S 2866 Introduced – Ag Cybersecurity
Earlier this month Sen Budd (R,NC) introduced S 2866, the Cybersecurity in Agriculture Act of 2025. The bill would require the National Institute of Food and Agriculture (NIFA) to establish five Regional Agriculture Cybersecurity Centers (RACC) to carry out research, development, and education on agriculture cybersecurity. The bill would amend the National Agricultural Research, Extension, and Teaching Policy Act of 1977, adding a new §1473I. The bill would authorize $25 million in annual spending to support the Centers through 2030.
The bill is similar to similar to HR 4387, the Cybersecurity in Agriculture Act of 2023, that was introduced in the House in June of 2023 by Rep Nunn (R,LA). No action was taken on that bill in the 118th Congress. Most of the differences are editorial (format and word changes) in nature with the exception of the addition of paragraph (b)(9) which would require that the described cybersecurity activities are specifically designed to prevent cyberattacks from the usual nation-state suspects.
Definitions
A single term is defined in the new subsection (c); ‘eligible entity’.
There are no definitions of key cybersecurity terms used in the new section. At the very least the terms ‘cybersecurity threat’, ‘cybersecurity test bed’, and ‘security operations center’ should be defined. The term ‘cybersecurity threat’ could be defined by reference to 6 USC 650(8).
Cybersecurity Centers
The RACC’s would be required to:
Conduct research on cybersecurity systems for the agriculture sector, including developing cybersecurity situational awareness systems to monitor cybersecurity threats, intrusions, and anomalies,
Develop a security operations center for the agriculture sector to analyze cybersecurity threats, intrusions, and anomalies and to recommend mitigation actions,
Develop cybersecurity technologies and tools for the agricultural sector, including domain-specific intrusion and anomaly detection systems, domain-specific intrusion prevention systems, domain specific role-based access control and user authentication systems, lightweight device authentication protocols, and secure network architectures,
Build live cybersecurity testbeds to assess and refine cybersecurity technologies, tools, and systems developed, and conduct training for the agricultural sector,
Conduct attack/defense exercises to validate and evaluate cybersecurity solutions for field deployment and agriculture industry adoption,
Develop cybersecurity education and training programs for agricultural stakeholders, and
Build a regional research and development collaboration network.
Ensure that programs are specifically designed to prevent cyberattacks from China, North Korea, Russia, Iran, and other states that the Secretary determines to be appropriate.
Moving Forward
Neither Budd, nor his sole cosponsor, Sen Cortez-Masto (D,NV), are members of the Senate Agriculture, Nutrition, and Forestry Committee to which this bill was assigned for consideration. This means that there will probably not be sufficient influence to see the bill considered in committee. I suspect that there would be some level of bipartisan support for this bill in Committee, but the bill would not be considered in the Senate under regular order, it is not politically important enough to commit to the time necessary for that process. This bill would likely receive objection from one of the fiscal conservatives, because of the spending authorization, if it were offered under the unanimous consent process. The language could be offered as an amendment to an agricultural spending or authorization bill.
Commentary
There is one major deficiency in this bill, it lacks any mention of cybersecurity vulnerabilities in agricultural systems. The RACCs should conduct vulnerability research, act as vulnerability disclosure coordinators for agricultural systems, and coordinate with CISA’s NCCIC in publishing advisories about reported vulnerabilities.
To support those vulnerability related efforts, I would add a new §1473I(b)(9):
“(9) conduct vulnerability research on agricultural control systems, act as a coordinator between researchers and vendors, and, in coordination with CISA’s National Cybersecurity and Communications Integration Center, publish advisories describing discovered cybersecurity vulnerabilities in agricultural control systems.”