[OPLINLIST] Cybersecurity Incident Reporting Effective Sep 30
Jessica Dooley
jessica at oplin.ohio.gov
Thu Sep 18 15:12:19 EDT 2025
Good afternoon,
A reminder that starting September 30, ORC 9.64
<https://codes.ohio.gov/assets/laws/revised-code/authenticated/0/9/9.64/9-30-2025/9.64-9-30-2025.pdf>
requires local government entities to report cybersecurity incidents to the
Ohio Cyber Integration Center within 7 days, and the Auditor of State
within 30 days.
To report an incident:
- OCIC's Cyber Incident Reporting Guide
<https://dam.assets.ohio.gov/image/upload/q_auto/v1756406895/cyber.ohio.gov/cyber-sop-2025-2-final.pdf>
- Auditor of State's Cybersecurity Reporting Form
<https://ohioauditor.gov/fraud/docs/CybersecurityReportingForm.pdf>
OCIC has published detailed guidance
<https://homelandsecurity.ohio.gov/ohio-cyber-integration-center/reporting-guidance>
on determining what qualifies as a reportable cybersecurity incident; see
the FAQ at the end for specific examples.
Mandatory reporting is intended to help the State of Ohio track threats to
local government. Incident reports to OCIC are covered by a non-disclosure
agreement, and reports to both OCIC and AoS are not public records. Other
provisions in ORC 9.64, including a requirement that public entities create
and maintain a security readiness plan, take effect for public libraries on
July 1, 2026. Find links to more resources at
https://www.oplin.ohio.gov/security.
Thanks,
Jessica D. Dooley (she/her)
Technology Project Manager
Ohio Public Library Information Network
jessica at oplin.ohio.gov
614-728-5254
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.oplin.org/pipermail/oplinlist/attachments/20250918/f4583b3d/attachment.htm>
More information about the OPLINLIST
mailing list