The state is doing cybersecurity work differently, to keep pace with an evolving IT and security landscape. In-person training exercises and a unique partnership model are helping support statewide readiness.
Participants at Cyber Discovery 2025 in Idaho got to experience hands-on training.
Courtesy of Idaho Information Technology Services.
The state of Idaho is taking a comprehensive, statewide approach to cybersecurity, with an interactive training exercise that features cross-sector participation and a grant program to improve security at the local level.
Officials recently held Cyber Discovery 2025, a coordinated exercise in which participants defend the state against simulated cyber incidents. The exercise, May 16-June 12, pitted one team implementing “controlled attacks” on state infrastructure against another focused on threat detection. The yearly event, which started in 2022, is a partnership with the Idaho Army National Guard and involves state and local government entities, college students, and military personnel. Participation is open to other state national guards, too.
It’s a training opportunity for both the state and the cyber programs within the military, Gonzalez said. While other states implement this type of training, Idaho’s approach is different, he said — using a “true environment,” which is more realistic than a controlled training environment. Notably, participants also identified real and credible threats from other countries during the event.
“They’re finding real problems — real vulnerabilities — for the state,” the CIO said.
Participants work together, at Cyber Discovery 2025 in Idaho.
Courtesy of Idaho Information Technology Services.
In previous years, the National Guard’s team has beat the state’s squad — but not in 2025. This was the first year the state was able to best the National Guard, an accomplishment Gonzalez attributed to continuous cybersecurity response practice.
“Our security posture is the best it’s ever been,” he said, noting that cybersecurity’s ongoing evolution requires the state to continuously stay up-to-date with the right tools, monitoring practices and training.
Idaho also recently created a threat hunting team to find abnormalities and support the ongoing work of the state’s existing cyber response group. Around 16 million attacks against the state per month are captured by automated tools; approximately 500,000 remain, and the teams can help combat those.
Through the grant program, starting with Fiscal Year 2026, ITS will work with the Idaho National Guard and higher education to set up an apprenticeship program. The state will support 25 to 31 entities with cybersecurity assessments, including cities, counties, school districts and tribal governments. Apprentices, many of whom will be recent graduates from Boise State University or the University of Idaho, will lead remediation efforts with state oversight. Here, ITS will primarily be a cybersecurity service provider, which the grant enables the state to deliver.
Cross-sector partnership is an important piece of Idaho’s cybersecurity strategy. Leaders work closely with higher education institutions like Boise State, a university that has invested in cybersecurity and AI through an internship program. The university has gone above and beyond, Gonzalez said, but has been facing program challenges due to funding. The state partnership has enabled its work to continue with a joint approach. Now, he said, students at higher education institutions have a path to live and work in Idaho, as they can demonstrate their cyber skills with ITS or a local government entity.
As federal cybersecurity guidance is shifting, the state has the Idaho Technology Authority leading on establishing state-level tech policy. One new governance change came from House Bill 35, which passed this year. The new law requires multifactor authentication to be included as part of the security stack for all state agencies, and it provided ITS some authority over cybersecurity directives.
IDAHO IT: BEYOND SECURITY
ITS has been developing an AI framework this year to guide agencies’ use of the technologies, and it is now complete, the CIO said. Officials presented the framework to the governor’s office and the legislative AI committee in June; it is expected to be published later this month to enable “the common use of AI tools” in Idaho state government.
State technology leaders are supportive of agencies’ AI use, which Gonzalez said is why Idaho has gravitated toward guidance rather than governance — as the latter could limit agility while AI rapidly changes.
“We want to have the tools and the education for [state workers] to understand the benefits and risks associated with AI,” he said, underlining that those who want to build a large language model or use AI for productivity should be able to do so. “We just want to be part of that discussion so that we can do a data readiness and an AI readiness assessment … to safeguard citizen data in the state of Idaho.”
ITS is exploring several proofs of concept for AI, but with an eye on risk management. Gonzalez said he himself is in favor of AI but emphasized the importance of responsible use.
Data privacy has been a key priority for ITS leadership this year. ITS hired Privacy Officer Taylor Bothke, to support the work. Bothke is also serving as the Americans with Disabilities Act program manager, and will support the state’s work to meet the approaching 2026 deadline for a federal mandate that requires all digital assets be accessible to people with disabilities.
The state’s IT consolidation process carries on behind the scenes, with only one more agency remaining, Gonzalez said — the Idaho Department of Health and Welfare.
Julia Edinger is a senior staff writer for Government Technology. She has a bachelor’s degree in English from the University of Toledo and has since worked in publishing and media. She’s currently located in Ohio.
