CIS Controls Central to Ohio’s New Cybersecurity Law for Political Subdivisions

Ohio HB 96 outlines clear, actionable steps for compliance and resilience using CIS and NIST frameworks.


EAST GREENBUSH, N.Y., October 3, 2025 – The Center for Internet Security, Inc. (CIS®) is playing a key role in Ohio’s new cybersecurity law through the inclusion of its CIS Critical Security Controls® (CIS Controls®) in House Bill 96 (HB 96) signed by Governor Mike DeWine.

The law requires political subdivisions – including counties, municipalities, and townships – to begin implementing cybersecurity measures based on the CIS Controls and NIST Cybersecurity Framework.

Among other things, Ohio HB 96 (ORC 9.64) establishes statutory cybersecurity obligations for political subdivisions. The law outlines key requirements, including creating a cyber program. These cyber programs may include core elements such as conducting risk and impact assessments, implementing incident response protocols, establishing post-incident recovery strategies, and providing role-based cybersecurity training for employees. The law also prohibits ransom payments without formal approval from a governing body, mandates timely incident reporting to state authorities, and exempts cybersecurity-related records from public disclosure.

“Ohio is taking a bold and necessary step to protect its public infrastructure,” said Curtis Dukes, Executive Vice President and General Manager of Security Best Practices at CIS. “By embedding the CIS Critical Security Controls into HB 96, the state is empowering local governments and schools to build cybersecurity programs that are both effective and sustainable.”

Political subdivisions may choose to align with the NIST Cybersecurity Framework, the CIS Controls, or a combination of both. By incorporating CIS Controls, the law ensures that public entities have access to prioritized, actionable safeguards tailored to their operational needs.

“HB 96 reflects Ohio’s commitment to modernizing its cybersecurity posture,” added Kirk Herath, Cybersecurity Strategic Advisor to the Governor and Chairman, CyberOhio. “Leveraging frameworks like the CIS Controls ensures that our public institutions are not only compliant but resilient in the face of evolving threats.”

A bulletin published by the Ohio Auditor of State requires counties and cities to have programs in place by January 1, 2026, and all other public entities by July 1, 2026.

To help local governments and public entities meet this new requirement, CyberOhio is hosting a webinar in partnership with the Center for Internet Security® (CIS®).

CyberOhio Webinar Series: Using CIS Controls to Design and Run Your Cyber Program

October 8, 2025 | 11:00 A.M. - 12:00 P.M. EDT

Join this webinar to explore:

  • How the CIS Controls map directly to ORC 9.64 compliance requirements
  • Step-by-step guidance for tailoring the framework to smaller or resource-constrained entities
  • Examples of how the CIS Controls can be implemented in local government environments

Register here.

To arrange an interview with CIS regarding its inclusion in Ohio House Bill 96, contact Kelly Wyland, Senior Media Relations Manager at [email protected], or call/text 518-256-6978.

 

###

 

About CIS

The Center for Internet Security, Inc. (CIS®) makes the connected world a safer place for people, businesses, and governments through our core competencies of collaboration and innovation. We are a community-driven nonprofit, responsible for the CIS Critical Security Controls® and CIS Benchmarks™, globally recognized best practices for securing IT systems and data. We lead a global community of IT professionals to continuously refine these standards to proactively safeguard against emerging threats. Our CIS Hardened Images® provide secure, on-demand, scalable computing environments in the cloud. CIS is home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial (SLTT) government entities. To learn more, visit CISecurity.org or follow us on X: @CISecurity.