HR498-118

1. Short title This Act may be cited as the 9–8–8 Lifeline Cybersecurity Responsibility Act.

2. Protecting suicide prevention lifeline from cybersecurity incidents Section 520E–3(b) of the Public Health Service Act (42 U.S.C. 290bb–36c(b)) is amended— in paragraph (4), by striking and at the end; in paragraph (5), by striking the period at the end and inserting ; and; and by adding at the end the following: taking such steps as may be necessary to ensure the suicide prevention hotline is protected from cybersecurity incidents and to eliminate known cybersecurity vulnerabilities of such hotline. Section 520E–3 of the Public Health Service Act (42 U.S.C. 290bb–36c) is amended— by redesignating subsection (f) as subsection (g); and by inserting after subsection (e) the following: The program’s network administrator receiving Federal funding pursuant to subsection (a) shall report to the Assistant Secretary, in a manner that protects personal privacy, consistent with applicable Federal and State privacy laws— any identified cybersecurity vulnerability to the program within a reasonable amount of time after identification of such a vulnerability; and any identified cybersecurity incident to the program within a reasonable amount of time after identification of such an incident. Local and regional crisis centers participating in the program shall report to the program’s network administrator receiving Federal funding pursuant to subsection (a), in a manner that protects personal privacy, consistent with applicable Federal and State privacy laws— any identified cybersecurity vulnerability to the program within a reasonable amount of time after identification of such a vulnerability; and any identified cybersecurity incident to the program within a reasonable amount of time after identification of such an incident. If the program’s network administrator receiving funding pursuant to subsection (a) discovers, or is informed by a local or regional crisis center pursuant to paragraph (1)(B) of, a cybersecurity vulnerability or incident, within a reasonable amount of time after such discovery or receipt of information, such entity shall report the vulnerability or incident to the Assistant Secretary. Except as provided in clause (ii), local and regional crisis centers participating in the program shall oversee all technology each center employs in the provision of services as a participant in the program. The program’s network administrator receiving Federal funding pursuant to subsection (a) shall oversee the technology each crisis center employs in the provision of services as a participant in the program if such oversight responsibilities are established in the applicable network participation agreement. The cybersecurity incident reporting requirements under this subsection shall supplement, and not supplant, cybersecurity incident reporting requirements under other provisions of applicable Federal law that are in effect on the date of the enactment of the 9–8–8 Lifeline Cybersecurity Responsibility Act. Not later than 180 days after the date of the enactment of this Act, the Comptroller General of the United States shall— conduct and complete a study that evaluates cybersecurity risks and vulnerabilities associated with the 9–8–8 National Suicide Prevention Lifeline; and submit a report of the findings of such study to the Committee on Energy and Commerce of the House of Representatives and the Committee on Health, Education, Labor, and Pensions of the Senate. (6)taking such steps as may be necessary to ensure the suicide prevention hotline is protected from cybersecurity incidents and to eliminate known cybersecurity vulnerabilities of such hotline.. (f)Cybersecurity reporting (1)Notification (A)In generalThe program’s network administrator receiving Federal funding pursuant to subsection (a) shall report to the Assistant Secretary, in a manner that protects personal privacy, consistent with applicable Federal and State privacy laws— (i)any identified cybersecurity vulnerability to the program within a reasonable amount of time after identification of such a vulnerability; and (ii)any identified cybersecurity incident to the program within a reasonable amount of time after identification of such an incident. (B)Local and regional crisis centersLocal and regional crisis centers participating in the program shall report to the program’s network administrator receiving Federal funding pursuant to subsection (a), in a manner that protects personal privacy, consistent with applicable Federal and State privacy laws— (i)any identified cybersecurity vulnerability to the program within a reasonable amount of time after identification of such a vulnerability; and (ii)any identified cybersecurity incident to the program within a reasonable amount of time after identification of such an incident. (2)NotificationIf the program’s network administrator receiving funding pursuant to subsection (a) discovers, or is informed by a local or regional crisis center pursuant to paragraph (1)(B) of, a cybersecurity vulnerability or incident, within a reasonable amount of time after such discovery or receipt of information, such entity shall report the vulnerability or incident to the Assistant Secretary. (3)Clarification (A)Oversight (i)Local and regional crisis centerExcept as provided in clause (ii), local and regional crisis centers participating in the program shall oversee all technology each center employs in the provision of services as a participant in the program. (ii)Network administratorThe program’s network administrator receiving Federal funding pursuant to subsection (a) shall oversee the technology each crisis center employs in the provision of services as a participant in the program if such oversight responsibilities are established in the applicable network participation agreement. (B)Supplement, not supplantThe cybersecurity incident reporting requirements under this subsection shall supplement, and not supplant, cybersecurity incident reporting requirements under other provisions of applicable Federal law that are in effect on the date of the enactment of the 9–8–8 Lifeline Cybersecurity Responsibility Act..