<div dir="ltr"><div dir="ltr"><div dir="ltr"><div>On June 30, <a href="https://codes.ohio.gov/assets/laws/revised-code/authenticated/0/9/9.64/9-30-2025/9.64-9-30-2025.pdf" target="_blank">ORC 9.64</a> was signed into law, creating new cybersecurity requirements for Ohio public libraries.<br><br>In summary, ORC Section 9.64:<br><ul><li>Requires entities to create a cybersecurity program guided by standards of best practice</li><li>Requires that entities provide regular security training to all staff, appropriate to their role</li><li>Establishes mandatory reporting requirements for cybersecurity incidents </li><li>Prohibits entities from paying ransom demands without a Board motion specifying why such payment is in the organization's best interest</li><li>Clarifies that cybersecurity plans, procurement and incident records, and all related documents are not public records. </li></ul></div><div><br></div><div>Mandatory reporting takes effect <b>September 30, 2025</b>.</div><div>Public libraries are required to implement a cybersecurity program and training by <b>July 1, 2026</b>. </div><div><br></div><div>
There are many resources available to help public libraries prepare to meet these requirements.
<br></div><div><ul><li> Plain language analysis of ORC 9.64 is available from <a href="https://cyber.ohio.gov/news-and-events/all-news/new-local-government-cyber-standards" target="_blank">CyberOhio</a> and from the <a href="https://www.lsc.ohio.gov/assets/legislation/136/hb96/ps/files/hb96-bill-analysis-as-passed-by-the-senate-136th-general-assembly.pdf#550" target="_blank">Ohio Legislative Service Commission</a> (page 550).</li><li> <a href="https://cyber.ohio.gov/priorities/assisting-local-government-entities/ohio-hb-96-new-cybersecurity-requirements-for-public-entities" target="_blank">CyberOhio</a> hosted a <a href="https://player.cloudinary.com/embed/?cloud_name=stateofohio&secure_distribution=dam.assets.ohio.gov&private_cdn=true&public_id=cyber.ohio.gov%2FMicrosoftTeams-video_1&profile=cld-default" target="_blank">recorded briefing</a> and <a href="https://dam.assets.ohio.gov/image/upload/q_auto/fl_attachment/cyber.ohio.gov/New_Cyber_Law_Presentation.pdf" target="_blank">slide deck</a> for local government entities. A follow-up briefing in partnership with the Auditor of State is planned for August. </li></ul></div><div></div><div><br></div><div><b>Cybersecurity Program:</b></div><div><br></div><div>Developing a cybersecurity program to safeguard the confidentiality, integrity, and availability of the library's data and technology assets is required by July 2026. While ORC 9.64 defines a minimum set of best practices that cybersecurity programs should address, programs should be customized to the resources, needs and budget of each entity. Standards of best practice include:</div><ul><li><a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf" target="_blank">NIST Special Publication 800.53 Security and Privacy Controls for Information Systems and Organizations</a></li><li><a href="https://ohioauditor.gov/fraud/docs/NIST-Cybersecurity-Framework-Policy-Template-Guide-v2111Online.pdf" target="_blank">NIST Cybersecurity Framework Policy Template Guide</a></li><li><a href="https://www.cisecurity.org/controls/cis-controls-list" target="_blank">CIS 18 Critical Security Controls</a></li></ul><div>
<a href="https://www.ohiocyberrangeinstitute.org/cffak" target="_blank">Cyber Frontline First Aid Kit</a> is an on-demand web course provided by the Ohio Cyber Range Institute to help organizations assess their risks and set priorities to bootstrap a new cybersecurity program. CFFAK explains the concepts addressed by NIST and CIS standards, and provides a roadmap for those building a new security program from scratch.</div><div><b><br></b></div><div><b>Mandatory Reporting:</b></div><div><br></div><div>
Mandatory reporting is intended to help the State of Ohio accurately
track threats to public services. Cybersecurity incidents which meet the
definition in ORC 9.64 must be reported to Ohio Homeland Security
within 7 days, and to the Auditor of State within 30 days. <br><ul><li>Ohio Homeland Security's <a href="https://cyber.ohio.gov/priorities/ocic" target="_blank">Ohio Cyber Integration Center</a> has <a href="https://dam.assets.ohio.gov/image/upload/q_auto/fl_attachment/cyber.ohio.gov/state-cyber-incident-response_7.pdf" target="_blank">published a guide</a> on how to report an incident.</li><li>The Auditor of State will publish their process for reporting in August. </li></ul><div><br></div>
</div><div></div><div></div><div><b>Staff Training:</b></div><div><br></div><div>Entities must provide all staff with cybersecurity training appropriate to their role. While ORC 9.64 does not mandate frequency, CyberOhio strongly recommends annual training.</div><ul><li>ORC 9.64 specifies that participation in the <a href="https://www.ohiocyberrangeinstitute.org/opci" target="_blank">Ohio Persistent Cyber Improvement</a> program will meet this requirement. Learn more and register for the waiting list at their website. </li><li>Libraries can apply for <a href="https://techcred.ohio.gov/about" target="_blank">TechCred</a> to fund security training for employees.</li><li>OPLIN is exploring options to assist libraries seeking training to meet this requirement.</li></ul><div><br></div><div>OPLIN provides security resources that public libraries can integrate into their cybersecurity program, including DNS filtering, vulnerability scanning, <a href="https://www.oplin.ohio.gov/dmarc" target="_blank">DMARC analysis</a>, and DDoS protection. Information is available at <a href="https://www.oplin.ohio.gov/security" target="_blank">https://www.oplin.ohio.gov/security</a>. </div><div><br></div><div>As always, please don't hesitate to reach out if I can answer any questions. </div><div><br></div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Jessica D. Dooley (she/her)<br></div><div>Technology Project Manager<br></div><div>Ohio Public Library Information Network<br></div><div><a href="mailto:jessica@oplin.ohio.gov" target="_blank">jessica@oplin.ohio.gov</a></div><div>614-728-5254<br></div></div></div></div></div>
</div>
</div>