H.R. 1219: Food and Agriculture Industry Cybersecurity Support Act


The text of the bill below is as of Feb 27, 2023 (Introduced).


I

118th CONGRESS

1st Session

H. R. 1219

IN THE HOUSE OF REPRESENTATIVES

February 27, 2023

(for himself, Mr. Veasey, Mr. Curtis, and Ms. Matsui) introduced the following bill; which was referred to the Committee on Energy and Commerce, and in addition to the Committee on Agriculture, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned

A BILL

To establish a food and agriculture cybersecurity clearinghouse in the National Telecommunications and Information Administration, and for other purposes.

1.

Short title

This Act may be cited as the “Food and Agriculture Industry Cybersecurity Support Act”.

2.

NTIA food and agriculture cybersecurity clearinghouse

(a)

NTIA food and agriculture cybersecurity clearinghouse

(1)

Establishment

(A)

In general

Not later than 180 days after the date of the enactment of this Act, the Assistant Secretary shall establish in the NTIA a food and agriculture cybersecurity clearinghouse (in this section referred to as the “clearinghouse”).

(B)

Requirements

The clearinghouse shall—

(i)

be publicly available online;

(ii)

contain current, relevant, and publicly available food and agriculture industry focused cybersecurity resources, including the recommendations described in paragraph (2), and any other appropriate materials for reference by entities that develop products with potential security vulnerabilities for the food and agriculture industry;

(iii)

contain a mechanism for individuals or entities in the food and agriculture industry to request in-person or virtual support from the NTIA or, if appropriate, a cooperating agency for cybersecurity related issues;

(iv)

contain a Frequently Asked Questions (FAQ) section, updated at least annually, with answers to the top 20 most frequently asked questions relevant to the cybersecurity of the food and agriculture industry; and

(v)

include materials specifically aimed at assisting small business concerns and non-technical users in the food and agriculture industry with critical cybersecurity protections related to the food and agriculture industry, including recommendations on how to respond to a ransomware attack and resources for additional information, including the Stop Ransomware site hosted by the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security.

(C)

Existing platform or website

The Assistant Secretary may establish the clearinghouse on an online platform or a website that is in existence as of the date of the enactment of this Act.

(2)

Consolidation of food and agriculture industry cybersecurity recommendations

(A)

In general

The Assistant Secretary, in consultation with the Administrator of the Farm Service Agency of the Department of Agriculture and relevant Sector Risk Management Agencies, shall consolidate public and private sector best practices to produce a set of voluntary cybersecurity recommendations relating to the development, maintenance, and operation of the food and agriculture industry.

(B)

Requirements

The recommendations consolidated under subparagraph (A) shall include, to the greatest extent practicable, materials addressing the following:

(i)

Risk-based, cybersecurity-informed engineering, including continuous monitoring and resiliency.

(ii)

Planning for retention or recovery of positive control of systems in the food and agriculture industry in the event of a cybersecurity incident.

(iii)

Protection against unauthorized access to critical functions of the food and agriculture industry.

(iv)

Cybersecurity against threats to products of the food and agriculture industry throughout the lifetimes of such products.

(v)

How businesses in the food and agriculture industry should respond to ransomware attacks, including details on the legal obligations of such businesses in the event of such an attack, including reporting requirements and Federal resources for support.

(vi)

Any other recommendations to ensure the confidentiality, availability, and integrity of data residing on or in transit through systems in the food and agriculture industry.

(3)

Implementation

In implementing this subsection, the Assistant Secretary shall—

(A)

to the extent practicable, consult with the private sector;

(B)

consult with non-Federal entities developing equipment and systems utilized in the food and agriculture industry, including private, consensus organizations that develop relevant standards;

(C)

consult with the Director of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security;

(D)

consult with food and agriculture industry trade groups;

(E)

consult with relevant Sector Risk Management Agencies;

(F)

consult with civil society organizations;

(G)

consult with the Administrator of the Small Business Administration; and

(H)

consider the development of an advisory board to advise the Assistant Secretary on implementing this subsection, including the collection of data through the clearinghouse and the disclosure of such data.

(b)

Study

(1)

In general

The Comptroller General of the United States shall conduct a study on the actions the Federal Government has taken or may take to improve the cybersecurity of the food and agriculture industry.

(2)

Report

Not later than 90 days after the date of the enactment of this Act, the Comptroller General of the United States shall submit to Congress a report on the study conducted under paragraph (1), which shall include information on the following:

(A)

The effectiveness of efforts of the Federal Government to improve the cybersecurity of the food and agriculture industry.

(B)

The resources made available to the public, as of the date of such submission, by Federal agencies to improve the cybersecurity of the food and agriculture industry, including to address cybersecurity risks and cybersecurity threats to the food and agriculture industry.

(C)

The extent to which Federal agencies coordinate or duplicate authorities and take other actions for the improvement of the cybersecurity of the food and agriculture industry.

(D)

Whether there is an appropriate plan in place to prevent or adequately mitigate the risks of a coordinated attack on the food and agriculture industry.

(E)

The advantages and disadvantages of creating a food and agriculture industry specific Information Sharing and Analysis Center (ISAC), including required actions by the Federal Government and expected costs to the Federal Government to create such an organization and potential industry and civil society partners who could operate such an organization.

(F)

The advantages and disadvantages of the creation by the Assistant Secretary of a database containing a software bill of materials (SBOM) for the most common internet-connected hardware and software applications used in the food and agriculture industry and recommendations for how the Assistant Secretary can maintain and update such database.

(3)

Coordination

In carrying out paragraphs (1) and (2), the Comptroller General of the United States shall coordinate with appropriate Federal agencies, including the following:

(A)

The Department of Health and Human Services.

(B)

The Department of Commerce.

(C)

The Department of Agriculture.

(D)

The Federal Communications Commission.

(E)

The Department of Energy.

(F)

The Small Business Administration.

(4)

Process for studying creation of ISAC

In studying the advantages and disadvantages of creating a food and agriculture industry specific Information Sharing and Analysis Center for purposes of including in the report required by paragraph (2) the information required by subparagraph (E) of such paragraph, the Comptroller General shall convene stakeholders that include civil society organizations, individual food and agriculture producers, and the Federal agencies described in paragraph (3).

(5)

Briefing

Not later than 90 days after the date on which the Comptroller General of the United States submits the report under paragraph (2), the Comptroller General shall provide to Congress a briefing regarding such report.

(6)

Classification

The report under paragraph (2) shall be unclassified but may include a classified annex.

(c)

Definitions

In this section:

(1)

Assistant Secretary

The term “Assistant Secretary” means the Assistant Secretary of Commerce for Communications and Information.

(2)

Cybersecurity risk

The term “cybersecurity risk” has the meaning given such term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).

(3)

Cybersecurity threat

The term “cybersecurity threat” has the meaning given such term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).

(4)

Food and agriculture industry

The term “food and agriculture industry” means—

(A)

equipment and systems utilized in the food and agriculture supply chain, such as computer vision algorithms for precision agriculture, grain silos, and related food and agriculture storage infrastructure;

(B)

food and agriculture goods processors, growers, and distributors; and

(C)

information technology systems of businesses engaged in farming, ranching, planting, harvesting, food and agriculture product storage, food or animal genetic modification, the design or production of agrochemicals, or the design or production of food and agriculture tools.

(5)

Incident

The term “incident” has the meaning given such term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).

(6)

NTIA

The term “NTIA” means the National Telecommunications and Information Administration.

(7)

Sector Risk Management Agency

The term “Sector Risk Management Agency” has the meaning given such term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).

(8)

Security vulnerability

The term “security vulnerability” has the meaning given such term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).

(9)

Small business concern

The term “small business concern” means a small business concern described in section 3 of the Small Business Act (15 U.S.C. 632).

(10)

Software bill of materials

The term “software bill of materials” has the meaning given such term in section 10 of Executive Order 14028 (86 Fed. Reg. 26633; relating to improving the Nation’s cybersecurity).

(d)

Sunset

This section shall have no force or effect after the date that is 7 years after the date of the enactment of this Act.