[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 498 Referred in Senate (RFS)]

<DOC>
118th CONGRESS
  2d Session
                                H. R. 498


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             March 6, 2024

     Received; read twice and referred to the Committee on Health, 
                     Education, Labor, and Pensions

_______________________________________________________________________

                                 AN ACT


 
To amend title V of the Public Health Service Act to secure the suicide 
    prevention lifeline from cybersecurity incidents, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``9-8-8 Lifeline Cybersecurity 
Responsibility Act''.

SEC. 2. PROTECTING SUICIDE PREVENTION LIFELINE FROM CYBERSECURITY 
              INCIDENTS.

    (a) National Suicide Prevention Lifeline Program.--Section 520E-
3(b) of the Public Health Service Act (42 U.S.C. 290bb-36c(b)) is 
amended--
            (1) in paragraph (4), by striking ``and'' at the end;
            (2) in paragraph (5), by striking the period at the end and 
        inserting ``; and''; and
            (3) by adding at the end the following:
            ``(6) taking such steps as may be necessary to ensure the 
        suicide prevention hotline is protected from cybersecurity 
        incidents and to eliminate known cybersecurity vulnerabilities 
        of such hotline.''.
    (b) Reporting.--Section 520E-3 of the Public Health Service Act (42 
U.S.C. 290bb-36c) is amended--
            (1) by redesignating subsection (f) as subsection (g); and
            (2) by inserting after subsection (e) the following:
    ``(f) Cybersecurity Reporting.--
            ``(1) Notification.--
                    ``(A) In general.--The program's network 
                administrator receiving Federal funding pursuant to 
                subsection (a) shall report to the Assistant Secretary, 
                in a manner that protects personal privacy, consistent 
                with applicable Federal and State privacy laws--
                            ``(i) any identified cybersecurity 
                        vulnerability to the program within a 
                        reasonable amount of time after identification 
                        of such a vulnerability; and
                            ``(ii) any identified cybersecurity 
                        incident to the program within a reasonable 
                        amount of time after identification of such an 
                        incident.
                    ``(B) Local and regional crisis centers.--Local and 
                regional crisis centers participating in the program 
                shall report to the program's network administrator 
                receiving Federal funding pursuant to subsection (a), 
                in a manner that protects personal privacy, consistent 
                with applicable Federal and State privacy laws--
                            ``(i) any identified cybersecurity 
                        vulnerability to the program within a 
                        reasonable amount of time after identification 
                        of such a vulnerability; and
                            ``(ii) any identified cybersecurity 
                        incident to the program within a reasonable 
                        amount of time after identification of such an 
                        incident.
            ``(2) Notification.--If the program's network administrator 
        receiving funding pursuant to subsection (a) discovers, or is 
        informed by a local or regional crisis center pursuant to 
        paragraph (1)(B) of, a cybersecurity vulnerability or incident, 
        within a reasonable amount of time after such discovery or 
        receipt of information, such entity shall report the 
        vulnerability or incident to the Assistant Secretary.
            ``(3) Clarification.--
                    ``(A) Oversight.--
                            ``(i) Local and regional crisis center.--
                        Except as provided in clause (ii), local and 
                        regional crisis centers participating in the 
                        program shall oversee all technology each 
                        center employs in the provision of services as 
                        a participant in the program.
                            ``(ii) Network administrator.--The 
                        program's network administrator receiving 
                        Federal funding pursuant to subsection (a) 
                        shall oversee the technology each crisis center 
                        employs in the provision of services as a 
                        participant in the program if such oversight 
                        responsibilities are established in the 
                        applicable network participation agreement.
                    ``(B) Supplement, not supplant.--The cybersecurity 
                incident reporting requirements under this subsection 
                shall supplement, and not supplant, cybersecurity 
                incident reporting requirements under other provisions 
                of applicable Federal law that are in effect on the 
                date of the enactment of the 9-8-8 Lifeline 
                Cybersecurity Responsibility Act.''.
    (c) Study.--Not later than 180 days after the date of the enactment 
of this Act, the Comptroller General of the United States shall--
            (1) conduct and complete a study that evaluates 
        cybersecurity risks and vulnerabilities associated with the 9-
        8-8 National Suicide Prevention Lifeline; and
            (2) submit a report of the findings of such study to the 
        Committee on Energy and Commerce of the House of 
        Representatives and the Committee on Health, Education, Labor, 
        and Pensions of the Senate.

            Passed the House of Representatives March 5, 2024.

            Attest:

                                             KEVIN F. MCCUMBER,

                                                                 Clerk.