SENATE BILL 269

56th legislature - STATE OF NEW MEXICO - first session, 2023

INTRODUCED BY

Michael Padilla and Debra M. Sariñana

AN ACT

RELATING TO INFORMATION TECHNOLOGY; AMENDING, REPEALING AND ENACTING SECTIONS OF THE DEPARTMENT OF INFORMATION TECHNOLOGY ACT.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:

     SECTION 1. Section 9-27-3 NMSA 1978 (being Laws 2007, Chapter 290, Section 3, as amended) is amended to read:

     "9-27-3. DEFINITIONS.--As used in the Department of Information Technology Act:

          A. "agency", unless otherwise specified, means an agency within the executive branch of state government;

          B. "customer" means an agency, an educational institution, a political subdivision of the state, an instrumentality of the state or of a political subdivision of the state or an agency of an Indian nation, tribe or pueblo that receives information technology, goods or services from the department;

          C. "cybersecurity" means acts, practices or systems that eliminate or reduce the risk of loss of critical assets, sensitive information or reputational harm as a result of a cyberattack or breach within an organization's network;

          [A.] D. "department" means the department of information technology;

          E. "information architecture" means a logically consistent set of principles, policies and standards that guide the engineering of information technology systems and infrastructure in a way that ensures alignment with operational needs;

          F. "information security" means acts, practices or systems that eliminate or reduce the risk that legally protected information or information that could be used to facilitate criminal activity is accessed or compromised through physical or electronic means;

          [B.] G. "information technology" means computer hardware, [and] storage media, networking equipment, physical devices, infrastructure, processes, software, firmware, code and ancillary products and services, including:

                (1) systems design and analysis;

                (2) acquisition, storage and conversion of hardware or solutions used to create, process, store, secure or exchange electronic data;

                [(3) computer programming;

                (4)] (3) information storage and retrieval;

                [(5)] (4) voice, radio, video and data communications;

                [(6)] (5) requisite systems, including network and hosting, including cloud-based systems;

                [(7)] (6) simulation and testing; and

                [(8)] (7) related interactions between users and information systems; 

          [C.] H. "information technology project" means [the purchase, replacement, development or modification] a time- and scope-limited effort related to augmentation, development, modification, purchase, replacement or retirement of a hardware or software system, but does not include normal operation and maintenance of information technology;

          I. "infrastructure security" means acts, practices or systems that eliminate or reduce the risk that privately or publicly owned infrastructure or controls are compromised, damaged, destroyed or disrupted through physical or electronic means;

          [D.] J. "secretary" means the secretary of information technology;

          [E. "state information architecture" means a logically consistent set of principles, policies and standards that guides the engineering of state government's information technology systems and infrastructure in a way that ensures alignment with state government's business needs;

          F.] K. "state information technology strategic plan" means the information technology planning document for the state that spans a three-year period; and

          [G.] L. "telecommunication network" means the physical and logical components and all associated infrastructure used in transporting, routing, aggregating and delivering voice and data information from computer and telecommunications systems in one location to peer systems in another."

     SECTION 2. Section 9-27-4 NMSA 1978 (being Laws 2007, Chapter 290, Section 4) is amended to read:

     "9-27-4. DEPARTMENT CREATED--DIVISIONS.--

          A. The "department of information technology" is created in the executive branch. The department is a cabinet level department and includes the following divisions:

                [(1) program support division;

                (2)] (1) compliance and project management; [division; and

                (3)] (2) enterprise services [division];

                (3) program support;

                (4) project management; and

                (5) public safety radio.

          B. The secretary may [organize the department and the divisions specified in Subsection A of this section] establish divisions and may transfer or merge functions between divisions in the interest of efficiency and economy."

     SECTION 3. Section 9-27-6 NMSA 1978 (being Laws 2007, Chapter 290, Section 6, as amended by Laws 2017, Chapter 7, Section 2 and by Laws 2017, Chapter 45, Section 2) is amended to read:

     "9-27-6. SECRETARY--DUTIES AND GENERAL POWERS.--

          A. The secretary is responsible to the governor for the operation of the department. It is the secretary's duty to manage all operations of the department and to administer and enforce the laws with which the secretary or the department is charged.

          B. [To perform the secretary's duties] The secretary has every power expressly enumerated in the laws, whether granted to the secretary or the department or any division of the department, except where authority conferred upon [any] a department, division or person is explicitly exempted from the secretary's authority by statute. In accordance with these provisions, the secretary shall:

                (1) exercise general supervisory and appointing authority over all department employees, subject to any applicable personnel laws and regulations;

                (2) delegate authority to subordinates as the secretary deems necessary and appropriate, clearly delineating such delegated authority and the limitations thereto;

                (3) organize the department into those organizational units the secretary deems will enable it to function most efficiently, subject to provisions of law requiring or establishing specific organizational units;

                (4) within the limitations of available appropriations and applicable laws, employ and fix the compensation of those persons necessary to discharge the secretary's duties;

                (5) take administrative action by issuing [orders and instructions] guidance orders not inconsistent with the law, to ensure implementation of and compliance with the provisions of law for whose administration or execution the secretary is responsible and to enforce those [orders and instructions] guidance orders by appropriate administrative action [in the courts] or by seeking a court order;

                (6) conduct research and studies that will improve the operations of the department and the provision of services to [state agencies and the residents of the state] customers;

                (7) provide courses of instruction and practical training for employees of the department and other persons involved in the administration [of programs with the objective of improving the operations and efficiency of administration] or use of information technology;

                (8) prepare an annual budget of the department;

                (9) provide cooperation [at the request of heads of administratively attached agencies] to customers in order to:

                     (a) minimize or eliminate duplication of services and jurisdictional conflicts;

                     (b) coordinate activities and resolve problems of mutual concern; and

                     (c) resolve by agreement the manner and extent to which the department shall provide [budgeting, recordkeeping and related clerical assistance to administratively attached agencies; and] services to a customer;

                (10) appoint for each division a "director". These appointed positions are exempt from the provisions of the Personnel Act. Persons appointed to these positions shall serve at the pleasure of the secretary;

                (11) contract with consultants or establish advisory committees composed of subordinates, contractors or stakeholders to conduct assessments or evaluations, make recommendations to the secretary or provide services on behalf of the department;

                (12) establish additional bureaus within a departmental division as necessary to implement the Department of Information Technology Act and appoint bureau chiefs to serve as the administrative heads of bureaus; and

                (13) acquire, hold and maintain, through lease, trade or purchase, any real or personal property necessary to meet customer requirements or department obligations.

          C. As the chief information officer, the secretary shall:

                (1) review [executive] agency plans regarding prudent allocation of information technology resources; reduction of duplicate or redundant data, hardware and software; and improvement of system interoperability and data accessibility among agencies;

                (2) except as limited by restrictions established by the department by rule, evaluate and approve [executive] agency information technology [requests for proposals and other executive agency requests] contracts, requests and invitations that are subject to the Procurement Code, prior to final approval;

                (3) promulgate rules for oversight of information technology procurement;

                [(4) approve executive agency information technology contracts and amendments to those contracts, including emergency procurements, sole source contracts and price agreements, prior to approval by the department of finance and administration;

                (5)] (4) develop and implement procedures to standardize data elements, determine data ownership and ensure data sharing among [executive agencies] customers;

                [(6)] (5) verify compliance with state information architecture and the state information technology strategic plan, technical standards and industry best practices before approving documents referred to in [Paragraphs (2) and (4)] Paragraph (2) of this subsection;

                [(7)] (6) monitor [executive] agency compliance with its agency plan, the state information technology strategic plan and state information architecture and report to the governor, [executive] agency management and the legislative finance committee on noncompliance;

                [(8)] (7) develop information technology cost recovery mechanisms and information [systems] technology system rate and fee structures [of state agencies and other public or private sector providers and] for all offered services, make recommendations to the information technology rate committee and publish available services and rates;

                [(9)] (8) provide technical support to [executive] agencies in the development of their agency plans;

                [(10)] (9) ensure that the use of existing public or private information technology or telecommunications resources [when the use] by customers is practical, efficient, effective and financially prudent [and is in compliance with the Procurement Code];

                [(11)] (10) review appropriation requests related to [executive] agency information technology requests to ensure compliance with agency plans and the state information technology strategic plan and make written recommendations by November 14 of each year to the department of finance and administration and by November 21 of each year to the legislative finance committee and the appropriate interim legislative committee; provided, however, that the recommendations to the legislative committees have been agreed to by the department of information technology and the department of finance and administration;

                [(12)] (11) promulgate rules to ensure that information technology projects satisfy criteria established by the secretary and are phased in with funding released in phases contingent upon successful completion of the prior phase;

                [(13)] (12) except as limited by the department by rule, provide oversight of agency information technology projects, including ensuring adequate risk management, disaster recovery and business continuity practices and monitoring compliance with strategies for information technology projects that affect multiple agencies;

                [(14)] (13) conduct reviews of information technology projects and provide written reports to the appropriate legislative oversight bodies;

                [(15)] (14) conduct or contract for background checks on department employees and prospective department employees that have or will have administrative access or authority to sensitive, confidential or private information or the ability to alter systems, networks or other information technology hardware or software; and

                [(16)] (15) perform any other information technology function assigned by the governor.

          D. As the chief information officer, the secretary may:

                (1) contract, conduct or order risk assessments relating to any information technology within the jurisdiction of the department;

                (2) coordinate, deploy, offer or provide cybersecurity risk prevention and information technology and mitigation and response solutions, including application and equipment selection, intrusion response, system monitoring or system testing for all users of agency-operated or -owned information technology;

                (3) offer enterprise information technology solutions to agencies and, as practical, to other customers of agency-operated or -owned information technology;

                (4) establish an administrative hearing and enforcement process internal to the department or in coordination with the administrative hearings office;

                (5) conduct information technology assessments or audits to ensure compliance with the Department of Information Technology Act, rules promulgated by the department or other applicable laws; and

                (6) make recommendations to the personnel board for the establishment and review of new information technology-related job classifications, pay bands and positions.

          [D.] E. Each [executive] agency shall submit an agency information technology plan to the secretary in the form and detail [required] specified by the secretary. Each [executive] agency shall conduct background checks on agency or prospective agency employees that have or will have administrative access or authority to alter systems, networks or other information technology hardware or software.

          [E. A state] F. An agency that receives an invoice from the department for services rendered to the agency shall have thirty days from receipt of the invoice to pay the department or to notify the department if the amount of the invoice is in dispute. The agency shall have fifteen days from its notification of dispute to the department to present its reasons in writing and request an adjustment. The department shall have fifteen days from its receipt of the reasons for dispute to notify the agency of its decision. If the department and the agency do not agree on a resolution, the secretary of finance and administration shall make a determination on the amount owed by the agency to the department. If the agency has not paid the department or notified the department of a dispute within thirty days of receipt of the invoice, the department shall notify the department of finance and administration and request that the department of finance and administration transfer funds from the agency to the department of information technology to satisfy the agency's obligation.

          [F.] G. The secretary, as chief information officer, shall prepare a state information technology strategic plan for the executive branch and update it at least once every three years, which plan shall be available to agencies by July 31 of each year. The plan shall comply with the provisions of the Department of Information Technology Act and provide for the:

                (1) interchange of information related to information technology among [executive] agencies;

                (2) coordination among [executive] agencies in the development and maintenance of information technology systems;

                (3) protection of the privacy and security of individual information as well as of individuals using the state's information technology systems; and

                [(4) development of a statewide broadband network plan in conjunction with the public education department, the higher education department, state universities, other educational institutions, the public school capital outlay council, political subdivisions of the state, Indian nations, tribes and pueblos, the public regulation commission and telecommunication network service providers; and

                (5)] (4) coordination and aggregation of services where feasible for [entities as provided for in Section 9-27-20 NMSA 1978 and other publicly funded entities] users of agency-operated or -owned information technology.

          [G.] H. The secretary may apply for and receive, with the governor's approval, in the name of the department, any public or private funds, including United States government funds, available to the department to carry out its programs, duties or services or those of an administratively attached office or public body.

          [H.] I. Where information technology functions of [executive] agencies overlap or a function assigned to one agency could better be performed by another agency, the secretary may direct the agencies to redirect or consolidate functions, unless a function is stipulated in statute, in which case the secretary shall recommend appropriate legislation to the next session of the legislature for its approval.

          [I.] J. Pursuant to the State Rules Act and rules established pursuant to that act, the secretary may make and adopt [such reasonable procedural] rules as may be necessary to carry out the duties of the department and [its divisions and requirements and standards for the executive branch's information technology needs, functions, systems and resources] administratively attached offices or public bodies, including:

                (1) information technology security;

                (2) [approval for] procurement of information technology; [that exceeds an amount set by rule

                (3) detail and format for the agency information technology plan;

                (4)] (3) acquisition, licensing and sale of information technology; [and

                (5)] (4) requirements for agency information technology projects and related plan, analysis, oversight, assessment and specifications;

          [J. Unless otherwise provided by statute, no rule affecting any person or agency outside the department shall be adopted, amended or repealed without a public hearing on the proposed action before the secretary or a hearing officer designated by the secretary. The public hearing shall be held in Santa Fe unless otherwise permitted by statute. Notice of the subject matter of the rule, the action proposed to be taken, the time and place of the hearing, the manner in which interested persons may present their views and the method by which copies of the proposed rule, proposed amendment or repeal of an existing rule may be obtained shall be published once at least thirty days prior to the hearing date in a newspaper of general circulation and mailed at least thirty days prior to the hearing date to all persons who have made a written request for an advance notice of hearing. Rules shall be filed in accordance with the State Rules Act.]

                (5) governance of the department;

                (6) identification, protection and use of agency-operated and -owned data and information technology; and

                (7) compliance with federal or state information technology law.

          K. Unless specified in statute or in an express agreement by the department or the secretary, the secretary or the department shall not be considered the public record custodian for a person who entrusts data to the department for storage. Nothing in this subsection shall be construed to limit or eliminate the department's obligations with respect to the public records of the department or the department's legal or contractual obligations to manage data for a customer."

     SECTION 4. Section 9-27-7 NMSA 1978 (being Laws 2007, Chapter 290, Section 7, as amended) is amended to read:

     "9-27-7. INFORMATION TECHNOLOGY RATE COMMITTEE--MEMBERSHIP--DUTIES.--

          A. The "information technology rate committee" is created. The committee consists of seven members as follows:

                (1) five members appointed by the governor from [executive] agencies that use information technology services and pay rates to an internal service fund;

                (2) the secretary of finance and administration, who shall serve as chair of the committee; and

                (3) the secretary of information technology.

          B. The information technology rate committee shall:

                (1) review the rate and fee schedule proposed by the secretary, and upon enactment of a statute creating a specified agency for cybersecurity services, the rate and fee schedule proposed by that agency for its services;

                (2) ensure that the rate and fee schedule complies with the federal office of management and budget circular A-87 or its successor directive with respect to rates for expenditure of money from federal grant awards;

                (3) consider for approval an equitable rate and fee schedule based on cost recovery, for [state] agencies that use information technology services and pay rates to an internal service fund, with priority service to public safety agencies;

                (4) present the [committee's] department's proposed rate and fee schedule by [June] July 1 of each year to the office of the governor, the department of finance and administration and the legislative finance committee; and

                (5) by July 15 of each year, implement a rate and fee schedule based on the committee's recommendations; provided, however, that a reduction in rates or fees by the department shall not require the committee's approval if the reduction is based on cost recovery and if the committee is notified timely."

     SECTION 5. Section 9-27-8 NMSA 1978 (being Laws 2007, Chapter 290, Section 8) is amended to read:

     "9-27-8. ORGANIZATIONAL UNITS OF THE DEPARTMENT--POWERS AND DUTIES SPECIFIED BY LAW--ACCESS TO INFORMATION.--Those organizational units of the department and the officers of those units specified by law shall have all of the powers and duties enumerated in the specific laws involved. However, the carrying out of those powers and duties shall be subject to the direction and supervision of the secretary, who shall retain the final decision-making authority and responsibility for the administration of [any such] all laws within the jurisdiction of the department. The department shall have access to all information technology records [data and information of other executive branch departments, agencies and institutions, including its own organizational units] not specifically held confidential by law of those entities, departments and institutions who receive services from the department."

     SECTION 6. Section 9-27-13 NMSA 1978 (being Laws 1977, Chapter 247, Section 23, as amended) is amended to read:

     "9-27-13. TELECOMMUNICATIONS [SERVICES] ENGINEER.--[A.] The secretary [of information technology] may hire a communications engineer to oversee the engineering responsibilities of the department [of information technology]. The communications engineer shall have a degree in either electrical engineering with an electrical communications specialty or in electronics engineering.

          [B. In providing telecommunications services pursuant to Chapter 15 NMSA 1978, the department of information technology shall not provide telecommunications services, including telephone, data and broadband services, to an entity other than those authorized pursuant to Section 15-5-1 NMSA 1978, except as is necessary to facilitate a state-mandated program, including distance education, telehealth or school-based health center programs. Before expansion or upgrade of a state-owned or state-funded telecommunications network, whether voice, data or video transmission, the department shall prepare a plan consistent with state law and applicable rules that includes an assessment of how the project would potentially affect local telecommunications service providers and telecommunications service ratepayers.]"

     SECTION 7. Section 9-27-15 NMSA 1978 (being Laws 1997, Chapter 263, Section 1, as amended by Laws 2007, Chapter 288, Section 2 and by Laws 2007, Chapter 290, Section 15) is amended to read:

     "9-27-15. LEASE OF RADIO COMMUNICATIONS NETWORK--CONDITIONS AND REQUIREMENTS.--In exercising supervisory control pursuant to Section [15-2-2] 9-27-14 NMSA 1978, the department [of information technology] may lease to a public or private entity excess capacity [relating to the provision of two-way radio services] on its radio communications property, including buildings, towers or antennas; provided that:

          [A. the lease conforms with competitive procurement requirements of the Procurement Code;

          B.] A. the lease is for an [equal] equivalent value exchange of money, [or] property or services;

          [C.] B. the secretary [of information technology] certifies that the excess capacity will be available for at least the duration of the lease;

          [D.] C. if the lease exceeds ten years, the lease is first approved by the state board of finance;

          [E.] D. the department [of information technology] has submitted to the legislative finance committee a detailed plan for the use of excess capacity being leased and an assessment of how the lease will affect public sector uses and local telecommunication service providers; and

          [F.] E. income from [the leases] a lease shall be deposited to the credit of the department [of information technology] and used to carry out the duties of the department."

     SECTION 8. Section 9-27-16 NMSA 1978 (being Laws 1970, Chapter 71, Section 1, as amended) is amended to read:

     "9-27-16. SERVICE CHARGE--CUSTOMERS.--

          A. The department [of information technology] shall charge [a fee to the state or any officer, agency, department, division, board or commission of the state for any services rendered in the exercise of its supervisory control.

          B. Fees shall be fixed by the secretary of information technology] customers approved rates for goods and services rendered.

          [C.] B. Income from [fees] customer charges collected shall be deposited to the credit of the department [of information technology] and used to carry out the duties of the department.

          [D. The department of information technology may provide two-way radio services to counties and municipalities at the same rates charged state agencies]

          C. At the discretion of the secretary, if the department has excess capacity after providing goods or services to its statutorily required customers, the department may provide services to additional federal, state or tribal customers, including political subdivisions of the state and schools."

     SECTION 9. Section 9-27-20 NMSA 1978 (being Laws 1963, Chapter 181, Section 1, as amended) is amended to read:

     "9-27-20. TELECOMMUNICATIONS--[DUTIES] REIMBURSEMENT APPLICATIONS--INFORMATION TECHNOLOGY OFFERINGS.--

          [A. The department shall enter into necessary agreements to provide, where feasible, a telecommunication network and related facilities to all executive, legislative and judicial branches. Nothing in this section shall be construed to apply to the provision of a telecommunication network and related facilities to political subdivisions of the state.

          B. Pursuant to Section 9-27-13 NMSA 1978, the department may, where feasible and economical, provide a telecommunication network and related facilities to educational institutions that request to be included in the telecommunication network and shall enter into the necessary contractual agreements with telecommunication providers to provide the telecommunication network and related facilities to educational institutions that request to be included in the telecommunication network.

          C. Pursuant to Sections 9-27-6 and 9-27-13 NMSA 1978, the department and the public education department shall coordinate to apply for reimbursements from the federal universal service fund pursuant to Section 254 of the federal Telecommunications Act of 1996, 47 U.S.C. 254, as such section existed on January 1, 2006, on behalf of state agencies, political subdivisions and educational institutions as available for telecommunication network services.

          D. Pursuant to Section 9-27-7 NMSA 1978, the department shall establish a rate structure based on actual costs, including necessary administrative expenses, and shall charge participants according to such rate structure.]

          A. Whenever feasible, the department shall be the purchaser and vendor of information technology goods and services for agencies.

          B. On July 1, 2023 and on July 1 of each subsequent year, the department shall provide a list of the information technology goods and services it has available to offer to each agency. Excepting goods and services that are not offered by the department, agencies shall acquire the information technology that they require from the department."

     SECTION 10. Section 9-27-22 NMSA 1978 (being Laws 1963, Chapter 181, Section 3, as amended) is amended to read:

     "9-27-22. CHARGES FOR CENTRAL TELECOMMUNICATION NETWORK SERVICES.--Departments, institutions and agencies participating in the central telecommunication network shall be charged for the total monthly costs of the service, including a pro rata and equitable share of the [total monthly costs of the service] department's cost of providing central telecommunications services. This determination is to be made by the department. Toll calls not covered by the wide-area telephone service and supplemental equipment shall be segregated and paid for by agencies, institutions and departments making the calls or using the supplemental equipment."

     SECTION 11. Section 9-27-24 NMSA 1978 (being Laws 1963, Chapter 181, Section 5, as amended) is amended to read:

     "9-27-24. APPROPRIATION.--All income to the central telecommunication network fund is appropriated to [carry out the purposes of Sections 9-27-20 through 9-27-25 NMSA 1978 or their successor recompiled sections] the department for the purposes of the Department of Information Technology Act. Payments from the central telecommunication network fund shall be made on vouchers signed by the secretary or the secretary's designee."

     SECTION 12. Section 9-27-26 NMSA 1978 (being Laws 2017, Chapter 7, Section 9) is amended to read:

     "9-27-26. INDIAN NATIONS, TRIBES AND PUEBLOS--[STATEWIDE BROADBAND] AGENCY-OWNED OR -OPERATED BROADBAND NETWORK--RIGHT-OF-WAY AND SERVICE AGREEMENT.--Indian nations, tribes and pueblos may connect to [the statewide] an agency-operated or -owned broadband network in exchange for a mutually agreed upon right-of-way and service agreement with the chief information officer. The chief information officer shall apply for reimbursements from the federal universal service fund pursuant to Section 254 of the federal Telecommunications Act of 1996, 47 U.S.C. 254, as such section existed on January 1, 2006, on behalf of Indian nations, tribes and pueblos that execute a right-of-way agreement."

     SECTION 13. A new section of the Department of Information Technology Act is enacted to read:

     "[NEW MATERIAL] PROVISION OF INFORMATION TECHNOLOGY GOODS AND SERVICES.--

          A. The department shall offer each agency the opportunity to outsource some or all of that agency's information technology service requirements to the department.

          B. The department shall not be required to offer any information technology service that does not have an established rate.

          C. Any information technology services outsourced to the department shall be specified in an intergovernmental agreement that identifies all services to be provided and the rates or fees for any such services that are not established through the rate committee process."

     SECTION 14. REPEAL.--Sections 9-27-9.1, 9-27-10, 9-27-18 and 9-27-19 NMSA 1978 (being Laws 2017, Chapter 45, Section 1, Laws 2007, Chapter 290, Section 26, Laws 1971, Chapter 115, Section 2 and Laws 1975, Chapter 214, Section 4, as amended) are repealed.
