[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 1219 Introduced in House (IH)]

118th CONGRESS
  1st Session
                                H. R. 1219

To establish a food and agriculture cybersecurity clearinghouse in the 
  National Telecommunications and Information Administration, and for 
                            other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           February 27, 2023

   Mr. Pfluger (for himself, Mr. Veasey, Mr. Curtis, and Ms. Matsui) 
 introduced the following bill; which was referred to the Committee on 
 Energy and Commerce, and in addition to the Committee on Agriculture, 
for a period to be subsequently determined by the Speaker, in each case 
for consideration of such provisions as fall within the jurisdiction of 
                        the committee concerned

_______________________________________________________________________

                                 A BILL


 
To establish a food and agriculture cybersecurity clearinghouse in the 
  National Telecommunications and Information Administration, and for 
                            other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Food and Agriculture Industry 
Cybersecurity Support Act''.

SEC. 2. NTIA FOOD AND AGRICULTURE CYBERSECURITY CLEARINGHOUSE.

    (a) NTIA Food and Agriculture Cybersecurity Clearinghouse.--
            (1) Establishment.--
                    (A) In general.--Not later than 180 days after the 
                date of the enactment of this Act, the Assistant 
                Secretary shall establish in the NTIA a food and 
                agriculture cybersecurity clearinghouse (in this 
                section referred to as the ``clearinghouse'').
                    (B) Requirements.--The clearinghouse shall--
                            (i) be publicly available online;
                            (ii) contain current, relevant, and 
                        publicly available food and agriculture 
                        industry focused cybersecurity resources, 
                        including the recommendations described in 
                        paragraph (2), and any other appropriate 
                        materials for reference by entities that 
                        develop products with potential security 
                        vulnerabilities for the food and agriculture 
                        industry;
                            (iii) contain a mechanism for individuals 
                        or entities in the food and agriculture 
                        industry to request in-person or virtual 
                        support from the NTIA or, if appropriate, a 
                        cooperating agency for cybersecurity related 
                        issues;
                            (iv) contain a Frequently Asked Questions 
                        (FAQ) section, updated at least annually, with 
                        answers to the top 20 most frequently asked 
                        questions relevant to the cybersecurity of the 
                        food and agriculture industry; and
                            (v) include materials specifically aimed at 
                        assisting small business concerns and non-
                        technical users in the food and agriculture 
                        industry with critical cybersecurity 
                        protections related to the food and agriculture 
                        industry, including recommendations on how to 
                        respond to a ransomware attack and resources 
                        for additional information, including the 
                        ``Stop Ransomware'' site hosted by the 
                        Cybersecurity and Infrastructure Security 
                        Agency of the Department of Homeland Security.
                    (C) Existing platform or website.--The Assistant 
                Secretary may establish the clearinghouse on an online 
                platform or a website that is in existence as of the 
                date of the enactment of this Act.
            (2) Consolidation of food and agriculture industry 
        cybersecurity recommendations.--
                    (A) In general.--The Assistant Secretary, in 
                consultation with the Administrator of the Farm Service 
                Agency of the Department of Agriculture and relevant 
                Sector Risk Management Agencies, shall consolidate 
                public and private sector best practices to produce a 
                set of voluntary cybersecurity recommendations relating 
                to the development, maintenance, and operation of the 
                food and agriculture industry.
                    (B) Requirements.--The recommendations consolidated 
                under subparagraph (A) shall include, to the greatest 
                extent practicable, materials addressing the following:
                            (i) Risk-based, cybersecurity-informed 
                        engineering, including continuous monitoring 
                        and resiliency.
                            (ii) Planning for retention or recovery of 
                        positive control of systems in the food and 
                        agriculture industry in the event of a 
                        cybersecurity incident.
                            (iii) Protection against unauthorized 
                        access to critical functions of the food and 
                        agriculture industry.
                            (iv) Cybersecurity against threats to 
                        products of the food and agriculture industry 
                        throughout the lifetimes of such products.
                            (v) How businesses in the food and 
                        agriculture industry should respond to 
                        ransomware attacks, including details on the 
                        legal obligations of such businesses in the 
                        event of such an attack, including reporting 
                        requirements and Federal resources for support.
                            (vi) Any other recommendations to ensure 
                        the confidentiality, availability, and 
                        integrity of data residing on or in transit 
                        through systems in the food and agriculture 
                        industry.
            (3) Implementation.--In implementing this subsection, the 
        Assistant Secretary shall--
                    (A) to the extent practicable, consult with the 
                private sector;
                    (B) consult with non-Federal entities developing 
                equipment and systems utilized in the food and 
                agriculture industry, including private, consensus 
                organizations that develop relevant standards;
                    (C) consult with the Director of the Cybersecurity 
                and Infrastructure Security Agency of the Department of 
                Homeland Security;
                    (D) consult with food and agriculture industry 
                trade groups;
                    (E) consult with relevant Sector Risk Management 
                Agencies;
                    (F) consult with civil society organizations;
                    (G) consult with the Administrator of the Small 
                Business Administration; and
                    (H) consider the development of an advisory board 
                to advise the Assistant Secretary on implementing this 
                subsection, including the collection of data through 
                the clearinghouse and the disclosure of such data.
    (b) Study.--
            (1) In general.--The Comptroller General of the United 
        States shall conduct a study on the actions the Federal 
        Government has taken or may take to improve the cybersecurity 
        of the food and agriculture industry.
            (2) Report.--Not later than 90 days after the date of the 
        enactment of this Act, the Comptroller General of the United 
        States shall submit to Congress a report on the study conducted 
        under paragraph (1), which shall include information on the 
        following:
                    (A) The effectiveness of efforts of the Federal 
                Government to improve the cybersecurity of the food and 
                agriculture industry.
                    (B) The resources made available to the public, as 
                of the date of such submission, by Federal agencies to 
                improve the cybersecurity of the food and agriculture 
                industry, including to address cybersecurity risks and 
                cybersecurity threats to the food and agriculture 
                industry.
                    (C) The extent to which Federal agencies coordinate 
                or duplicate authorities and take other actions for the 
                improvement of the cybersecurity of the food and 
                agriculture industry.
                    (D) Whether there is an appropriate plan in place 
                to prevent or adequately mitigate the risks of a 
                coordinated attack on the food and agriculture 
                industry.
                    (E) The advantages and disadvantages of creating a 
                food and agriculture industry specific Information 
                Sharing and Analysis Center (ISAC), including required 
                actions by the Federal Government and expected costs to 
                the Federal Government to create such an organization 
                and potential industry and civil society partners who 
                could operate such an organization.
                    (F) The advantages and disadvantages of the 
                creation by the Assistant Secretary of a database 
                containing a software bill of materials (SBOM) for the 
                most common internet-connected hardware and software 
                applications used in the food and agriculture industry 
                and recommendations for how the Assistant Secretary can 
                maintain and update such database.
            (3) Coordination.--In carrying out paragraphs (1) and (2), 
        the Comptroller General of the United States shall coordinate 
        with appropriate Federal agencies, including the following:
                    (A) The Department of Health and Human Services.
                    (B) The Department of Commerce.
                    (C) The Department of Agriculture.
                    (D) The Federal Communications Commission.
                    (E) The Department of Energy.
                    (F) The Small Business Administration.
            (4) Process for studying creation of isac.--In studying the 
        advantages and disadvantages of creating a food and agriculture 
        industry specific Information Sharing and Analysis Center for 
        purposes of including in the report required by paragraph (2) 
        the information required by subparagraph (E) of such paragraph, 
        the Comptroller General shall convene stakeholders that include 
        civil society organizations, individual food and agriculture 
        producers, and the Federal agencies described in paragraph (3).
            (5) Briefing.--Not later than 90 days after the date on 
        which the Comptroller General of the United States submits the 
        report under paragraph (2), the Comptroller General shall 
        provide to Congress a briefing regarding such report.
            (6) Classification.--The report under paragraph (2) shall 
        be unclassified but may include a classified annex.
    (c) Definitions.--In this section:
            (1) Assistant secretary.--The term ``Assistant Secretary'' 
        means the Assistant Secretary of Commerce for Communications 
        and Information.
            (2) Cybersecurity risk.--The term ``cybersecurity risk'' 
        has the meaning given such term in section 2200 of the Homeland 
        Security Act of 2002 (6 U.S.C. 650).
            (3) Cybersecurity threat.--The term ``cybersecurity 
        threat'' has the meaning given such term in section 2200 of the 
        Homeland Security Act of 2002 (6 U.S.C. 650).
            (4) Food and agriculture industry.--The term ``food and 
        agriculture industry'' means--
                    (A) equipment and systems utilized in the food and 
                agriculture supply chain, such as computer vision 
                algorithms for precision agriculture, grain silos, and 
                related food and agriculture storage infrastructure;
                    (B) food and agriculture goods processors, growers, 
                and distributors; and
                    (C) information technology systems of businesses 
                engaged in farming, ranching, planting, harvesting, 
                food and agriculture product storage, food or animal 
                genetic modification, the design or production of 
                agrochemicals, or the design or production of food and 
                agriculture tools.
            (5) Incident.--The term ``incident'' has the meaning given 
        such term in section 2200 of the Homeland Security Act of 2002 
        (6 U.S.C. 650).
            (6) NTIA.--The term ``NTIA'' means the National 
        Telecommunications and Information Administration.
            (7) Sector risk management agency.--The term ``Sector Risk 
        Management Agency'' has the meaning given such term in section 
        2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).
            (8) Security vulnerability.--The term ``security 
        vulnerability'' has the meaning given such term in section 2200 
        of the Homeland Security Act of 2002 (6 U.S.C. 650).
            (9) Small business concern.--The term ``small business 
        concern'' means a small business concern described in section 3 
        of the Small Business Act (15 U.S.C. 632).
            (10) Software bill of materials.--The term ``software bill 
        of materials'' has the meaning given such term in section 10 of 
        Executive Order 14028 (86 Fed. Reg. 26633; relating to 
        improving the Nation's cybersecurity).
    (d) Sunset.--This section shall have no force or effect after the 
date that is 7 years after the date of the enactment of this Act.