Section 9-27A-5 - Cybersecurity advisory committee created; membership; dutiesA. The "cybersecurity advisory committee" is created within the cybersecurity office and shall: (1) assist the office in the development of: (a) a statewide cybersecurity plan;(b) guidelines for best cybersecurity practices for agencies; and(c) recommendations on how to respond to a specific cybersecurity threat or attack; and(2) have authority over the hiring, supervision, discipline and compensation of the security officer.B. The security officer or the security officer's designee shall chair and be an advisory nonvoting member of the cybersecurity advisory committee; provided that the security officer shall be recused from deliberations concerning supervision, discipline or compensation of the security officer and the secretary of information technology shall chair those deliberations. The remaining members consist of:(1) the secretary of information technology or the secretary's designee;(2) the principal information technology staff person for the administrative office of the courts or the director's designee;(3) the director of the legislative council service or the director's designee;(4) one member appointed by the secretary of Indian affairs, who is experienced with cybersecurity issues;(5) three members appointed by the chair of the board of directors of the New Mexico association of counties who represent county governmental agencies and who are experienced with cybersecurity issues; provided that at least one member shall represent a county other than a class A or H class county;(6) three members appointed by the chair of the board of directors of the New Mexico municipal league who represent municipal governmental agencies and who are experienced with cybersecurity issues; provided that only one member may represent a home rule municipality; and(7) three members appointed by the governor who may represent separate agencies other than the department of information technology and are experienced with cybersecurity issues.C. The cybersecurity advisory committee may invite representatives of unrepresented county, municipal or tribal agencies or other public entities to participate as advisory members of the committee as it determines that their participation would be useful to the deliberations of the committee.D. A meeting of and material presented to or generated by the cybersecurity advisory committee are subject to the Open Meetings Act and the Inspection of Public Records Act subject to an exception for a meeting or material concerning information that could, if made public, expose a vulnerability in: (1) an information system owned or operated by a public entity; or(2) a cybersecurity solution implemented by a public entity.E. Pursuant to the Cybersecurity Act or other statutory authority, the security officer may issue orders regarding the compliance of agencies with guidelines or recommendations of the cybersecurity advisory committee; however, compliance with those guidelines or recommendations by non-executive agencies or county, municipal or tribal governments shall be strictly voluntary.F. The cybersecurity advisory committee shall hold its first meeting on or before August 16, 2023 and shall meet every two months at minimum after that; provided that the security officer shall have the discretion to call for more frequent meetings as circumstances warrant. At the discretion of the security officer, the committee may issue advisory reports regarding cybersecurity issues.G. The cybersecurity advisory committee shall present a report to the legislative finance committee and the appropriate legislative interim committee concerned with information technology at those committees' November 2023 meetings and to the governor by November 30, 2023 regarding the status of cybersecurity preparedness within agencies and elsewhere in the state. On or before October 30, 2024 and on or before October 30 of each subsequent year, the cybersecurity office shall present updated reports to the legislative committees and the governor. The reports to legislative committees shall be in executive session, and any materials connected with the report presentations are exempt from the Inspection of Public Records Act [Chapter 14, Article 2 NMSA 1978].H. The members of the cybersecurity advisory committee shall receive no pay for their services as members of the committee, but shall be allowed per diem and mileage pursuant to the provisions of the Per Diem and Mileage Act [10-8-1 through 10-8-8 NMSA 1978]. All per diem and contingent expenses incurred by the cybersecurity office shall be paid upon warrants of the secretary of finance and administration, supported by vouchers of the security officer.