[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 498 Referred in Senate (RFS)]
<DOC>
118th CONGRESS
2d Session
H. R. 498
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
March 6, 2024
Received; read twice and referred to the Committee on Health,
Education, Labor, and Pensions
_______________________________________________________________________
AN ACT
To amend title V of the Public Health Service Act to secure the suicide
prevention lifeline from cybersecurity incidents, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``9-8-8 Lifeline Cybersecurity
Responsibility Act''.
SEC. 2. PROTECTING SUICIDE PREVENTION LIFELINE FROM CYBERSECURITY
INCIDENTS.
(a) National Suicide Prevention Lifeline Program.--Section 520E-
3(b) of the Public Health Service Act (42 U.S.C. 290bb-36c(b)) is
amended--
(1) in paragraph (4), by striking ``and'' at the end;
(2) in paragraph (5), by striking the period at the end and
inserting ``; and''; and
(3) by adding at the end the following:
``(6) taking such steps as may be necessary to ensure the
suicide prevention hotline is protected from cybersecurity
incidents and to eliminate known cybersecurity vulnerabilities
of such hotline.''.
(b) Reporting.--Section 520E-3 of the Public Health Service Act (42
U.S.C. 290bb-36c) is amended--
(1) by redesignating subsection (f) as subsection (g); and
(2) by inserting after subsection (e) the following:
``(f) Cybersecurity Reporting.--
``(1) Notification.--
``(A) In general.--The program's network
administrator receiving Federal funding pursuant to
subsection (a) shall report to the Assistant Secretary,
in a manner that protects personal privacy, consistent
with applicable Federal and State privacy laws--
``(i) any identified cybersecurity
vulnerability to the program within a
reasonable amount of time after identification
of such a vulnerability; and
``(ii) any identified cybersecurity
incident to the program within a reasonable
amount of time after identification of such an
incident.
``(B) Local and regional crisis centers.--Local and
regional crisis centers participating in the program
shall report to the program's network administrator
receiving Federal funding pursuant to subsection (a),
in a manner that protects personal privacy, consistent
with applicable Federal and State privacy laws--
``(i) any identified cybersecurity
vulnerability to the program within a
reasonable amount of time after identification
of such a vulnerability; and
``(ii) any identified cybersecurity
incident to the program within a reasonable
amount of time after identification of such an
incident.
``(2) Notification.--If the program's network administrator
receiving funding pursuant to subsection (a) discovers, or is
informed by a local or regional crisis center pursuant to
paragraph (1)(B) of, a cybersecurity vulnerability or incident,
within a reasonable amount of time after such discovery or
receipt of information, such entity shall report the
vulnerability or incident to the Assistant Secretary.
``(3) Clarification.--
``(A) Oversight.--
``(i) Local and regional crisis center.--
Except as provided in clause (ii), local and
regional crisis centers participating in the
program shall oversee all technology each
center employs in the provision of services as
a participant in the program.
``(ii) Network administrator.--The
program's network administrator receiving
Federal funding pursuant to subsection (a)
shall oversee the technology each crisis center
employs in the provision of services as a
participant in the program if such oversight
responsibilities are established in the
applicable network participation agreement.
``(B) Supplement, not supplant.--The cybersecurity
incident reporting requirements under this subsection
shall supplement, and not supplant, cybersecurity
incident reporting requirements under other provisions
of applicable Federal law that are in effect on the
date of the enactment of the 9-8-8 Lifeline
Cybersecurity Responsibility Act.''.
(c) Study.--Not later than 180 days after the date of the enactment
of this Act, the Comptroller General of the United States shall--
(1) conduct and complete a study that evaluates
cybersecurity risks and vulnerabilities associated with the 9-
8-8 National Suicide Prevention Lifeline; and
(2) submit a report of the findings of such study to the
Committee on Energy and Commerce of the House of
Representatives and the Committee on Health, Education, Labor,
and Pensions of the Senate.
Passed the House of Representatives March 5, 2024.
Attest:
KEVIN F. MCCUMBER,
Clerk.