[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 498 Reported in House (RH)]

<DOC>





                                                  Union Calendar No. 35
118th CONGRESS
  1st Session
                                H. R. 498

                          [Report No. 118-52]

To amend title V of the Public Health Service Act to secure the suicide 
    prevention lifeline from cybersecurity incidents, and for other 
                               purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            January 25, 2023

 Mr. Obernolte (for himself and Mr. Cardenas) introduced the following 
    bill; which was referred to the Committee on Energy and Commerce

                              May 11, 2023

  Reported with an amendment; committed to the Committee of the Whole 
       House on the State of the Union and ordered to be printed
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]
[For text of introduced bill, see copy of bill as introduced on January 
                               25, 2023]


_______________________________________________________________________

                                 A BILL


 
To amend title V of the Public Health Service Act to secure the suicide 
    prevention lifeline from cybersecurity incidents, and for other 
                               purposes.


 


    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``9-8-8 Lifeline Cybersecurity 
Responsibility Act''.

SEC. 2. PROTECTING SUICIDE PREVENTION LIFELINE FROM CYBERSECURITY 
              INCIDENTS.

    (a) National Suicide Prevention Lifeline Program.--Section 520E-
3(b) of the Public Health Service Act (42 U.S.C. 290bb-36c(b)) is 
amended--
            (1) in paragraph (4), by striking ``and'' at the end;
            (2) in paragraph (5), by striking the period at the end and 
        inserting ``; and''; and
            (3) by adding at the end the following:
            ``(6) coordinating with the Chief Information Security 
        Officer of the Department of Health and Human Services to take 
        such steps as may be necessary to ensure the program is 
        protected from cybersecurity incidents and eliminates known 
        cybersecurity vulnerabilities.''.
    (b) Reporting.--Section 520E-3 of the Public Health Service Act (42 
U.S.C. 290bb-36c) is amended--
            (1) by redesignating subsection (f) as subsection (g); and
            (2) by inserting after subsection (e) the following:
    ``(f) Cybersecurity Reporting.--
            ``(1) In general.--
                    ``(A) In general.--The program's network 
                administrator receiving Federal funding pursuant to 
                subsection (a) shall report to the Assistant Secretary, 
                in a manner that protects personal privacy, consistent 
                with applicable Federal and State privacy laws--
                            ``(i) any identified cybersecurity 
                        vulnerabilities to the program immediately upon 
                        identification of such a vulnerability; and
                            ``(ii) any identified cybersecurity 
                        incidents to the program immediately upon 
                        identification of such incident.
                    ``(B) Local and regional crisis centers.--Local and 
                regional crisis centers participating in the program 
                shall report to the program's network administrator 
                identified in subparagraph (A), in a manner that 
                protects personal privacy, consistent with applicable 
                Federal and State privacy laws--
                            ``(i) any identified cybersecurity 
                        vulnerabilities to the program immediately upon 
                        identification of such vulnerability; and
                            ``(ii) any identified cybersecurity 
                        incidents to the program immediately upon 
                        identification of such incident.
            ``(2) Notification.--If the program's network administrator 
        receiving funding pursuant to subsection (a) discovers, or is 
        informed by a local or regional crisis center pursuant to 
        paragraph (1)(B) of, a cybersecurity vulnerability or incident, 
        such entity shall immediately report that discovery to the 
        Assistant Secretary.
            ``(3) Clarification.--
                    ``(A) Oversight.--
                            ``(i) Local and regional crisis center.--
                        Except as provided in clause (ii), local and 
                        regional crisis centers participating in the 
                        program shall oversee all technology each 
                        center employs in the provision of services as 
                        a participant in the program.
                            ``(ii) Network administrator.-- The 
                        program's network administrator receiving 
                        Federal funding pursuant to subsection (a) 
                        shall oversee the technology each crisis center 
                        employs in the provision of services as a 
                        participant in the program if such oversight 
                        responsibilities are established in the 
                        applicable network participation agreement.
                    ``(B) Supplement, not supplant.--The cybersecurity 
                incident reporting requirements under this subsection 
                shall supplement, and not supplant, cybersecurity 
                incident reporting requirements under other provisions 
                of applicable Federal law that are in effect on the 
                date of the enactment of the 9-8-8 Lifeline 
                Cybersecurity Responsibility Act.''.
    (c) Study.--Not later than 180 days after the date of the enactment 
of this Act, the Comptroller General of the United States shall--
            (1) conduct and complete a study that evaluates 
        cybersecurity risks and vulnerabilities associated with the 9-
        8-8 National Suicide Prevention Lifeline; and
            (2) submit a report of the findings of such study to the 
        Committee on Energy and Commerce of the House of 
        Representatives and the Committee on Health, Education, Labor, 
        and Pensions of the Senate.
                                                  Union Calendar No. 35

118th CONGRESS

  1st Session

                               H. R. 498

                          [Report No. 118-52]

_______________________________________________________________________

                                 A BILL

To amend title V of the Public Health Service Act to secure the suicide 
    prevention lifeline from cybersecurity incidents, and for other 
                               purposes.

_______________________________________________________________________

                              May 11, 2023

  Reported with an amendment; committed to the Committee of the Whole 
       House on the State of the Union and ordered to be printed