Ohio’s New Cybersecurity Standards for Local Governments: What You Need to Know
By Shawn Waldman, CEO of SecureCyber
Cybersecurity is no longer a nice-to-have for local governments—it is now a legal and operational requirement.
The State of Ohio has released new cybersecurity standards for local government entities, marking a major shift in how cities, townships, counties, and school districts must protect their systems, data, and digital services.
If you manage or support a public agency, these new standards apply to you—and now is the time to act.
What Is Changing
The new rules, issued by the Ohio Department of Administrative Services (DAS), establish minimum cybersecurity requirements for public-facing systems and networks used by local government organizations. These standards are a direct response to the increase in cyberattacks targeting public sector agencies and critical infrastructure.
The standards cover:
- Encryption of data at rest and in transit
- Multi-factor authentication (MFA) for system access
- Patch management to reduce known vulnerabilities
- Logging and monitoring of network activity
- Vendor oversight with cybersecurity requirements in contracts
- Documented incident response planning
- Annual compliance attestation to the state
This is not a recommendation; it is a mandate.
Why It Matters
Local governments are increasingly targeted by ransomware, phishing attacks, and nation-state threats. Many operate with limited IT staff, outdated infrastructure, and no dedicated cybersecurity leadership. These new standards provide a clear framework for improving cybersecurity posture—but they also introduce new accountability.
Failure to comply could result in:
- State audit findings or reduced funding
- Limitations or denial of cyber insurance coverage
- Service disruptions from preventable breaches
- Legal liability in the event of a security incident
Being proactive is essential—not just for compliance, but for protecting the communities you serve.
What Should Local Governments Do Next
If you are a city manager, township administrator, IT director, or school official, here are the steps to take:
- Assess your current cybersecurity posture
Perform a formal gap assessment to understand where you stand compared to the new requirements.
- Implement essential controls
Start with MFA, encryption, patching, and logging. These four steps go a long way toward reducing your risk.
- Update your policies and plans
Make sure your incident response plan, user access policy, and vendor agreements align with the standards.
- Prepare for annual reporting
DAS will require a yearly attestation of compliance and may request documentation during or after an incident.
- Partner with cybersecurity experts
If you do not have in-house expertise, now is the time to engage a trusted advisor.
Introducing the Ohio Cyber Compliance Kit
SecureCyber offers the Ohio Cyber Compliance Kit—an all-in-one solution designed to help local governments achieve compliance quickly and efficiently.
The kit includes:
- A custom cybersecurity assessment
- Pre-built templates for policies, procedures, and incident response
- Technical implementation support
- Virtual Chief Information Security Officer (vCISO) advisory services
- Compliance documentation preparation
If you need to get compliant and stay protected without the cost of hiring a full-time cybersecurity team, we can help.
Want to Learn More
Listen to our latest podcast episode, “Securing Local Government,” where we explain the new standards in plain language and share expert advice on how to comply.
Find it on Apple Podcasts or Spotify.
Join Our Free Webinar
We are hosting a live session to walk through the new rules, what they mean, and how to comply affordably.
Date: July 10, 2025
Time: 11:00 AM to 12:00 PM Eastern
Location: Microsoft Teams
Register here: Webinar Registration
Have Questions
We are here to help. Visit www.secdef.com or call 937-388-4405 to schedule a free consultation.
Let’s work together to protect Ohio’s local governments from today’s cyber threats.