HR 912119th CongressIn Committee

9–8–8 Lifeline Cybersecurity Responsibility Act

Introduced: Feb 4, 2025

Standard Summary

Comprehensive overview in 1-2 paragraphs

The 9–8–8 Lifeline Cybersecurity Responsibility Act would strengthen protections for the national suicide prevention lifeline (the 9–8–8 system) by requiring dedicated steps to shield the hotline from cybersecurity incidents and to address known vulnerabilities. It amends the Public Health Service Act to mandate proactive cybersecurity measures and to establish formal reporting channels so vulnerabilities and incidents are identified and reported promptly to the federal level, while preserving privacy protections. The bill also directs an immediate evaluation of cybersecurity risks through a Comptroller General study within 180 days of enactment. Key elements include creating a clear responsibility framework among the program’s network administrator (the entity receiving federal funding for the lifeline) and local/regional crisis centers, requiring timely reporting of vulnerabilities and incidents, and ensuring that reporting supplements other applicable federal cybersecurity requirements. The act’s aim is to reduce downtime or disruptions to the 9–8–8 Lifeline and improve resilience against cyber threats, with a formal GAO/Comptroller General study to assess ongoing risks. Sponsors listed in the bill introduction are Rep. Obernolte (along with Rep. Dingell), and the bill was referred to the Committee on Energy and Commerce.

Key Points

1Amends title V of the Public Health Service Act to require proactive steps to protect the 9–8–8 suicide prevention lifeline from cybersecurity incidents and to remediate known cybersecurity vulnerabilities.
2Establishes cybersecurity reporting requirements:
3- The program’s network administrator (the federally funded entity for the lifeline) must report identified vulnerabilities and incidents to the Assistant Secretary in a privacy-protective way.
4- Local and regional crisis centers participating in the program must report vulnerabilities and incidents to the program’s network administrator, also with privacy protections.
5Specifies for reporting:
6- Both vulnerabilities and incidents must be reported within a reasonable amount of time after identification or receipt of information.
7- If the network administrator discovers a vulnerability or is informed of one by a local center, the administrator must report it to the Assistant Secretary within a reasonable time.
8Clarifies oversight and reporting relationships:
9- Local/regional crisis centers oversee the technology they use unless otherwise specified in a network participation agreement.
10- The network administrator oversees technology if oversight responsibilities are established in the agreement.
11- The reporting requirements are intended to supplement, not replace, other federal cybersecurity reporting requirements.
12Provides for a Comptroller General study (GAO) within 180 days of enactment to evaluate cybersecurity risks and vulnerabilities related to the 9–8–8 Lifeline, with a report to key Senate and House committees.

Impact Areas

Primary group/area affected- Entities involved in the 9–8–8 Lifeline: the program’s network administrator (the federally funded entity), and local and regional crisis centers that operate as part of the lifeline network.Secondary group/area affected- Federal program administrators (Assistant Secretary) and agencies implementing privacy protections; states and localities that administer or interact with the lifeline network under privacy laws.Additional impacts- Increased compliance and reporting duties for funded program entities, with privacy protections for individuals.- Potential improvements in cybersecurity resilience and faster detection/containment of vulnerabilities and incidents affecting the lifeline.- Administrative and potential funding implications to support enhanced cybersecurity measures and GAO/Comptroller General study activities.

Generated by gpt-5-nano on Nov 18, 2025