or
162	161		investment.
163	162		(c)
164	163		(1) The department shall notify critical infrastructure entities of known or
165	164		suspected cyber threats, vulnerabilities, and adversarial activities to:
166	165		(A) Identify and close similar threats, vulnerabilities, and activities
167	166		in like critical infrastructure installations or processes, in accordance with
168	167		§ 4-59-104(b)(7); and
169	168		(B) Maintain operational security and normal functioning of critical
170	169		infrastructure.
171	170		(2) The notification given pursuant to this subsection (c) is intended to
172	171		protect the rights of private critical infrastructure entities by reducing the extent to
173	172		which trade secrets or other proprietary information is shared between entities, to
174	173		the extent that such precaution does not inhibit the ability of the department to
175	174		effectively communicate the threat of a known or suspected exploit or adversarial
176	175		activity.
177	176		4-59-106.
178	177		(a) No software used in state infrastructure located within or serving this state
179	178		shall include software produced by a company headquartered in and subject to the laws
180	179
181	180
182	181		- 7 - 000268
183	182
184	183		of a foreign adversary, or a company under the direction or control of a foreign
185	184		adversary.
186	185		(b) All software used in state infrastructure in operation within or serving this
187	186		state, including state infrastructure that is not permanently disabled, must comply with §
188	187		4-59-105.
189	188		(c) Any state infrastructure provider that removes, discontinues, or replaces any
190	189		prohibited software shall not be required to obtain additional permits from a state agency
191	190		or political subdivision for the removal, discontinuance, or replacement of such software
192	191		as long as the state agency or political subdivision is properly notified of the necessary
193	192		replacements and such agency or subdivision can reasonably determine that the
194	193		replacement software is similar to the existing software.
195	194		4-59-107.
196	195		(a) On or after July 1, 2025, a governmental entity or critical infrastructure
197	196		provider shall not knowingly enter into or renew a contract with a contracting vendor of a
198	197		school bus infraction detection system, speed detection system, traffic infraction
199	198		detector, or other camera system used for enforcing traffic if:
200	199		(1) The contracting vendor is owned by the government of a foreign
201	200		adversary;
202	201		(2) The government of a foreign adversary has a controlling interest in
203	202		the contracting vendor; or
204	203		(3) The contracting vendor is selling a product produced by a
205	204		government of a foreign adversary, a company primarily domiciled in a foreign
206	205		adversary, or a company owned or controlled by a company primarily domiciled
207	206		in a foreign adversary.
208	207
209	208
210	209		- 8 - 000268
211	210
212	211		(b) On or after July 1, 2025, a governmental entity shall not knowingly enter into
213	212		or renew a contract with a Light Detection and Ranging (LiDAR) technology provider if:
214	213		(1) The contracting vendor is owned by the government of a foreign
215	214		adversary;
216	215		(2) The government of a foreign adversary has a controlling interest in
217	216		the contracting vendor; or
218	217		(3) The contracting vendor is selling a product produced by a
219	218		government of a foreign adversary, a company primarily domiciled in a foreign
220	219		adversary, or a company owned or controlled by a company primarily domiciled
221	220		in a foreign adversary.
222	221		(c) On or after July 1, 2025, the department of safety shall create a public listing
223	222		of prohibited traffic camera and Light Detection and Ranging (LiDAR) technologies for
224	223		governmental entities and critical infrastructure providers.
225	224		4-59-108.
226	225		(a) On or after July 1, 2025, a governmental entity shall not knowingly enter into
227	226		or renew a contract with a contracting vendor of a Wi-Fi router or modem system if:
228	227		(1) The contracting vendor is owned by the government of a foreign
229	228		adversary;
230	229		(2) The government of a foreign adversary has a controlling interest in
231	230		the contracting vendor; or
232	231		(3) The contracting vendor is selling a product produced by a
233	232		government of a foreign adversary, a company primarily domiciled in a foreign
234	233		adversary, or a company owned or controlled by a company primarily domiciled
235	234		in a foreign adversary.
236	235
237	236
238	237		- 9 - 000268
239	238
240	239		(b) On or after July 1, 2025, every critical infrastructure provider in this state
241	240		shall certify to the department that it does not use a Wi-Fi router or modem system:
242	241		(1) Produced by a company that is owned by the government of a foreign
243	242		adversary;
244	243		(2) Produced by a company in which a foreign adversary has a
245	244		controlling interest; or
246	245		(3) Produced by a company primarily domiciled in a foreign adversary, or
247	246		a company owned or controlled by a company primarily domiciled in a foreign
248	247		adversary.
249	248		(c) On or after July 1, 2025, the department shall create, maintain, and update a
250	249		public listing of prohibited Wi-Fi router and modem system technologies for government
251	250		entities and critical infrastructure providers.
252	251		4-59-109.
253	252		(a) A communications provider providing service in this state and that still utilizes
254	253		equipment from a federally banned corporation in providing service to this state shall file
255	254		a registration form with and pay a registration fee to the department by September 1,
256	255		2025, and on January 1 on each year thereafter. The communications provider shall
257	256		register with the department prior to providing service. The department shall prescribe
258	257		the registration form to be filed pursuant to this section.
259	258		(b) A communications provider shall provide the department with the name,
260	259		address, telephone number, and email address of a person with managerial
261	260		responsibility for the operations.
262	261		(c) A communications provider shall:
263	262
264	263
265	264		- 10 - 000268
266	265
267	266		(1) Submit a registration fee at the time of submission of the registration
268	267		form. The department shall set the fee in an amount sufficient to cover the costs
269	268		of administering the registration process but not to exceed fifty dollars ($50.00);
270	269		(2) Keep the information required by this section current and notify the
271	270		commission of any changes to such information within sixty (60) days after the
272	271		change; and
273	272		(3) Certify to the department by January 1 each year all instances of
274	273		prohibited critical communications equipment or services covered under Section
275	274		3 of this act if the communications provider is a participant in the Federal Secure
276	275		and Trusted Communications Networks Reimbursement Program, established by
277	276		the federal Secure and Trusted Communications Networks Act of 2019, 47
278	277		U.S.C. § 1601 et seq., along with the geographic coordinates of the areas served
279	278		by such prohibited equipment.
280	279		(d) If a communications provider certifies to the department that the provider is a
281	280		participant in the federal Secure and Trusted Communications Networks Reimbursement
282	281		Program pursuant to subdivision (c)(3), then the provider shall submit a status report to
283	282		the department every quarter to prove the provider's compliance with the reimbursement
284	283		program.
285	284		(e) The department shall issue an administrative fine to a communications
286	285		provider who:
287	286		(1) Violates this section, with the fine to be not less than five thousand
288	287		dollars ($5,000) and not greater than twenty-five thousand dollars ($25,000) for
289	288		each day of noncompliance; and
290	289
291	290
292	291		- 11 - 000268
293	292
294	293		(2) Knowingly submits a false registration form described in this section,
295	294		with the fine to be not less than ten thousand dollars ($10,000) and not greater
296	295		than twenty thousand dollars ($20,000) for each day of noncompliance.
297	296		(f) A communications provider who fails to comply with this section is prohibited
298	297		from receiving any state or local funds for the development or support of new or existing
299	298		critical communications infrastructure, including the Tennessee communications
300	299		universal service fund, and is prohibited from receiving any federal funds subject to
301	300		distribution by state or local governments for the development or support of new or
302	301		existing critical communications infrastructure.
303	302		(g) The department shall develop and publish, on a quarterly basis, a map of
304	303		known prohibited communications equipment as covered in this chapter within all
305	304		communications within or serving this state. The map must:
306	305		(1) Clearly indicate the location of the prohibited equipment and the
307	306		communications area serviced by the prohibited equipment;
308	307		(2) Identify the communications provider who owns or is otherwise
309	308		responsible for the prohibited equipment;
310	309		(3) Make clearly legible the areas serviced by the prohibited equipment;
311	310		and
312	311		(4) Describe the nature of the prohibited equipment by stating, at a
313	312		minimum, the prohibited equipment manufacturer and equipment type or
314	313		purpose.
315	314		SECTION 2. If any provision of this act or its application to any person or circumstance
316	315		is held invalid, then the invalidity does not affect other provisions or applications of the act that
317	316		can be given effect without the invalid provision or application, and to that end, the provisions of
318	317		this act are severable.
319	318
320	319
321	320		- 12 - 000268
322	321
323	322		SECTION 3. This act takes effect July 1, 2025, the public welfare requiring it.