119TH CONGRESS
1ST SESSION

S. 1007

To amend title V of the Public Health Service Act to secure the suicide prevention lifeline from cybersecurity incidents, and for other purposes.

IN THE SENATE OF THE UNITED STATES

MARCH 12, 2025

Mr. MULLIN (for himself and Mr. PADILLA) introduced the following bill; which was read twice and referred to the Committee on Health, Education, Labor, and Pensions

A BILL

To amend title V of the Public Health Service Act to secure the suicide prevention lifeline from cybersecurity incidents, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the “9–8–8 Lifeline Cybersecurity Responsibility Act”.

SEC. 2. PROTECTING SUICIDE PREVENTION LIFELINE FROM CYBERSECURITY INCIDENTS.

(a) NATIONAL SUICIDE PREVENTION LIFELINE PROGRAM.—Section 520E–3(b) of the Public Health Service Act (42 U.S.C. 290bb–36c(b)) is amended—

    (1) in paragraph (4), by striking “and” at the end;

    (2) in paragraph (5), by striking the period at the end and inserting “; and”; and

    (3) by adding at the end the following:

    “(6) coordinating with the Chief Information Security Officer of the Department of Health and Human Services to take such steps as may be necessary to ensure the program is protected from cybersecurity incidents and eliminates known cybersecurity vulnerabilities.”.

(b) REPORTING.—Section 520E–3 of the Public Health Service Act (42 U.S.C. 290bb–36c) is amended—

    (1) by redesignating subsection (f) as subsection (g); and

    (2) by inserting after subsection (e) the following:

“(f) CYBERSECURITY REPORTING.—

    “(1) IN GENERAL.—

        “(A) IN GENERAL.—The program’s network administrator receiving Federal funding pursuant to subsection (a) shall report to the Assistant Secretary, in a manner that protects personal privacy, consistent with applicable Federal and State privacy laws—

            “(i) any identified cybersecurity vulnerabilities to the program within 24 hours of identification of such a vulnerability; and

            “(ii) any identified cybersecurity incidents to the program within 24 hours of identification of such incident.

        “(B) LOCAL AND REGIONAL CRISIS CENTERS.—Local and regional crisis centers participating in the program shall report to the program’s network administrator described in subparagraph (A), in a manner that protects personal privacy, consistent with applicable Federal and State privacy laws—

            “(i) any identified cybersecurity vulnerabilities to the program within 24 hours of identification of such vulnerability; and

            “(ii) any identified cybersecurity incidents to the program within 24 hours of identification of such incident.

    “(2) NOTIFICATION.—If the program’s network administrator receiving funding pursuant to subsection (a) discovers, or is informed by a local or regional crisis center pursuant to paragraph (1)(B) of, a cybersecurity vulnerability or incident described in such paragraph, within 24 hours of such discovery or receipt of information, such entity shall report the vulnerability or incident to the Assistant Secretary.

    “(3) CLARIFICATION.—

        “(A) OVERSIGHT.—

            “(i) LOCAL AND REGIONAL CRISIS CENTER.—Except as provided in clause (ii), local and regional crisis centers participating in the program shall oversee all technology each center employs in the provision of services as a participant in the program.

            “(ii) NETWORK ADMINISTRATOR.—The program’s network administrator receiving Federal funding pursuant to subsection (a) shall oversee the technology each crisis center employs in the provision of services as a participant in the program if such oversight responsibilities are established in the applicable network participation agreement.

        “(B) SUPPLEMENT, NOT SUPPLANT.—The cybersecurity incident reporting requirements under this subsection shall supplement, and not supplant, cybersecurity incident reporting requirements under other provisions of applicable Federal law that are in effect on the date of the enactment of the 9–8–8 Lifeline Cybersecurity Responsibility Act.”.

(c) STUDY.—Not later than 180 days after the date of the enactment of this Act, the Comptroller General of the United States shall—

    (1) conduct and complete a study that evaluates cybersecurity risks and vulnerabilities associated with the 9–8–8 National Suicide Prevention Lifeline; and

    (2) submit a report of the findings of such study to the Committee on Energy and Commerce of the House of Representatives and the Committee on Health, Education, Labor, and Pensions of the Senate.