CS/CS/SB 129/a CYBERSECURITY ACT CHANGES

Sen Michael Padilla

Actions: [2] SCC/SHPAC/SFC-SCC-germane-SHPAC [4] DNP-CS/DP-SFC [7] DNP-CS/DP - PASSED/S (37-0) [11] HAFC-HAFC [12] w/drn - ref HJC-HJC [14] DP/a [15] PASSED/H (58-0) [14] s/cncrd POCKET VETO.

Scheduled: Not Scheduled

 Senate Bill 129 (SB 129) amends the Cybersecurity Act (CA); provides for rulemaking; establishes reporting requirements for public entities receiving state appropriations in certain situations; and changes the membership of the Cybersecurity Advisory Committee (CAC). 

 Senate Bill 129 (SB 129) amends the Cybersecurity Act (CA); provides for rulemaking; establishes reporting requirements for public entities receiving state appropriations in certain situations; and changes the membership of the Cybersecurity Advisory Committee (CAC).
Section 9-27A-1 NMSA 1978 is amended to create the Cybersecurity Office (CO) and related security officer, with duties and powers detailed.
The CO is to adopt and implement rules that include a requirement that entities receiving General Fund appropriations from the legislature shall report to the CO all information technology and cybersecurity expenditures in a form and manner established by the CO. The CO is also responsible for:

•	conducting information technology and security audits;
•	approving agency information technology requests for proposals and other agency requests that are subject to the Procurement Code, prior to final approval; 

•	approving agency cybersecurity and information security contracts and amendments to those contracts, including emergency procurement, sole source contracts and price agreements, prior to final approval; and

•	reviewing and approving all agency, public school, higher education institution, county and municipality legislative appropriation requests of twenty-five million dollars ($25,000,000) or more related to cybersecurity and information security prior to submission of such appropriation requests to the legislature.

Per the Cybersecurity Act (CA) or other statutory authority, the security officer may issue orders regarding the compliance of agencies with rules, policies, standards or controls issued by the CO and guidelines or recommendations of the CAC. 

Public bodies not subject to the jurisdiction of the security officer must adopt and implement cybersecurity, information security and privacy policies, standards and procedures based upon frameworks and minimum standards issued by the National Institute of Standards and Technology.

The CAC is to become a voting body, and the following members are to be added: 

•	the Secretary of Homeland Security and Emergency management or the Secretary's designee;

•	one member appointed by the security officer who has experience with cybersecurity issues for public education institutions; and

•	one member appointed by the security officer who has experience with cybersecurity issues for public health institutions.
 

 The Cybersecurity Act is already in place, but certain requirements related to rulemaking and reporting as proposed in the bill are not included. Further, the Cybersecurity Advisory Committee membership does not include the proposed appointees with specific experience. If the bill does not pass, the Cybersecurity Act will stand as is, and will not include the proposed new elements. 

 Amended February 13, 2024 by the Senate Judiciary Committee

SJCa/SB 129: The Senate Judiciary Committee’s amendment to the Senate Finance Committee Substitute for the Senate Health and Public Affairs Committee Substitute for Senate Bill 129 (SB 129) makes the following changes:

1. On page 3, line 5, after "means", strike the remainder of the line, strike line 6 and strike line 7 through "or".

2. On page 7, line 3, after "orders", insert "to agencies". 

3. On page 7, line 11, strike "and", strike line 12 and on line 13, strike "officer". 

4. On page 7, line 25, after "body", strike the remainder of the line and on page 8, line 1, strike "of the security officer" and insert in lieu thereof "or another branch of government".
 

 Committee Substitute January 29, 2024 in SHPAC

SHPAC cs/SB 129

The Senate Health and Public Affairs Committee substitute for SB 129 amends the bill as follows:

•	caveats are inserted that the bill refers to entities receiving general fund appropriations and references are to information technology systems and infrastructure of the state;
•	a statement is added to clarify that rules must include a requirement that entities receiving general fund appropriations from the legislature must report to the cybersecurity office all cybersecurity and information technology security expenditures in a form and manner established by the cybersecurity office;
•	requirements are added that the cybersecurity office must adopt and implement rules;
•	a requirement is added that the cybersecurity office must conduct information technology and security assessments;
•	responsibilities are added for the cybersecurity office, stating the office is to (or may):
o	approve agency cybersecurity and information security requests for proposals and invitations for bids that are subject to the Procurement Code, prior to final approval; 
o	approve agency cybersecurity and information security contracts and amendments to those contracts, including sole source contracts and price agreements, prior to final approval. 
o	review and approve all agency, public school, higher education institution, county and municipality legislative appropriation requests related to cybersecurity and information security projects that incorporate protection of personal, sensitive or confidential information as defined by the cybersecurity office by rule prior to submission of such appropriation requests to the legislature. 
o	issue orders regarding agency compliance and orders necessary to protect the state's digital assets from imminent threat. 

Additional caveats are added as follows:

•	compliance with orders issued pursuant to Subsection C of this section is voluntary for county governments, municipal governments, tribal governments or public schools; 
•	public bodies not subject to the jurisdiction of the security officer must adopt and implement cybersecurity information security and privacy policies, standards and procedures based upon frameworks and minimum standards issued by the National Institute of Standards and Technology;
•	the chair of the cybersecurity advisory committee is to be a voting member;
•	the chair of the cybersecurity advisory committee is to be recused for certain matters, and in such cases the committee must select an alternate person who is not an employee of the cybersecurity office to chair;
•	the secretary referred to is the Homeland Security and Emergency Management secretary; and
•	the number of governor appointees is reduced from three to two.

Some stylistic changes are made.


Committee Substitute February 6, 2024 in the Senate Finance Committee

SFCcs/SB 129: The Senate Finance Committee substitute for Senate Bill 129 (SB129) makes the following changes:

•	definitions are revised and a definition is added for “public body.”

•	a requirement is added for certification of compliance with certain information security standards.

 

 House Bill 72 (HB 72) – Create Cybersecurity Fund