S 3661 Introduced
Food & Ag Cybersecurity
Last month, Sen Cotton (R,AR) introduced S 3661, the Farm and Food Cybersecurity Act of 2024. The bill would require USDA to periodically assess cybersecurity threats to, and vulnerabilities in, the agriculture and food critical infrastructure sector. Additionally, it would be required to conduct an annual cross-sector simulation exercise relating to a food-related emergency or disruption, and for other purposes. The bill would authorize $1 million per year through 2028 to fund such activities.
This bill is very similar to HR 7062, which was introduced shortly before this legislation. These are not technically companion measures as there are three significant differences between the two bills. First, the study to be conducted by USDA in both bills would be required to be conducted “in coordination with the Cybersecurity and Infrastructure Security Agency” in this version. The other two changes apply to the cross-sector exercise outline in §4. Both would add requirements to include “including sector-relevant information sharing and analysis centers” in the development and execution of those exercises. There was no mention of ISACS in the House bill.
Definitions
Section 2 of the bill would provide definitions of six key terms used in this bill. The cybersecurity terms are all defined by reference to 6 USC 650, all of which rely on an ICS-inclusive definition of ‘information system’.
Instead of relying on the existing term ‘Agriculture and Food Sector’, which derives from Homeland Security Presidential Directive 7 (HSPD 7), this bill defines a new term, ‘agriculture and food critical infrastructure sector’, to mean essentially the same thing.
Cybersecurity Assessment
Section 3 of the bill requires USDA to conduct a study, on a biennial basis, on the cybersecurity threats to, and security vulnerabilities in, the agriculture and food critical infrastructure sector. The study will include:
The nature and extent of cyberattacks and incidents that affect the agriculture and food critical infrastructure sector,
The potential impacts of a cyberattack or incident on the safety, security, and availability of food products, as well as on the economy, public health, and national security of the United States,
The current capability and readiness of the Federal Government, State and local governments, and private sector entities to prevent, detect, respond to, and recover from cyberattacks and incidents described in paragraph (2),
The existing policies, standards, guidelines, best practices, and initiatives applicable to the agriculture and food critical infrastructure sector to enhance defensive measures in that sector,
The gaps, challenges, barriers, or opportunities for improving defensive measures in the agriculture and food critical infrastructure sector, and
Any recommendations for Federal legislative or administrative actions to address the cybersecurity threats to, and security vulnerabilities in, the agriculture and food critical infrastructure sector.
Food Security Exercises
Section 4 of the bill would require USDA, in coordination with HHS, DHS, and the DNI, to “conduct, over a 5-year period, an annual cross-sector crisis simulation exercise relating to a food-related emergency or disruption”. These exercises will be designed to:
To assess the preparedness and response capabilities of Federal, State, Tribal, local, and territorial governments and private sector entities in the event of a food-related emergency or disruption,
To identify and address gaps and vulnerabilities in the food supply chain and critical infrastructure,
To enhance coordination and information sharing among stakeholders involved in food production, processing, distribution, and consumption,
To evaluate the effectiveness and efficiency of existing policies, programs, and resources relating to food security and resilience,
To develop and disseminate best practices and recommendations for improving food security and resilience, and
To identify key stakeholders and categories that were missing from the exercise to ensure the inclusion of those stakeholders and categories in future exercises.
Moving Forward
Cotton is not a member of the Senate Agriculture, Nutrition, and Forestry Committee to which this bill was assigned for consideration, but one of his seven cosponsors {Sen Gillibrand (D,NY)} is a member. This means that there may be sufficient influence to see the bill considered in Committee. Beyond, the spending issue, I see nothing in the bill that would engender any organized opposition to the bill. I suspect that there would be bipartisan support in the Committee for the bill, but I am not sure that it would be enough to overcome the opposition to the additional spending.
Commentary
As with HR 7062, I find it odd that this bill fails to mention the Food and Agriculture Sector Coordinating Council (FASCC). This group is a well-established public-private partnership designed to assist the USDA in their oversight of the Food and Agriculture Sector. They would be an invaluable asset to the USDA in developing and executing the requirements of this legislation. I would like to see language inserted in §3(a) and §4(a) requiring coordination with the FASCC for execution of both the study and the exercises.