Cybersecurity Program


Summary of Requirements

The threat of cybercrime to Ohio's government entities is a reality that requires increased security efforts. That is why all political subdivisions are now required by state law ORC § 9.64 to formally adopt cybersecurity programs.

ORC 9.64 | Political subdivision cybersecurity

ORC § 9.64 requires local governments to adopt a cybersecurity program appropriate for their needs. Since political subdivisions vary widely in their size and responsibilities, cybersecurity plans should be tailored to fit each community’s individual needs.

AOS recognizes the importance of local control, and the law preserves local authorities' ability to have final say on how this policy is implemented. Key areas to consider include identifying critical functions and risks, setting up threat-detection systems, creating response procedures, planning for recovery and ongoing security, and establishing security training requirements for all employees based on their job duties.

Ransom Payments

As a rule, AOS prefers a statewide "No Ransom Policy", to send a message that criminals won't get paid holding Ohio governments for ransom. While this bill doesn't bar local governments from paying ransoms, it allows payment only if the local legislative authority adopts a resolution explaining to the public why they think paying the ransom is the best solution.

Audit Requirements

When AOS conducts a regular audit, we will check that the requirements of this new law are being met. The law allows local officials to design a program that best fits their needs, and AOS staff will audit according to that program.

Notifying State Authorities

The law requires that political subdivisions that discover a cybersecurity incident must notify Ohio Homeland Security’s Ohio Cyber Integration Center (OCIC) within seven days and the Auditor of State's office within 30 days.

Public Records Exemption

Records, documents, or reports related to the cybersecurity program and framework, and reports of a cybersecurity incident or ransomware incident, are not public records under ORC 9.64. Records identifying cybersecurity-related software, hardware, goods, and services that are being considered for procurement, have been procured, or are being used by a political subdivision, including vendor name, product name, project name, or project description, constitute "security records" and are exempt from the requirement to produce those records in response to a public records request.

Frequently Asked Questions

This FAQ clarifies the new state law on cybersecurity requirements, summarizes the key provisions of HB 96 (ORC § 9.64), and provides guidance to local governments on how to comply.

  • Adopt a formal cybersecurity program.
  • Report cybersecurity incidents to the Ohio Department of Public Safety (DPS) within seven days and to the Auditor of State within 30 days.
  • Pass a resolution/ordinance before paying any ransom demands, explaining why the payment is in the public interest.

All political subdivisions in Ohio are covered, including counties, municipalities, townships, school districts, and other local government entities.

Your cybersecurity program should be consistent with best practices. AOS recommends NIST (National Institute of Standards & Technology) and CIS (Center for Internet Security). Both frameworks can be tailored to your organization's size and needs.

  • Identification of critical functions and risks
  • Threat-detection system
  • Incident response procedures
  • Measures for recovery and ongoing security
  • Security training requirements for all employees based on job duties

You may design your own program. The legislation preserves local control, allowing you to create a cybersecurity program that best fits your organization's needs. The Auditor of State will audit according to the program you implement.

  • Counties and cities by Jan. 1, 2026
  • All other political subdivisions by July 1, 2026

The Auditor of State will check compliance during regular audits. AOS staff will audit according to the cybersecurity program your organization has chosen.

No, but there are strict requirements. You may pay a ransom only if your local legislative authority passes a resolution explaining why the payment is in the public interest. Without it, a ransom payment is an illegal expenditure.

Emergency meeting rules allow timely sessions to approve a ransom payment, so you can convene your legislative authority quickly if needed.

The Auditor of State’s office preferred a total ban, but a compromise with local associations lets legislative authorities decide via normal process while ensuring transparency.

Reporting to DPS/OCIC within seven days is required by law and allows your organization to receive rapid response and technical assistance, including support from the Cyber Reserve. Early reporting also helps protect other local governments by tracking trends and issuing timely guidance.

Reporting to AOS within 30 days ensures the Auditor has the information needed before your next regular audit.

Any cybersecurity breach or attack affecting your systems, data, or operations should be reported. This includes disruptions such as payment re-direct, payroll re-direct, spear phishing, or other social engineering schemes that could lead to a breach. When in doubt, report and let state agencies guide the response.

No. The legislation exempts these from public records law:

  • Cybersecurity plans and programs
  • Reports of cybersecurity incidents
  • Procurement records for cyber-related items

This exemption prevents the release of details that could create new security risks.

The Ohio Department of Public Safety offers resources and rapid-response services, including the Ohio Cyber Reserve. You can also consult the NIST and CIS frameworks directly for scalable guidance.

This legislation takes effect Sept. 30, 2025.

Noncompliance will be flagged in regular AOS audits. Since it’s state law, failure to comply could result in formal audit findings.

Yes — every political subdivision must comply. Both NIST and CIS frameworks are scalable, so you can implement a program that fits your size and resources. The key is having a formal program in place.

Contact the Ohio Auditor of State's Office for compliance and audit-procedure questions, or the Ohio Department of Public Safety for incident-reporting and response services.