Can New Mexico's legislature give the State Chief Information Security Officer authority to set cybersecurity standards across all branches of government, including for judicial branch IT systems, without violating the separation of powers?
Plain-English summary
Representative Debra Sariñana asked the AG whether the legislature can amend the Cybersecurity Act to give the State CISO and Cybersecurity Office authority to set statewide cybersecurity standards, including standards that apply across all branches of government. The Administrative Office of the Courts had previously raised concerns that earlier versions of similar legislation could let the executive monitor and audit judicial networks.
The AG's answer is layered. The proposed amendment is likely constitutional on its face, but specific regulations promulgated under it could be unconstitutional if they unduly interfere with the judiciary's core functions.
Three different scenarios in the analysis:
- Legislature delegating to the executive in general. Constitutional under New Mexico's nondelegation doctrine, as long as the legislature includes "reasonable standards" with specificity proportional to the scope of delegation.
- Executive conditioning judicial use of executive-owned networks. Constitutional. The judiciary has a right to adequate resources, but neither the executive nor the legislature is constitutionally required to host the judiciary's IT infrastructure. So the executive can offer the judiciary network access on conditions, including minimum cybersecurity standards.
- Executive setting standards for networks operated entirely by the judiciary. Closer call. De minimis standards (basic password complexity, two-factor authentication) are permissible. Standards that conflict with judicial rules but do not substantially interfere may be permissible. Standards that unduly interfere with core judicial functions (e.g., unfettered executive access to monitor judicial communications, which would compromise judicial deliberations privilege) are not constitutional.
The opinion notes a workaround: requiring the judiciary to develop its own cybersecurity standards, without dictating their substance, is unlikely to raise separation-of-powers concerns.
What this means for you
If you are a New Mexico state legislator considering cybersecurity-related amendments
You have flexibility, but draft carefully. A clean approach:
- Authorize the State CISO and Cybersecurity Office to set minimum standards for executive-branch entities and any entity that connects to executive-branch networks.
- For the judicial branch, require the judiciary to set its own standards that meet at least the minimum baseline. Padilla v. Torres (2024) and the Saltonstall (Cal. 2014) approach support this structure.
- Avoid mandating direct executive monitoring or auditing of judicial networks. That likely runs afoul of the judicial deliberations privilege, as the Supreme Court recognized in Pacheco v. Hudson (2018).
The AG specifically endorses Kansas's approach (Kan. Stat. Ann. § 75-7206) of having a Judicial CIO under the supervision of the judicial administrator and chief justice.
If you are the State CISO or work in the Cybersecurity Office
You can set minimum standards and condition executive-network access on compliance. For the judicial branch:
- Coordinate with the AOC and Judicial Information Division (JID). They are the technology arm of the judiciary. JID already provides cybersecurity for the courts.
- Avoid asserting authority to monitor or audit judicial communications. That is a core-power line.
- Consider establishing minimum baseline standards that the judiciary can adopt voluntarily as part of a coordinated approach.
If you are the AOC, JID, or a judicial branch IT administrator
The opinion supports your position that the judiciary controls its own IT systems for confidentiality reasons. If a future statute purports to authorize executive monitoring of judicial systems, you have a strong constitutional argument. The Pacheco v. Hudson decision (2018) is direct support for protecting judicial communications even on third-party servers operated under AOC supervision.
You should still cooperate on baseline standards (basic encryption, password complexity, multi-factor authentication, etc.). De minimis standards are within the legislature's authority and may help your security posture.
If you are a state agency CIO or technology director
The opinion does not change your obligations. Section 9-27A-3(B)(2) already authorizes the Cybersecurity Office to set "minimum cybersecurity controls" for entities connected to agency-operated networks. Continue to comply with those controls. If new standards come out under amended legislation, expect to comply with them as well.
If you are an outside attorney advising on legislative drafting in this space
The opinion is a helpful checklist for separation-of-powers risk:
- Delegation specificity: Standards-with-limits OK; unbridled discretion not OK.
- Conditioning network access: OK.
- Direct regulation of judicial systems: Risk-tiered. De minimis OK. Conflicting-but-not-substantial probably OK. Unduly interfering not OK.
- Required self-regulation by judiciary: Almost always OK.
- Monitoring or auditing of judicial communications: Almost always not OK.
Common questions
Q: Can the legislature simply give the executive open-ended cybersecurity authority?
A: No. The nondelegation doctrine requires "reasonable standards" with specificity proportional to the scope of delegation. The Cobb v. State Canvassing Bd. (2006) case rejected "unfettered discretion" with no standards. The legislature has to give guidance.
Q: What is "core judicial power" in this context?
A: Power that the judiciary exclusively exercises. Mowrer v. Rusk (1980) said the judiciary's power to "directly control court personnel" and their hiring and firing is exclusive. The judicial deliberations privilege is also a core function (Pacheco v. Hudson, 2018). Auditing or monitoring judicial communications would interfere with this privilege.
Q: What is "judicial administration" and who controls it?
A: A shared power per the AG's analysis. The legislature appropriates funds and passes laws; the judiciary administers itself. When the two come into conflict, the question is whether the legislature's action "unduly interferes" with core judicial power.
Q: Can the AOC and JID just refuse to comply with cybersecurity standards?
A: Voluntary coordination is the cleanest approach. The AOC is already authorized to manage judicial branch technology under § 34-9-3(A), and the JID already provides cybersecurity to the courts. Coordinated standards (rather than imposed standards) are the recommended path.
Q: What about Wisconsin and Kansas precedents the opinion cites?
A: The Wisconsin case (Flynn v. Dep't of Admin., 1998) recognized that judicial funding is a "shared authority" area where reductions are permissible if they do not "unreasonably curtail the powers or materially impair the efficacy of the courts." Kansas's statute (§ 75-7206) creates a Judicial CIO under judicial supervision, a structure the AG endorses as a workable, separation-of-powers-compliant model.
Background and statutory framework
The Cybersecurity Act (NMSA 1978 §§ 9-27A-1 to -5) currently authorizes the Cybersecurity Office and State CISO to oversee cybersecurity for "executive cabinet agencies and their administratively attached agencies, offices, boards and commissions." The proposed amendments would extend that authority more broadly.
The constitutional framework starts with N.M. Const. art. III § 1: "no branch shall exercise any powers properly belonging to either of the others except as expressly authorized in the Constitution." The Supreme Court has interpreted this to permit some "overlap" but not "undue interference" with another branch's authority.
The judicial branch enjoys specific protections:
- Inherent power to control court operations. Mowrer v. Rusk (1980).
- Judicial deliberations privilege. Pacheco v. Hudson (2018) protected a judge's emails on AOC servers from disclosure under IPRA.
- Right to adequate resources. Mowrer suggests courts "may incur necessary and reasonable expenses in the performance of their judicial duties," though the obligation is on the legislature to appropriate funds, not on the executive to host infrastructure.
The AG's three-tier framework:
- De minimis regulations. Always permitted. Routine reporting requirements, minor administrative obligations.
- Regulations that do not conflict with express judicial rules or core functions. Permissible.
- Regulations that unduly interfere with core judicial powers. Not permissible.
The opinion declines to opine on specific proposed regulations because the constitutional question turns on the substance of each rule. But it sets clear guideposts for what the legislature can and cannot authorize.
Citations and references
Statutes and Constitution:
- NMSA 1978 §§ 9-27A-1 to -5 (Cybersecurity Act)
- NMSA 1978 § 9-27-20(A); §§ 34-9-1, 34-9-3 (judicial administration)
- N.M. Const. art. III § 1 (separation of powers)
Cases:
- Cobb v. State Canvassing Bd., 2006-NMSC-034 (nondelegation)
- Mowrer v. Rusk, 1980-NMSC-113 (judicial inherent powers)
- State ex rel. Clark v. Johnson, 1995-NMSC-048 (separation of powers, "undue interference")
- Pacheco v. Hudson, 2018-NMSC-022 (judicial deliberations privilege)
- Padilla v. Torres, 2024-NMSC-007; Pena v. State, 2025-NMSC-041; Amdor v. Grisham, 2025-NMSC-024
- Whitman v. Am. Trucking Ass'ns, 531 U.S. 457 (2001) (federal nondelegation)
- Flynn v. Dep't of Admin., 576 N.W.2d 245 (Wis. 1998) (judicial funding shared authority)
- Saltonstall v. City of Sacramento, 231 Cal. App. 4th 837 (2014) (legislature can require judicial council to adopt rules)
Source
- Landing page: https://nmdoj.gov/publications/opinions/
- Original PDF: https://nmdoj.gov/wp-content/uploads/Attorney-General-Opinion-2026-04.pdf
Original opinion text
February 3, 2026
OPINION OF RAÚL TORREZ
Attorney General
Opinion No. 2026-04
To: Representative Debra M. Sariñana
Re: Attorney General Opinion – Legislative Changes to Cybersecurity Act
Question
May the Legislature amend the Cybersecurity Act, NMSA 1978, §§ 9-27A-1 to -5 (2023), to provide the State Chief Information Security Officer (CISO) and the Cybersecurity Office the authority to set statewide cybersecurity standards and controls, and provide appropriate governance and application thereof, without violating the constitutional separation of powers? At a minimum, may the Legislature authorize the Cybersecurity Office and the CISO to specify minimum cybersecurity standards applicable to all connections to the state Information Technology (IT) network?
Short Answer
The Legislature may constitutionally delegate authority to the State CISO and Cybersecurity Office to set certain statewide cybersecurity standards and controls, depending on their substance. De minimis regulations do not violate the separation of powers. Regulations that do not conflict with express judicial rules and implicit core powers are permissible as well. Regulations that conflict, but do not substantially interfere with express judicial rules and implicit core powers might be constitutional. Regulations that unduly interfere with core judicial powers are not constitutional.
Background
New Mexico's Cybersecurity Office sits within the Department of Information Technology (DoIT) and is led by the State CISO. Sections 9-27A-3(A), -4. Under the Cybersecurity Act, the Office oversees cybersecurity and information security-related functions for executive agencies. Section 9-27A-2(A). Cybersecurity means "acts, practices or systems that eliminate or reduce the risk of loss of critical assets, loss of sensitive information or reputational harm as a result of a cyber attack or breach within an organization's network." Section 9-27A-2(B).
Analysis
The request asks whether proposed amendments to the Cybersecurity Act granting the State CISO and Cybersecurity Office rulemaking authority to set minimum cybersecurity standards would violate the separation of powers. Under the New Mexico Constitution, no branch "shall exercise any powers properly belonging to either of the others" except as expressly authorized in the Constitution. N.M. Const. art. III, § 1. There are two potential separation of powers issues. One, can the Legislature delegate rulemaking authority over cybersecurity standards to the State CISO and Cybersecurity Office? And two, does executive rulemaking authority over cybersecurity standards for the judicial branch infringe upon the separation of powers? We address each in turn.
1. Legislative Delegation of Authority
The Legislature can delegate rulemaking authority over cybersecurity standards to an executive agency like the Cybersecurity Office. Courts analyze the separation of powers issue in legislative delegations of authority under the nondelegation doctrine. A creature of the New Mexico Constitution, "[t]he nondelegation doctrine limits, but does not completely prevent, the Legislature from vesting a large measure of discretionary authority in administrative officers and bodies." Cobb v. State Canvassing Bd., 2006-NMSC-034, ¶ 41, 140 N.M. 77.
The Legislature cannot delegate "unbridled or arbitrary" authority to the executive. Id. But if the Legislature dictates "reasonable standards" with specificity proportional to the scope of delegated authority, the delegation is constitutionally permissible. Id.; compare Montoya v. O'Toole, 1980-NMSC-045, ¶¶ 4–5, 94 N.M. 303 (upholding a statute containing "specific legislative standards" with specific factors and thresholds), with Cobb, 2006-NMSC-034, ¶¶ 15–16 (holding the Legislature cannot delegate "unfettered discretion" with no standards); see also Whitman v. Am. Trucking Ass'ns, 531 U.S. 457, 474 (2001) (observing that "[i]n the history of the [United States Supreme] Court . . . only two statutes" had ever been struck down on nondelegation principles).
In short, most delegations of power from the Legislature to the executive branch are constitutional, as long as the Legislature prescribes standards for the exercise of delegated authority and sets limits on the same. This analysis applies in equal force to the authority of the Cybersecurity Office and State CISO to set cybersecurity standards. Accordingly, as long as the Legislature includes specific language guiding and limiting the delegated authority, the delegation is likely constitutional.
2. Regulation of Judicial Branch
Whether the Legislature can delegate authority to the executive branch to set cybersecurity standards that apply to the judicial branch is a more difficult question. Nonetheless, we find the Legislature likely has authority to set such minimum standards vis-à-vis a delegation to the executive so long as they do not infringe on the core powers of the judiciary.
We will assume, based on the request, in reading the phrases "statewide" or "all connections to the state IT network" in conjunction with the stated concern about separation of powers, that there is concern about how and whether the Cybersecurity Office and State CISO can, consistent with the New Mexico Constitution, regulate the judicial branch's information technology infrastructure. As currently written, the Cybersecurity Act only authorizes the Cybersecurity Office and State CISO to regulate "executive cabinet agencies and their administratively attached agencies, offices, boards and commissions." Sections 9-27A-2(A), -3(B).
We will break this separation of powers doctrine question down into two parts. First, can the Cybersecurity Office and State CISO condition the voluntary use of agency-operated or -owned networks by the judicial and legislative branches? And second, if the judicial and legislative branches are not using agency-operated or -owned networks, can the Cybersecurity Office and State CISO still set minimum standards for those networks?
a. Conditioning Use of Executive Branch Networks
The separation of powers doctrine is not "absolute," and the Supreme Court has recognized that there must be some "overlap" among the branches. State ex rel. Clark v. Johnson, 1995-NMSC-048, ¶ 32, 120 N.M. 562 (citation modified). The central inquiry is whether one branch "unduly interferes with or encroaches on the authority or within the province of a coordinate branch of government." State ex rel. Candelaria v. Grisham, 2023-NMSC-031, ¶ 14 (citation modified). An unlawful disruption of the balance must amount to "more than de minimis dissonance or conflict." Amdor v. Grisham, 2025-NMSC-024, ¶ 113.
In accordance with these principles, the answer to the first question is yes—the Cybersecurity Office and State CISO may condition the judicial branch's general use of agency-operated or -owned telecommunications networks on certain minimum cybersecurity standards. At the outset, we note the Cybersecurity Act already appears to delegate some of that authority. Section 9-27A-3(B)(2) grants the Office the power to "develop minimum cybersecurity controls . . . for all entities that are connected to an agency-operated or -owned telecommunications network." (Emphasis added). The Act also authorizes the DoIT to "enter into necessary agreements to provide, where feasible, a telecommunication network and related facilities to all executive, legislative and judicial branches." Section 9-27-20(A).
To answer this question it is helpful to rephrase it: Is there anything in New Mexico's separation of powers caselaw that compels the executive branch (acting pursuant to legislatively delegated authority) to provide some constitutional minimum telecommunications infrastructure to the other branches? If no such constitutional mandate exists, then the executive branch would be entitled to condition judicial and legislative branch access to its networks like any other service provider and negotiate the terms of providing those services. In effect, the judicial branch would then be faced with a choice of using the executive branch systems (with conditions) or seeking alternatives. Neither the executive nor legislative branch is constitutionally required to host such a network.
While the issue has not been squarely raised in New Mexico, our Supreme Court has implied, and other states have held, that legislatures have a legal duty to appropriate money for the adequate functioning of courts. See Mowrer v. Rusk, 1980-NMSC-113, ¶ 29, 95 N.M. 48 (suggesting courts "may incur necessary and reasonable expenses in the performance of their judicial duties"). These resources must be "reasonably necessary for the performance of [the courts'] responsibilities in the administration of justice." J.C., 759 S.E.2d at 209. But nothing in this duty requires that the executive branch host the cybersecurity infrastructure of the courts—the duty only requires that the judicial branch have sufficient resources to carry out its cybersecurity operations.
Thus, there is no violation of the separation of powers doctrine if the executive branch were to impose conditions on the judicial branch's connection to executive branch-owned or -operated networks in compliance with certain minimum cybersecurity standards.
b. Regulating Networks Operated Independently by the Judicial Branch
The second question—whether the State CISO and Cybersecurity Office can promulgate rules that govern a network owned and operated entirely by the judicial branch (i.e. not an "agency network")—is a somewhat closer call. In sum, we find that where the standards pose de minimis requirements on the judicial branch, they are permissible. Where the standards are more than de minimis, the standards will govern (1) in the absence of conflicting judiciary policy and (2) so long as they do not substantially interfere with the core functions of the judicial branch.
In answering this question, we first note that there is nothing inherently improper about the Legislature delegating authority to the Cybersecurity Office and State CISO to set rules for the judiciary. Whether any regulations promulgated pursuant to this authority violate the separation of powers doctrine, however, will depend on the specific requirements they impose on the judiciary. In other words, the proposed amendment is not unconstitutional, but the regulations might be.
i. Separation of Powers in New Mexico
Separation of powers issues fall between two poles: de minimis conflicts and undue interference. A de minimis regulation of another branch does not threaten the separation of powers. While our Supreme Court has not defined precisely what constitutes a de minimis regulation, certain ministerial duties imposed on the judiciary—e.g., the responsibility to submit "a report of the activities of the administrative office of the courts and of the state of business of the courts"—are likely de minimis. NMSA 1978, § 34-9-3(C).
At the other end of the spectrum, a regulation that "unduly interferes" with the core judicial power is never permissible. Whether a regulation unduly interferes with the powers of another branch requires a more complex analysis. While each branch possesses inherent powers, some powers are shared and others are exclusive. If a power is exclusive, like the judiciary's power to "directly control court personnel" and their hiring and firing, the Legislature has no authority to regulate the issue because it would substantially interfere with the judicial branch's core functions.
If a power is shared, the question requires a more complex inquiry. Where a power is shared, the first question is whether there is a true conflict between its exercise by two coordinate branches. If there is no conflict with either, the exercise is permissible. If there is a conflict, "[w]hich branch must yield to the other depends upon the circumstances of each individual case" and the "essence of power exercised by the other branch of government." The relevant question is whether the statute "unduly interferes" with the judicial rule or power.
In this case, judicial administration appears to be a shared power, as the Legislature appropriates funding to the courts, "make[s] public policy," and passes laws that govern the administrative structure of the judicial branch. Whether the judicial or legislative branch must yield will likely depend on the regulation and to what extent it impacts the core functions of the judicial branch.
In sum, de minimis regulations of the judicial branch are permissible. Judicial administration is likely a shared power, so cybersecurity regulations that do not conflict with express judicial rules or implicit judicial powers are probably valid. If cybersecurity regulations conflict with a judicial rule or power, they may be invalid, depending on whether that conflict unduly interferes with the judicial branch's powers.
ii. Cybersecurity regulation
We now turn specifically to the legislative amendment suggested in the request. The request references concerns raised by the Administrative Office of the Courts (AOC) when similar legislation was previously introduced. Then, the AOC expressed concern that the legislation would "allow the cybersecurity office to monitor and audit judicial networks and systems." On the one hand, we agree with the AOC that allowing unfettered access by the executive branch to judicial networks, even for the sole purpose of monitoring and auditing such systems, would likely run afoul of the separation of powers because confidentiality is a prerequisite to the effective exercise of the judiciary's core powers. See Pacheco v. Hudson, 2018-NMSC-022, ¶¶ 43–51. On the other hand, imposing certain basic cybersecurity requirements (e.g., two-factor authentication, password complexity) would likely not infringe on core judicial powers and falls somewhere between a de minimis requirement and one that could be imposed absent conflicting judiciary policy. Ultimately, the separation of powers issue will turn on the proposed substance of the regulation.
The above analysis primarily concerns direct regulation of the judiciary's cybersecurity by the legislative and executive branches. In other words, can the judiciary's own systems be bound by standards it did not itself promulgate? However, the separation of powers question is somewhat easier where the legislature requires the judiciary to adopt standards but leaves ultimate control over those standards to the judicial branch. Our statutes contain many similar provisions that, so far, remain unchallenged. See, e.g., NMSA 1978, § 34-1-11 (2009) (authorizing the Supreme Court to impose electronic services fee); NMSA 1978, § 34-2-11 (2018) (establishing the Supreme Court Law Library and vesting its management in the Supreme Court).
Requiring the judiciary to set cybersecurity standards without specifically dictating the actual substance of those standards is unlikely to pose a separation of powers concern. See, e.g., Padilla, 2024-NMSC-007, ¶ 29; see also Saltonstall v. City of Sacramento, 231 Cal. App. 4th 837, 855 (2014); Kan. Stat. Ann. § 75-7206 (2026). In other words, requiring the judiciary to develop its own cybersecurity standards likely does not violate the separation of powers. Or, to provide another example, requiring the judiciary to conduct its own audit of its cybersecurity systems is unlikely to flout the separation of powers.
Conclusion
For the reasons outlined above, we conclude that the amendment proposed in the request is likely constitutional. However, any regulations promulgated pursuant to that authority may be unconstitutional if they unduly interfere with the judiciary's core powers.
Please note that this opinion is a public document and is not protected by the attorney-client privilege. It will be published on our website and made available to the general public.
RAÚL TORREZ
ATTORNEY GENERAL