Are You Underestimating Ohio’s New Cyber Law Without Realizing It

Nov 4, 2025 | Cybersecurity, IT Blog, Security

Top 5 Quick Takeaways

1. Ohio law now requires a formal cybersecurity program

House Bill 96 mandates that every county, township, city, and school district establish a written cybersecurity program aligned with NIST or CIS standards, with assigned responsibilities and review dates.

2. Cyber incidents must be reported within strict deadlines

Public entities are required to report cybersecurity incidents to the Ohio Cyber Integration Center within seven days and to the Auditor of State within thirty days. Timely reporting is now a legal obligation, not an option.

3. Vendors are accountable for cybersecurity compliance

Any vendor or subcontractor that manages systems or data for a public entity must follow the same security and reporting standards. Contracts should clearly define each party’s responsibilities and timelines for response.

4. Documentation and evidence are essential for compliance

Written policies alone are not sufficient. Entities must be able to show proof of training, testing, patching, and reviews to demonstrate compliance during audits or insurance evaluations.

5. Delayed action increases cost and public risk

Failure to prepare for House Bill 96 can lead to higher costs, last-minute work before audits, and potential loss of public trust when information is incomplete or delayed. Early preparation reduces both risk and disruption.

You handled the last phishing scare, trained staff this spring, and updated a few policies. Now that House Bill 96 is in effect, ask three simple questions. Are you still reacting only after an incident? Where is the written program that aligns to NIST or CIS with clear owners and dates? Why is incident reporting still unclear when the law sets seven and thirty day deadlines? 

Public entities and their partners need more than basic security tools. They need a program that survives audits, insurer reviews, council meetings, and public scrutiny. Many organizations have policies on paper, yet lack a working plan that speeds detection, drives reporting, and proves accountability. 

At Mega-Byte we help local governments and vendors move from policy fragments to a documented, repeatable, and defensible program. What matters is not how many tickets were closed. What matters is whether your program prevents incidents, meets the law, and stands up to questions. 

What is the real cost of waiting 

If your organization has not reviewed HB 96 requirements, mapped gaps, or assigned owners with dates, you are not getting compliance. You are carrying risk. 

We see it every quarter: teams lose days debating what counts as reportable, and seven days pass quickly. Missing logs, decisions, and timelines turn audit week into late nights of rework. Controls are required, yet unplanned hardware and license purchases drain budgets because they were never forecast. Ransom decisions now require a formal vote, which means explanations must be ready for the public.

Hidden costs add up. Extra labor. Premiums that do not improve. Delays that slow other projects. Most of all, lost trust when answers are not ready. 

Tactical checklists do not scale and they slow you down 

Many teams were built to fix problems. HB 96 expects a coordinated program that prevents problems and proves it with records. 

A working program must handle seven day reporting to the Ohio Cyber Integration Center and thirty day reporting to the Auditor of State, deliver annual training with role based accountability, and keep alignment to NIST CSF or CIS Controls with scoped exceptions. It also needs clear rules for ransomware decisions that require public approval, plus coordinated workflows with vendors so incident response is shared and documented. 

If your approach is still ticket by ticket, your leadership carries the roadmap, the risk register, and every tough call. That is not sustainable when deadlines are legal and outcomes are public. 

Without a plan, the same cycle repeats. Teams rush to patch and document right before an audit, pay rush fees for emergency upgrades, revisit the same infrastructure gaps without action, and watch quarters pass with no progress on reporting, testing, or training. 

The reality is simple. Reactive effort cannot keep pace with legal timelines, insurer expectations, and board oversight. 

When leaders review risk and budgets in Q3/Q4, they expect clear metrics on exposure and dwell time, specific recommendations with dates and cost ranges, alignment to operational goals and school or council calendars, and a partner who has already mapped the next six to twelve months. 

If your current approach cannot produce that, the issue is not effort. The issue is the model. 

What strong HB 96 compliance should look like 

Public entities are not asking for miracles. They want a program built around how their environment really works. Citizen data. Student records. Library systems. Public meetings. Council votes. Auditor questions. Insurer reviews. 

If your team or vendor cannot deliver that, here is what a better approach looks like. 

1. Program design that removes guesswork. 

A working program is more than a binder. It is a schedule, ownership, and evidence. 

With Mega-Byte you get: 

  • A controls catalog mapped to NIST or CIS with scope and exceptions 
  • A maintenance calendar for patches, backups, tests, tabletop exercises, and reviews 
  • Asset and data inventories that are updated and referenced in change control 
  • Risk assessments with priorities, dates, and responsible owners 

2. Reporting readiness that meets the clock.

Seven days is not generous. Reporting requires details you only have if you prepared. 

We build: 

  • Clear incident definitions with escalation triggers 
  • A single incident record that captures evidence, timelines, and decisions 
  • Notification templates for OCIC, the Auditor of State, and internal leaders 
  • After action reviews that feed back into training and controls 

3. Governance that stands up in public. 

HB 96 requires a formal approval process for any ransom payment. That decision needs context and documentation before a crisis. 

We provide: 

  • Council ready policies and voting workflows 
  • Decision matrices that weigh service impact, legal issues, and insurance 
  • A communications plan for executives and the public 
  • Records management rules that support audits 

4. Vendor and subcontractor alignment. 

Many incidents span multiple providers. Contracts and shared runbooks prevent finger pointing. 

We deliver: 

  • Contract language for security obligations and reporting 
  • Joint incident playbooks with names and response time targets 
  • Evidence sharing standards and retention timelines 
  • Readiness checks before renewals and before the school year or budget cycle 

5. Training that people remember. 

Annual training is not a checkbox. It should reinforce the exact steps your teams will use on the worst day. 

We include: 

  • Role based content for help desk, supervisors, admins, and leadership 
  • Realistic exercises and phishing tests 
  • Short refreshers tied to major changes or findings 
  • Attendance and scoring records suitable for audits 

6. Documentation that proves control. 

Auditors and insurers want to see what you do and when you do it. 

Our approach captures: 

  • Policies and procedures as living documents 
  • Logs, approvals, and test results linked to each control 
  • Change histories and exceptions with timed reviews 
  • Evidence packs for audits that are generated from the system, not from memory 

Stop letting reactive work create public risk 

The fix-it-when-it-breaks model cannot meet a law with clear timelines and public accountability. If your current plan does not include a program map, reporting drills, and council-ready procedures, it is time to raise the bar.

Mega-Byte helps public entities and vendors replace scattered documents with a program that reduces risk, meets HB 96, and protects community trust. 

Schedule a Compliance Readiness Review 

Frequently Asked Questions 

1. What entities must comply with HB 96? 

Counties, municipalities, townships, school districts, public libraries, and other political subdivisions in Ohio. Vendors that support these entities are expected to align with the same practices through contracts and shared workflows. 

2. What are the core program requirements? 

Adopt a cybersecurity program aligned to NIST CSF or CIS Controls, deliver annual training, document policies and decisions, and maintain evidence that the program is operating. Review details at Mega-Byte resources. 

3. What are the incident reporting timelines? 

Report to the Ohio Cyber Integration Center within seven days and to the Auditor of State within thirty days. Prepare templates and ownership now so timelines are achievable. 

4. How do we decide whether to pay a ransom? 

HB 96 requires a formal vote by the governing body and a public justification. Prepare decision matrices, legal and insurer checkpoints, and communication plans in advance. Confirm the requirement at House Bill 96. 

5. What documentation is most often missing?

Asset inventories, evidence of control operation, incident timelines, approval records, and after action reviews. These are essential for audits and insurance claims. 

6. What if we lack budget for new tools? 

Many requirements are process and documentation driven. Start by clarifying scope, roles, and schedules. Then phase upgrades based on risk. We help design plans that fit fiscal cycles. 

7. How should we coordinate with vendors? 

Add security and reporting obligations to contracts. Build shared incident runbooks. Test them with tabletop exercises. Require evidence of compliance during renewals. 

8. What does annual training need to cover? 

Role based scenarios for detection, escalation, reporting, and recovery. Include phishing, account security, incident timelines, and the public decision process for ransomware. 

9. How do we show auditors that our program works? 

Keep a living control map. Link each control to procedures, logs, approvals, and tests. Export evidence packs by quarter. Maintain a record of exceptions and remediation dates. 

10. What should we do first if we are starting late? 

Assign a single owner. Validate your asset inventory. Map controls to NIST or CIS. Build the reporting workflow. Schedule training and a tabletop exercise. Document everything as you go. If you need help, start here with Schedule a compliance readiness review.
