Board hears plan to build cybersecurity program under HB 96; incident reporting and ransomware rules highlighted

5956114 · October 15, 2025
AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video.

Summary

District technology staff outlined a six‑month plan to document and adopt a NIST‑based cybersecurity program required by HB 96 and Ohio law, including incident reporting to Ohio’s Cyber Integration Center and a public‑meeting requirement before paying any ransomware demand.

Tallmadge City technology staff briefed the Board of Education on Oct. 15 about new state requirements and the district’s plan to develop a NIST‑based cybersecurity program under changes in state law enacted this summer.

The presenter identified Ohio Revised Code requirements tied to House Bill 96 (HB 96) and summarized the key obligations for local governing authorities: adopt a cybersecurity program based on the National Institute of Standards and Technology (NIST) framework; implement incident reporting to the Ohio Cyber Integration Center (within seven days of an incident); and maintain a ransomware response policy that prohibits paying a ransom unless the board meets publicly and adopts a resolution authorizing any such payment.

District staff said much of the work required by the law is documentation and formalization of practices the district already performs, but noted that the auditor will begin compliance audits on July 1 next year. The district will partner with NeoNet and Filament Information Security to develop the program; staff estimated the planning and documentation process will take roughly five to six months.

The cybersecurity presentation outlined the NIST framework’s five core functions — identify, protect, detect, respond and recover — and named practical priorities for the district: asset inventory and risk assessment, identity management and training (phishing email awareness), platform and patch management, continuous monitoring and incident detection, and formal incident‑response and recovery playbooks.

“HB 96 requires the board to adopt a cybersecurity program, which is based on the NIST cybersecurity framework,” the technology presenter said. “If we were to suffer an incident, the law requires us to report that to OSIC … within seven days, and the Auditor will be involved within 30 days.”

The presenter also said the law restricts paying ransomware demands absent a public board resolution explaining why a payment is in the district’s best interest. Staff said the district will document current controls, close identified gaps, and return to the board with a formal program for adoption.

No board vote was required at the meeting; staff requested direction and described the planned vendor engagement and timeline for producing the formal program for future adoption.