New Mexico

In plain terms. New Mexico centralizes state cybersecurity in a Cybersecurity Office inside the Department of Information Technology, which sets minimum security controls and coordinates incident response.

Who it applies to. State agencies and political subdivisions, and the IT vendors that connect to or supply their networks.

What it requires. The Cybersecurity Office oversees information-security functions for agencies and may develop minimum cybersecurity controls for IT assets and infrastructure connected to any agency network, create a model incident-response plan (with the Office as incident-response coordinator), run cybersecurity awareness and training standards, and operate a centralized cybersecurity and data-breach reporting process. IT goods and services are commonly bought through department price agreements established under the state Procurement Code.

Why it matters. If your product connects to a New Mexico agency network, the state's minimum cybersecurity controls can apply to you, and incidents flow into the Cybersecurity Office's centralized reporting process.

Citation. N.M. Stat. Ann. § 9-27A-3 (Cybersecurity Office) and § 9-27-20 (IT price agreements).

In plain terms. New Mexico's IT rules sit in the state Administrative Code and govern how agencies select software and check system security.

Who it applies to. State agencies and their IT vendors.

What it requires. The Information Technology rules cover application-software selection and system-security checking, setting expectations agencies follow when acquiring and operating software systems.

Why it matters. Vendors selling software to New Mexico agencies should expect their products to be evaluated against the state's software-selection and security-checking rules.

Citation. N.M. Admin. Code 1.12 (Information Technology), including 1.12.12.8 (Application Software Selection Policy) and 1.12.20.26 (System Security Checking).