I
119THCONGRESS
1
STSESSION H. R. 912
To amend title V of the Public Health Service Act to secure the suicide
prevention lifeline from cybersecurity incidents, and for other purposes.
IN THE HOUSE OF REPRESENTATIVES
FEBRUARY4, 2025
Mr. O
BERNOLTE(for himself and Mrs. DINGELL) introduced the following
bill; which was referred to the Committee on Energy and Commerce
A BILL
To amend title V of the Public Health Service Act to secure
the suicide prevention lifeline from cybersecurity inci-
dents, and for other purposes.
Be it enacted by the Senate and House of Representa-1
tives of the United States of America in Congress assembled, 2
SECTION 1. SHORT TITLE. 3
This Act may be cited as the ‘‘9–8–8 Lifeline Cyber-4
security Responsibility Act’’. 5
SEC. 2. PROTECTING SUICIDE PREVENTION LIFELINE 6
FROM CYBERSECURITY INCIDENTS. 7
(a) N
ATIONALSUICIDEPREVENTIONLIFELINEPRO-8
GRAM.—Section 520E–3(b) of the Public Health Service 9
Act (42 U.S.C. 290bb–36c(b)) is amended— 10
VerDate Sep 11 2014 03:45 Mar 05, 2025 Jkt 059200 PO 00000 Frm 00001 Fmt 6652 Sfmt 6201 E:\BILLS\H912.IH H912
ssavage on LAPJG3WLY3PROD with BILLS 2
•HR 912 IH
(1) in paragraph (4), by striking ‘‘and’’ at the 1
end; 2
(2) in paragraph (5), by striking the period at 3
the end and inserting ‘‘; and’’; and 4
(3) by adding at the end the following: 5
‘‘(6) taking such steps as may be necessary to 6
ensure the suicide prevention hotline is protected 7
from cybersecurity incidents and eliminates known 8
cybersecurity vulnerabilities.’’. 9
(b) R
EPORTING.—Section 520E–3 of the Public 10
Health Service Act (42 U.S.C. 290bb–36c) is amended— 11
(1) by redesignating subsection (f) as sub-12
section (g); and 13
(2) by inserting after subsection (e) the fol-14
lowing: 15
‘‘(f) C
YBERSECURITYREPORTING.— 16
‘‘(1) N
OTIFICATION.— 17
‘‘(A) I
N GENERAL.—The program’s net-18
work administrator receiving Federal funding 19
pursuant to subsection (a) shall report to the 20
Assistant Secretary, in a manner that protects 21
personal privacy, consistent with applicable 22
Federal and State privacy laws— 23
‘‘(i) any identified cybersecurity 24
vulnerabilities to the program within a rea-25
VerDate Sep 11 2014 03:45 Mar 05, 2025 Jkt 059200 PO 00000 Frm 00002 Fmt 6652 Sfmt 6201 E:\BILLS\H912.IH H912
ssavage on LAPJG3WLY3PROD with BILLS 3
•HR 912 IH
sonable amount of time after identification 1
of such a vulnerability; and 2
‘‘(ii) any identified cybersecurity inci-3
dents to the program within a reasonable 4
amount of time after identification of such 5
incident. 6
‘‘(B) L
OCAL AND REGIONAL CRISIS CEN -7
TERS.—Local and regional crisis centers par-8
ticipating in the program shall report to the 9
program’s network administrator identified 10
under subparagraph (A), in a manner that pro-11
tects personal privacy, consistent with applica-12
ble Federal and State privacy laws— 13
‘‘(i) any identified cybersecurity 14
vulnerabilities to the program within a rea-15
sonable amount of time after identification 16
of such vulnerability; and 17
‘‘(ii) any identified cybersecurity inci-18
dents to the program within a reasonable 19
amount of time after identification of such 20
incident. 21
‘‘(2) N
OTIFICATION.—If the program’s network 22
administrator receiving funding pursuant to sub-23
section (a) discovers, or is informed by a local or re-24
gional crisis center pursuant to paragraph (1)(B) of, 25
VerDate Sep 11 2014 03:45 Mar 05, 2025 Jkt 059200 PO 00000 Frm 00003 Fmt 6652 Sfmt 6201 E:\BILLS\H912.IH H912
ssavage on LAPJG3WLY3PROD with BILLS 4
•HR 912 IH
a cybersecurity vulnerability or incident, within a 1
reasonable amount of time after such discovery or 2
receipt of information, such entity shall report the 3
vulnerability or incident to the Assistant Secretary. 4
‘‘(3) C
LARIFICATION.— 5
‘‘(A) O
VERSIGHT.— 6
‘‘(i) L
OCAL AND REGIONAL CRISIS 7
CENTERS.—Except as provided in clause 8
(ii), local and regional crisis centers par-9
ticipating in the program shall oversee all 10
technology each center employs in the pro-11
vision of services as a participant in the 12
program. 13
‘‘(ii) N
ETWORK ADMINISTRATOR .— 14
The program’s network administrator re-15
ceiving Federal funding pursuant to sub-16
section (a) shall oversee the technology 17
each crisis center employs in the provision 18
of services as a participant in the program 19
if such oversight responsibilities are estab-20
lished in the applicable network participa-21
tion agreement. 22
‘‘(B) S
UPPLEMENT, NOT SUPPLANT.—The 23
cybersecurity incident reporting requirements 24
under this subsection shall supplement, and not 25
VerDate Sep 11 2014 03:45 Mar 05, 2025 Jkt 059200 PO 00000 Frm 00004 Fmt 6652 Sfmt 6201 E:\BILLS\H912.IH H912
ssavage on LAPJG3WLY3PROD with BILLS 5
•HR 912 IH
supplant, cybersecurity incident reporting re-1
quirements under other provisions of applicable 2
Federal law that are in effect on the date of the 3
enactment of the 9–8–8 Lifeline Cybersecurity 4
Responsibility Act.’’. 5
(c) S
TUDY.—Not later than 180 days after the date 6
of the enactment of this Act, the Comptroller General of 7
the United States shall— 8
(1) conduct and complete a study that evaluates 9
cybersecurity risks and vulnerabilities associated 10
with the 9–8–8 National Suicide Prevention Lifeline; 11
and 12
(2) submit a report on the findings of such 13
study to the Committee on Health, Education, 14
Labor, and Pensions of the Senate and the Com-15
mittee on Energy and Commerce of the House of 16
Representatives. 17
Æ
VerDate Sep 11 2014 03:45 Mar 05, 2025 Jkt 059200 PO 00000 Frm 00005 Fmt 6652 Sfmt 6301 E:\BILLS\H912.IH H912
ssavage on LAPJG3WLY3PROD with BILLS