Back to Ohio

HB475 • 2026

Regards municipal cybersecurity, private cybersecurity contracts

Regards municipal cybersecurity, private cybersecurity contracts

Taxes Technology
Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor
Ismail Mohamed
Last action
Official status
As Introduced
Effective date
Not listed

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

Regards municipal cybersecurity, private cybersecurity contracts

To amend sections 125.18 and 5922.08 and to enact sections 5502.282, 5502.283, and 5922.09 of the Revised Code to require the assessment of municipal corporation cybersecurity infrastructure, to allow the cybersecurity strategic advisor to certify and contract with private cybersecurity firms, and to establish a toll-free secure line to the Ohio Cyber Reserve.

What This Bill Does

  • To amend sections 125.18 and 5922.08 and to enact sections 5502.282, 5502.283, and 5922.09 of the Revised Code to require the assessment of municipal corporation cybersecurity infrastructure, to allow the cybersecurity strategic advisor to certify and contract with private cybersecurity firms, and to establish a toll-free secure line to the Ohio Cyber Reserve.

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Bill History

  1. Ohio Legislature

    As Introduced

Official Summary Text

To amend sections 125.18 and 5922.08 and to enact sections 5502.282, 5502.283, and 5922.09 of the Revised Code to require the assessment of municipal corporation cybersecurity infrastructure, to allow the cybersecurity strategic advisor to certify and contract with private cybersecurity firms, and to establish a toll-free secure line to the Ohio Cyber Reserve.

Current Bill Text

Read the full stored bill text
As Introduced

136th
General Assembly

Regular
Session
H. B. No. 475

2025-2026

Representatives Mohamed, White, E.

Cosponsors: Representatives Brennan,
Brownlee, Jarrells, Lett, McNally, Russo, Upchurch, Workman

To
amend sections 125.18 and 5922.08 and to enact sections 5502.282,
5502.283, and 5922.09 of the Revised Code
to
require the assessment of municipal corporation cybersecurity
infrastructure, to allow the cybersecurity strategic advisor to
certify and contract with private cybersecurity firms, and to
establish a toll-free secure line to the Ohio Cyber Reserve.

BE
IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF OHIO:

Section
1.
That
sections 125.18 and 5922.08 be amended and sections 5502.282,
5502.283, and 5922.09 of the Revised Code be enacted to read as
follows:

Sec.
125.18.
(A)
There is hereby established the office of information technology
within the department of administrative services. The office shall be
under the supervision of a state chief information officer to be
appointed by the director of administrative services and subject to
removal at the pleasure of the director. The chief information
officer is an assistant director of administrative services.

(B)
Under the direction of the director of administrative services, the
state chief information officer shall lead, oversee, and direct state
agency activities related to information technology development and
use. In that regard, the state chief information officer shall do all
of the following:

(1)
Coordinate and superintend statewide efforts to promote common use
and development of technology by state agencies. The office of
information technology shall establish policies and standards that
govern and direct state agency participation in statewide programs
and initiatives.

(2)
Coordinate with the office of procurement services to establish
policies and standards for state agency acquisition of information
technology supplies and services;

(3)
Establish policies and standards for the use of common information
technology by state agencies, including, but not limited to,
hardware, software, technology services, and security, and the
extension of the service life of information technology systems, with
which state agencies shall comply;

(4)
Establish criteria and review processes to identify state agency
information technology projects or purchases that require alignment
or oversight. As appropriate, the department of administrative
services shall provide the governor and the director of budget and
management with notice and advice regarding the appropriate
allocation of resources for those projects. The state chief
information officer may require state agencies to provide, and may
prescribe the form and manner by which they must provide, information
to fulfill the state chief information officer's alignment and
oversight role;

(5)
Establish policies and procedures for the security of personal
information that is maintained and destroyed by state agencies;

(6)
Employ a chief information security officer who is responsible for
the implementation of the policies and procedures described in
division (B)(5) of this section and for coordinating the
implementation of those policies and procedures in all of the state
agencies;

(7)
Employ a chief privacy officer who is responsible for advising state
agencies when establishing policies and procedures for the security
of personal information and developing education and training
programs regarding the state's security procedures;

(8)
Establish policies on the purchasing, use, and reimbursement for use
of handheld computing and telecommunications devices by state agency
employees;

(9)
Establish policies for the reduction of printing and for the
increased use of electronic records by state agencies;

(10)
Establish policies for the reduction of energy consumption by state
agencies;

(11)
Compute the amount of revenue attributable to the amortization of all
equipment purchases and capitalized systems from information
technology service delivery and major information technology
purchases, MARCS administration, and enterprise applications
operating appropriation items and major computer purchases capital
appropriation items that is recovered as part of the information
technology services rates the department of administrative services
charges and deposits into the information technology fund created in
section 125.15 of the Revised Code, and the user fees the department
of administrative services charges and deposits in the MARCS
administration fund created in section 4501.29 of the Revised Code,
the rates the department of administrative services charges to
benefiting agencies for the operation and management of information
technology applications and deposits in the enterprise applications
fund. The enterprise applications fund is hereby created in the state
treasury.

(12)
Regularly review and make recommendations regarding improving the
infrastructure of the state's cybersecurity operations with existing
resources and through partnerships between government, business, and
institutions of higher education;

(13)
Assist, as needed, with general state efforts to grow the
cybersecurity industry in this state.

(C)(1)
The chief information security officer shall assist each state agency
with the development of an information technology security strategic
plan and review that plan, and each state agency shall submit that
plan to the state chief information officer. The chief information
security officer may require that each state agency update its
information technology security strategic plan annually as determined
by the state chief information officer.

(2)

The
chief information security officer shall assist the state
cybersecurity strategic advisor with the assessment and report
required under section 5502.282 of the Revised Code.

(3)

Prior
to the implementation of any information technology data system, a
state agency shall prepare or have prepared a privacy impact
statement for that system.

(D)
When a state agency requests a purchase of information technology
supplies or services under Chapter 125. of the Revised Code, the
state chief information officer may review and reject the requested
purchase for noncompliance with information technology direction,
plans, policies, standards, or project-alignment criteria.

(E)
The office of information technology may operate technology services
for state agencies in accordance with this chapter.

Notwithstanding
any provision of the Revised Code to the contrary, the office of
information technology may assess a transaction fee on each license
or registration issued as part of an electronic licensing system
operated by the office in an amount determined by the office not to
exceed three dollars and fifty cents. The transaction fee shall apply
to all transactions, regardless of form, that immediately precede the
issuance, renewal, reinstatement, reactivation of, or other activity
that results in, a license or registration to operate as a regulated
professional or entity. Each license or registration is a separate
transaction to which a fee under this division applies.
Notwithstanding any provision of the Revised Code to the contrary, if
a fee is assessed under this section, no agency, board, or commission
shall issue a license or registration unless a fee required by this
division has been received. The director of administrative services
may collect the fee or require a state agency, board, or commission
for which the system is being operated to collect the fee. Amounts
received under this division shall be deposited in or transferred to
the occupational licensing and regulatory fund created in section
4743.05 or the Revised Code.

(F)
With the approval of the director of administrative services, the
office of information technology may establish cooperative agreements
with federal and local government agencies and state agencies that
are not under the authority of the governor for the provision of
technology services and the development of technology projects.

(G)
The office of information technology may operate a program to make
information technology purchases. The director of administrative
services may recover the cost of operating the program from all
participating government entities by issuing intrastate transfer
voucher billings for the procured technology or through any
pass-through billing method agreed to by the director of
administrative services, the director of budget and management, and
the participating government entities that will receive the procured
technology.

If
the director of administrative services chooses to recover the
program costs through intrastate transfer voucher billings, the
participating government entities shall process the intrastate
transfer vouchers to pay for the cost. Amounts received under this
section for the information technology purchase program shall be
deposited to the credit of the information technology governance fund
created in section 125.15 of the Revised Code.

(H)
Upon request from the director of administrative services, the
director of budget and management may transfer cash from the
information technology fund created in section 125.15 of the Revised
Code, the MARCS administration fund created in section 4501.29 of the
Revised Code, or the enterprise applications fund created in division
(B)(11) of this section to the major information technology purchases
fund in an amount not to exceed the amount computed under division
(B)(11) of this section. The major information technology purchases
fund is hereby created in the state treasury.

(I)
As used in this section:

(1)
"Personal information" has the same meaning as in section
149.45 of the Revised Code.

(2)
"State agency" means every organized body, office, or
agency established by the laws of the state for the exercise of any
function of state government, other than any state-supported
institution of higher education, the office of the auditor of state,
treasurer of state, secretary of state, or attorney general, the
adjutant general's department, the bureau of workers' compensation,
the industrial commission, the public employees retirement system,
the Ohio police and fire pension fund, the state teachers retirement
system, the school employees retirement system, the state highway
patrol retirement system, the general assembly or any legislative
agency, the capitol square review advisory board, or the courts or
any judicial agency.

Sec.
5502.282.
(A)
The state cybersecurity strategic advisor, appointed under Executive
Order 2022-07D, issued on April 25, 2022, with the assistance of the
executive director of the emergency management agency, and the chief
information security officer, shall annually assess the cybersecurity
infrastructure of municipal corporations in the state and shall
prepare and submit a report of the assessment to the governor, the
adjutant general, and to the general assembly in accordance with
division (B) of section 101.68 of the Revised Code.

(B)
The state cybersecurity strategic advisor may certify Ohio-based
private cybersecurity firms and may contract with certified firms to
do the following:

(1)
Assist the state cybersecurity strategic advisor in the assessment of
municipal corporation cybersecurity infrastructure under the
supervision of the advisor and in accordance with established
assessment standards;

(2)
Respond, in coordination with the Ohio cyber reserve under section
5922.08 of the Revised Code, to a cybersecurity incident.

(C)
Under the contract or certification, the private cybersecurity firm
shall do all of the following:

(1)
Register in Ohio and be in good standing with the secretary of state;

(2)
Provide proof of insurance coverage including cybersecurity liability
coverage;

(3)
Employ staff with relevant certifications. At least one staff member
of the private cybersecurity firm shall possess certification from at
least one of the following: the certified information systems
security professional (CISSP), certified information security manager
(CISM), certified information systems auditor (CISA), global
information assurance certification (GIAC), offensive security
certified professional (OSCP), service organization control (SOC) 2,
or an equivalent.

(4)
Demonstrate proficiency in cybersecurity frameworks such as any of
the following: the national institute of standards and technology
cybersecurity framework (NIST CSF), national institute of standards
and technology (NIST) 800-53, center for internet security (CIS)
controls, or international organization for standardization (ISO)
27001;

(5)
Provide a documented history of providing cybersecurity risk
assessments, incident response, or municipal information technology
support and have the ability to respond within forty-eight hours to a
municipal corporation incident or request;

(6)
Subject key personnel to background checks or attestations of
trustworthiness;

(7)
Complete a state-offered orientation or partnership workshop to
ensure alignment with government protocols and expectations;

(8)
Adhere to a standardized code of ethics, including transparency;

(9)
Agree to provisions prohibiting the retention of data;

(10)
Agree to provisions prohibiting the disclosure of client data;

(11)
Agree to provisions specifying the requirements of reports that shall
be provided to the state cybersecurity strategic advisor by the
private cybersecurity firm.

Sec.
5502.283.
A
countywide emergency management agency under section 5502.26 of the
Revised Code, a regional authority for emergency management under
section 5502.27 of the Revised Code, or a program for emergency
management within a political subdivision under section 5502.271 of
the Revised Code, shall incorporate utilization of the secure
toll-free cyber attack telephone line, established under section
5922.09 of the Revised Code, into the entity's emergency plan.

Sec.
5922.08.
(A)

The
governor, as commander-in-chief of the Ohio organized militia, may
order individuals or units of the Ohio cyber reserve to state active
duty to protect state, county, and local government entities and
critical infrastructure, including election systems, or for training
as the governor determines necessary. The governor, upon the request
of a business or citizen, also may order individuals or units of the
Ohio cyber reserve to state active duty to protect that business or
citizen.

(B)
The governor, as commander-in-chief of the Ohio organized militia,
upon the request of a state, county, or local government entity,
shall order individuals or units of the Ohio cyber reserve to state
active service to support the state, county, or local government
entity that has been a victim of a cyber attack. When so ordered, the
Ohio cyber reserve shall respond within forty-eight hours.

(C)
When responding to a cyberattack under division (B) of this section,
the Ohio cyber reserve may coordinate with or deploy a private
cybersecurity firm that has been certified by, and is under contract
with, the state cybersecurity strategic advisor under section
5502.282 of the Revised Code to provide specialized support.

(D)

When
ordered by the governor to perform duty or training under this
section or section 5923.21 of the Revised Code, members of the Ohio
cyber reserve shall have the same protections afforded by the
"Servicemembers Civil Relief Act," Pub. L. No. 108-189, 50
U.S.C. 3901-4043, and by the "Uniformed Services Employment and
Reemployment Rights Act," 108 Stat. 3149, 38 U.S.C. 4301-4333.

Sec.
5922.09.
The
adjutant general shall establish a toll-free telephone number that
may be used by a state, county, or local government entity to report
a cyberattack and to request immediate support by the Ohio cyber
reserve. The telephone number shall be staffed by live personnel
twenty-four hours per day at its answering point. The telephone line
shall be protected by security measures to prevent eavesdropping or
interception.

The
adjutant general shall establish adequate rules and procedures to
facilitate an immediate response to a request for support by a state,
county, or local government entity, including the procedure for
contacting the governor's office to consider an order under division
(B) of section 5922.08 of the Revised Code.

Section
2.
That
existing sections 125.18 and 5922.08 of the Revised Code are hereby
repealed.