1. The provisions of this section shall be known and may be cited as the “Missouri Cybersecurity Act”.

2. There is hereby established within the department of public safety the “Missouri Cybersecurity Commission”. The commission shall have as its purpose identifying risk to and vulnerability of the state and critical infrastructure with regard to cyber attacks of any nature from within or outside the United States and advising the governor on such matters. The commission shall consist of the following members:

(1) Eight members to be appointed by the governor, one from each congressional district, with four members from each party;

(2) The state chief information officer as designated by the governor and commissioner of the office of administration;

(3) One representative of the Missouri state highway patrol, ex officio;

(4) One representative of the state emergency management agency, ex officio; and

(5) One representative of the Missouri national guard, ex officio.

­­

­

No more than five of the nine members appointed by the governor shall be of the same political party. To be eligible for appointment by the governor, a person shall have demonstrated expertise in cybersecurity or experience in a field that directly correlates to a need of the state relating to cyber defense. The membership of the commission shall reflect both private sector and public sector expertise and experience in cybersecurity. Appointed members of the commission shall serve three-year terms, except that of the initial appointments made by the governor, three shall be for one-year terms, three shall be for two-year terms, and three shall be for three-year terms. No appointed member of the commission shall serve more than six years total. Any vacancy on the commission shall be filled in the same manner as the original appointment.

3. The members of the commission shall serve without compensation, but shall be reimbursed for the actual and necessary expenses incurred in the discharge of the members’ official duties.

4. A chair of the commission shall be selected by the members of the commission.

5. The department of public safety shall furnish administrative support and staff for the effective operation of the commission.

6. The commission shall meet at least quarterly and at such other times as the chair deems necessary.

7. The commission shall be funded by an appropriation limited to that purpose. Any expenditure constituting more than ten percent of the commission’s annual appropriation shall be based on a competitive bid process.

8. The commission shall:

(1) Advise the governor on the state of cybersecurity in the state of Missouri;

(2) Solicit data from state agencies, political subdivisions of the state, public institutions of higher education, and public schools relating to cybersecurity;

(3) Make recommendations to reduce the state’s risk of cyber attack and to identify best practices for the state to work offensively against cyber threats.

9. State agencies, public institutions of higher education, and public schools shall provide any data requested by the commission under this section unless such information is protected from disclosure under chapter 610 or is required to be kept confidential under a code of ethics from a profession licensed in the state. The provisions of this section shall not be construed to compel private sector organizations to provide information or data to the commission.

10. The commission shall prepare and present an annual report to the governor by December thirty-first of each year. Any content from the report protected under section 610.021, including any cybersecurity vulnerabilities identified by the commission, shall be held confidential.