SENATE RULES COMMITTEE SUBSTITUTE FOR
SENATE BILL 254
57th legislature - STATE OF NEW MEXICO - first session, 2025
AN ACT
RELATING TO CYBERSECURITY; AMENDING THE CYBERSECURITY ACT; CHANGING THE NAME AND DUTIES OF THE CYBERSECURITY OFFICE; CHANGING THE MEMBERSHIP OF THE CYBERSECURITY ADVISORY COMMITTEE.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:
SECTION 1. Section 9-27A-2 NMSA 1978 (being Laws 2023, Chapter 115, Section 2) is amended to read:
"9-27A-2. DEFINITIONS.--As used in the Cybersecurity Act:
A. "agency" means executive cabinet agencies and their administratively attached agencies, offices, boards and commissions;
B. "cybersecurity" means acts, practices or systems that eliminate or reduce the risk of loss of critical assets, loss of sensitive information or reputational harm as a result of a cyber attack or breach within an organization's network;
C. "information security" means acts, practices or systems that eliminate or reduce the risk that legally protected information or information that could be used to facilitate criminal activity is accessed or compromised through physical or electronic means;
D. "information technology" means computer hardware, storage media, networking equipment, physical devices, infrastructure, processes and code, firmware, software and ancillary products and services, including:
(1) systems design and analysis;
(2) development or modification of hardware or solutions used to create, process, store, secure or exchange electronic data;
(3) information storage and retrieval systems;
(4) voice, radio, video and data communications systems;
(5) network, hosting and cloud-based systems;
(6) simulation and testing;
(7) interactions between a user and an information system; and
(8) user and system credentials; [and]
E. "security officer" means the state chief information security officer; and
F. "state-operated or state-owned telecommunications network" means a telecommunications network controlled by the department of information technology pursuant to the Department of Information Technology Act."
SECTION 2. Section 9-27A-3 NMSA 1978 (being Laws 2023, Chapter 115, Section 3) is amended to read:
"9-27A-3. [CYBERSECURITY] OFFICE OF CYBERSECURITY CREATED--SECURITY OFFICER--DUTIES AND POWERS.--
A. The "[cybersecurity] office of cybersecurity" is created and is administratively attached to the department of information technology. The office shall be managed by the security officer.
B. Except as required by federal law, the [cybersecurity] office of cybersecurity shall oversee, in a fiscally responsible manner, cybersecurity- and information security-related functions for agencies and may:
(1) adopt and implement rules establishing minimum security standards and policies to protect agency information technology systems and infrastructure and provide appropriate governance and application of the standards and policies across information technology resources used by agencies to promote the availability, confidentiality, security and integrity of the information processed, transmitted, transacted or stored by agencies in the state's information technology infrastructure and systems;
(2) develop minimum cybersecurity controls for managing and protecting information technology assets and infrastructure for all entities that are connected to [an agency-operated or -owned] a state-operated or state-owned telecommunications network;
(3) consistent with information security standards, monitor agency information technology networks to detect security incidents and support mitigation efforts as necessary and within capabilities;
(4) as reasonably necessary to perform its monitoring and detection duties, obtain agency system event logs to support monitoring and detection pursuant to Paragraph (3) of this subsection;
(5) in coordination with state and federal cybersecurity emergency management agencies as appropriate, create a model incident-response plan for public bodies to adopt with the [cybersecurity] office of cybersecurity as the incident-response coordinator for incidents that:
(a) impact multiple public bodies;
(b) impact more than ten thousand residents of the state;
(c) involve a nation-state actor; or
(d) involve the marketing or transfer of confidential data derived from a breach of cybersecurity;
(6) serve as a cybersecurity resource for local governments;
(7) develop a service catalog of cybersecurity services to be offered to agencies and to political subdivisions of the state;
(8) collaborate with agencies in developing standards, functions and services in order to ensure the agency regulatory environments are understood and considered as part of a cybersecurity incident response;
(9) establish core services to support minimum security standards and policies;
(10) establish minimum data classification policies and standards and design controls to support compliance with classifications and report on exceptions;
(11) develop and issue cybersecurity awareness policies and training standards and develop and offer cybersecurity training services; and
(12) establish a centralized cybersecurity and data breach reporting process for agencies and political subdivisions of the state."
SECTION 3. Section 9-27A-5 NMSA 1978 (being Laws 2023, Chapter 115, Section 5) is amended to read:
"9-27A-5. CYBERSECURITY ADVISORY COMMITTEE CREATED--MEMBERSHIP--DUTIES.--
A. The "cybersecurity advisory committee" is created within the [cybersecurity] office of cybersecurity and shall:
(1) assist the office in the development of:
(a) a statewide cybersecurity plan;
(b) guidelines for best cybersecurity practices for agencies; and
(c) recommendations on how to respond to a specific cybersecurity threat or attack; and
(2) have authority over the hiring, supervision, discipline and compensation of the security officer.
B. The security officer or the security officer's designee shall chair [and be an advisory nonvoting member of] the cybersecurity advisory committee; provided that the security officer shall be recused from deliberations and votes concerning supervision, discipline or compensation of the security officer and the secretary of information technology shall chair those deliberations. The remaining members consist of:
(1) the secretary of information technology or the secretary's designee;
(2) [the principal information technology staff person for the administrative office of the courts or the director's designee] one member appointed by the chief justice of the supreme court;
(3) the director of the legislative council service or the director's designee;
(4) one member appointed by the secretary of Indian affairs who is experienced with cybersecurity issues;
(5) [three] two members appointed by the chair of the board of directors of the New Mexico association of counties who represent county governmental agencies and who are experienced with cybersecurity issues; provided that at least one member shall represent a county other than a class A or H class county;
(6) [three] two members appointed by the chair of the board of directors of the New Mexico municipal league who represent municipal governmental agencies and who are experienced with cybersecurity issues; provided that only one member may represent a home rule municipality; and
(7) [three] four members appointed by the governor [who may represent separate agencies other than the department of information technology and are experienced with cybersecurity issues] in consultation with the secretary of information technology and the state chief information security officer; provided that these members, individually and collectively, shall enable the committee to satisfy any federal or state cybersecurity grant funding requirements.
C. The cybersecurity advisory committee may invite representatives of unrepresented county, municipal or tribal agencies or other public entities to participate as advisory members of the committee as it determines that their participation would be useful to the deliberations of the committee.
D. A meeting of and material presented to or generated by the cybersecurity advisory committee are subject to the Open Meetings Act and the Inspection of Public Records Act subject to an exception for a meeting or material concerning information that could, if made public, expose a vulnerability in:
(1) an information system owned or operated by a public entity; or
(2) a cybersecurity solution implemented by a public entity.
E. Pursuant to the Cybersecurity Act or other statutory authority, the security officer may issue orders regarding the compliance of agencies with guidelines or recommendations of the cybersecurity advisory committee; however, compliance with those guidelines or recommendations by non-executive agencies or county, municipal or tribal governments shall be strictly voluntary.
F. The cybersecurity advisory committee shall hold its first meeting on or before August 16, 2023 and shall meet every two months at minimum after that; provided that the security officer shall have the discretion to call for more frequent meetings as circumstances warrant. At the discretion of the security officer, the committee may issue advisory reports regarding cybersecurity issues.
G. The cybersecurity advisory committee shall present a report to the legislative finance committee and the appropriate legislative interim committee concerned with information technology at those committees' November 2023 meetings and to the governor by November 30, 2023 regarding the status of cybersecurity preparedness within agencies and elsewhere in the state. On or before October 30, 2024 and on or before October 30 of each subsequent year, the [cybersecurity] office of cybersecurity shall present updated reports to the legislative committees and the governor. The reports to legislative committees shall be in executive session, and any materials connected with the report presentations are exempt from the Inspection of Public Records Act.
H. The members of the cybersecurity advisory committee shall receive no pay for their services as members of the committee, but shall be allowed per diem and mileage pursuant to the provisions of the Per Diem and Mileage Act. All per diem and contingent expenses incurred by the [cybersecurity] office of cybersecurity shall be paid upon warrants of the secretary of finance and administration, supported by vouchers of the security officer."