US Congress 2023-2024 Regular Session

US Congress House Bill HB498 Compare Versions

Old New Differences
1+IB
2+Union Calendar No. 35
13 118THCONGRESS
2-2
3-DSESSION H. R. 498
4-AN ACT
4+1
5+STSESSION H. R. 498
6+[Report No. 118–52]
7+To amend title V of the Public Health Service Act to secure the suicide
8+prevention lifeline from cybersecurity incidents, and for other purposes.
9+IN THE HOUSE OF REPRESENTATIVES
10+JANUARY25, 2023
11+Mr. O
12+BERNOLTE(for himself and Mr. CA´RDENAS) introduced the following
13+bill; which was referred to the Committee on Energy and Commerce
14+M
15+AY11, 2023
16+Reported with an amendment; committed to the Committee of the Whole
17+House on the State of the Union and ordered to be printed
18+[Strike out all after the enacting clause and insert the part printed in italic]
19+[For text of introduced bill, see copy of bill as introduced on January 25, 2023]
20+VerDate Sep 11 2014 00:11 May 12, 2023 Jkt 039200 PO 00000 Frm 00001 Fmt 6652 Sfmt 6652 E:\BILLS\H498.RH H498
21+pbinns on DSKJLVW7X2PROD with $$_JOB 2
22+•HR 498 RH
23+A BILL
524 To amend title V of the Public Health Service Act to secure
625 the suicide prevention lifeline from cybersecurity inci-
726 dents, and for other purposes.
27+VerDate Sep 11 2014 00:11 May 12, 2023 Jkt 039200 PO 00000 Frm 00002 Fmt 6652 Sfmt 6652 E:\BILLS\H498.RH H498
28+pbinns on DSKJLVW7X2PROD with $$_JOB 3
29+•HR 498 RH
830 Be it enacted by the Senate and House of Representa-1
9-tives of the United States of America in Congress assembled, 2 2
10-•HR 498 EH
11-SECTION 1. SHORT TITLE. 1
12-This Act may be cited as the ‘‘9–8–8 Lifeline Cyber-2
13-security Responsibility Act’’. 3
14-SEC. 2. PROTECTING SUICIDE PREVENTION LIFELINE 4
15-FROM CYBERSECURITY INCIDENTS. 5
31+tives of the United States of America in Congress assembled, 2
32+SECTION 1. SHORT TITLE. 3
33+This Act may be cited as the ‘‘9–8–8 Lifeline Cyberse-4
34+curity Responsibility Act’’. 5
35+SEC. 2. PROTECTING SUICIDE PREVENTION LIFELINE FROM 6
36+CYBERSECURITY INCIDENTS. 7
1637 (a) N
17-ATIONALSUICIDEPREVENTIONLIFELINEPRO-6
18-GRAM.—Section 520E–3(b) of the Public Health Service 7
19-Act (42 U.S.C. 290bb–36c(b)) is amended— 8
20-(1) in paragraph (4), by striking ‘‘and’’ at the 9
21-end; 10
22-(2) in paragraph (5), by striking the period at 11
23-the end and inserting ‘‘; and’’; and 12
24-(3) by adding at the end the following: 13
25-‘‘(6) taking such steps as may be necessary to 14
26-ensure the suicide prevention hotline is protected 15
27-from cybersecurity incidents and to eliminate known 16
28-cybersecurity vulnerabilities of such hotline.’’. 17
38+ATIONALSUICIDEPREVENTIONLIFELINEPRO-8
39+GRAM.—Section 520E–3(b) of the Public Health Service Act 9
40+(42 U.S.C. 290bb–36c(b)) is amended— 10
41+(1) in paragraph (4), by striking ‘‘and’’ at the 11
42+end; 12
43+(2) in paragraph (5), by striking the period at 13
44+the end and inserting ‘‘; and’’; and 14
45+(3) by adding at the end the following: 15
46+‘‘(6) coordinating with the Chief Information Se-16
47+curity Officer of the Department of Health and 17
48+Human Services to take such steps as may be nec-18
49+essary to ensure the program is protected from cyber-19
50+security incidents and eliminates known cybersecurity 20
51+vulnerabilities.’’. 21
2952 (b) R
30-EPORTING.—Section 520E–3 of the Public 18
31-Health Service Act (42 U.S.C. 290bb–36c) is amended— 19
32-(1) by redesignating subsection (f) as sub-20
33-section (g); and 21
34-(2) by inserting after subsection (e) the fol-22
35-lowing: 23
53+EPORTING.—Section 520E–3 of the Public Health 22
54+Service Act (42 U.S.C. 290bb–36c) is amended— 23
55+(1) by redesignating subsection (f) as subsection 24
56+(g); and 25
57+VerDate Sep 11 2014 00:11 May 12, 2023 Jkt 039200 PO 00000 Frm 00003 Fmt 6652 Sfmt 6203 E:\BILLS\H498.RH H498
58+pbinns on DSKJLVW7X2PROD with $$_JOB 4
59+•HR 498 RH
60+(2) by inserting after subsection (e) the following: 1
3661 ‘‘(f) C
37-YBERSECURITYREPORTING.— 24
38-‘‘(1) N
39-OTIFICATION.— 25 3
40-•HR 498 EH
41-‘‘(A) IN GENERAL.—The program’s net-1
42-work administrator receiving Federal funding 2
43-pursuant to subsection (a) shall report to the 3
44-Assistant Secretary, in a manner that protects 4
45-personal privacy, consistent with applicable 5
46-Federal and State privacy laws— 6
47-‘‘(i) any identified cybersecurity vul-7
48-nerability to the program within a reason-8
49-able amount of time after identification of 9
50-such a vulnerability; and 10
51-‘‘(ii) any identified cybersecurity inci-11
52-dent to the program within a reasonable 12
53-amount of time after identification of such 13
54-an incident. 14
62+YBERSECURITYREPORTING.— 2
63+‘‘(1) I
64+N GENERAL.— 3
65+‘‘(A) I
66+N GENERAL.—The program’s network 4
67+administrator receiving Federal funding pursu-5
68+ant to subsection (a) shall report to the Assistant 6
69+Secretary, in a manner that protects personal 7
70+privacy, consistent with applicable Federal and 8
71+State privacy laws— 9
72+‘‘(i) any identified cybersecurity 10
73+vulnerabilities to the program immediately 11
74+upon identification of such a vulnerability; 12
75+and 13
76+‘‘(ii) any identified cybersecurity inci-14
77+dents to the program immediately upon 15
78+identification of such incident. 16
5579 ‘‘(B) L
80+OCAL AND REGIONAL CRISIS CEN -17
81+TERS.—Local and regional crisis centers partici-18
82+pating in the program shall report to the pro-19
83+gram’s network administrator identified in sub-20
84+paragraph (A), in a manner that protects per-21
85+sonal privacy, consistent with applicable Federal 22
86+and State privacy laws— 23
87+‘‘(i) any identified cybersecurity 24
88+vulnerabilities to the program immediately 25
89+VerDate Sep 11 2014 00:11 May 12, 2023 Jkt 039200 PO 00000 Frm 00004 Fmt 6652 Sfmt 6203 E:\BILLS\H498.RH H498
90+pbinns on DSKJLVW7X2PROD with $$_JOB 5
91+•HR 498 RH
92+upon identification of such vulnerability; 1
93+and 2
94+‘‘(ii) any identified cybersecurity inci-3
95+dents to the program immediately upon 4
96+identification of such incident. 5
97+‘‘(2) N
98+OTIFICATION.—If the program’s network 6
99+administrator receiving funding pursuant to sub-7
100+section (a) discovers, or is informed by a local or re-8
101+gional crisis center pursuant to paragraph (1)(B) of, 9
102+a cybersecurity vulnerability or incident, such entity 10
103+shall immediately report that discovery to the Assist-11
104+ant Secretary. 12
105+‘‘(3) C
106+LARIFICATION.— 13
107+‘‘(A) O
108+VERSIGHT.— 14
109+‘‘(i) L
56110 OCAL AND REGIONAL CRISIS CEN -15
57-TERS.—Local and regional crisis centers par-16
58-ticipating in the program shall report to the 17
59-program’s network administrator receiving Fed-18
60-eral funding pursuant to subsection (a), in a 19
61-manner that protects personal privacy, con-20
62-sistent with applicable Federal and State pri-21
63-vacy laws— 22
64-‘‘(i) any identified cybersecurity vul-23
65-nerability to the program within a reason-24 4
66-•HR 498 EH
67-able amount of time after identification of 1
68-such a vulnerability; and 2
69-‘‘(ii) any identified cybersecurity inci-3
70-dent to the program within a reasonable 4
71-amount of time after identification of such 5
72-an incident. 6
73-‘‘(2) N
74-OTIFICATION.—If the program’s network 7
75-administrator receiving funding pursuant to sub-8
76-section (a) discovers, or is informed by a local or re-9
77-gional crisis center pursuant to paragraph (1)(B) of, 10
78-a cybersecurity vulnerability or incident, within a 11
79-reasonable amount of time after such discovery or 12
80-receipt of information, such entity shall report the 13
81-vulnerability or incident to the Assistant Secretary. 14
82-‘‘(3) C
83-LARIFICATION.— 15
84-‘‘(A) O
85-VERSIGHT.— 16
86-‘‘(i) L
87-OCAL AND REGIONAL CRISIS 17
88-CENTER.—Except as provided in clause 18
89-(ii), local and regional crisis centers par-19
90-ticipating in the program shall oversee all 20
91-technology each center employs in the pro-21
92-vision of services as a participant in the 22
93-program. 23
111+TER.—Except as provided in clause (ii), 16
112+local and regional crisis centers partici-17
113+pating in the program shall oversee all tech-18
114+nology each center employs in the provision 19
115+of services as a participant in the program. 20
94116 ‘‘(ii) N
95-ETWORK ADMINISTRATOR .— 24
96-The program’s network administrator re-25 5
97-•HR 498 EH
98-ceiving Federal funding pursuant to sub-1
99-section (a) shall oversee the technology 2
100-each crisis center employs in the provision 3
101-of services as a participant in the program 4
102-if such oversight responsibilities are estab-5
103-lished in the applicable network participa-6
104-tion agreement. 7
117+ETWORK ADMINISTRATOR .— The 21
118+program’s network administrator receiving 22
119+Federal funding pursuant to subsection (a) 23
120+shall oversee the technology each crisis cen-24
121+ter employs in the provision of services as 25
122+VerDate Sep 11 2014 00:11 May 12, 2023 Jkt 039200 PO 00000 Frm 00005 Fmt 6652 Sfmt 6203 E:\BILLS\H498.RH H498
123+pbinns on DSKJLVW7X2PROD with $$_JOB 6
124+•HR 498 RH
125+a participant in the program if such over-1
126+sight responsibilities are established in the 2
127+applicable network participation agreement. 3
105128 ‘‘(B) S
106-UPPLEMENT, NOT SUPPLANT.—The 8
107-cybersecurity incident reporting requirements 9
108-under this subsection shall supplement, and not 10
109-supplant, cybersecurity incident reporting re-11
110-quirements under other provisions of applicable 12
111-Federal law that are in effect on the date of the 13
112-enactment of the 9–8–8 Lifeline Cybersecurity 14
113-Responsibility Act.’’. 15
129+UPPLEMENT, NOT SUPPLANT.—The 4
130+cybersecurity incident reporting requirements 5
131+under this subsection shall supplement, and not 6
132+supplant, cybersecurity incident reporting re-7
133+quirements under other provisions of applicable 8
134+Federal law that are in effect on the date of the 9
135+enactment of the 9–8–8 Lifeline Cybersecurity 10
136+Responsibility Act.’’. 11
114137 (c) S
115-TUDY.—Not later than 180 days after the date 16
116-of the enactment of this Act, the Comptroller General of 17
117-the United States shall— 18
118-(1) conduct and complete a study that evaluates 19
119-cybersecurity risks and vulnerabilities associated 20
120-with the 9–8–8 National Suicide Prevention Lifeline; 21
121-and 22
122-(2) submit a report of the findings of such 23
123-study to the Committee on Energy and Commerce of 24
124-the House of Representatives and the Committee on 25 6
125-•HR 498 EH
126-Health, Education, Labor, and Pensions of the Sen-1
127-ate. 2
128-Passed the House of Representatives March 5,
129-2024.
130-Attest:
131-Clerk. 118
138+TUDY.—Not later than 180 days after the date 12
139+of the enactment of this Act, the Comptroller General of the 13
140+United States shall— 14
141+(1) conduct and complete a study that evaluates 15
142+cybersecurity risks and vulnerabilities associated with 16
143+the 9–8–8 National Suicide Prevention Lifeline; and 17
144+(2) submit a report of the findings of such study 18
145+to the Committee on Energy and Commerce of the 19
146+House of Representatives and the Committee on 20
147+Health, Education, Labor, and Pensions of the Sen-21
148+ate. 22
149+VerDate Sep 11 2014 00:11 May 12, 2023 Jkt 039200 PO 00000 Frm 00006 Fmt 6652 Sfmt 6203 E:\BILLS\H498.RH H498
150+pbinns on DSKJLVW7X2PROD with $$_JOB VerDate Sep 11 2014 00:11 May 12, 2023 Jkt 039200 PO 00000 Frm 00007 Fmt 6652 Sfmt 6203 E:\BILLS\H498.RH H498
151+pbinns on DSKJLVW7X2PROD with $$_JOB Union Calendar No.
152+35
153+118
132154 TH
133155 CONGRESS
134-2
135-D
156+1
157+ST
136158 S
137159 ESSION
138160
139161 H. R. 498
140-AN ACT
162+[Report No. 118–52]
163+A BILL
141164 To amend title V of the Public Health Service Act
142165 to secure the suicide prevention lifeline from cy-
143166 bersecurity incidents, and for other purposes.
167+M
168+AY
169+11, 2023
170+Reported with an amendment; committed to the Com-
171+mittee of the Whole House on the State of the Union
172+and ordered to be printed
173+VerDate Sep 11 2014 00:11 May 12, 2023 Jkt 039200 PO 00000 Frm 00008 Fmt 6651 Sfmt 6651 E:\BILLS\H498.RH H498
174+pbinns on DSKJLVW7X2PROD with $$_JOB