A step-by-step checklist to help Ohio municipalities, townships, school districts, and libraries meet their HB96 obligations before the deadline.
You know you need to comply with Ohio HB96 — but where do you actually start? For many smaller entities without dedicated IT security staff, the requirements can feel overwhelming. The law references cybersecurity frameworks, incident response plans, risk assessments, and board resolutions — concepts that may be unfamiliar territory for a township clerk or school superintendent.
This checklist breaks HB96 compliance into eight concrete, manageable steps. Whether you're starting from zero or building on existing practices, this gives you a clear path from where you are to where the law requires you to be.
The first thing to establish is exactly when your entity must be in compliance. HB96 uses a staggered deadline structure based on entity type. Counties and cities had a compliance deadline of January 1, 2026 — if you fall into this category and haven't implemented a compliant program yet, treat this as urgent. You are past due, and the practical risk increases at every audit.
All other political subdivisions — including townships, school districts, public libraries, villages, and special districts — face a July 1, 2026 deadline. Knowing your deadline sets the tempo for everything that follows. Working backward from July 1, you need to account for 4–8 weeks of program development plus time for board review and formal adoption. That means mid-April is a realistic latest start date for most entities.
Before you build anything, take an honest look at what you already have in place. Some entities will discover they've been doing more than they realized — they just haven't documented it. Others will find significant gaps. Either way, you need to know your starting point.
Ask these questions: Do we have any written cybersecurity policies? Have employees received any form of security training? Do we know what devices are on our network? Who currently owns cybersecurity decisions? Do we have an incident response plan? Do we know what our insurance requires?
A formal gap assessment compares your current state against the requirements of your chosen framework. This doesn't have to be complicated — it's a structured review that identifies what exists, what's missing, and what needs to be built. Many organizations work with an outside advisor for this step because an external perspective often catches things internal teams miss.
HB96 requires alignment with a recognized cybersecurity framework. The two most common choices are NIST Cybersecurity Framework (CSF) 2.0 and CIS Controls v8. Both satisfy the law's requirements, but they have different strengths.
NIST CSF 2.0 organizes cybersecurity into six functions — Govern, Identify, Protect, Detect, Respond, and Recover. It's flexible and widely recognized, making it a good choice for entities that want a broad framework they can adapt over time. CIS Controls v8 takes a more prescriptive, action-oriented approach with 18 control categories organized into three Implementation Groups based on organizational size and complexity. Many smaller entities find CIS Controls more practical because the Implementation Groups provide clearer guidance on what to tackle first.
Either framework works. The important thing is choosing one and documenting why you chose it — the Auditor of State will want to see that your program is deliberately aligned with a recognized standard, not that you cobbled together ad-hoc policies.
Written policies are the core of HB96 compliance. The law requires a formal cybersecurity program, and that program must exist as documented, board-adopted policy — not just informal practices. At minimum, you need policies covering acceptable use of technology, access control, incident response procedures, data protection and handling, and password and authentication requirements.
These policies must be clear, specific to your organization, and aligned with your chosen framework. Generic templates downloaded from the internet typically won't satisfy an auditor — policies need to reflect your actual environment, technology, and operational context. They should be written in plain English that your staff can understand and your board can adopt with confidence.
Incident response is particularly important under HB96. Your IR plan must include specific state reporting procedures — cyber incidents must be reported to the Ohio Department of Public Safety within 7 days and to the Auditor of State within 30 days. Your ransomware response policy must require board or council approval before any ransom payment. These aren't suggestions — they're statutory requirements.
HB96 specifically requires cybersecurity awareness training for all staff. This isn't a nice-to-have — it's a named requirement of the law. Training should cover phishing recognition, password best practices, reporting procedures for suspected incidents, and sensitive data handling.
Training should occur at employee onboarding and then annually at minimum. Keep detailed records of who attended, when, and what was covered — these records are documentation you'll need to demonstrate compliance. Simulated phishing campaigns, where employees receive test phishing emails that track who clicks, are particularly effective at measuring and improving awareness over time.
The training doesn't need to be elaborate, but it does need to be documented and consistent. A one-hour annual session covering real-world examples and practical guidance is far more effective than a checkbox e-learning module that nobody remembers.
Someone in your organization must be the named point of accountability for cybersecurity. HB96 requires a designated point of contact for cybersecurity matters. This doesn't have to be a full-time hire — it can be your IT director, city manager, superintendent, or an external advisor such as a virtual CISO.
What matters is that someone specific owns the responsibility. When the Auditor asks who manages your cybersecurity program, there needs to be a name — not a vague reference to "the IT department" or "our MSP handles that." If nobody owns cybersecurity, it falls through the cracks. Policies don't get updated, training doesn't get scheduled, incidents don't get reported properly.
Documentation is your proof of compliance. The safe harbor protection HB96 provides only works if you can demonstrate that your cybersecurity program actually exists and is being followed — and documentation is how you demonstrate that.
At minimum, maintain documentation of: your framework selection and the rationale behind it, all cybersecurity policies with version numbers and board approval dates, training records with dates and attendance, risk assessments and security scans, incident response plans and any tabletop exercises conducted, and the board resolution formally adopting the cybersecurity program.
Organize this documentation in a way that can be presented during an audit. A single binder or shared folder with clearly labeled sections makes the auditor's job easy — and makes your compliance story clear and credible.
HB96 compliance is not a one-time event. Your cybersecurity program must be a living program that evolves with your organization and the threat landscape. Plan for an annual review at minimum, plus updates any time there are significant changes — new systems, leadership transitions, organizational restructuring, or after any security incident.
Set calendar reminders for annual policy reviews, training refreshers, and periodic security assessments. Many organizations find it helpful to schedule these at the same time each year — making cybersecurity program maintenance a predictable, budgeted activity rather than a reactive scramble.
The Auditor of State doesn't just want to see that you built a program — they want to see that you're maintaining it. A program created in 2026 and never touched again will not satisfy expectations during a 2028 audit.
We build turnkey HB96 compliance programs for Ohio political subdivisions — handling everything from gap assessment to policy development to training recommendations.