As Introduced

136th General Assembly

Regular Session H. B. No. 475

2025-2026

Representatives Mohamed, White, E.

Cosponsors: Representatives Brennan, Brownlee, Jarrells, Lett, McNally, Russo, Upchurch, Workman


To amend sections 125.18 and 5922.08 and to enact sections 5502.282, 5502.283, and 5922.09 of the Revised Code to require the assessment of municipal corporation cybersecurity infrastructure, to allow the cybersecurity strategic advisor to certify and contract with private cybersecurity firms, and to establish a toll-free secure line to the Ohio Cyber Reserve.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF OHIO:

Section 1. That sections 125.18 and 5922.08 be amended and sections 5502.282, 5502.283, and 5922.09 of the Revised Code be enacted to read as follows:

Sec. 125.18. (A) There is hereby established the office of information technology within the department of administrative services. The office shall be under the supervision of a state chief information officer to be appointed by the director of administrative services and subject to removal at the pleasure of the director. The chief information officer is an assistant director of administrative services.

(B) Under the direction of the director of administrative services, the state chief information officer shall lead, oversee, and direct state agency activities related to information technology development and use. In that regard, the state chief information officer shall do all of the following:

(1) Coordinate and superintend statewide efforts to promote common use and development of technology by state agencies. The office of information technology shall establish policies and standards that govern and direct state agency participation in statewide programs and initiatives.

(2) Coordinate with the office of procurement services to establish policies and standards for state agency acquisition of information technology supplies and services;

(3) Establish policies and standards for the use of common information technology by state agencies, including, but not limited to, hardware, software, technology services, and security, and the extension of the service life of information technology systems, with which state agencies shall comply;

(4) Establish criteria and review processes to identify state agency information technology projects or purchases that require alignment or oversight. As appropriate, the department of administrative services shall provide the governor and the director of budget and management with notice and advice regarding the appropriate allocation of resources for those projects. The state chief information officer may require state agencies to provide, and may prescribe the form and manner by which they must provide, information to fulfill the state chief information officer's alignment and oversight role;

(5) Establish policies and procedures for the security of personal information that is maintained and destroyed by state agencies;

(6) Employ a chief information security officer who is responsible for the implementation of the policies and procedures described in division (B)(5) of this section and for coordinating the implementation of those policies and procedures in all of the state agencies;

(7) Employ a chief privacy officer who is responsible for advising state agencies when establishing policies and procedures for the security of personal information and developing education and training programs regarding the state's security procedures;

(8) Establish policies on the purchasing, use, and reimbursement for use of handheld computing and telecommunications devices by state agency employees;

(9) Establish policies for the reduction of printing and for the increased use of electronic records by state agencies;

(10) Establish policies for the reduction of energy consumption by state agencies;

(11) Compute the amount of revenue attributable to the amortization of all equipment purchases and capitalized systems from information technology service delivery and major information technology purchases, MARCS administration, and enterprise applications operating appropriation items and major computer purchases capital appropriation items that is recovered as part of the information technology services rates the department of administrative services charges and deposits into the information technology fund created in section 125.15 of the Revised Code, and the user fees the department of administrative services charges and deposits in the MARCS administration fund created in section 4501.29 of the Revised Code, the rates the department of administrative services charges to benefiting agencies for the operation and management of information technology applications and deposits in the enterprise applications fund. The enterprise applications fund is hereby created in the state treasury.

(12) Regularly review and make recommendations regarding improving the infrastructure of the state's cybersecurity operations with existing resources and through partnerships between government, business, and institutions of higher education;

(13) Assist, as needed, with general state efforts to grow the cybersecurity industry in this state.

(C)(1) The chief information security officer shall assist each state agency with the development of an information technology security strategic plan and review that plan, and each state agency shall submit that plan to the state chief information officer. The chief information security officer may require that each state agency update its information technology security strategic plan annually as determined by the state chief information officer.

(2) The chief information security officer shall assist the state cybersecurity strategic advisor with the assessment and report required under section 5502.282 of the Revised Code.

(3) Prior to the implementation of any information technology data system, a state agency shall prepare or have prepared a privacy impact statement for that system.

(D) When a state agency requests a purchase of information technology supplies or services under Chapter 125. of the Revised Code, the state chief information officer may review and reject the requested purchase for noncompliance with information technology direction, plans, policies, standards, or project-alignment criteria.

(E) The office of information technology may operate technology services for state agencies in accordance with this chapter.

Notwithstanding any provision of the Revised Code to the contrary, the office of information technology may assess a transaction fee on each license or registration issued as part of an electronic licensing system operated by the office in an amount determined by the office not to exceed three dollars and fifty cents. The transaction fee shall apply to all transactions, regardless of form, that immediately precede the issuance, renewal, reinstatement, reactivation of, or other activity that results in, a license or registration to operate as a regulated professional or entity. Each license or registration is a separate transaction to which a fee under this division applies. Notwithstanding any provision of the Revised Code to the contrary, if a fee is assessed under this section, no agency, board, or commission shall issue a license or registration unless a fee required by this division has been received. The director of administrative services may collect the fee or require a state agency, board, or commission for which the system is being operated to collect the fee. Amounts received under this division shall be deposited in or transferred to the occupational licensing and regulatory fund created in section 4743.05 of the Revised Code.

(F) With the approval of the director of administrative services, the office of information technology may establish cooperative agreements with federal and local government agencies and state agencies that are not under the authority of the governor for the provision of technology services and the development of technology projects.

(G) The office of information technology may operate a program to make information technology purchases. The director of administrative services may recover the cost of operating the program from all participating government entities by issuing intrastate transfer voucher billings for the procured technology or through any pass-through billing method agreed to by the director of administrative services, the director of budget and management, and the participating government entities that will receive the procured technology.

If the director of administrative services chooses to recover the program costs through intrastate transfer voucher billings, the participating government entities shall process the intrastate transfer vouchers to pay for the cost. Amounts received under this section for the information technology purchase program shall be deposited to the credit of the information technology governance fund created in section 125.15 of the Revised Code.

(H) Upon request from the director of administrative services, the director of budget and management may transfer cash from the information technology fund created in section 125.15 of the Revised Code, the MARCS administration fund created in section 4501.29 of the Revised Code, or the enterprise applications fund created in division (B)(11) of this section to the major information technology purchases fund in an amount not to exceed the amount computed under division (B)(11) of this section. The major information technology purchases fund is hereby created in the state treasury.

(I) As used in this section:

(1) "Personal information" has the same meaning as in section 149.45 of the Revised Code.

(2) "State agency" means every organized body, office, or agency established by the laws of the state for the exercise of any function of state government, other than any state-supported institution of higher education, the office of the auditor of state, treasurer of state, secretary of state, or attorney general, the adjutant general's department, the bureau of workers' compensation, the industrial commission, the public employees retirement system, the Ohio police and fire pension fund, the state teachers retirement system, the school employees retirement system, the state highway patrol retirement system, the general assembly or any legislative agency, the capitol square review advisory board, or the courts or any judicial agency.

Sec. 5502.282. (A) The state cybersecurity strategic advisor, appointed under Executive Order 2022-07D, issued on April 25, 2022, with the assistance of the executive director of the emergency management agency, and the chief information security officer, shall annually assess the cybersecurity infrastructure of municipal corporations in the state and shall prepare and submit a report of the assessment to the governor, the adjutant general, and to the general assembly in accordance with division (B) of section 101.68 of the Revised Code.

(B) The state cybersecurity strategic advisor may certify Ohio-based private cybersecurity firms and may contract with certified firms to do the following:

(1) Assist the state cybersecurity strategic advisor in the assessment of municipal corporation cybersecurity infrastructure under the supervision of the advisor and in accordance with established assessment standards;

(2) Respond, in coordination with the Ohio cyber reserve under section 5922.08 of the Revised Code, to a cybersecurity incident.

(C) Under the contract or certification, the private cybersecurity firm shall do all of the following:

(1) Register in Ohio and be in good standing with the secretary of state;

(2) Provide proof of insurance coverage including cybersecurity liability coverage;

(3) Employ staff with relevant certifications. At least one staff member of the private cybersecurity firm shall possess certification from at least one of the following: the certified information systems security professional (CISSP), certified information security manager (CISM), certified information systems auditor (CISA), global information assurance certification (GIAC), offensive security certified professional (OSCP), service organization control (SOC) 2, or an equivalent.

(4) Demonstrate proficiency in cybersecurity frameworks such as any of the following: the national institute of standards and technology cybersecurity framework (NIST CSF), national institute of standards and technology (NIST) 800-53, center for internet security (CIS) controls, or international organization for standardization (ISO) 27001;

(5) Provide a documented history of providing cybersecurity risk assessments, incident response, or municipal information technology support and have the ability to respond within forty-eight hours to a municipal corporation incident or request;

(6) Subject key personnel to background checks or attestations of trustworthiness;

(7) Complete a state-offered orientation or partnership workshop to ensure alignment with government protocols and expectations;

(8) Adhere to a standardized code of ethics, including transparency;

(9) Agree to provisions prohibiting the retention of data;

(10) Agree to provisions prohibiting the disclosure of client data;

(11) Agree to provisions specifying the requirements of reports that shall be provided to the state cybersecurity strategic advisor by the private cybersecurity firm.

Sec. 5502.283. A countywide emergency management agency under section 5502.26 of the Revised Code, a regional authority for emergency management under section 5502.27 of the Revised Code, or a program for emergency management within a political subdivision under section 5502.271 of the Revised Code, shall incorporate utilization of the secure toll-free cyber attack telephone line, established under section 5922.09 of the Revised Code, into the entity's emergency plan.

Sec. 5922.08. (A) The governor, as commander-in-chief of the Ohio organized militia, may order individuals or units of the Ohio cyber reserve to state active duty to protect state, county, and local government entities and critical infrastructure, including election systems, or for training as the governor determines necessary. The governor, upon the request of a business or citizen, also may order individuals or units of the Ohio cyber reserve to state active duty to protect that business or citizen.

(B) The governor, as commander-in-chief of the Ohio organized militia, upon the request of a state, county, or local government entity, shall order individuals or units of the Ohio cyber reserve to state active service to support the state, county, or local government entity that has been a victim of a cyber attack. When so ordered, the Ohio cyber reserve shall respond within forty-eight hours.

(C) When responding to a cyberattack under division (B) of this section, the Ohio cyber reserve may coordinate with or deploy a private cybersecurity firm that has been certified by, and is under contract with, the state cybersecurity strategic advisor under section 5502.282 of the Revised Code to provide specialized support.

(D) When ordered by the governor to perform duty or training under this section or section 5923.21 of the Revised Code, members of the Ohio cyber reserve shall have the same protections afforded by the "Servicemembers Civil Relief Act," Pub. L. No. 108-189, 50 U.S.C. 3901-4043, and by the "Uniformed Services Employment and Reemployment Rights Act," 108 Stat. 3149, 38 U.S.C. 4301-4333.

Sec. 5922.09. The adjutant general shall establish a toll-free telephone number that may be used by a state, county, or local government entity to report a cyberattack and to request immediate support by the Ohio cyber reserve. The telephone number shall be staffed by live personnel twenty-four hours per day at its answering point. The telephone line shall be protected by security measures to prevent eavesdropping or interception.

The adjutant general shall establish adequate rules and procedures to facilitate an immediate response to a request for support by a state, county, or local government entity, including the procedure for contacting the governor's office to consider an order under division (B) of section 5922.08 of the Revised Code.

Section 2. That existing sections 125.18 and 5922.08 of the Revised Code are hereby repealed.