HR 912 Introduced

988-Line Cybersecurity

Last month, Rep Obernolte (R,CA) introduced HR 912, the 9–8–8 Lifeline Cybersecurity Responsibility Act. This bill would establish broadly written cybersecurity requirements for the National Suicide Prevention Lifeline Program. No new funding is provided in the legislation.

This bill is very similar to HR 498 that was introduced by Obernolte in January of 2023. After hearing testimony on this bill in February of 2023, the House Energy and Commerce Committee held a business meeting on March 23, 2023 that included consideration of the bill. After amending the language of the bill, the Committee adopted the measure by a vote of 46 to 0. The Committee published their report in May of 2023. The bill was considered by the full House under the suspension of the rules process on March 5^th, 2024 and passed by a voice vote. No action was taken on the measure in the Senate. A similar bill, S 1493, was introduced in the Senate by Sen Senima (I,AZ), but no action was taken.

Minor changes were made from the engrossed language of HR 498, but those changes would have no material impact on the requirements of the legislation.

Definitions

The bill would amend 42 USC 290bb–36c. No new definitions would be added by this proposed change.

Cybersecurity Protections

Section 2(a) of the bill would amend §290bb-36c(b) by adding a new paragraph (6). That paragraph would require the Substance Abuse and Mental Health Services Administration to take “such steps as may be necessary to ensure the suicide prevention hotline is protected from cybersecurity incidents and eliminates known cybersecurity vulnerabilities.”

Cybersecurity Reporting

Section 2(b) would add a new subsection (f), Cybersecurity reporting, to §290bb-36c(b). That new subsection would require the National Suicide Prevention Lifeline’s Network Administrator to report to the Substance Abuse and Mental Health Services Administration:

• Any identified cybersecurity vulnerabilities to the program within a reasonable amount of time after identification of such a vulnerability, and

• Any identified cybersecurity incidents to the program within a reasonable amount of time after identification of such incident.

Presumably, that reporting would be based on the reporting required in subsection (f)(1)(B) from the Local And Regional Crisis Centers that actually operate local 988-Line systems to report such vulnerabilities and incidents to the Network Administrator.

Subsection (f)(3)(B) specifically clarifies that these reporting requirements “supplement, and not supplant, cybersecurity incident reporting requirements under other provisions of applicable Federal law that are in effect on the date of the enactment of the 9–8–8 Lifeline Cybersecurity Responsibility Act.”

Moving Forward

Obernolte and his sole cosponsor, Rep Dingle (D,MI), are members of the House Energy and Commerce Committee to which this bill is assigned for consideration. This means that there should be sufficient influence to see the bill considered in Committee. There has been increased concern in Congress about the increasing number of cybersecurity reporting requirements to which organizations are becoming subject. It is not clear at this point whether that concern would have an impact on this bill. That is because the bill makes clear that these requirements are being imposed because the program’s network administrator are receiving Federal funding, so it becomes an accountability issue rather than just a cybersecurity reporting issue.

Commentary

When HR 498 was introduced in 2023, I commented that:

“This is not a bill that I will be following here, it is a government system IT security bill with no specific impact on control system security. Having said that, if Congress has to go through the process of introducing legislation for each relatively minor federal program to ensure that each program has adequate cybersecurity provisions in place, we are going to see an exhaustive number of this type of legislation.”

In many ways that comment still holds true, but the point that the crafters of this bill makes about federal funding being a legitimate basis for federal oversight is too important to overlook. This is especially true when federal spending on independent programs is being so thoroughly being called into question by the Trump Administration. Not only does the federal government have a right to conduct oversight when they are paying substantial portions of the bills, but they also have an obligation to ensure that those monies are spent wisely.

Just as the crafters of this bill included the obligatory privacy language in the cybersecurity reporting requirements, perhaps it is time to consider developing similarly obligatory cybersecurity reporting requirements in this type of legislation.