Security Resources

ORC 9.64: Cybersecurity Requirements for Public Libraries

ORC Section 9.64, signed into law June 30 2025, creates new cybersecurity requirements for Ohio local government entities, including public libraries.

In summary, ORC Section 9.64:

• Requires that entities create a cybersecurity program guided by standards of best practice
• Establishes mandatory reporting requirements for cybersecurity incidents
• Requires that entities provide regular security training to staff appropriate to their role
• Prohibits entities from paying ransom or extortion demands without a Board motion that specifies why such payment is in the entity's best interest
• Clarifies that cybersecurity plans, procurement records, incident information, and all related documents are not public records. 

There are many free resources available to public libraries as they explore ways to meet these obligations. 

Analysis

Plain language analysis of ORC 9.64 is available from CyberOhio and from the Ohio Legislative Service Commission (page 550).

CyberOhio hosted a recorded briefing and slide deck for local government entities.

Cybersecurity Program Requirements

• Section 9.64 requires that public libraries create a cybersecurity program to safeguard the confidentiality, integrity, and availability of the organization's data and technology assets. While Section 9.64 provides a minimum set of best practices cybersecurity programs should address, programs should be customized to the size, budget, resources, data assets, business function, and other legal obligations of each entity.
• ORC 9.64 references the following best practices standards:
  • NIST Cybersecurity Framework Policy Template Guide
  • CIS 18 Critical Security Controls
  • NIST Special Publication 800-12
• Public libraries are required to have a program in place by July 1, 2026.

Mandatory Reporting

• Section 9.64(A) defines cybersecurity incidents that will trigger mandatory reporting requirements.
• Cybersecurity incidents must be reported to Ohio Homeland within 7 days, and the Auditor of State within 30 days.
• Ohio Homeland offers guidance for reporting incidents, including their response checklist.
• The Auditor of State will publish reporting guidance in August 2025.
• Mandatory reporting requirements take effect September 30, 2025. 

 Staff Training

• Entities must provide all staff with cybersecurity training appropriate to their role. While ORC 9.64 does not mandate frequency, CyberOhio strongly recommends annual training.
• ORC 9.64 specifies that participation in the Ohio Persistent Cyber Improvement program will meet this requirement. O-PCI is a grant-funded initiative that provides free cybersecurity training to Ohio government entities. Training is customized by staff role, and participation includes private consultation to help entities review, assess, and incrementally improve security readiness.

Security Resources:

DNS Filtering with Cisco Umbrella

OPLIN provides a subscription to Cisco Umbrella for every Ohio public library. Cisco Umbrella filters content by passing DNS requests through their managed DNS servers. Configuring Cisco Umbrella as your library's public DNS servers improves security by filtering malicious domains. Learn how to get started.

Vulnerability Notification: 

CISA Cyber Hygiene Vulnerability Scanning

OPLIN Participates in CISA's Cyber Hygiene vulnerability scans for OPLIN IP addresses. OPLIN will periodically send you the vulnerability report for your library's IP addresses. To update who receives the report, or for methodology details, please email security@oplin.ohio.gov.

MS-ISAC

The Multi-State Information Sharing & Analysis Center provides pro-active security advisories and other services for State and Local Government agencies, including incident response, weekly reports of malicious domains/IPs, tapletop exercses, education materials, webinars from other state agencies, and more.

OPLIN Port Scanning Service

On request, OPLIN can perform a port scan of your library's public IP addresses, and provide you with a report of the results. Get in touch with OPLIN at support@oplin.ohio.gov to discuss your project, needs and goals.

Best Practices:

CIS Security

The Center for Internet Security publishes a list of 18 controls, a set of best practices for managing organizational security practices. The CIS Controls comply with the NIST Cybersecurity Framework. The CIS Controls are an excellent place to start when designing security procedures or policy for your organization. A CIS SecureSuite membership is free to State and Local Government agencies who sign up for MS-ISAC. Resources include secure configuration benchmarks and hardened system images.

NCCoE: Protecting Data from Ransomware

The National Cybersecurity Center of Excellence and NIST collaborated on this brief, essential guide for IT and managed service providers to ensure adequate backup planning and solutions are in place to protect an organization's critical data from loss and destruction. "Protecting Data from Ransomware and Other Data Loss Events: A Guide for Managed Service Providers to Conduct, Maintain, and Test Backup Files."

CISA Ransomware Guide

The Cybersecurity & Infrastructure Security Agency and MS-ISAC publish a joint Ransomware Guide, a "one-stop resource with best practices and ways to prevent, protect and/or respond to a ransomware attack." Review and implement best practices for preventing a ransomware attack, and a detailed guide of how to respond to an active ransomware incident. The guide includes federal response contacts, free services provided by CISA, and links to best practices for securing common business-critical infrastructure.

CISA Cyber Essentials

The Cybersecurity & Infrastructure Security Agency is a federal entity that provides free resources to support cybersecurity in all government entities. CISA's Cyber Essentials framework is an accessible toolkit of best practices for small businesses and local government to help guide procedure and policy. CISA offers many services, including risk assessment, penetration testing, web application scanning, cyber infrastructure survey, and more.

NIST Cybersecurity Framework

The National Institute for Standards and Technology's Cybersecurity Framework is a comprehensive set of guidelines to help organizations manage the security of information, assets, and resources. The NIST cybersecurity framework provides guidance to help identify, protect, detect, respond, and recover from security threats. The NIST framework is broadly recognized as industry best practice.

Education:

TechCred

Ohio's TechCred program reimburses employers for the cost of technical training leading to certification for current and prospective employees. A broad range of technical training is eligible, and the application process is open frequently.

NIST NICE

The National Initiative for Cybersecurity Education maintains a list of free and low-cost resources for online cybersecurity training.

OCRI

The Ohio Cyber Range Institute is a partnership between higher education and state government to improve the cybersecurity awareness and education of Ohio's citizens and organizations. Part of the Ohio Cyber Collaboration Committee, the OCRI is available to libraries to host classes on the range's virtual environment. Sign up to gain access to detailed information.

FedVTE

Online, on-demand cybersecurity training program, free to employees of state and local government. Cybersecurity courses are organized according to the NICCS Cyber SEcurity Workforce Framework, and range from beginning to advanced.