New Mexico 2025 Regular Session

New Mexico Senate Bill SB254 Latest Draft

Bill / Introduced Version Filed 02/03/2025

                            underscored material = new
[bracketed material] = delete
SENATE BILL 254
57TH LEGISLATURE - STATE OF NEW MEXICO - FIRST SESSION, 2025
INTRODUCED BY
Michael Padilla
AN ACT
RELATING TO CYBERSECURITY; AMENDING THE CYBERSECURITY ACT;
CHANGING THE NAME AND DUTIES OF THE CYBERSECURITY OFFICE;
CHANGING THE MEMBERSHIP OF THE CYBERSECURITY ADVISORY
COMMITTEE.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:
SECTION 1. Section 9-27A-3 NMSA 1978 (being Laws 2023,
Chapter 115, Section 3) is amended to read:
"9-27A-3.  [CYBERSECURITY] OFFICE OF CYBERSECURITY
CREATED--SECURITY OFFICER--DUTIES AND POWERS.--
A.  The "[cybersecurity] office of cybersecurity" is
created and is administratively attached to the department of
information technology.  The office shall be managed by the
security officer.
B.  Except as required by federal law, the
[cybersecurity] office of cybersecurity shall oversee, in a
fiscally responsible manner, cybersecurity- and information
security-related functions for agencies and may:
(1)  adopt and implement rules establishing
minimum security standards and policies to protect agency
information technology systems and infrastructure and provide
appropriate governance and application of the standards and
policies across information technology resources used by
agencies to promote the availability, security and integrity of
the information processed, transacted or stored by agencies in
the state's information technology infrastructure and systems; 
(2)  develop minimum cybersecurity controls for
managing and protecting information technology assets and
infrastructure for all entities that are connected to [an
agency-operated or -owned] a state-operated or state-owned
telecommunications network;
(3)  consistent with information security
standards, monitor agency information technology networks to
detect security incidents and support mitigation efforts as
necessary and within capabilities;
(4)  as reasonably necessary to perform its
monitoring and detection duties, obtain agency system event
logs to support monitoring and detection pursuant to Paragraph
(3) of this subsection;
(5)  in coordination with state and federal
cybersecurity emergency management agencies as appropriate,
create a model incident-response plan for public bodies to
adopt with the [cybersecurity] office of cybersecurity as the
incident-response coordinator for incidents that: 
(a)  impact multiple public bodies; 
(b)  impact more than ten thousand
residents of the state;
(c)  involve a nation-state actor; or
(d)  involve the marketing or transfer of
confidential data derived from a breach of cybersecurity; 
(6)  serve as a cybersecurity resource for
local governments; 
(7)  develop a service catalog of cybersecurity
services to be offered to agencies and to political
subdivisions of the state; 
(8)  collaborate with agencies in developing
standards, functions and services in order to ensure the agency
regulatory environments are understood and considered as part
of a cybersecurity incident response; 
(9)  establish core services to support minimum
security standards and policies;
(10)  establish minimum data classification
policies and standards and design controls to support
compliance with classifications and report on exceptions;
(11)  develop and issue cybersecurity awareness
policies and training standards and develop and offer
cybersecurity training services; and
(12)  establish a centralized cybersecurity and
data breach reporting process for agencies and political
subdivisions of the state."
SECTION 2. Section 9-27A-5 NMSA 1978 (being Laws 2023,
Chapter 115, Section 5) is amended to read:
"9-27A-5.  CYBERSECURITY ADVISORY COMMITTEE CREATED--
MEMBERSHIP--DUTIES.--
A.  The "cybersecurity advisory committee" is
created within the [cybersecurity] office of cybersecurity and
shall:
(1)  assist the office in the development of:
(a)  a statewide cybersecurity plan;
(b)  guidelines for best cybersecurity
practices for agencies; and
(c)  recommendations on how to respond to
a specific cybersecurity threat or attack; and
(2)  have authority over the hiring,
supervision, discipline and compensation of the security
officer. 
B.  The security officer or the security officer's
designee shall chair [and be an advisory nonvoting member of]
the cybersecurity advisory committee; provided that the
security officer shall be recused from deliberations and votes
concerning supervision, discipline or compensation of the
security officer and the secretary of information technology
shall chair those deliberations.  The remaining members consist
of:
(1)  the secretary of information technology or
the secretary's designee;
(2)  [the principal information technology
staff person for the administrative office of the courts or the
director's designee] one member appointed by the chief justice
of the supreme court who is experienced with cybersecurity
issues; 
(3)  [the director of the legislative council
service or the director's designee] a member of the legislature
appointed by the New Mexico legislative council who is familiar
with cybersecurity issues;
(4)  one member appointed by the secretary
of Indian affairs who is experienced with cybersecurity issues; 
(5)  [three] two members appointed by the chair
of the board of directors of the New Mexico association of
counties who represent county governmental agencies and who are
experienced with cybersecurity issues; provided that at least
one member shall represent a county other than a class A or H
class county;
(6)  [three] two members appointed by the chair
of the board of directors of the New Mexico municipal league
who represent municipal governmental agencies and who are
experienced with cybersecurity issues; provided that only one
member may represent a home rule municipality; and
(7)  [three] four members appointed by the
governor who [may represent separate agencies other than the
department of information technology and] are experienced with
cybersecurity issues; provided that at least one appointee
shall be:
(a)  an educator or employed by an
education institution;
(b)  a health care provider or employed
by a health care provider;
(c)  employed by the homeland security
and emergency management department; and
(d)  a private sector cybersecurity
expert or employed by a business offering cybersecurity
services. 
C.  The cybersecurity advisory committee may invite
representatives of unrepresented county, municipal or tribal
agencies or other public entities to participate as advisory
members of the committee as it determines that their
participation would be useful to the deliberations of the
committee.  
D.  A meeting of and material presented to or
generated by the cybersecurity advisory committee are subject
to the Open Meetings Act and the Inspection of Public Records
Act subject to an exception for a meeting or material
concerning information that could, if made public, expose a
vulnerability in:
(1)  an information system owned or operated by
a public entity; or
(2)  a cybersecurity solution implemented by a
public entity.
E.  Pursuant to the Cybersecurity Act or other
statutory authority, the security officer may issue orders
regarding the compliance of agencies with guidelines or
recommendations of the cybersecurity advisory committee;
however, compliance with those guidelines or recommendations by
non-executive agencies or county, municipal or tribal
governments shall be strictly voluntary.
F.  The cybersecurity advisory committee shall hold
its first meeting on or before August 16, 2023 and shall meet
every two months at minimum after that; provided that the
security officer shall have the discretion to call for more
frequent meetings as circumstances warrant.  At the discretion
of the security officer, the committee may issue advisory
reports regarding cybersecurity issues.
G.  The cybersecurity advisory committee shall
present a report to the legislative finance committee and the
appropriate legislative interim committee concerned with
information technology at those committees' November 2023
meetings and to the governor by November 30, 2023 regarding the
status of cybersecurity preparedness within agencies and
elsewhere in the state.  On or before October 30, 2024 and on
or before October 30 of each subsequent year, the
[cybersecurity] office of cybersecurity shall present updated
reports to the legislative committees and the governor.  The
reports to legislative committees shall be in executive
session, and any materials connected with the report
presentations are exempt from the Inspection of Public Records
Act. 
H.  The members of the cybersecurity advisory
committee shall receive no pay for their services as members of
the committee, but shall be allowed per diem and mileage
pursuant to the provisions of the Per Diem and Mileage Act. 
All per diem and contingent expenses incurred by the
[cybersecurity] office of cybersecurity shall be paid upon
warrants of the secretary of finance and administration,
supported by vouchers of the security officer."
.229897.2