ID H0004

Requires all Idaho state agencies to implement and maintain cybersecurity best practices and mandates multifactor identification for accessing IT devices and services, including email, cloud storage, web applications, networks, databases, and servers

Extends multifactor identification requirements to the legislative branch, judicial branch, and elected constitutional officers and their staffs through a new Section 67-2362

Defines multifactor identification as using two or more credential types: knowledge-based (passwords/PINs), possession-based (security tokens, key fobs, SIM cards, smartphone apps), or inherence-based (fingerprints, facial recognition)

Strengthens the Office of Information Technology Services' authority by changing language from "coordinate" to "direct" regarding state agencies' information security, penetration testing, vulnerability scans, and cybersecurity training

Declared an emergency measure with an effective date of July 1, 2025