Senate Bill 254 (SB 254):  This legislation renames the Cybersecurity Office to the Office of Cybersecurity, clarifies its expanded duties in setting cybersecurity standards and coordinating incident responses for state and local entities, and modifies the membership of the Cybersecurity Advisory Committee to include a broader range of representatives from government, education, healthcare, and the private sector. These proposed changes will strengthen statewide cybersecurity governance and enhance collaborative protection of state and local IT infrastructures. 

 Senate Bill 254 (SB 254):  Below is a concise overview of the key changes and provisions in the proposed legislation:
1. Renaming the Office and Clarifying Duties (Section 1)
•	Name Change: The “Cybersecurity Office” is renamed the Office of Cybersecurity and remains administratively attached to the Department of Information Technology.
•	Scope and Powers: Oversees cybersecurity- and information security–related functions for agencies, focusing on protecting state-operated or state-owned telecommunications networks.
•	Can adopt and implement rules establishing minimum security standards and policies for agencies’ information technology (IT) systems.
•	Incident Response: Coordinates statewide response plans, especially for high-impact or multi-agency incidents (e.g., those involving nation-state actors or breaches affecting more than 10,000 residents).
•	Resource for Local Governments: Serves as a cybersecurity resource and offers cybersecurity services (via a service catalog) to agencies and political subdivisions.
•	Centralized Reporting: Establishes a centralized cybersecurity and data breach reporting process for agencies and political subdivisions.
2. Cybersecurity Advisory Committee Membership & Duties (Section 2)
•	Committee Structure: The Security Officer (head of the Office of Cybersecurity) remains chair of the committee but must be recused from discussions on their own supervision, discipline, or compensation. In those instances, the Secretary of Information Technology chairs.
•	New or Revised Membership: Secretary of Information Technology (or designee).
•	One member appointed by the Chief Justice of the Supreme Court (replaces the Administrative Office of the Courts IT representative).
•	A legislator appointed by the Legislative Council (replaces the Director of the Legislative Council Service).
•	One member appointed by the Secretary of Indian Affairs (unchanged)
•	Two (previously three) members appointed by the New Mexico Association of Counties; at least one from a county that is not Class A or H Class.
•	Two (previously three) members appointed by the New Mexico Municipal League; only one may represent a home-rule municipality.
•	Four (previously three) members appointed by the Governor, with at least one each representing: An educator or education institution, A health care provider or institution, The Homeland Security and Emergency Management Department, and A private-sector cybersecurity expert or a business offering cybersecurity services.
•	Primary Functions: Assists the Office in developing a statewide cybersecurity plan, best practices, and guidelines for dealing with emerging threats or specific attacks.
•	Retains authority over hiring, supervision, discipline, and compensation of the Security Officer.
•	May issue advisory reports on cybersecurity issues and makes recommendations to agencies (though compliance by non-executive agencies or local governments is voluntary).
•	Open Meetings & Confidentiality: The committee is generally subject to the Open Meetings Act and the Inspection of Public Records Act, except for sensitive cybersecurity information that could expose vulnerabilities.
•	Reporting Requirements: The committee must continue providing regular status reports regarding cybersecurity preparedness to legislative committees (in executive session) and to the Governor.
3. Practical Impact
•	Streamlined Statewide Cybersecurity: Consolidates and clarifies the authority of the Office of Cybersecurity to set minimum standards and coordinate incident responses across state agencies and local governments.
•	Enhanced Local Government Support: By serving as a direct cybersecurity resource and offering a catalog of services, the Office can help smaller local agencies address cyber threats.
•	Broader Committee Expertise: Revised membership adds voices from the legislature, judiciary, Indian Affairs, and private-sector experts, ensuring diverse perspectives on emerging cyber risks.
•	Stronger Oversight & Accountability: The committee exercises direct oversight of the Security Officer’s employment matters, reinforcing accountability in implementing statewide cybersecurity measures.
 

 Section 9-27A-5 establishes the Cybersecurity Advisory Committee within the Cybersecurity Office, defining its role to guide statewide cybersecurity planning, oversee the state’s chief information security officer, and provide advice or recommendations on cyber-related threats. It specifies the committee’s membership—drawn from a cross-section of state and local government stakeholders—and clarifies how meetings and records are handled under state open-government laws, except where disclosure might reveal network or security vulnerabilities. Finally, it outlines the schedule for meetings, reporting obligations, and arrangements for covering committee expenses. 

 Committee Substitute on February 20, 2025 in STBTC

STBTCcs/SB 254: On page 1, lines 19 through 22, strike "REQUIRING THAT FEES
 COLLECTED BY THE CANNABIS CONTROL DIVISION OF THE REGULATION AND
 LICENSING DEPARTMENT BE DEPOSITED IN THE REGULATION AND LICENSING
 DEPARTMENT OPERATING FUND;".
 2.  On pages 22 and 23, strike Section 12 in its entirety.
 3.  Renumber the succeeding sections accordingly