Key Takeaways:
- Ohio’s HB 96 creates new cybersecurity compliance requirements for school districts, including mandatory incident reporting.
- Districts can use a structured assessment to understand current gaps, clarify responsibilities, and prioritize next steps for compliance.
- Moving from assessment to implementation requires ongoing policies, training, monitoring, and incident response planning aligned with recognized cybersecurity frameworks.
—
Ohio’s House Bill 96 (HB 96) introduces new cybersecurity compliance and incident reporting requirements for public school districts. Aimed at protecting sensitive data and systems, the law introduces formal expectations that many districts have not previously had to meet.
In response to these mandates — particularly in resource-limited environments — districts are evaluating how to align with the law without disrupting core educational operations or overextending internal capacity.
This article outlines how your school district can begin to align with HB 96 through structured assessment, planning, and implementation support.
What HB 96 Requires From Ohio School Districts
Enacted by the Ohio legislature and effective September 30, 2025, HB 96 establishes statewide cybersecurity standards for all political subdivisions — including K–12 public school districts. Key requirements include:
- Creating a formal cybersecurity program that protects the confidentiality, integrity, and availability of information systems.
- Reporting qualifying cybersecurity incidents to the state within seven days of discovery.
- Implementing ongoing monitoring, detection, assessments, and training aligned with frameworks such as National Institute for Standards and Technology (NIST) and Center for Internet Security (CIS).
The legislation defines “cybersecurity incidents” broadly, encompassing events such as unauthorized access, operational disruption, loss of data confidentiality, and third-party supply chain compromises.
For many school systems, these new expectations are a significant change — especially where cybersecurity programs are informal or still developing.
A Structured Approach: The HB 96 Assessment
Districts can begin by conducting a focused assessment designed to show current practices, gaps, and areas that need alignment with HB 96. This structured approach minimizes disruption while providing clarity on the next steps.
Key components of the assessment typically include:
- Self-assessment toolkit: A guided questionnaire covering all HB 96 domains.
- Support guide: Clarifies terminology, responsibilities, and expectations for district staff.
- Gap analysis: Provides a visual comparison of current practices to HB 96-aligned requirements.
- Prioritized recommendations: Shows practical next steps across people, processes, and technology.
- Executive briefing: Summarizes findings and outlines ownership, timelines, and implementation priorities.
This process helps districts understand where they are today and what actions are needed to align with the law.
From Assessment to Long-Term Cyber Resilience
An initial assessment is just one part of a sustainable compliance approach. Many districts will also need to implement or update cybersecurity policies, practices, and response capabilities.
At MGO, we provide advisory support in the following areas:
Cyber Program Development
Development or refinement of cybersecurity policies, incident response plans, staff training, and third-party/vendor risk management. This approach reduces administrative burden and supports alignment with federal and state expectations.
Managed Cybersecurity Program
For districts requiring more support, managed services can include monitoring and alerting, incident triage, tabletop exercises, and periodic compliance reporting. These services help keep readiness while reducing operational strain.
Strategic Cybersecurity Leadership (vCISO)
MGO can provide virtual Chief Information Security Officer (vCISO) services, supporting decision-making across budgeting, planning, grant applications, and strategic technology alignment — without requiring executive-level staffing commitments.
How MGO Supports HB 96 Implementation
Districts working to meet the expectations of HB 96 often face operational and budgetary constraints. MGO works with public sector organizations to support compliance strategies that align with the statutory requirements and practical realities of school systems.
This includes help interpreting the law, translating policy into action, and finding relevant gaps in current cybersecurity practices. Support is structured around nationally recognized frameworks like NIST and CIS but adapted to reflect the local context and resources available.
By combining planning, documentation, and implementation support, we can help your district set up foundational processes and controls that align with HB 96 while preserving focus on your core educational responsibilities.
Getting Started
HB 96 is now in effect. School districts are expected to take prompt action to evaluate and update their cybersecurity programs by the law.
If your district is looking to understand its current level of readiness and figure out next steps (including assessment options and timelines), may request a first assessment or planning consultation. Reach out to our public sector consulting team today.