HB 96 (ORC 9.64) Cybersecurity Compliance for Ohio Public Entities

Get audit-ready with a defensible cybersecurity program, incident reporting workflow, and staff training.
Deadline Alert: Counties/Cities deadline passed. Other entities due July 1, 2026.
Book a HB 96 Readiness Call
Download HB 96 Checklist

Ohio Compliance

What HB 96 Requires

Adopt a Cybersecurity Program

Implement a formal cybersecurity program aligned to NIST or CIS frameworks, with documented policies and procedures.

Incident Reporting Requirements

Report cybersecurity incidents to OCIC within 7 days and to the Auditor of State within 30 days.

Ransomware Decision Process

Ransomware payments require a public resolution or ordinance – you need documented procedures before an incident occurs.

Public Records Exemption

Your cybersecurity program and incident records are exempt from public records requests, protecting sensitive security details.

Common Challenges

Where Ohio Entities
Get Stuck

• “We have tools, but no formally adopted cybersecurity program.”

• “We can’t prove training completion or role-based requirements.”

• “We don’t know what triggers the 7-day reporting clock.”

• “Our incident response plan doesn’t include the legislative path for ransomware decisions.”

• “We lack the in-house expertise to build a compliant program from scratch.”

Compliance Services

How Great Lakes Computer
Gets You Compliant

HB 96 Readiness Assessment

2-3 Week Engagement

• Gap assessment mapped to NIST/CIS frameworks
• Draft adoption-ready program outline
• Prioritized action plan

Program Build + Audit Binder

30-60 Day Engagement

• Written cybersecurity program with core policies
• Training plan with completion tracking
• Evidence binder for state audits

Operate & Monitor

Ongoing Managed Services

• 24/7 SOC monitoring
• Vulnerability management & periodic testing
• Incident response support playbooks

Trusted Partner

Why Ohio Entities Partner with Great Lakes Computer

Building HB 96 compliance in-house requires specialized expertise that most public entities don’t have on staff. Partnering with Great Lakes Computer gives you:

30+ years serving Ohio government and enterprise clients
State of Ohio MMA contract holder – streamlined procurement
Expertise in regulatory compliance (NIST, CIS, CJIS)
Predictable budgeting vs. building an in-house security team
Single point of accountability for your compliance program

Resources

HB 96 Compliance Resources

Downloadable Guides

HB 96 Compliance Checklist
A one-page checklist covering the key requirements for Ohio public entities.
Download Checklist (PDF)
Incident Reporting Guide
What to do in the first 24 hours of a cybersecurity incident, including reporting timelines.
Request Guide

Frequently Asked Questions

What counts as a cybersecurity incident under HB 96?
Any unauthorized access, disruption, or compromise of IT systems, networks, or data that affects your operations or the security of sensitive information. This includes ransomware attacks, data breaches, phishing compromises, and malware infections.
Does HB 96 apply to small townships?
Yes. HB 96 applies to all Ohio public entities regardless of size, including townships, villages, and small municipalities. The compliance requirements are the same, though the scope of your cybersecurity program may vary based on your IT infrastructure.
What do state auditors check for compliance?
Auditors verify that you have a formally adopted cybersecurity program aligned to NIST or CIS frameworks, documented policies and procedures, evidence of staff training, and incident reporting processes. An evidence binder with dated documentation is essential.
Can we use NIST or CIS frameworks - or both?
You can use either NIST Cybersecurity Framework or CIS Controls – both are accepted under HB 96. Many organizations use CIS Controls for practical implementation and map them to NIST for compliance documentation. Great Lakes Computer can help you choose the right approach.
What happens if we miss the compliance deadline?
Non-compliance may result in audit findings, potential legal exposure in the event of a breach, and difficulty demonstrating due diligence. More importantly, without a compliant program, your entity is at greater risk of cyberattacks that could disrupt critical services.
Ready to make HB 96 compliance defensible?
Great Lakes Computer has helped Ohio public entities build audit-ready cybersecurity programs since 1990.
Book a Readiness Call
Request a Quote