Mexican Government Publishes Cybersecurity Policy for Federal Public Administration

Web Editor

December 17, 2025


Introduction and Key Players

The Mexican government, under the leadership of José Antonio Peña Merino, head of the Agency for Digital Transformation and Telecommunications (ATDT), has formalized the General Policy of Cybersecurity for Federal Public Administration (APF). This policy was published in the Official Gazette of the Federation (DOF) and aims to establish protocols for information and communication security within federal government operations.

The announcement was previously teased during the presentation of the National Cybersecurity Plan 2025-2030 on December 4, 2025, by Karla Heidy Rocha Ruiz, head of the General Directorate of Cybersecurity. The policy’s publication now makes it mandatory and initiates the institutional implementation cycle.

Policy Details and Implementation

The DOF agreement designates the General Directorate of Cybersecurity as the unit responsible for overseeing strategic axes, goals, and actions, monitoring compliance, and conducting evaluations and audits of federal dependencies and entities. It also outlines a communication platform between the authority and institutional responsible parties.

The government has set two deadlines to accelerate policy execution: within 180 calendar days of entry into force, the ATDT must issue technical guidelines, compliance criteria, and official formats; and within 60 calendar days, federal dependencies and entities must formally designate a Titular Institutional in Matters of Cybersecurity and their Assistant, notifying the ATDT in writing.

Scope and Operational Changes

This policy is obligatory for APF dependencies, delegations, and entities, excluding the Ministry of Defense, the Navy Ministry, and the National Intelligence Center regarding national security and their respective activities.

Operationally, each institution must have an Institutional Cybersecurity Responsible (RIC), preferably separate from the IT unit head, to serve as a technical and coordination point with the authority.

The policy document specifies that institutional heads must designate an RIC and approve an Institutional Cybersecurity Plan, while the RIC must develop and update this plan, coordinate its execution, monitor and report incidents, and manage self-assessment and continuous improvement processes.

From Fragmented Defense to a Federal Architecture

The policy outlines a common framework organized into eight strategic axes, ranging from governance and risk management to identity, supply chain, talent, and innovation. Among its bets are the adoption of approaches like Zero Trust and multi-factor authentication to reduce exposure to cyberattacks resulting from compromised credentials.

Regarding incident response, the policy outlines two elements: the National CSIRT-APF and a Federated National CSOC. According to the policy, the CSIRT must establish notification protocols and a severity matrix, with a rule that critical incidents must be reported within 24 hours. It must also coordinate containment and recovery among entities and issue alerts with playbooks for scenarios like ransomware or DDoS attacks.

The CSOC, on the other hand, is defined as a 24/7 monitoring center with correlation and alerting, threat hunting, and issuing intelligence bulletins and containment directives.

Key Questions and Answers

  • Who is affected by this policy? The policy applies to dependencies, delegations, and entities of the Federal Public Administration, excluding the Ministry of Defense, Navy Ministry, and National Intelligence Center regarding national security and their respective activities.
  • What changes in operational terms? Each institution must have an Institutional Cybersecurity Responsible (RIC) to act as a technical and coordination point with the authority. The RIC will develop, update, and implement an Institutional Cybersecurity Plan.
  • What are the key aspects of the incident response framework? The policy establishes a National CSIRT-APF to set notification protocols and severity matrices, ensuring critical incidents are reported within 24 hours. It also outlines a Federated National CSOC as a 24/7 monitoring center for correlation, alerting, threat hunting, and issuing intelligence bulletins and containment directives.

With the publication in the DOF, the federal government’s cybersecurity plan transitions from a roadmap to an administrative obligation with deadlines, responsible parties, and future technical rules.