Farm and Food Cybersecurity Act of 2025
- Bill Number
- H.R. 1604
- Origin Chamber
- House
- Congress
- 119th Congress, Session 1
- Policy Area
- Agriculture and Food
- Status
- Introduced
- Latest Action
- 2025-03-28: Referred to the Subcommittee on Nutrition and Foreign Agriculture.
- Last Updated
- 2026-04-22T08:07:15Z
AI-Generated Summary
Purpose
The Farm and Food Cybersecurity Act of 2025 aims to strengthen the cybersecurity and resilience of the agriculture and food critical infrastructure sector. It directs the Secretary of Agriculture to regularly evaluate cyber threats and weaknesses in this sector, offer recommendations for improvements, and run yearly simulation exercises to prepare for food-related emergencies or disruptions caused by cyber incidents or other issues.
Key Provisions
- Definitions (Section 2):
- Defines the "agriculture and food critical infrastructure sector" as any activities or entities involved in producing, processing, distributing, storing, transporting, consuming, or disposing of agricultural or food products (e.g., farmers, processors, distributors, retailers, consumers, and regulators).
- Adopts definitions for terms like "cybersecurity threat" (potential harm from cyberattacks), "defensive measure" (actions to protect against threats), "incident" (an actual cyber event), and "security vulnerability" (weaknesses that could be exploited) from the Homeland Security Act of 2002.
- Specifies "Secretary" as the Secretary of Agriculture and "sector-specific ISAC" as the Food and Agriculture-Information Sharing and Analysis Center (a group that shares threat information in the sector).
- Biennial Risk Assessments (Section 3):
- Requires the Secretary to conduct a risk assessment every two years on cyber threats and vulnerabilities in the sector.
- Assessments must cover: the types and scope of cyberattacks affecting the sector; potential effects on food safety, availability, the economy, public health, and national security; current readiness of governments and private entities to handle incidents; existing policies, standards, and best practices; gaps or challenges in defenses; and recommendations for federal actions, including avoiding overly burdensome regulations that hinder real security efforts.
- The Secretary must consult private sector groups like the sector-specific ISAC and sector coordinating councils (industry groups for coordination).
- Results must be reported biennially (starting one year after enactment) to four congressional committees: Senate and House Committees on Agriculture, and Senate and House Committees on Homeland Security.
- Annual Simulation Exercises (Section 4):
- Mandates the Secretary, working with the Secretaries of Homeland Security and Health and Human Services, the Director of National Intelligence, and other relevant federal agencies, to run one cross-sector crisis simulation exercise each year for five years (fiscal years 2026–2030) on food-related emergencies or disruptions (e.g., cyber-induced supply chain issues).
- Purposes include: testing preparedness and response across governments and private entities; spotting weaknesses in the food supply chain; improving coordination and information sharing; evaluating current policies and resources; developing best practices; and ensuring diverse stakeholder inclusion in future exercises.
- Exercises must use realistic scenarios affecting multiple areas, incorporate expert input from fields like agriculture, public health, emergency management, transportation, cybersecurity, and private sector researchers; employ varied formats (e.g., discussions, drills, or full simulations); and involve participants from federal, state, Tribal, local, territorial governments, and private entities (including the ISAC and coordinating councils).
- Post-exercise: Provide feedback to participants and submit a congressional report summarizing findings, lessons learned, and recommendations to boost sector cybersecurity and resilience.
- Authorizes $1,000,000 annually for fiscal years 2026–2030 to fund these exercises.
Significant Changes to Existing Law
This bill introduces new, standalone requirements for the Department of Agriculture (USDA) without directly amending prior laws. It builds on existing frameworks like the Homeland Security Act by mandating specific, recurring assessments and exercises focused on the agriculture and food sector, which previously lacked such dedicated federal oversight for cybersecurity. It also emphasizes avoiding regulatory overlap that could undermine practical security measures.
Potential Impacts
- Government Agencies: Increases responsibilities for USDA in leading assessments and exercises, requiring coordination with agencies like Homeland Security (DHS), Health and Human Services (HHS), and intelligence offices. This could enhance inter-agency collaboration but add administrative burdens and costs (offset by authorized funding). State, local, Tribal, and territorial governments may see improved emergency planning resources.
- Citizens: Could lead to a more secure food supply chain, reducing risks of cyber disruptions that cause shortages, price spikes, or health issues from contaminated or unavailable food products. Benefits everyday consumers by promoting national food security and public health resilience.
- International Relations: Minimal direct impact, though stronger U.S. food infrastructure resilience could indirectly support global food stability and reduce vulnerabilities to foreign cyber threats targeting agriculture.
Main Stakeholders Affected
- Federal Government: Primarily USDA (leading role), DHS, HHS, Office of the Director of National Intelligence, and other agencies involved in exercises and coordination.
- Private Sector: Farmers, ranchers, food processors, manufacturers, distributors, retailers, equipment suppliers, and cybersecurity experts; key groups include the Food and Agriculture-Information Sharing and Analysis Center (ISAC) and sector coordinating councils for input and participation.
- State, Local, Tribal, and Territorial Governments: Involved in assessments, exercises, and response planning to address regional food disruptions.
- Congress: Receives regular reports to oversee implementation and consider recommendations.
- Consumers and Regulators: Indirectly affected through enhanced sector-wide protections.
Notable Legal, Constitutional, or Political Implications
- Legal: Establishes clear mandates for reporting, consultation, and funding, promoting voluntary private sector involvement without new regulatory enforcement powers. Recommendations may influence future policies but highlight concerns over duplicative rules that could shift focus from risk management to mere compliance.
- Constitutional: Aligns with federal authority over interstate commerce and national security (e.g., protecting critical infrastructure under the Commerce Clause), without raising significant privacy or federalism issues, as it emphasizes coordination rather than mandates on states or individuals.
- Political: Sponsored bipartisanship (e.g., by Reps. Finstad, Tokuda, Bacon, and Davids) reflects broad consensus on agriculture as a national security priority. It could foster ongoing congressional scrutiny via reports, potentially leading to further legislation on cyber threats to essential sectors.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Cosponsors (6)
Rep. Tokuda, Jill N. [D-HI-2], Rep. Bacon, Don [R-NE-2], Rep. Davids, Sharice [D-KS-3], Rep. Vindman, Eugene Simon [D-VA-7], Rep. Davis, Donald G. [D-NC-1], Rep. McBride, Sarah [D-DE-At Large]
Recent Actions
- 2025-03-28: Referred to the Subcommittee on Nutrition and Foreign Agriculture.
- 2025-02-26: Referred to the House Committee on Agriculture.
- 2025-02-26: Introduced in House
- 2025-02-26: Introduced in House
Bill Versions
- Farm and Food Cybersecurity Act of 2025 — issued 2025-02-26 — PDF (8 pages)