9–8–8 Lifeline Cybersecurity Responsibility Act

This bill focuses on keeping the 9-8-8 National Suicide Prevention Lifeline safe from cyber attacks and other security problems. It tells the program to work with the Chief Information Security Officer at the Department of Health and Human Services to protect the system and fix known weaknesses.

It sets fast reporting rules. The program’s network administrator must report any found cybersecurity weaknesses or incidents within 24 hours to the Assistant Secretary. Local and regional crisis centers must report issues to the network administrator within 24 hours, and the administrator then has 24 hours to notify the Assistant Secretary. Centers generally manage their own technology, unless their agreement says the network administrator will do it. These reporting rules add to, and do not replace, other federal reporting requirements. The bill also orders a federal study of 9-8-8’s cybersecurity risks, due within 180 days of the law taking effect.

• Who is affected: The 9-8-8 program’s network administrator, local and regional crisis centers, and HHS’s Chief Information Security Officer.
• What changes: Required coordination with HHS on cybersecurity; 24-hour reporting of vulnerabilities and incidents; clarity on who oversees technology; and a federal study of 9-8-8’s cyber risks .
• When: Reports must be made within 24 hours; the cybersecurity study is due within 180 days after enactment .