[House Report 118-52]
[From the U.S. Government Publishing Office]


118th Congress   }                                      {       Report
                        HOUSE OF REPRESENTATIVES
 1st Session     }                                      {       118-52

======================================================================



 
            9-8-8 LIFELINE CYBERSECURITY RESPONSIBILITY ACT

                                _______
                                

  May 11, 2023.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

Mrs. Rodgers of Washington, from the Committee on Energy and Commerce, 
                        submitted the following

                              R E P O R T

                        [To accompany H.R. 498]

    The Committee on Energy and Commerce, to whom was referred 
the bill (H.R. 498) to amend title V of the Public Health 
Service Act to secure the suicide prevention lifeline from 
cybersecurity incidents, and for other purposes, having 
considered the same, reports favorably thereon with an 
amendment and recommends that the bill as amended do pass.

                                CONTENTS

                                                                   Page
Purpose and Summary..............................................     2
Background and Need for Legislation..............................     3
Committee Action.................................................     3
Committee Votes..................................................     3
Oversight Findings and Recommendations...........................     5
New Budget Authority, Entitlement Authority, and Tax Expenditures     5
Congressional Budget Office Estimate.............................     5
Federal Mandates Statement.......................................     5
Statement of General Performance Goals and Objectives............     5
Duplication of Federal Programs..................................     5
Related Committee and Subcommittee Hearings......................     5
Committee Cost Estimate..........................................     6
Earmark, Limited Tax Benefits, and Limited Tariff Benefits.......     6
Advisory Committee Statement.....................................     6
Applicability to Legislative Branch..............................     6
Section-by-Section Analysis of the Legislation...................     6
Changes in Existing Law Made by the Bill, as Reported............     6

    The amendment is as follows:
  Strike all after the enacting clause and insert the 
following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``9-8-8 Lifeline Cybersecurity 
Responsibility Act''.

SEC. 2. PROTECTING SUICIDE PREVENTION LIFELINE FROM CYBERSECURITY 
                    INCIDENTS.

  (a) National Suicide Prevention Lifeline Program.--Section 520E-3(b) 
of the Public Health Service Act (42 U.S.C. 290bb-36c(b)) is amended--
          (1) in paragraph (4), by striking ``and'' at the end;
          (2) in paragraph (5), by striking the period at the end and 
        inserting ``; and''; and
          (3) by adding at the end the following:
          ``(6) coordinating with the Chief Information Security 
        Officer of the Department of Health and Human Services to take 
        such steps as may be necessary to ensure the program is 
        protected from cybersecurity incidents and eliminates known 
        cybersecurity vulnerabilities.''.
  (b) Reporting.--Section 520E-3 of the Public Health Service Act (42 
U.S.C. 290bb-36c) is amended--
          (1) by redesignating subsection (f) as subsection (g); and
          (2) by inserting after subsection (e) the following:
  ``(f) Cybersecurity Reporting.--
          ``(1) In general.--
                  ``(A) In general.--The program's network 
                administrator receiving Federal funding pursuant to 
                subsection (a) shall report to the Assistant Secretary, 
                in a manner that protects personal privacy, consistent 
                with applicable Federal and State privacy laws--
                          ``(i) any identified cybersecurity 
                        vulnerabilities to the program immediately upon 
                        identification of such a vulnerability; and
                          ``(ii) any identified cybersecurity incidents 
                        to the program immediately upon identification 
                        of such incident.
                  ``(B) Local and regional crisis centers.--Local and 
                regional crisis centers participating in the program 
                shall report to the program's network administrator 
                identified in subparagraph (A), in a manner that 
                protects personal privacy, consistent with applicable 
                Federal and State privacy laws--
                          ``(i) any identified cybersecurity 
                        vulnerabilities to the program immediately upon 
                        identification of such vulnerability; and
                          ``(ii) any identified cybersecurity incidents 
                        to the program immediately upon identification 
                        of such incident.
          ``(2) Notification.--If the program's network administrator 
        receiving funding pursuant to subsection (a) discovers, or is 
        informed by a local or regional crisis center pursuant to 
        paragraph (1)(B) of, a cybersecurity vulnerability or incident, 
        such entity shall immediately report that discovery to the 
        Assistant Secretary.
          ``(3) Clarification.--
                  ``(A) Oversight.--
                          ``(i) Local and regional crisis center.--
                        Except as provided in clause (ii), local and 
                        regional crisis centers participating in the 
                        program shall oversee all technology each 
                        center employs in the provision of services as 
                        a participant in the program.
                          ``(ii) Network administrator.-- The program's 
                        network administrator receiving Federal funding 
                        pursuant to subsection (a) shall oversee the 
                        technology each crisis center employs in the 
                        provision of services as a participant in the 
                        program if such oversight responsibilities are 
                        established in the applicable network 
                        participation agreement.
                  ``(B) Supplement, not supplant.--The cybersecurity 
                incident reporting requirements under this subsection 
                shall supplement, and not supplant, cybersecurity 
                incident reporting requirements under other provisions 
                of applicable Federal law that are in effect on the 
                date of the enactment of the 9-8-8 Lifeline 
                Cybersecurity Responsibility Act.''.
  (c) Study.--Not later than 180 days after the date of the enactment 
of this Act, the Comptroller General of the United States shall--
          (1) conduct and complete a study that evaluates cybersecurity 
        risks and vulnerabilities associated with the 9-8-8 National 
        Suicide Prevention Lifeline; and
          (2) submit a report of the findings of such study to the 
        Committee on Energy and Commerce of the House of 
        Representatives and the Committee on Health, Education, Labor, 
        and Pensions of the Senate.

                          Purpose and Summary

    H.R. 498 amends title V of the Public Health Service Act to 
require the Assistant Secretary for Substance Abuse and Mental 
Health Services Administration (SAMHSA) to coordinate 9-8-8 
lifeline cybersecurity protections with the Chief Information 
Security Officer of the Department of Health and Human Services 
(HHS). It also requires the 9-8-8 lifeline administrator and 
local call centers to report cybersecurity vulnerabilities and 
incidents to SAMHSA immediately.

                  Background and Need for Legislation

    The 9-8-8 Lifeline suffered a cybersecurity attack in 
December 2022 and was proactively taken offline for several 
hours due to the attack. It is unknown how many individuals 
were negatively impacted by the outage, but we do know that 
individuals in emotional distress or suicidal crisis were 
unable to utilize the lifeline for hours. This legislation was 
introduced in direct response to the cyberattack in an effort 
to prevent future incidents.

                            Committee Action

    On February 1, 2023, the Subcommittee on Health held a 
hearing on H.R. 498. The Subcommittee received testimony from:
           Mr. Kemp Chester, Senior Advisor, 
        International Relations and Supply Reduction, Office of 
        National Drug Control Policy (ONDCP)
           Dr. Neeraj Gandotra, Chief Medical Officer, 
        Substance Abuse and Mental Health Services 
        Administration (SAMHSA)
           Mr. Jon C. DeLena, Associate Administrator, 
        Business Operations, Drug Enforcement Administration 
        (DEA)
           Ms. Kandi Pickard, President and CEO, 
        National Down Syndrome Society (NDSS)
           Mr. Frederick Isasi, J.D. MPH, Executive 
        Director, Families USA
           Ms. Molly Cain, Parent Advocate
           Dr. Stephen Loyd, MD, Chief Medical Officer, 
        Cedar Recovery
           Dr. Timothy Westlake, MD, Emergency Medicine 
        Physician
    On March 8, 2023, the Subcommittee on Health met in open 
markup session and forwarded H.R. 498, as amended, to the full 
Committee by a record vote of 28 yeas and 0 nays. On March 24, 
2023, the full Committee on Energy and Commerce met in open 
markup session and ordered H.R. 498, as amended, favorably 
reported to the House by a record vote of 44 yeas and 0 nays.

                            Committee Votes

    Clause 3(b) of rule XIII requires the Committee to list the 
record votes on the motion to report legislation and amendments 
thereto. The following reflects the record votes taken during 
the Committee consideration:

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                 Oversight Findings and Recommendations

    Pursuant to clause 2(b)(1) of rule X and clause 3(c)(1) of 
rule XIII, the Committee held a hearing and made findings that 
are reflected in this report.

   New Budget Authority, Entitlement Authority, and Tax Expenditures

    Pursuant to clause 3(c)(2) of rule XIII, the Committee 
finds that H.R. 498 would result in no new or increased budget 
authority, entitlement authority, or tax expenditures or 
revenues.

                  Congressional Budget Office Estimate

    Pursuant to clause 3(c)(3) of rule XIII, at the time this 
report was filed, the cost estimate prepared by the Director of 
the Congressional Budget Office pursuant to section 402 of the 
Congressional Budget Act of 1974 was not available.

                       Federal Mandates Statement

    The Committee adopts as its own the estimate of Federal 
mandates prepared by the Director of the Congressional Budget 
Office pursuant to section 423 of the Unfunded Mandates Reform 
Act.

         Statement of General Performance Goals and Objectives

    Pursuant to clause 3(c)(4) of rule XIII, the general 
performance goal or objective of this legislation is to require 
increased coordination and reporting to prevent future 
cyberattacks on the 9-8-8 lifeline.

                    Duplication of Federal Programs

    Pursuant to clause 3(c)(5) of rule XIII, no provision of 
H.R. 498 is known to be duplicative of another Federal program, 
including any program that was included in a report to Congress 
pursuant to section 21 of Public Law 111-139 or the most recent 
Catalog of Federal Domestic Assistance.

              Related Committee and Subcommittee Hearings

    Pursuant to clause 3(c)(6) of rule XIII, the following 
related hearing was used to develop or consider H.R. 498:
    On February 1, 2023, the Subcommittee on Health held a 
hearing on H.R. 498. The Subcommittee received testimony from:
           Mr. Kemp Chester, Senior Advisor, 
        International Relations and Supply Reduction, Office of 
        National Drug Control Policy (ONDCP)
           Dr. Neeraj Gandotra, Chief Medical Officer, 
        Substance Abuse and Mental Health Services 
        Administration (SAMHSA)
           Mr. Jon C. DeLena, Associate Administrator, 
        Business Operations, Drug Enforcement Administration 
        (DEA)
           Ms. Kandi Pickard, President and CEO, 
        National Down Syndrome Society (NDSS)
           Mr. Frederick Isasi, J.D. MPH, Executive 
        Director, Families USA
           Ms. Molly Cain, Parent Advocate
           Dr. Stephen Loyd, MD, Chief Medical Officer, 
        Cedar Recovery
           Dr. Timothy Westlake, MD, Emergency Medicine 
        Physician

                        Committee Cost Estimate

    Pursuant to clause 3(d)(1) of rule XIII, the Committee 
adopts as its own the cost estimate prepared by the Director of 
the Congressional Budget Office pursuant to section 402 of the 
Congressional Budget Act of 1974. At the time this report was 
filed, the estimate was not available.

       Earmark, Limited Tax Benefits, and Limited Tariff Benefits

    Pursuant to clause 9(e), 9(f), and 9(g) of rule XXI, the 
Committee finds that H.R. 498 contains no earmarks, limited tax 
benefits, or limited tariff benefits.

                      Advisory Committee Statement

    No advisory committees within the meaning of section 5(b) 
of the Federal Advisory Committee Act were created by this 
legislation.

                  Applicability to Legislative Branch

    The Committee finds that the legislation does not relate to 
the terms and conditions of employment or access to public 
services or accommodations within the meaning of section 
102(b)(3) of the Congressional Accountability Act.

             Section-by-Section Analysis of the Legislation


Section 1. Short title

    Section 1 provides a short title of ``9-8-8 Lifeline 
Cybersecurity Responsibility Act.''

Section. 2. Protecting suicide prevention lifeline from cybersecurity 
        incidents

    Section 2 amends section 520E-3(b) of the Public Health 
Service Act to coordinate 9-8-8 lifeline cybersecurity 
protections with the Chief Information Security Officer of the 
Department of Health and Human Services (HHS). It also requires 
the 9-8-8 lifeline administrator and local call centers to 
report cybersecurity vulnerabilities and incidents to SAMHSA 
immediately.

         Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in black brackets, new 
matter is printed in italics, and existing law in which no 
change is proposed is shown in roman):

                       PUBLIC HEALTH SERVICE ACT




           *       *       *       *       *       *       *
TITLE V--SUBSTANCE ABUSE AND MENTAL HEALTH SERVICES ADMINISTRATION

           *       *       *       *       *       *       *



Part B--Centers and Programs

           *       *       *       *       *       *       *



Subpart 3--Center for Mental Health Services

           *       *       *       *       *       *       *



SEC. 520E-3. NATIONAL SUICIDE PREVENTION LIFELINE PROGRAM.

  (a) In General.--The Secretary, acting through the Assistant 
Secretary, shall maintain the National Suicide Prevention 
Lifeline program (referred to in this section as the 
``program''), authorized under section 520A and in effect prior 
to the date of enactment of the Helping Families in Mental 
Health Crisis Reform Act of 2016.
  (b) Activities.--In maintaining the program, the activities 
of the Secretary shall include--
          (1) supporting and coordinating a network of crisis 
        centers across the United States for providing suicide 
        prevention and mental health crisis intervention 
        services, including appropriate follow-up services, to 
        individuals seeking help at any time, day or night;
          (2) maintaining a suicide prevention hotline to link 
        callers to local emergency, mental health, and social 
        services resources;
          (3) consulting with the Secretary of Veterans Affairs 
        to ensure that veterans calling the suicide prevention 
        hotline have access to a specialized veterans' suicide 
        prevention hotline;
          (4) improving awareness of the program for suicide 
        prevention and mental health crisis intervention 
        services, including by conducting an awareness 
        initiative and ongoing outreach to the public; [and]
          (5) improving the collection and analysis of 
        demographic information, in a manner that protects 
        personal privacy, consistent with applicable Federal 
        and State privacy laws, in order to understand 
        disparities in access to the program among individuals 
        who are seeking help[.]; and
          (6) coordinating with the Chief Information Security 
        Officer of the Department of Health and Human Services 
        to take such steps as may be necessary to ensure the 
        program is protected from cybersecurity incidents and 
        eliminates known cybersecurity vulnerabilities.
  (c) Plan.--
          (1) In general.--For purposes of supporting the 
        crisis centers under subsection (b)(1) and maintaining 
        the suicide prevention hotline under subsection (b)(2), 
        the Secretary shall develop and implement a plan to 
        ensure the provision of high-quality services.
          (2) Contents.--The plan required by paragraph (1) 
        shall include the following:
                  (A) Program evaluation, including performance 
                measures to assess progress toward the goals 
                and objectives of the program and to improve 
                the responsiveness and performance of the 
                hotline, including at all backup call centers.
                  (B) Requirements that crisis centers and 
                backup centers must meet--
                          (i) to participate in the network 
                        under subsection (b)(1); and
                          (ii) to ensure that each telephone 
                        call and applicable other communication 
                        received by the hotline, including at 
                        backup call centers, is answered in a 
                        timely manner, consistent with 
                        evidence-based guidance or other 
                        guidance or best practices, as 
                        appropriate.
                  (C) Specific recommendations and strategies 
                for implementing evidence-based practices, 
                including with respect to followup and 
                communicating the availability of resources in 
                the community for individuals in need.
                  (D) Criteria for carrying out periodic 
                testing of the hotline during each fiscal year, 
                including at crisis centers and backup centers, 
                to identify and address any problems in a 
                timely manner.
          (3) Consultation.--In developing requirements under 
        paragraph (2)(B), the Secretary shall consult with 
        State departments of health, local governments, Indian 
        Tribes, and Tribal organizations.
          (4) Initial plan; updates.--The Secretary shall--
                  (A) not later than 1 year after the date of 
                enactment of the Restoring Hope for Mental 
                Health and Well-Being Act of 2022, complete 
                development of the initial plan under paragraph 
                (1) and make such plan publicly available; and
                  (B) periodically thereafter, update such plan 
                and make the updated plan publicly available.
  (d) Improving Epidemiological Data.--The Secretary shall, as 
appropriate, formalize and strengthen agreements between the 
Suicide Prevention Lifeline program and the Centers for Disease 
Control and Prevention with respect to the secure sharing of 
de-identified epidemiological data. Such agreements shall 
include appropriate privacy and security protections that meet 
the requirements of applicable Federal law, at a minimum.
  (e) Data to Assist State and Local Suicide Prevention 
Activities.--The Secretary shall ensure that the aggregated 
information collected and any applicable analyses conducted 
under subsection (b)(5), including from local call centers, as 
applicable, are made available in a usable format to State and 
local agencies in order to inform suicide prevention 
activities.
  (f) Cybersecurity Reporting.--
          (1) In general.--
                  (A) In general.--The program's network 
                administrator receiving Federal funding 
                pursuant to subsection (a) shall report to the 
                Assistant Secretary, in a manner that protects 
                personal privacy, consistent with applicable 
                Federal and State privacy laws--
                          (i) any identified cybersecurity 
                        vulnerabilities to the program 
                        immediately upon identification of such 
                        a vulnerability; and
                          (ii) any identified cybersecurity 
                        incidents to the program immediately 
                        upon identification of such incident.
                  (B) Local and regional crisis centers.--Local 
                and regional crisis centers participating in 
                the program shall report to the program's 
                network administrator identified in 
                subparagraph (A), in a manner that protects 
                personal privacy, consistent with applicable 
                Federal and State privacy laws--
                          (i) any identified cybersecurity 
                        vulnerabilities to the program 
                        immediately upon identification of such 
                        vulnerability; and
                          (ii) any identified cybersecurity 
                        incidents to the program immediately 
                        upon identification of such incident.
          (2) Notification.--If the program's network 
        administrator receiving funding pursuant to subsection 
        (a) discovers, or is informed by a local or regional 
        crisis center pursuant to paragraph (1)(B) of, a 
        cybersecurity vulnerability or incident, such entity 
        shall immediately report that discovery to the 
        Assistant Secretary.
          (3) Clarification.--
                  (A) Oversight.--
                          (i) Local and regional crisis 
                        center.--Except as provided in clause 
                        (ii), local and regional crisis centers 
                        participating in the program shall 
                        oversee all technology each center 
                        employs in the provision of services as 
                        a participant in the program.
                          (ii) Network administrator.-- The 
                        program's network administrator 
                        receiving Federal funding pursuant to 
                        subsection (a) shall oversee the 
                        technology each crisis center employs 
                        in the provision of services as a 
                        participant in the program if such 
                        oversight responsibilities are 
                        established in the applicable network 
                        participation agreement.
                  (B) Supplement, not supplant.--The 
                cybersecurity incident reporting requirements 
                under this subsection shall supplement, and not 
                supplant, cybersecurity incident reporting 
                requirements under other provisions of 
                applicable Federal law that are in effect on 
                the date of the enactment of the 9-8-8 Lifeline 
                Cybersecurity Responsibility Act.
  [(f)] (g) Authorization of Appropriations.--To carry out this 
section, there are authorized to be appropriated $101,621,000 
for each of fiscal years 2023 through 2027.

           *       *       *       *       *       *       *


                                  [all]