Codify — Article

Farm and Food Cybersecurity Act of 2025: mandated risk assessments and annual simulations

Requires USDA to run biennial cyber risk assessments of the agriculture and food sector, hold annual cross‑sector food‑security simulation exercises for five years, and report findings to Congress.

The Brief

The Farm and Food Cybersecurity Act of 2025 directs the Secretary of Agriculture to produce a biennial risk assessment of cybersecurity threats and vulnerabilities across the agriculture and food critical infrastructure sector and to propose legislative or administrative remedies. It also mandates a five‑year program of annual cross‑sector crisis simulation exercises, designed and conducted by USDA with interagency partners, to test preparedness for food‑related emergencies and disruptions.

The measure formalizes USDA’s coordination role with the Food and Agriculture Information Sharing and Analysis Center (ISAC) and sector coordinating councils, creates a recurring reporting cadence to four Congressional committees, and authorizes $1 million per year (FY2026–2030) for the exercise program. For compliance officers, supply‑chain managers, and public‑health planners, the bill converts previously informal information‑sharing expectations into a repeatable federal assessment-and-exercise framework that will generate prioritized recommendations but does not impose new mandatory security standards.

At a Glance

What It Does

The bill requires USDA to complete a detailed risk assessment every two years covering attack activity, impacts on food safety and availability, government and private readiness, existing standards, and gaps, then submit findings to relevant Congressional committees. It also requires USDA, working with DHS, HHS, DNI and other agencies, to run an annual, multi‑jurisdictional food‑security simulation for five years and to provide participant feedback and a post‑exercise report to Congress.

Who It Affects

The statute covers the full food and agriculture value chain—farmers and ranchers, processors, manufacturers, distributors, retailers, equipment suppliers, and regulators—and names the Food and Agriculture ISAC and sector coordinating councils as required consultees. Federal, State, Tribal, local, and territorial emergency‑management and public‑health agencies are required partners in the exercises.

Why It Matters

This bill institutionalizes periodic threat analysis and recurring cross‑sector testing for the food system, producing regular, actionable recommendations and after‑action reports that will influence federal program priorities and private‑sector risk management. It creates a visible federal forum for identifying systemic supply‑chain gaps—without creating new mandatory security rules—so private actors should expect increased scrutiny and opportunities for public‑private coordination.

What This Bill Actually Does

The Act starts by defining the covered scope broadly: any activity tied to producing, processing, distributing, storing, transporting, consuming, or disposing of agricultural or food products, and every entity involved in those activities. That expansive definition means the USDA’s work under the bill targets the entire food value chain—from input suppliers and equipment manufacturers to retailers and regulators—rather than a narrow subset of critical nodes.

On the assessment side, USDA must carry out a biennial, structured risk analysis. The statute specifies what the assessment must analyze: recent cyber incidents affecting the sector, potential consequences for food safety and national security, current federal, state, and private capabilities for prevention and recovery, the universe of existing standards and best practices, and where gaps or duplicative rules exist.

The job is not merely descriptive; USDA must offer recommendations for federal legislative or administrative changes, and it must be sensitive to regulatory overlap that could shift attention from operational security to box‑checking.

For exercises, USDA will lead an annual cross‑sector crisis simulation for five consecutive years, in coordination with DHS, HHS, the DNI, and other relevant agencies. Each exercise must use realistic scenarios, draw on subject‑matter experts (including cybersecurity researchers and the sector ISAC), and employ a mix of formats—from tabletop sessions to larger drills.

The statute requires participation by government at all levels and by private‑sector entities with roles in the food system; after each exercise USDA must provide participant feedback and a written report to Congress summarizing findings and recommendations.

Operationally, the bill relies heavily on consultation with the Food and Agriculture ISAC and sector coordinating councils, which are named as required private‑sector partners for both assessments and exercises. Funding is narrow and specific: the Act authorizes $1 million per year for FY2026–2030 to support the exercise program.

Notably, the bill sets an explicit reporting line to four Congressional committees, so its outputs are designed to inform legislative and budget decisions rather than to create immediate regulatory obligations.

The Five Things You Need to Know

1. USDA must produce a detailed cybersecurity risk assessment for the agriculture and food sector every two years and submit it to four Congressional committees.
2. The assessment must evaluate incident trends, impacts on food safety and national security, government and private readiness, existing standards, and gaps, and must recommend federal legislative or administrative actions.
3. USDA must run an annual cross‑sector food‑security simulation exercise for five years, in coordination with DHS, HHS, the DNI, and other federal partners, with private‑sector and subnational participation required.
4. The bill specifically requires consultation with the Food and Agriculture Information Sharing and Analysis Center (sector‑specific ISAC) and sector coordinating councils for both assessments and exercises.
5. Congressional reporting and after‑action feedback are mandatory after each exercise, and $1,000,000 is authorized per fiscal year (FY2026–2030) to support the exercise program.

Section-by-Section Breakdown

Section 1

Short title

Names the measure the 'Farm and Food Cybersecurity Act of 2025.' This is a naming provision only, but it signals the bill’s dual emphasis on cybersecurity and food‑system resilience.

Section 2

Definitions and scope

Sets the operational perimeter: 'agriculture and food critical infrastructure sector' covers any activity from production to disposal and explicitly lists farmers, processors, distributors, retailers, consumers, and regulators. It imports DHS definitions for cybersecurity terms (threat, incident, vulnerability) and identifies the Food and Agriculture‑ISAC as the sector‑specific ISAC. That makes the ISAC a statutory touchpoint for information flow and consultation.

Section 3(a)–(c)

Biennial cybersecurity risk assessment and reporting

Requires USDA to carry out a risk assessment every two years addressing incident patterns, impacts on food safety/availability, readiness across federal/state/private actors, existing policies and standards, and gaps or duplicative regulations. The statute directs USDA to recommend legislative or administrative fixes and to submit the assessment to specific Congressional committees on a set cadence, establishing a formal feedback loop between USDA’s analysis and congressional oversight.

Section 3(b)

Private‑sector consultation requirement

Mandates that USDA consult with private‑sector entities, explicitly naming the sector ISAC and sector coordinating councils. This requirement elevates the ISAC and coordinating councils as guaranteed participants in risk analysis design and information gathering, rather than optional collaborators.

Section 4(a)–(f)

Annual cross‑sector simulation exercises and authorization

Directs USDA to lead an annual food‑security simulation for five years in coordination with DHS, HHS, DNI and other agencies. Exercises must be realistic, multi‑method, and include federal, state, tribal, local, territorial, and private participants. USDA must provide participant feedback and submit post‑exercise reports to Congress. The section authorizes $1M per year (FY2026–2030) to fund these exercises, but it does not create mandatory compliance obligations or prescribe specific cybersecurity standards for the private sector.

Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Farmers and ranchers: will gain sector‑level threat intelligence and prioritized recommendations identifying systemic vulnerabilities that may simplify investment decisions and attract targeted federal support.
  • Food processors and manufacturers: receive actionable after‑action findings and best practices from realistic simulations, which can inform their continuity plans and supplier requirements.
  • Food and Agriculture‑ISAC and sector coordinating councils: their consultative role is formalized, increasing their influence over federal assessments and access to federal analysis.
  • State, Tribal, and local emergency‑management and public‑health agencies: benefit from interagency exercises that reveal coordination gaps and lead to clearer incident response roles across jurisdictions.
  • Consumers and public‑health officials: indirectly benefit from improved preparedness and identification of risks to food safety and availability that could reduce the duration and scope of real disruptions.

Who Bears the Cost

  • USDA: must allocate staff time and program resources to run biennial assessments and annual exercises and to prepare detailed reports for Congress, increasing agency operational responsibilities.
  • Private‑sector participants (including small producers and suppliers): face time and resource costs to prepare for and participate in exercises and may need to share sensitive operational or vulnerability information.
  • State, Tribal, and local governments: must devote personnel to participate in exercises and implement follow‑up recommendations, potentially stretching emergency management budgets.
  • Small and midsize farms and processors: could face indirect costs if follow‑on recommendations prompt voluntary standards or procurement requirements that impose new compliance costs.
  • Federal partner agencies (DHS, HHS, DNI and others): must contribute personnel and analytical resources to design and evaluate exercises, incurring programmatic costs not fully covered by the $1M authorization.

Key Issues

The Core Tension

The central dilemma is balancing the public interest in comprehensive, government‑led threat assessments and realistic cross‑sector exercises against private actors’ need to protect proprietary information and avoid burdensome compliance regimes—achieving meaningful resilience requires information and participation, but those come at the cost of privacy, potential liability, and resource expenditure for both government and industry.

The bill creates a recurring analytical and testing framework but stops short of establishing mandatory cybersecurity standards or reporting obligations for private entities. That design emphasizes information, coordination, and recommendations over regulation—but it raises questions about how USDA will translate high‑level findings into practical, fundable actions for diverse actors in the supply chain.

The authorized $1 million per year is narrowly earmarked for exercises; it may be insufficient if USDA is expected to support broad technical assistance, detailed auditing, or follow‑through on remediation recommendations across a large, heterogeneous sector.

Another practical tension concerns information sensitivity and participation incentives. The statute requires consultation and participant feedback yet does not specify confidentiality protections, liability shields, or safe‑harbor mechanisms for companies that share vulnerability data during the assessment or exercises.

Without explicit protections, some private actors—particularly equipment manufacturers and large processors—may limit participation or withhold operational details, which would blunt the assessments’ accuracy and the exercises’ realism. Finally, the Act overlaps conceptually with existing DHS and CISA initiatives; it does not articulate how USDA will coordinate authority and avoid duplicative data requests, which could create confusion for private‑sector partners and duplicate federal reporting burdens.
