Governor’s Executive Order Strengthens State Agency Cybersecurity

Government and Politics

April 5, 2024

From: New Mexico Governor Michelle Lujan Grisham

Santa Fe, NM - Today, Gov. Michelle Lujan Grisham issued Executive Order 2024-011 (EO 2024-011), reinforcing New Mexico’s defenses against cybersecurity threats with stringent measures to safeguard sensitive state agency information.

“Cybersecurity is not just a technological issue; it’s a matter of public safety and national security,” said Gov. Lujan Grisham. “That’s why I’ve taken decisive action to fortify the resilience of our state agencies against potential cyber intrusions.”

In response to this pressing concern, EO 2024-011 mandates comprehensive action to enhance cybersecurity measures across state agencies. The order directs the Department of Information Technology (DoIT) to conduct thorough information technology and security assessments on state agencies, enabling the detection of security vulnerabilities and hardening defenses as necessary.

Under the directives of EO 2024-011, state agencies are required to adopt and implement cybersecurity, information security, and privacy policies. These measures must be based upon no less than moderate-impact security control baselines, frameworks, and standards issued by the National Institute of Standards and Technology. State agencies are mandated to certify compliance with these standards by November 1, 2024, and annually thereafter.

In cases where state agencies are unable to certify compliance, they must submit a request for exemption to DoIT. Agencies must accompany this request with a comprehensive plan outlining steps to achieve compliance and an approximate timeline for completion. DoIT will review exemption requests and make recommendations to the Office of the Governor for approval or denial. If an exemption is denied, agencies must promptly submit an updated plan for consideration.

Additionally, EO 2024-011 encourages all public bodies not subject to the order to voluntarily comply with its rules, standards, and requirements. Such bodies are urged to participate in cybersecurity and information security programs offered by the Cybersecurity Office, the Cybersecurity Advisory Committee, or DoIT.

EO 2024-011 defines “state agencies” as departments, offices, boards, commissions, and other agencies within the Executive Branch under gubernatorial control. The order takes effect immediately and will remain in force until renewed, modified, or rescinded.

Executive Order 2024-011