ID H0035

Requires all Idaho state agencies to implement and maintain cybersecurity best practices and use multifactor identification (MFA) to access IT devices and services, including email, cloud storage, web applications, networks, databases, and servers

Mandates the legislative branch, judicial branch, and elected constitutional officers implement MFA for their staff and systems through a new section of Idaho Code (67-2362)

Defines multifactor identification as requiring two or more credential types: knowledge-based (passwords/PINs), possession-based (security tokens, key fobs, SIM cards, smartphone apps), or inherence-based (fingerprints, facial recognition)

Strengthens the Office of Information Technology Services' authority by changing language from "coordinate with" to "direct" state agencies on cybersecurity matters including penetration testing, vulnerability scans, and employee training

Declared an emergency measure with an effective date of July 1, 2025