Cybersecurity Program

• Adopt a formal cybersecurity program.
• Report cybersecurity incidents to the Ohio Department of Public Safety (DPS) within seven days and to the Auditor of State within 30 days.
• Pass a resolution/ordinance before paying any ransom demands, explaining why the payment is in the public interest.

All political subdivisions in Ohio are covered, including counties, municipalities, townships, school districts, and other local government entities.

Your cybersecurity program should be consistent with best practices. AOS recommends NIST (National Institute of Standards & Technology) and CIS (Center for Internet Security). Both frameworks can be tailored to your organization's size and needs.

• Identification of critical functions and risks
• Threat-detection system
• Incident response procedures
• Measures for recovery and ongoing security
• Security training requirements for all employees based on job duties

You may design your own program. The legislation preserves local control, allowing you to create a cybersecurity program that best fits your organization's needs. The Auditor of State will audit according to the program you implement.

• Counties and cities by Jan. 1, 2026
• All other political subdivisions by July 1, 2026

The Auditor of State will check compliance during regular audits. AOS staff will audit according to the cybersecurity program your organization has chosen.

No, but there are strict requirements. You may pay a ransom only if your local legislative authority passes a resolution explaining why the payment is in the public interest. Without it, a ransom payment is an illegal expenditure.

Emergency meeting rules allow timely sessions to approve a ransom payment, so you can convene your legislative authority quickly if needed.

The Auditor of State’s office preferred a total ban, but a compromise with local associations lets legislative authorities decide via normal process while ensuring transparency.

• Ohio Department of Public Safety (DPS) within seven days: Reports should be submitted to the Ohio Cyber Integration Center (OCIC). DPS/OCIC provides multiple reporting options, including email, phone, and an online form.
• Auditor of State within 30 days: Fill out this Cybersecurity Reporting Form and send it to cyber@ohioauditor.gov

Reporting to DPS/OCIC within seven days is required by law and allows your organization to receive rapid response and technical assistance, including support from the Cyber Reserve. Early reporting also helps protect other local governments by tracking trends and issuing timely guidance.

Reporting to AOS within 30 days ensures the Auditor has the information needed before your next regular audit.

Any cybersecurity breach or attack affecting your systems, data, or operations should be reported. This includes disruptions such as payment re-direct, payroll re-direct, spear phishing, or other social engineering schemes that could lead to a breach. When in doubt, report and let state agencies guide the response.

No. The legislation exempts these from public records law:

• Cybersecurity plans and programs
• Reports of cybersecurity incidents
• Procurement records for cyber-related items

This exemption protects from releasing details that could create new security risks.

The Ohio Department of Public Safety offers resources and rapid-response services, including the Ohio Cyber Reserve. You can also consult the NIST and CIS frameworks directly for scalable guidance.

This legislation takes effect Sept. 30, 2025.

Noncompliance will be flagged in regular AOS audits. Since it’s state law, failure to comply could result in formal audit findings.

Yes — every political subdivision must comply. Both NIST and CIS frameworks are scalable, so you can implement a program that fits your size and resources. The key is having a formal program in place.

• NIST Cybersecurity Framework
• CIS Controls

Contact the Ohio Auditor of State's Office for compliance and audit-procedure questions, or the Ohio Department of Public Safety for incident-reporting and response services.