Adds cybersecurity rules for the 9-8-8 National Suicide Prevention Lifeline: requires program leaders to work with the HHS Chief Information Security Officer to fix known vulnerabilities, mandates 24-hour reporting for vulnerabilities and incidents, clarifies who oversees crisis-center technology, and orders a Comptroller General study and report on 9-8-8 cybersecurity risks within 180 days.
Amends Section 520E–3(b) of the Public Health Service Act to add a new paragraph (6) requiring the national suicide prevention lifeline program to coordinate with the Department of Health and Human Services Chief Information Security Officer to take steps to protect the program from cybersecurity incidents and eliminate known cybersecurity vulnerabilities.
Redesignates existing subsection (f) of Section 520E–3 as subsection (g).
Inserts a new subsection (f) titled 'Cybersecurity reporting' that requires the program’s network administrator who receives Federal funding under subsection (a) to report any identified cybersecurity vulnerabilities and any identified cybersecurity incidents to the Assistant Secretary within 24 hours of identification, while protecting personal privacy consistent with federal and state law.
Requires local and regional crisis centers participating in the program to report any identified cybersecurity vulnerabilities and incidents to the program’s network administrator within 24 hours of identification, in a manner that protects personal privacy and is consistent with applicable Federal and State privacy laws.
If the program’s network administrator discovers, or is informed by a local or regional crisis center of, a cybersecurity vulnerability or incident, that network administrator must report the vulnerability or incident to the Assistant Secretary within 24 hours of discovery or receipt of the information.
Primary effects fall on the 9-8-8 program, including Lifeline program leaders, crisis center operators, and the technology vendors and service providers they use. Operators will need to adopt or update incident-detection and reporting processes to meet 24-hour timelines and coordinate remediation with the HHS CISO. That may require operational changes, faster communications, possible technology upgrades, and vendor coordination. Callers and people seeking help should benefit from stronger protections for data privacy and improved service continuity if vulnerabilities are fixed and incidents are handled faster. HHS personnel (especially the CISO office) will have a more active role in oversight and remediation work. The mandated GAO study will provide Congress with an independent assessment and likely recommendations; its findings could spur further legislative or funding action. Because the text does not specify funding, smaller crisis centers and nonprofit operators may face financial or technical burdens to meet new requirements unless additional resources are provided later.
Last progress March 12, 2025
Introduced on March 12, 2025 by Markwayne Mullin
Read twice and referred to the Committee on Health, Education, Labor, and Pensions.