New Mexico 2025 Regular Session

New Mexico Senate Bill SB254 Compare Versions

Only one version of the bill is available at this time.

Old	New	Differences
1	1	underscored material = new
2	2	[bracketed material] = delete
3	3	1
4	4	2
5	5	3
6	6	4
7	7	5
8	8	6
9	9	7
10	10	8
11	11	9
12	12	10
13	13	11
14	14	12
15	15	13
16	16	14
17	17	15
18	18	16
19	19	17
20	20	18
21	21	19
22	22	20
23	23	21
24	24	22
25	25	23
26	26	24
27	27	25
28	28	SENATE BILL 254
29	29	57
30	30	TH LEGISLATURE
31	31	-
32	32
33	33	STATE
34	34
35	35	OF
36	36
37	37	NEW
38	38
39	39	MEXICO
40	40
41	41	-
42	42	FIRST SESSION
43	43	,
44	44
45	45	2025
46	46	INTRODUCED BY
47	47	Michael Padilla
48	48	AN ACT
49	49	RELATING TO CYBERSECURITY; AMENDING THE CYBERSECURITY ACT;
50	50	CHANGING THE NAME AND DUTIES OF THE CYBERSECURITY OFFICE;
51	51	CHANGING THE MEMBERSHIP OF THE CYBERSECURITY ADVISORY
52	52	COMMITTEE.
53	53	BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:
54	54	SECTION 1. Section 9-27A-3 NMSA 1978 (being Laws 2023,
55	55	Chapter 115, Section 3) is amended to read:
56	56	"9-27A-3. [CYBERSECURITY ] OFFICE OF CYBERSECURITY
57	57	CREATED--SECURITY OFFICER--DUTIES AND POWERS.--
58	58	A. The "[cybersecurity ] office of cybersecurity " is
59	59	created and is administratively attached to the department of
60	60	information technology. The office shall be managed by the
61	61	security officer.
62	62	B. Except as required by federal law, the
63	63	.229897.2 underscored material = new
64	64	[bracketed material] = delete
65	65	1
66	66	2
67	67	3
68	68	4
69	69	5
70	70	6
71	71	7
72	72	8
73	73	9
74	74	10
75	75	11
76	76	12
77	77	13
78	78	14
79	79	15
80	80	16
81	81	17
82	82	18
83	83	19
84	84	20
85	85	21
86	86	22
87	87	23
88	88	24
89	89	25
90	90	[cybersecurity] office of cybersecurity shall oversee, in a
91	91	fiscally responsible manner, cybersecurity- and information
92	92	security-related functions for agencies and may:
93	93	(1) adopt and implement rules establishing
94	94	minimum security standards and policies to protect agency
95	95	information technology systems and infrastructure and provide
96	96	appropriate governance and application of the standards and
97	97	policies across information technology resources used by
98	98	agencies to promote the availability, security and integrity of
99	99	the information processed, transacted or stored by agencies in
100	100	the state's information technology infrastructure and systems;
101	101	(2) develop minimum cybersecurity controls for
102	102	managing and protecting information technology assets and
103	103	infrastructure for all entities that are connected to [an
104	104	agency-operated or -owned ] a state-operated or state-owned
105	105	telecommunications network;
106	106	(3) consistent with information security
107	107	standards, monitor agency information technology networks to
108	108	detect security incidents and support mitigation efforts as
109	109	necessary and within capabilities;
110	110	(4) as reasonably necessary to perform its
111	111	monitoring and detection duties, obtain agency system event
112	112	logs to support monitoring and detection pursuant to Paragraph
113	113	(3) of this subsection;
114	114	(5) in coordination with state and federal
115	115	.229897.2
116	116	- 2 - underscored material = new
117	117	[bracketed material] = delete
118	118	1
119	119	2
120	120	3
121	121	4
122	122	5
123	123	6
124	124	7
125	125	8
126	126	9
127	127	10
128	128	11
129	129	12
130	130	13
131	131	14
132	132	15
133	133	16
134	134	17
135	135	18
136	136	19
137	137	20
138	138	21
139	139	22
140	140	23
141	141	24
142	142	25
143	143	cybersecurity emergency management agencies as appropriate,
144	144	create a model incident-response plan for public bodies to
145	145	adopt with the [cybersecurity ] office of cybersecurity as the
146	146	incident-response coordinator for incidents that:
147	147	(a) impact multiple public bodies;
148	148	(b) impact more than ten thousand
149	149	residents of the state;
150	150	(c) involve a nation-state actor; or
151	151	(d) involve the marketing or transfer of
152	152	confidential data derived from a breach of cybersecurity;
153	153	(6) serve as a cybersecurity resource for
154	154	local governments;
155	155	(7) develop a service catalog of cybersecurity
156	156	services to be offered to agencies and to political
157	157	subdivisions of the state;
158	158	(8) collaborate with agencies in developing
159	159	standards, functions and services in order to ensure the agency
160	160	regulatory environments are understood and considered as part
161	161	of a cybersecurity incident response;
162	162	(9) establish core services to support minimum
163	163	security standards and policies;
164	164	(10) establish minimum data classification
165	165	policies and standards and design controls to support
166	166	compliance with classifications and report on exceptions;
167	167	(11) develop and issue cybersecurity awareness
168	168	.229897.2
169	169	- 3 - underscored material = new
170	170	[bracketed material] = delete
171	171	1
172	172	2
173	173	3
174	174	4
175	175	5
176	176	6
177	177	7
178	178	8
179	179	9
180	180	10
181	181	11
182	182	12
183	183	13
184	184	14
185	185	15
186	186	16
187	187	17
188	188	18
189	189	19
190	190	20
191	191	21
192	192	22
193	193	23
194	194	24
195	195	25
196	196	policies and training standards and develop and offer
197	197	cybersecurity training services; and
198	198	(12) establish a centralized cybersecurity and
199	199	data breach reporting process for agencies and political
200	200	subdivisions of the state."
201	201	SECTION 2. Section 9-27A-5 NMSA 1978 (being Laws 2023,
202	202	Chapter 115, Section 5) is amended to read:
203	203	"9-27A-5. CYBERSECURITY ADVISORY COMMITTEE CREATED--
204	204	MEMBERSHIP--DUTIES.--
205	205	A. The "cybersecurity advisory committee" is
206	206	created within the [cybersecurity ] office of cybersecurity and
207	207	shall:
208	208	(1) assist the office in the development of:
209	209	(a) a statewide cybersecurity plan;
210	210	(b) guidelines for best cybersecurity
211	211	practices for agencies; and
212	212	(c) recommendations on how to respond to
213	213	a specific cybersecurity threat or attack; and
214	214	(2) have authority over the hiring,
215	215	supervision, discipline and compensation of the security
216	216	officer.
217	217	B. The security officer or the security officer's
218	218	designee shall chair [and be an advisory nonvoting member of ]
219	219	the cybersecurity advisory committee; provided that the
220	220	security officer shall be recused from deliberations and votes
221	221	.229897.2
222	222	- 4 - underscored material = new
223	223	[bracketed material] = delete
224	224	1
225	225	2
226	226	3
227	227	4
228	228	5
229	229	6
230	230	7
231	231	8
232	232	9
233	233	10
234	234	11
235	235	12
236	236	13
237	237	14
238	238	15
239	239	16
240	240	17
241	241	18
242	242	19
243	243	20
244	244	21
245	245	22
246	246	23
247	247	24
248	248	25
249	249	concerning supervision, discipline or compensation of the
250	250	security officer and the secretary of information technology
251	251	shall chair those deliberations. The remaining members consist
252	252	of:
253	253	(1) the secretary of information technology or
254	254	the secretary's designee;
255	255	(2) [the principal information technology
256	256	staff person for the administrative office of the courts or the
257	257	director's designee] one member appointed by the chief justice
258	258	of the supreme court who is experienced with cybersecurity
259	259	issues;
260	260	(3) [the director of the legislative council
261	261	service or the director's designee ] a member of the legislature
262	262	appointed by the New Mexico legislative council who is familiar
263	263	with cybersecurity issues ;
264	264	(4) one member appointed by the secretary
265	265	of Indian affairs who is experienced with cybersecurity issues;
266	266	(5) [three] two members appointed by the chair
267	267	of the board of directors of the New Mexico association of
268	268	counties who represent county governmental agencies and who are
269	269	experienced with cybersecurity issues; provided that at least
270	270	one member shall represent a county other than a class A or H
271	271	class county;
272	272	(6) [three] two members appointed by the chair
273	273	of the board of directors of the New Mexico municipal league
274	274	.229897.2
275	275	- 5 - underscored material = new
276	276	[bracketed material] = delete
277	277	1
278	278	2
279	279	3
280	280	4
281	281	5
282	282	6
283	283	7
284	284	8
285	285	9
286	286	10
287	287	11
288	288	12
289	289	13
290	290	14
291	291	15
292	292	16
293	293	17
294	294	18
295	295	19
296	296	20
297	297	21
298	298	22
299	299	23
300	300	24
301	301	25
302	302	who represent municipal governmental agencies and who are
303	303	experienced with cybersecurity issues; provided that only one
304	304	member may represent a home rule municipality; and
305	305	(7) [three] four members appointed by the
306	306	governor who [may represent separate agencies other than the
307	307	department of information technology and ] are experienced with
308	308	cybersecurity issues; provided that at least one appointee
309	309	shall be:
310	310	(a) an educator or employed by an
311	311	education institution;
312	312	(b) a health care provider or employed
313	313	by a health care provider;
314	314	(c) employed by the homeland security
315	315	and emergency management department; and
316	316	(d) a private sector cybersecurity
317	317	expert or employed by a business offering cybersecurity
318	318	services.
319	319	C. The cybersecurity advisory committee may invite
320	320	representatives of unrepresented county, municipal or tribal
321	321	agencies or other public entities to participate as advisory
322	322	members of the committee as it determines that their
323	323	participation would be useful to the deliberations of the
324	324	committee.
325	325	D. A meeting of and material presented to or
326	326	generated by the cybersecurity advisory committee are subject
327	327	.229897.2
328	328	- 6 - underscored material = new
329	329	[bracketed material] = delete
330	330	1
331	331	2
332	332	3
333	333	4
334	334	5
335	335	6
336	336	7
337	337	8
338	338	9
339	339	10
340	340	11
341	341	12
342	342	13
343	343	14
344	344	15
345	345	16
346	346	17
347	347	18
348	348	19
349	349	20
350	350	21
351	351	22
352	352	23
353	353	24
354	354	25
355	355	to the Open Meetings Act and the Inspection of Public Records
356	356	Act subject to an exception for a meeting or material
357	357	concerning information that could, if made public, expose a
358	358	vulnerability in:
359	359	(1) an information system owned or operated by
360	360	a public entity; or
361	361	(2) a cybersecurity solution implemented by a
362	362	public entity.
363	363	E. Pursuant to the Cybersecurity Act or other
364	364	statutory authority, the security officer may issue orders
365	365	regarding the compliance of agencies with guidelines or
366	366	recommendations of the cybersecurity advisory committee;
367	367	however, compliance with those guidelines or recommendations by
368	368	non-executive agencies or county, municipal or tribal
369	369	governments shall be strictly voluntary.
370	370	F. The cybersecurity advisory committee shall hold
371	371	its first meeting on or before August 16, 2023 and shall meet
372	372	every two months at minimum after that; provided that the
373	373	security officer shall have the discretion to call for more
374	374	frequent meetings as circumstances warrant. At the discretion
375	375	of the security officer, the committee may issue advisory
376	376	reports regarding cybersecurity issues.
377	377	G. The cybersecurity advisory committee shall
378	378	present a report to the legislative finance committee and the
379	379	appropriate legislative interim committee concerned with
380	380	.229897.2
381	381	- 7 - underscored material = new
382	382	[bracketed material] = delete
383	383	1
384	384	2
385	385	3
386	386	4
387	387	5
388	388	6
389	389	7
390	390	8
391	391	9
392	392	10
393	393	11
394	394	12
395	395	13
396	396	14
397	397	15
398	398	16
399	399	17
400	400	18
401	401	19
402	402	20
403	403	21
404	404	22
405	405	23
406	406	24
407	407	25
408	408	information technology at those committees' November 2023
409	409	meetings and to the governor by November 30, 2023 regarding the
410	410	status of cybersecurity preparedness within agencies and
411	411	elsewhere in the state. On or before October 30, 2024 and on
412	412	or before October 30 of each subsequent year, the
413	413	[cybersecurity] office of cybersecurity shall present updated
414	414	reports to the legislative committees and the governor. The
415	415	reports to legislative committees shall be in executive
416	416	session, and any materials connected with the report
417	417	presentations are exempt from the Inspection of Public Records
418	418	Act.
419	419	H. The members of the cybersecurity advisory
420	420	committee shall receive no pay for their services as members of
421	421	the committee, but shall be allowed per diem and mileage
422	422	pursuant to the provisions of the Per Diem and Mileage Act.
423	423	All per diem and contingent expenses incurred by the
424	424	[cybersecurity] office of cybersecurity shall be paid upon
425	425	warrants of the secretary of finance and administration,
426	426	supported by vouchers of the security officer."
427	427	- 8 -
428	428	.229897.2