9–8–8 Lifeline Cybersecurity Responsibility Act

AI Summary

No AI Summary Available

Click the button above to generate an AI-powered summary of this bill using Claude.

The summary will analyze the bill's key provisions, impact, and implementation details.

Latest Action

Mar 12, 2025

Read twice and referred to the Committee on Health, Education, Labor, and Pensions.

Actions (2)

Read twice and referred to the Committee on Health, Education, Labor, and Pensions.

Type: IntroReferral | Source: Senate

Mar 12, 2025

Introduced in Senate

Type: IntroReferral | Source: Library of Congress | Code: 10000

Mar 12, 2025

Subjects (7)

Computer security and identity theft Congressional oversight Emergency communications systems Government information and archives Government studies and investigations Health (Policy Area) Mental health

Cosponsors (1)

Sen. Padilla, Alex [D-CA]

(D-CA)
Mar 12, 2025

Text Versions (1)

Introduced in Senate

Mar 12, 2025

PDF ↗ XML ↗

Full Bill Text

Length: 5,333 characters Version: Introduced in Senate Version Date: Mar 12, 2025 Last Updated: Nov 12, 2025 6:19 AM

[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 1007 Introduced in Senate

(IS) ]

<DOC>

119th CONGRESS
1st Session
S. 1007

To amend title V of the Public Health Service Act to secure the suicide
prevention lifeline from cybersecurity incidents, and for other
purposes.

_______________________________________________________________________

IN THE SENATE OF THE UNITED STATES

March 12, 2025

Mr. Mullin (for himself and Mr. Padilla) introduced the following bill;
which was read twice and referred to the Committee on Health,
Education, Labor, and Pensions

_______________________________________________________________________

A BILL

To amend title V of the Public Health Service Act to secure the suicide
prevention lifeline from cybersecurity incidents, and for other
purposes.

Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,

SECTION 1.

This Act may be cited as the ``9-8-8 Lifeline Cybersecurity
Responsibility Act''.

SEC. 2.

INCIDENTS.

(a) National Suicide Prevention Lifeline Program.--

Section 520E- 3 (b) of the Public Health Service Act (42 U.

3

(b) of the Public Health Service Act (42 U.S.C. 290bb-36c

(b) ) is
amended--

(1) in paragraph

(4) , by striking ``and'' at the end;

(2) in paragraph

(5) , by striking the period at the end and
inserting ``; and''; and

(3) by adding at the end the following:
``

(6) coordinating with the Chief Information Security
Officer of the Department of Health and Human Services to take
such steps as may be necessary to ensure the program is
protected from cybersecurity incidents and eliminates known
cybersecurity vulnerabilities.''.

(b) Reporting.--

Section 520E-3 of the Public Health Service Act (42 U.

U.S.C. 290bb-36c) is amended--

(1) by redesignating subsection

(f) as subsection

(g) ; and

(2) by inserting after subsection

(e) the following:
``

(f) Cybersecurity Reporting.--
``

(1) In general.--
``
(A) In general.--The program's network
administrator receiving Federal funding pursuant to
subsection

(a) shall report to the Assistant Secretary,
in a manner that protects personal privacy, consistent
with applicable Federal and State privacy laws--
``
(i) any identified cybersecurity
vulnerabilities to the program within 24 hours
of identification of such a vulnerability; and
``
(ii) any identified cybersecurity
incidents to the program within 24 hours of
identification of such incident.
``
(B) Local and regional crisis centers.--Local and
regional crisis centers participating in the program
shall report to the program's network administrator
described in subparagraph
(A) , in a manner that
protects personal privacy, consistent with applicable
Federal and State privacy laws--
``
(i) any identified cybersecurity
vulnerabilities to the program within 24 hours
of identification of such vulnerability; and
``
(ii) any identified cybersecurity
incidents to the program within 24 hours of
identification of such incident.
``

(2) Notification.--If the program's network administrator
receiving funding pursuant to subsection

(a) discovers, or is
informed by a local or regional crisis center pursuant to
paragraph

(1)
(B) of, a cybersecurity vulnerability or incident
described in such paragraph, within 24 hours of such discovery
or receipt of information, such entity shall report the
vulnerability or incident to the Assistant Secretary.
``

(3) Clarification.--
``
(A) Oversight.--
``
(i) Local and regional crisis center.--
Except as provided in clause
(ii) , local and
regional crisis centers participating in the
program shall oversee all technology each
center employs in the provision of services as
a participant in the program.
``
(ii) Network administrator.-- The
program's network administrator receiving
Federal funding pursuant to subsection

(a) shall oversee the technology each crisis center
employs in the provision of services as a
participant in the program if such oversight
responsibilities are established in the
applicable network participation agreement.
``
(B) Supplement, not supplant.--The cybersecurity
incident reporting requirements under this subsection
shall supplement, and not supplant, cybersecurity
incident reporting requirements under other provisions
of applicable Federal law that are in effect on the
date of the enactment of the 9-8-8 Lifeline
Cybersecurity Responsibility Act.''.
(c) Study.--Not later than 180 days after the date of the enactment
of this Act, the Comptroller General of the United States shall--

(1) conduct and complete a study that evaluates
cybersecurity risks and vulnerabilities associated with the 9-
8-8 National Suicide Prevention Lifeline; and

(2) submit a report of the findings of such study to the
Committee on Energy and Commerce of the House of
Representatives and the Committee on Health, Education, Labor,
and Pensions of the Senate.
<all>

[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 1007 Introduced in Senate

    (IS) ]

<DOC>

119th CONGRESS
 1st Session
 S. 1007

To amend title V of the Public Health Service Act to secure the suicide 
 prevention lifeline from cybersecurity incidents, and for other 
 purposes.

_______________________________________________________________________

 IN THE SENATE OF THE UNITED STATES

 March 12, 2025

Mr. Mullin (for himself and Mr. Padilla) introduced the following bill; 
 which was read twice and referred to the Committee on Health, 
 Education, Labor, and Pensions

_______________________________________________________________________

 A BILL

To amend title V of the Public Health Service Act to secure the suicide 
 prevention lifeline from cybersecurity incidents, and for other 
 purposes.

 Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

 This Act may be cited as the ``9-8-8 Lifeline Cybersecurity 
Responsibility Act''.

SEC. 2. PROTECTING SUICIDE PREVENTION LIFELINE FROM CYBERSECURITY 
 INCIDENTS.

    (a) National Suicide Prevention Lifeline Program.--

Section 520E-
3

    (b) of the Public Health Service Act (42 U.S.C. 290bb-36c

    (b) ) is 
amended--

    (1) in paragraph

    (4) , by striking ``and'' at the end;

    (2) in paragraph

    (5) , by striking the period at the end and 
 inserting ``; and''; and

    (3) by adding at the end the following:
 ``

    (6) coordinating with the Chief Information Security 
 Officer of the Department of Health and Human Services to take 
 such steps as may be necessary to ensure the program is 
 protected from cybersecurity incidents and eliminates known 
 cybersecurity vulnerabilities.''.

    (b) Reporting.--

Section 520E-3 of the Public Health Service Act (42 
U.S.C. 290bb-36c) is amended--

    (1) by redesignating subsection

    (f) as subsection

    (g) ; and

    (2) by inserting after subsection

    (e) the following:
 ``

    (f) Cybersecurity Reporting.--
 ``

    (1) In general.--
 ``
        (A) In general.--The program's network 
 administrator receiving Federal funding pursuant to 
 subsection

    (a) shall report to the Assistant Secretary, 
 in a manner that protects personal privacy, consistent 
 with applicable Federal and State privacy laws--
 ``
            (i) any identified cybersecurity 
 vulnerabilities to the program within 24 hours 
 of identification of such a vulnerability; and
 ``
            (ii) any identified cybersecurity 
 incidents to the program within 24 hours of 
 identification of such incident.
 ``
        (B) Local and regional crisis centers.--Local and 
 regional crisis centers participating in the program 
 shall report to the program's network administrator 
 described in subparagraph
        (A) , in a manner that 
 protects personal privacy, consistent with applicable 
 Federal and State privacy laws--
 ``
            (i) any identified cybersecurity 
 vulnerabilities to the program within 24 hours 
 of identification of such vulnerability; and
 ``
            (ii) any identified cybersecurity 
 incidents to the program within 24 hours of 
 identification of such incident.
 ``

    (2) Notification.--If the program's network administrator 
 receiving funding pursuant to subsection

    (a) discovers, or is 
 informed by a local or regional crisis center pursuant to 
 paragraph

    (1)
        (B) of, a cybersecurity vulnerability or incident 
 described in such paragraph, within 24 hours of such discovery 
 or receipt of information, such entity shall report the 
 vulnerability or incident to the Assistant Secretary.
 ``

    (3) Clarification.--
 ``
        (A) Oversight.--
 ``
            (i) Local and regional crisis center.--
 Except as provided in clause
            (ii) , local and 
 regional crisis centers participating in the 
 program shall oversee all technology each 
 center employs in the provision of services as 
 a participant in the program.
 ``
            (ii) Network administrator.-- The 
 program's network administrator receiving 
 Federal funding pursuant to subsection

    (a) shall oversee the technology each crisis center 
 employs in the provision of services as a 
 participant in the program if such oversight 
 responsibilities are established in the 
 applicable network participation agreement.
 ``
        (B) Supplement, not supplant.--The cybersecurity 
 incident reporting requirements under this subsection 
 shall supplement, and not supplant, cybersecurity 
 incident reporting requirements under other provisions 
 of applicable Federal law that are in effect on the 
 date of the enactment of the 9-8-8 Lifeline 
 Cybersecurity Responsibility Act.''.
            (c) Study.--Not later than 180 days after the date of the enactment 
of this Act, the Comptroller General of the United States shall--

    (1) conduct and complete a study that evaluates 
 cybersecurity risks and vulnerabilities associated with the 9-
 8-8 National Suicide Prevention Lifeline; and

    (2) submit a report of the findings of such study to the 
 Committee on Energy and Commerce of the House of 
 Representatives and the Committee on Health, Education, Labor, 
 and Pensions of the Senate.
 <all>

View original source ↗

119-s1007