[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 2393 Introduced in Senate (IS)]

118th CONGRESS
  1st Session
                                S. 2393

To establish a food and agriculture cybersecurity clearinghouse in the 
  National Telecommunications and Information Administration, and for 
                            other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             July 19, 2023

Mr. Rounds (for himself and Ms. Cortez Masto) introduced the following 
 bill; which was read twice and referred to the Committee on Commerce, 
                      Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
To establish a food and agriculture cybersecurity clearinghouse in the 
  National Telecommunications and Information Administration, and for 
                            other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Food and Agriculture Industry 
Cybersecurity Support Act''.

SEC. 2. NTIA FOOD AND AGRICULTURE CYBERSECURITY CLEARINGHOUSE.

    (a) Definitions.--In this section:
            (1) Assistant secretary.--The term ``Assistant Secretary'' 
        means the Assistant Secretary of Commerce for Communications 
        and Information.
            (2) Cybersecurity risk.--The term ``cybersecurity risk'' 
        has the meaning given the term in section 2200 of the Homeland 
        Security Act of 2002 (6 U.S.C. 650).
            (3) Cybersecurity threat.--The term ``cybersecurity 
        threat'' has the meaning given the term in section 2200 of the 
        Homeland Security Act of 2002 (6 U.S.C. 650).
            (4) Food and agriculture industry.--The term ``food and 
        agriculture industry'' means--
                    (A) equipment and systems utilized in the food and 
                agriculture supply chain, such as computer vision 
                algorithms for precision agriculture, grain silos, and 
                related food and agriculture storage infrastructure;
                    (B) food and agriculture goods processors, growers, 
                and distributors; and
                    (C) information technology systems of businesses 
                engaged in farming, ranching, planting, harvesting, 
                food and agriculture product storage, food or animal 
                genetic modification, the design or production of 
                agrochemicals, or the design or production of food and 
                agriculture tools.
            (5) Incident.--The term ``incident'' has the meaning given 
        the term in section 2200 of the Homeland Security Act of 2002 
        (6 U.S.C. 650).
            (6) NTIA.--The term ``NTIA'' means the National 
        Telecommunications and Information Administration.
            (7) Sector risk management agency.--The term ``Sector Risk 
        Management Agency'' has the meaning given the term in section 
        2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).
            (8) Security vulnerability.--The term ``security 
        vulnerability'' has the meaning given the term in section 2200 
        of the Homeland Security Act of 2002 (6 U.S.C. 650).
            (9) Small business concern.--The term ``small business 
        concern'' has the meaning given the term in section 3 of the 
        Small Business Act (15 U.S.C. 632).
            (10) Software bill of materials.--The term ``software bill 
        of materials'' has the meaning given the term in section 10 of 
        Executive Order 14028 (86 Fed. Reg. 26633; relating to 
        improving the nation's cybersecurity).
    (b) NTIA Food and Agriculture Cybersecurity Clearinghouse.--
            (1) Establishment.--
                    (A) In general.--Not later than 180 days after the 
                date of enactment of this Act, the Assistant Secretary 
                shall establish in the NTIA a food and agriculture 
                cybersecurity clearinghouse (in this section referred 
                to as the ``clearinghouse'').
                    (B) Requirements.--The clearinghouse shall--
                            (i) be publicly available online;
                            (ii) contain current, relevant, and 
                        publicly available cybersecurity resources 
                        focused on the food and agriculture industry, 
                        including the recommendations described in 
                        paragraph (2), and any other appropriate 
                        materials for reference by entities that 
                        develop products with potential security 
                        vulnerabilities for the food and agriculture 
                        industry;
                            (iii) contain a mechanism for individuals 
                        or entities in the food and agriculture 
                        industry to request in-person or virtual 
                        support from the NTIA for cybersecurity related 
                        issues;
                            (iv) contain a section, updated not less 
                        frequently than annually, with answers to the 
                        top 20 most frequently asked questions relevant 
                        to the cybersecurity of the food and 
                        agriculture industry; and
                            (v) include materials specifically aimed at 
                        assisting small business concerns and non-
                        technical users in the food and agriculture 
                        industry with critical cybersecurity 
                        protections related to the food and agriculture 
                        industry, including recommendations on how to 
                        respond to a ransomware attack and resources 
                        for additional information, including the 
                        ``Stop Ransomware'' website hosted by the 
                        Cybersecurity and Infrastructure Security 
                        Agency of the Department of Homeland Security.
                    (C) Existing platform or website.--The Assistant 
                Secretary may establish the clearinghouse on an online 
                platform or a website that is in existence as of the 
                date of enactment of this Act.
            (2) Consolidation of food and agriculture industry 
        cybersecurity recommendations.--
                    (A) In general.--The Assistant Secretary, in 
                consultation with the Administrator of the Farm Service 
                Agency of the Department of Agriculture and relevant 
                Sector Risk Management Agencies, shall consolidate 
                public and private sector best practices to produce a 
                set of voluntary cybersecurity recommendations relating 
                to the development, maintenance, and operation of the 
                food and agriculture industry.
                    (B) Requirements.--The recommendations consolidated 
                under subparagraph (A) shall include, to the greatest 
                extent practicable, materials addressing the following:
                            (i) Risk-based, cybersecurity-informed 
                        engineering, including continuous monitoring 
                        and resiliency.
                            (ii) Planning for retention or recovery of 
                        positive control of systems in the food and 
                        agriculture industry in the event of a 
                        cybersecurity incident.
                            (iii) Protection against unauthorized 
                        access to critical functions of the food and 
                        agriculture industry.
                            (iv) Cybersecurity against threats to 
                        products of the food and agriculture industry 
                        throughout the lifetimes of those products.
                            (v) How businesses in the food and 
                        agriculture industry should respond to 
                        ransomware attacks, including details on the 
                        legal obligations of those businesses in the 
                        event of such an attack, including reporting 
                        requirements and Federal resources for support.
                            (vi) Any other recommendations to ensure 
                        the confidentiality, availability, and 
                        integrity of data residing on or in transit 
                        through systems in the food and agriculture 
                        industry.
            (3) Implementation.--In implementing this subsection, the 
        Assistant Secretary shall--
                    (A) to the extent practicable, consult with the 
                private sector;
                    (B) consult with non-Federal entities developing 
                equipment and systems utilized in the food and 
                agriculture industry, including private, consensus 
                organizations that develop relevant standards;
                    (C) consult with the Director of the Cybersecurity 
                and Infrastructure Security Agency of the Department of 
                Homeland Security;
                    (D) consult with food and agriculture industry 
                trade groups;
                    (E) consult with relevant Sector Risk Management 
                Agencies;
                    (F) consult with civil society organizations;
                    (G) consult with the Administrator of the Small 
                Business Administration; and
                    (H) consider the development of an advisory board 
                to advise the Assistant Secretary on implementing this 
                subsection, including the collection of data through 
                the clearinghouse and the disclosure of that data.
    (c) Study.--
            (1) In general.--The Comptroller General of the United 
        States shall conduct a study on the actions the Federal 
        Government has taken or may take to improve the cybersecurity 
        of the food and agriculture industry.
            (2) Report.--Not later than 90 days after the date of 
        enactment of this Act, the Comptroller General shall submit to 
        Congress a report on the study conducted under paragraph (1), 
        which shall include information on the following:
                    (A) The effectiveness of efforts of the Federal 
                Government to improve the cybersecurity of the food and 
                agriculture industry.
                    (B) The resources made available to the public, as 
                of the date of the submission, by Federal agencies to 
                improve the cybersecurity of the food and agriculture 
                industry, including to address cybersecurity risks and 
                cybersecurity threats to the food and agriculture 
                industry.
                    (C) The extent to which Federal agencies coordinate 
                or duplicate authorities and take other actions for the 
                improvement of the cybersecurity of the food and 
                agriculture industry.
                    (D) Whether an appropriate plan is in place to 
                prevent or adequately mitigate the risks of a 
                coordinated attack on the food and agriculture 
                industry.
                    (E) The benefits of the Food and Agriculture--
                Information Sharing and Analysis Center (commonly known 
                as the ``Food and Ag-ISAC'') established by the 
                Information Technology-Information Sharing and Analysis 
                Center and any additional needs of the Food and Ag-
                ISAC, including--
                            (i) required actions by, and expected costs 
                        to, the Federal Government to enhance the Food 
                        and Ag-ISAC; and
                            (ii) identification of industry and civil 
                        society partners that could assist the Food and 
                        Ag-ISAC.
                    (F) The advantages and disadvantages of the 
                creation by the Assistant Secretary of a database 
                containing a software bill of materials for the most 
                common internet-connected hardware and software 
                applications used in the food and agriculture industry 
                and recommendations for how the Assistant Secretary can 
                maintain and update such database.
            (3) Coordination.--In carrying out paragraphs (1) and (2), 
        the Comptroller General shall coordinate with appropriate 
        Federal agencies, including the following:
                    (A) The Department of Health and Human Services.
                    (B) The Department of Commerce.
                    (C) The Department of Agriculture.
                    (D) The Federal Communications Commission.
                    (E) The Department of Energy.
                    (F) The Small Business Administration.
            (4) Process for studying the food and agriculture-
        information sharing and analysis center.--In studying the Food 
        and Ag-ISAC for purposes of including in the report required by 
        paragraph (2) the information required by subparagraph (E) of 
        that paragraph, the Comptroller General shall convene 
        stakeholders that include civil society organizations, 
        individual food and agriculture producers, and the Federal 
        agencies described in paragraph (3).
            (5) Briefing.--Not later than 90 days after the date on 
        which the Comptroller General submits the report under 
        paragraph (2), the Comptroller General shall provide to 
        Congress a briefing regarding the report.
            (6) Classification.--The report under paragraph (2) shall 
        be unclassified but may include a classified annex.
    (d) Sunset.--This section shall have no force or effect after the 
date that is 7 years after the date of enactment of this Act.
                                 <all>