[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 498 Reported in House (RH)]
<DOC>
Union Calendar No. 35
118th CONGRESS
1st Session
H. R. 498
[Report No. 118-52]
To amend title V of the Public Health Service Act to secure the suicide
prevention lifeline from cybersecurity incidents, and for other
purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
January 25, 2023
Mr. Obernolte (for himself and Mr. Cardenas) introduced the following
bill; which was referred to the Committee on Energy and Commerce
May 11, 2023
Reported with an amendment; committed to the Committee of the Whole
House on the State of the Union and ordered to be printed
[Strike out all after the enacting clause and insert the part printed
in italic]
[For text of introduced bill, see copy of bill as introduced on January
25, 2023]
_______________________________________________________________________
A BILL
To amend title V of the Public Health Service Act to secure the suicide
prevention lifeline from cybersecurity incidents, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``9-8-8 Lifeline Cybersecurity
Responsibility Act''.
SEC. 2. PROTECTING SUICIDE PREVENTION LIFELINE FROM CYBERSECURITY
INCIDENTS.
(a) National Suicide Prevention Lifeline Program.--Section 520E-
3(b) of the Public Health Service Act (42 U.S.C. 290bb-36c(b)) is
amended--
(1) in paragraph (4), by striking ``and'' at the end;
(2) in paragraph (5), by striking the period at the end and
inserting ``; and''; and
(3) by adding at the end the following:
``(6) coordinating with the Chief Information Security
Officer of the Department of Health and Human Services to take
such steps as may be necessary to ensure the program is
protected from cybersecurity incidents and eliminates known
cybersecurity vulnerabilities.''.
(b) Reporting.--Section 520E-3 of the Public Health Service Act (42
U.S.C. 290bb-36c) is amended--
(1) by redesignating subsection (f) as subsection (g); and
(2) by inserting after subsection (e) the following:
``(f) Cybersecurity Reporting.--
``(1) In general.--
``(A) In general.--The program's network
administrator receiving Federal funding pursuant to
subsection (a) shall report to the Assistant Secretary,
in a manner that protects personal privacy, consistent
with applicable Federal and State privacy laws--
``(i) any identified cybersecurity
vulnerabilities to the program immediately upon
identification of such a vulnerability; and
``(ii) any identified cybersecurity
incidents to the program immediately upon
identification of such incident.
``(B) Local and regional crisis centers.--Local and
regional crisis centers participating in the program
shall report to the program's network administrator
identified in subparagraph (A), in a manner that
protects personal privacy, consistent with applicable
Federal and State privacy laws--
``(i) any identified cybersecurity
vulnerabilities to the program immediately upon
identification of such vulnerability; and
``(ii) any identified cybersecurity
incidents to the program immediately upon
identification of such incident.
``(2) Notification.--If the program's network administrator
receiving funding pursuant to subsection (a) discovers, or is
informed by a local or regional crisis center pursuant to
paragraph (1)(B) of, a cybersecurity vulnerability or incident,
such entity shall immediately report that discovery to the
Assistant Secretary.
``(3) Clarification.--
``(A) Oversight.--
``(i) Local and regional crisis center.--
Except as provided in clause (ii), local and
regional crisis centers participating in the
program shall oversee all technology each
center employs in the provision of services as
a participant in the program.
``(ii) Network administrator.-- The
program's network administrator receiving
Federal funding pursuant to subsection (a)
shall oversee the technology each crisis center
employs in the provision of services as a
participant in the program if such oversight
responsibilities are established in the
applicable network participation agreement.
``(B) Supplement, not supplant.--The cybersecurity
incident reporting requirements under this subsection
shall supplement, and not supplant, cybersecurity
incident reporting requirements under other provisions
of applicable Federal law that are in effect on the
date of the enactment of the 9-8-8 Lifeline
Cybersecurity Responsibility Act.''.
(c) Study.--Not later than 180 days after the date of the enactment
of this Act, the Comptroller General of the United States shall--
(1) conduct and complete a study that evaluates
cybersecurity risks and vulnerabilities associated with the 9-
8-8 National Suicide Prevention Lifeline; and
(2) submit a report of the findings of such study to the
Committee on Energy and Commerce of the House of
Representatives and the Committee on Health, Education, Labor,
and Pensions of the Senate.
Union Calendar No. 35
118th CONGRESS
1st Session
H. R. 498
[Report No. 118-52]
_______________________________________________________________________
A BILL
To amend title V of the Public Health Service Act to secure the suicide
prevention lifeline from cybersecurity incidents, and for other
purposes.
_______________________________________________________________________
May 11, 2023
Reported with an amendment; committed to the Committee of the Whole
House on the State of the Union and ordered to be printed