06/04/2026
Quick refresher for every elected official, fiscal officer, and superintendent in Ohio:
There's a new cybersecurity law on the books, and the audit clock has already started.
ORC 9.64, enacted through House Bill 96 of the 136th General Assembly, requires every political subdivision in Ohio to adopt a formal cybersecurity program. The law took effect September 30, 2025, and the Auditor of State began checking compliance January 1, 2026.
The statute is short. The compliance work is real. Here's what your program has to cover:
1. Identify your critical functions and cybersecurity risks
2. Identify the potential impacts of a breach
3. Detect threats and events
4. Establish communication, analysis, and containment procedures
5. Repair infrastructure and maintain post-incident security
6. Train every employee on cybersecurity awareness
You also have to notify Ohio Homeland Security within 7 days of any cybersecurity incident, and the Auditor of State within 30 days.
The ransomware provision deserves its own spotlight: your subdivision may not pay a ransom unless the legislative authority passes a formal resolution stating why payment is in the best interest of the subdivision.
Most Ohio local governments don't yet have this program documented and adopted. If you're one of them, the path forward is straightforward when you have the right framework. NIST CSF and CIS Controls IG1 are both explicitly recognized by the statute as acceptable best practices.
If you want our policy template or a no-cost readiness review, drop a comment or send me a message.