Security Resources
Security Planning Webinar
Watch a recording of the Security Planning from Scratch: ORC 9.64 for Public Libraries webinar from Jessica Dooley, or download the slides.
Security Program Templates
The Ohio Cyber Reserve offers a "Ready-Made Security Program," a packet of five accessible documents with actionable steps to create a starter security program. The packet includes a welcome letter and instructions, a template security policy, an incident response policy, an implementation guide, and a mapping of security controls to the NIST CSF 2.0, and is available by request.
ORC 9.64: Cybersecurity Requirements for Public Libraries
ORC Section 9.64, signed into law June 30, 2025, creates new cybersecurity requirements for Ohio local government entities, including public libraries.
In summary, ORC Section 9.64:
- Requires that entities create a cybersecurity program guided by standards of best practice
- Establishes mandatory reporting requirements for cybersecurity incidents
- Requires that entities provide regular security training to staff appropriate to their role
- Prohibits entities from paying ransom or extortion demands without a Board motion that specifies why such payment is in the entity's best interest
- Clarifies that cybersecurity plans, procurement records, incident information, and all related documents are not public records.
There are many free resources available to help public libraries prepare to meet these requirements.
Analysis
- Plain language analysis of ORC 9.64 is available from CyberOhio and from the Ohio Legislative Service Commission (page 550). Auditor of State analysis is available in Bulletin 2025-007.
- CyberOhio hosted a series of webinars for local government entities.
- The Auditor of State will develop compliance procedures and incorporate them into the Ohio Compliance Supplement.
Cybersecurity Program Requirements
Section 9.64 requires that public libraries create a cybersecurity program to safeguard the confidentiality, integrity, and availability of the organization's data and technology assets. While Section 9.64 provides a minimum set of best practices cybersecurity programs should address, programs should be customized to the size, budget, resources, data assets, business function, and other legal obligations of each entity.
- ORC 9.64 references the following best practices standards:
- Cyber Frontline First Aid Kit is an on-demand web course provided by the Ohio Cyber Range Institute to help organizations assess their risks and set priorities to bootstrap a new cybersecurity program. CFFAK explains the concepts addressed by NIST and CIS standards, and provides a roadmap for those building a new security program from scratch.
- Public libraries are required to have a program in place by July 1, 2026.
Mandatory Reporting
Mandatory reporting is intended to help the State of Ohio accurately track threats to public services. Cybersecurity incidents must be
- reported to OHS Ohio Cyber Integration Center within 7 days. OCIC published detailed guidance and examples.
- reported to the Auditor of State within 30 days. The Auditor published a FAQ with guidance.
Staff Training
Entities must provide all staff with cybersecurity training appropriate to their role. While ORC 9.64 does not mandate frequency, CyberOhio strongly recommends annual training.
- ORC 9.64 specifies that participation in the Ohio Persistent Cyber Improvement program will meet this requirement. O-PCI provides free cybersecurity training to Ohio government entities customized by staff role. The participation capstone includes a private consultation with a security professional to help entities review, assess, and incrementally improve their security readiness. Learn more, view course descriptions, and register at their website.
- Libraries can apply for TechCred to reimburse the cost of training leading to certification, which would meet the requirement to provide more in-depth training to some staff, appropriate to their role. TechCred applications are open every other month.
Security Resources:
DNS Filtering with Cisco Umbrella
OPLIN provides a subscription to Cisco Umbrella for every Ohio public library. Cisco Umbrella filters content by passing DNS requests through their managed DNS servers. Configuring Cisco Umbrella as your library's public DNS servers improves security by filtering malicious domains. Learn how to get started.
Vulnerability Notification:
CISA Cyber Hygiene Vulnerability Scanning
OPLIN participates in CISA's Cyber Hygiene vulnerability scans for OPLIN IP addresses. OPLIN will periodically send you the vulnerability report for your library's IP addresses. To update who receives the report, or for methodology details, please email security@oplin.ohio.gov.
MS-ISAC
The Multi-State Information Sharing & Analysis Center provides proactive security advisories and other services for State and Local Government agencies, including incident response, weekly reports of malicious domains/IPs, tabletop exercises, education materials, webinars from other state agencies, and more. OPLIN will share any vulnerability notices we receive for your library's IP range.
Join OPLINsecurity, an email list for libraries to share cybersecurity questions, challenges, solutions and recommendations. OPLINsecurity archives will only be available to list members, and will not be indexed publicly.
OPLIN Port Scanning Service
On request, OPLIN can perform a port scan of your library's public IP addresses, and provide you with a report of the results. Get in touch with OPLIN at support@oplin.ohio.gov to discuss your project, needs and goals.
Best Practices:
CIS Security
The Center for Internet Security publishes a list of 18 controls, a set of best practices for managing organizational security practices. The CIS Controls comply with the NIST Cybersecurity Framework. The CIS Controls are an excellent place to start when designing security procedures or policy for your organization. A CIS SecureSuite membership is free to State and Local Government agencies who sign up for MS-ISAC. Resources include secure configuration benchmarks and hardened system images.
NCCoE: Protecting Data from Ransomware
The National Cybersecurity Center of Excellence and NIST collaborated on this brief, essential guide for IT and managed service providers to ensure adequate backup planning and solutions are in place to protect an organization's critical data from loss and destruction. "Protecting Data from Ransomware and Other Data Loss Events: A Guide for Managed Service Providers to Conduct, Maintain, and Test Backup Files."
CISA Ransomware Guide
The Cybersecurity & Infrastructure Security Agency and MS-ISAC publish a joint Ransomware Guide, a "one-stop resource with best practices and ways to prevent, protect and/or respond to a ransomware attack." Review and implement its best practices for preventing a ransomware attack, and follow its detailed guide to responding to an active ransomware incident. The guide includes federal response contacts, free services provided by CISA, and links to best practices for securing common business-critical infrastructure.
CISA Cyber Essentials
The Cybersecurity & Infrastructure Security Agency is a federal entity that provides free resources to support cybersecurity in all government entities. CISA's Cyber Essentials framework is an accessible toolkit of best practices for small businesses and local government to help guide procedure and policy. CISA offers many services, including risk assessment, penetration testing, web application scanning, cyber infrastructure survey, and more.
NIST Cybersecurity Framework
The National Institute of Standards and Technology's Cybersecurity Framework is a comprehensive set of guidelines to help organizations manage the security of information, assets, and resources. The NIST cybersecurity framework provides guidance to help identify, protect, detect, respond, and recover from security threats. The NIST framework is broadly recognized as industry best practice.
Education:
Provided by Ohio Persistent Cyber Improvement, an accessible, short self-paced online course introduces security concepts and best practices, along with technical controls for enforcing those best practices.
Ohio Persistent Cyber Improvement
O-PCI offers a free cybersecurity training program for Ohio local government entities. Participants can engage with three phases, including role-appropriate training for all staff, and IT and administration; a personalized review of the library's security preparedness; and a tabletop exercise and hands-on simulation to test your response plan.
TechCred
Ohio's TechCred program reimburses employers for the cost of technical training leading to certification for current and prospective employees. A broad range of technical training is eligible, and the application process is open bi-monthly.
NIST NICE
The National Initiative for Cybersecurity Education maintains a list of free and low-cost resources for online cybersecurity training.
OCRI
The Ohio Cyber Range Institute is a partnership between higher education and state government to improve the cybersecurity awareness and education of Ohio's citizens and organizations. Part of the Ohio Cyber Collaboration Committee, the OCRI is available to libraries to host classes on the range's virtual environment. Sign up to gain access to detailed information.
FedVTE
Online, on-demand cybersecurity training program, free to employees of state and local government. Cybersecurity courses are organized according to the NICCS Cyber Security Workforce Framework, and range from beginning to advanced.
Notification:
Notify OPLIN of security incidents at security@oplin.ohio.gov.
Cybersecurity Funding
CyberOhio Grant Program
CyberOhio has opened applications for a Cybersecurity Software and Services Grant for local government entities.
- Public libraries are eligible to apply for up to $20,000 to fund specific cybersecurity software and services.
- Grant recipients must contribute a 20% local match.
- Eligible projects include endpoint detection and response, multi-factor authentication, email security solutions, security operations center as a service, or consulting services to implement security controls. Example products and services are listed in the Grant Application Guidance, but other similar solutions are also eligible.
- Applicants can submit only one application, but may request funding for multiple projects.
- Applications are open from July 22 - September 16, 2024.
- Grant projects must be completed between December 1, 2024 and June 30, 2026.
More information, including guidance and a sample application, is available at CyberOhio.
E-Rate Cybersecurity Pilot Program
The Federal Communications Commission (FCC) has designated a portion of the Universal Service Fund (USF) to establish a cybersecurity pilot program. The program will require an initial application, and a pilot program cohort will be selected from the initial applicant pool. Applicants may be individual libraries, library systems, or library consortia. Selected libraries are eligible for a pre-discount budget of $15,000 per site, up to $175,000 for a system or consortium consisting of 12 or more sites. That budget re-sets each year for the 3 years of the pilot program ($45,000 per site for the duration of the pilot program or $525,000 for an applicant with 12 or more sites).
A full overview of the pilot program can be found on the USAC website.
For all of the details from the FCC, you can read the published rule in the Federal Register or the full Report and Order.
Program Comparison
| | CyberOhio Grant Program | E-Rate Cybersecurity Pilot Program |
| --- | --- | --- |
| Competitive Application Program | Yes | Yes |
| Funding Period | 19 months | 3 years |
| Total Program Funding | $6.84 million | $200 million |
| Program Scope | Ohio | United States |
| Max Funding | $20,000 per applicant entity for the entire program period | $15,000 per library per year; $175,000 max per system per year |
| Project Match Requirement | 20% | Varies by E-Rate discount matrix qualifications |
| Eligible Projects | Appendix A-B (pages 11-17) | Eligible Services List |
| Competitive Bidding Requirement | No | Yes |
| Document Retention Requirement | No | 10 years |
| UEI Number Requirement | Yes | Yes |
| Rural Applicants Prioritized | Yes | Not specifically |
Preparing for ORC 9.64
Cybersecurity Planning: Preparing for ORC 9.64
- Watch OPLIN’s Webinar Security Planning from Scratch.
A library-focused introduction to the new requirements, cybersecurity concepts, and tools to assist.
- Request the Ohio Cyber Reserve's Ready-Made Security Program packet.
An accessible template kit with clear, actionable steps to help you launch a security program from scratch.
- Sign up for the Cyber Frontline First Aid Kit.
A self-paced introduction to security terms and essential action items to implement.
- Update backup procedures and document critical accounts.
Document your library's critical business accounts and data, and make secure backups of your data, credentials, and contacts. Keep paper copies of your incident response plan and critical contacts.
- Ready to start planning? Use a Cybersecurity Framework to help you prioritize.
- NIST CSF 2.0 Quick Start Guide
Use the concepts Govern, Identify, Protect, Detect, Respond, and Recover to design a security plan that fits your library’s resources, risks, and budget.
- CIS 18 Controls
Organized like a Dewey Decimal of critical security controls to safeguard your organization's data and technology assets from security threats.
- List existing security controls and identify areas of need.
- Work with your IT provider to list the security controls your library already has in place, then compare your existing controls with a Framework to identify areas that need additional safeguards.
- CIS Security Controls Self-Assessment Tool lets you and your IT team track your controls in a private dashboard.
- Review, revise, and repeat over time to build your library’s security readiness.
Your security plan must change with your library's needs, resources, and personnel. Review and update the plan frequently, rehearse response and recovery steps with key team members, and mature your security preparedness over time.