[OPLINTECH] New Cybersecurity Requirements for Public Libraries

Jessica Dooley jessica at oplin.ohio.gov
Thu Jul 31 15:47:47 EDT 2025


On June 30, ORC 9.64
<https://codes.ohio.gov/assets/laws/revised-code/authenticated/0/9/9.64/9-30-2025/9.64-9-30-2025.pdf>
was signed into law, creating new cybersecurity requirements for Ohio
public libraries.

In summary, ORC Section 9.64:

   - Requires entities to create a cybersecurity program guided by
   standards of best practice
   - Requires that entities provide regular security training to all staff,
   appropriate to their role
   - Establishes mandatory reporting requirements for cybersecurity
   incidents
   - Prohibits entities from paying ransom demands without a Board motion
   specifying why such payment is in the organization's best interest
   - Clarifies that cybersecurity plans, procurement and incident records,
   and all related documents are not public records.


Mandatory reporting takes effect *September 30, 2025*.
Public libraries are required to implement a cybersecurity program and
training by *July 1, 2026*.

There are many resources available to help public libraries prepare to meet
these requirements.

   - Plain language analysis of ORC 9.64 is available from CyberOhio
   <https://cyber.ohio.gov/news-and-events/all-news/new-local-government-cyber-standards>
   and from the Ohio Legislative Service Commission
   <https://www.lsc.ohio.gov/assets/legislation/136/hb96/ps/files/hb96-bill-analysis-as-passed-by-the-senate-136th-general-assembly.pdf#550>
   (page 550).
   - CyberOhio
   <https://cyber.ohio.gov/priorities/assisting-local-government-entities/ohio-hb-96-new-cybersecurity-requirements-for-public-entities>
   hosted a recorded briefing
   <https://player.cloudinary.com/embed/?cloud_name=stateofohio&secure_distribution=dam.assets.ohio.gov&private_cdn=true&public_id=cyber.ohio.gov%2FMicrosoftTeams-video_1&profile=cld-default>
   and slide deck
   <https://dam.assets.ohio.gov/image/upload/q_auto/fl_attachment/cyber.ohio.gov/New_Cyber_Law_Presentation.pdf>
   for local government entities. A follow-up briefing in partnership with the
   Auditor of State is planned for August.


*Cybersecurity Program:*

Developing a cybersecurity program to safeguard the confidentiality,
integrity, and availability of the library's data and technology assets is
required by July 2026. While ORC 9.64 defines a minimum set of best
practices that cybersecurity programs should address, programs should be
customized to the resources, needs and budget of each entity. Standards of
best practice include:

   - NIST Special Publication 800-53 Security and Privacy Controls for
   Information Systems and Organizations
   <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf>
   - NIST Cybersecurity Framework Policy Template Guide
   <https://ohioauditor.gov/fraud/docs/NIST-Cybersecurity-Framework-Policy-Template-Guide-v2111Online.pdf>
   - CIS 18 Critical Security Controls
   <https://www.cisecurity.org/controls/cis-controls-list>

Cyber Frontline First Aid Kit
<https://www.ohiocyberrangeinstitute.org/cffak> is an on-demand web course
provided by the Ohio Cyber Range Institute to help organizations assess
their risks and set priorities to bootstrap a new cybersecurity program.
CFFAK explains the concepts addressed by NIST and CIS standards, and
provides a roadmap for those building a new security program from scratch.

*Mandatory Reporting:*

Mandatory reporting is intended to help the State of Ohio accurately track
threats to public services. Cybersecurity incidents which meet the
definition in ORC 9.64 must be reported to Ohio Homeland Security within 7
days, and to the Auditor of State within 30 days.

   - Ohio Homeland Security's Ohio Cyber Integration Center
   <https://cyber.ohio.gov/priorities/ocic> has published a guide
   <https://dam.assets.ohio.gov/image/upload/q_auto/fl_attachment/cyber.ohio.gov/state-cyber-incident-response_7.pdf>
   on how to report an incident.
   - The Auditor of State will publish their process for reporting in
   August.


*Staff Training:*

Entities must provide all staff with cybersecurity training appropriate to
their role. While ORC 9.64 does not mandate frequency, CyberOhio strongly
recommends annual training.

   - ORC 9.64 specifies that participation in the Ohio Persistent Cyber
   Improvement <https://www.ohiocyberrangeinstitute.org/opci> program will
   meet this requirement. Learn more and register for the waiting list at
   their website.
   - Libraries can apply for TechCred <https://techcred.ohio.gov/about> to
   fund security training for employees.
   - OPLIN is exploring options to assist libraries seeking training to
   meet this requirement.


OPLIN provides security resources that public libraries can integrate into
their cybersecurity program, including DNS filtering, vulnerability
scanning, DMARC analysis <https://www.oplin.ohio.gov/dmarc>, and DDoS
protection. Information is available at
<https://www.oplin.ohio.gov/security>.

As always, please don't hesitate to reach out if I can answer any
questions.

Jessica D. Dooley (she/her)
Technology Project Manager
Ohio Public Library Information Network
jessica at oplin.ohio.gov
614-728-5254