Cybersecurity Act & Office Changes
One significant aspect of SB254 is its directive for the Office of Cybersecurity to create a model incident-response plan that public bodies can adopt. This model is meant to be employed in instances of security incidents affecting multiple public agencies or significant breaches involving large populations. The proposed bill also includes a framework for monitoring agency networks, which emphasizes proactive measures against security incidents. The implementation of minimum data classification standards and tailored cybersecurity training for state agencies is expected to elevate the overall cybersecurity framework in New Mexico.
Senate Bill 254 aims to bolster cybersecurity measures across state agencies in New Mexico by amending the existing Cybersecurity Act. The bill proposes the establishment of a centralized Office of Cybersecurity, tasked with overseeing cybersecurity and information security functions for state agencies. This newly structured office, headed by a designated security officer, is empowered to adopt rules for minimum security standards aimed at protecting agency information technology systems. Furthermore, it encompasses provisions for developing cybersecurity controls applicable to all entities connected to state-operated telecommunications networks.
Critically, there are concerns regarding the bill's provisions related to local government involvement in cybersecurity matters. While the bill intends to act as a resource for local governments and encourages collaboration, it is worth noting that compliance with the standards set forth in SB254 is voluntary for non-executive agencies. This aspect has lead to diverse opinions on whether the bill allows enough local autonomy to address specific cybersecurity needs and challenges faced by municipalities. Stakeholders could potentially view the degree of state control versus local agency independence as a point of contention during discussions and implementation.