N.M. Stat. Ann. § 9-27A-4
The position of "state chief information security officer" is created. The security officer shall be a classified position in accordance with rules promulgated pursuant to the Personnel Act [Chapter 10, Article 9 NMSA 1978].
History: Laws 2023, ch. 115, § 4.
Effective dates. — Laws 2023, ch. 115, § 7 made Laws 2023, ch. 115, § 4 effective July 1, 2023.
Temporary provisions. — Laws 2023, ch. 115, § 6 provided that on July 1, 2023:
A. all functions, personnel, money, appropriations, records, furniture, equipment, supplies and other property pertaining to cybersecurity or information security of the department of information technology are transferred to the cybersecurity office;
B. all contractual obligations of the department of information technology for cybersecurity or information security services are binding on the cybersecurity office;
C. all references in law to the chief information security officer of the department of information technology shall be deemed to be references to the state chief information security officer; and
D. the chief information security officer for the department of information technology shall become the initial state chief information security officer.
The legislature may constitutionally delegate rulemaking authority over cybersecurity standards to the cybersecurity office. — The nondelegation doctrine limits, but does not completely prevent, the legislature from vesting a large measure of discretionary authority in administrative officers and bodies, and therefore the legislature may constitutionally delegate authority to the chief information security officer and cybersecurity office to set certain statewide cybersecurity standards and controls so long as the delegation of authority does not unduly interfere with or encroach on the authority or within the province of a coordinate branch of government. 2026 Op. Att'y Gen. No. 26-04.