The New Mexico Office of Cybersecurity on Aug. 14 told the Senate Technology and Telecommunications Committee it has stood up enterprise services — including a security operations center and mandatory multifactor authentication for executive‑branch systems — but officials said declining federal supports and limited recurring state funding raise near‑term risks.

Office director Raja Simbenam said the office provides services to executive branch agencies and to interested public entities on a voluntary basis; it reported serving 73 agencies with networks and assisting counties, municipalities, K‑12 schools, higher‑education institutions and water/wastewater systems when those entities opt in. "OCS provides service to interested public entities such as K‑through‑12, higher educational institutions, counties, municipal‑ities, tribal entities, water and wastewater systems," Simbenam said.

Why it matters: state information systems hold sensitive data and control critical services; vulnerabilities in partner organizations or legacy systems can escalate quickly. Dan Garcia, the office’s senior program manager, told the committee that the current set of systemic vulnerabilities is serious: "There is a ticking time bomb," he said, adding that the office addresses hundreds of thousands of vulnerabilities across state systems and conducts daily incident‑management work.

Highlights and achievements presented to lawmakers included: the implementation of statewide multifactor authentication (MFA) for executive‑branch users, an enterprise risk and vulnerability scanning program, a unified security monitoring platform (the security operations center) and an awareness program that reduced simulated‑phishing failure rates to 3.9 percent (compared with a government‑sector industry average of about 17.9 percent). Simbenam told the committee that the MFA rollout began over a weekend and that users were completing registration the morning of the hearing.

The office reported a State and Local Cybersecurity Grant Program award (year‑one funding of $2.4 million) and work with federal partners to provide scanning and templates for incident response plans to 73 selected water and wastewater systems. Simbenam said the office coordinated with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and with state environment and health partners on that work.

Challenges cited by the office include reductions in free federal threat‑intelligence services, the move of the Multi‑State ISAC to a fee‑based model, a tightening federal cybersecurity workforce and the termination or restructuring of certain federal review services. Simbenam said those changes have increased the state office’s workload and left it to absorb additional operational responsibilities.

On funding, officials said most earlier work relied on one‑time special appropriations and grants. Simbenam said recurring operating funding is needed to sustain enterprise defenses and core services; the office estimated mid‑tens of millions of dollars would be required for a full recurring operating budget, depending on scope. Simbenam asked the committee for continued support and said the office will return in September with FY‑26 plans and in October to discuss funding and any legislative changes.

Some lawmakers asked for more visibility into non‑executive branch cybersecurity practices and whether technical details could be addressed in a closed session; office staff said they could provide deeper technical briefings under appropriate confidentiality.

Taper: The office stressed that it has made rapid operational progress but that ongoing support and external intelligence/workforce resources are necessary to sustain protections for the state’s networks and critical services.