Ohio school districts are approaching an important July 1, 2026 deadline tied to the cybersecurity requirements established in the state budget. Districts should begin preparing now to ensure that required cybersecurity governance measures are in place, including any necessary board action.
According to the requirements, “each political subdivision’s legislative authority shall adopt a cybersecurity program that safeguards the entity’s data, information technology, and information technology resources to ensure availability, confidentiality, and integrity.”
Why Districts Should Address This Now
With limited board meetings remaining before summer begins, districts that have not addressed cybersecurity governance or adopted board resolutions related to their cybersecurity program should prioritize discussions now.
Recent guidance and industry conversations have also pointed to increased Auditor of State attention surrounding cybersecurity governance and documentation requirements. Specifically, districts that delay action may face:
- Increased auditor scrutiny
- Gaps in governance documentation
- Questions about cybersecurity program maturity
- Greater operational exposure following a cyber incident
Regardless of district size, cybersecurity governance is increasingly important from both an operational and compliance perspective.
What Districts Should Be Reviewing
Districts are not required to have a fully developed cybersecurity environment by July 1, 2026. Rather, they should be able to demonstrate that cybersecurity governance has been formally considered, documented, and supported at the leadership level. Recommended areas include:
- Formal board acknowledgement or adoption of the cybersecurity program
- Alignment to recognized cybersecurity frameworks or best practices
- Incident response and recovery planning
- Cybersecurity awareness and staff training procedures
- Roles and responsibilities during a cybersecurity event
- Documentation supporting governance and decision-making processes
The law also establishes reporting requirements for cybersecurity incidents and ransomware events, reinforcing the importance of clearly defined procedures and leadership involvement.
Operational Resilience Matters
Cybersecurity incidents impact day-to-day school operations, not just technology systems. Districts across the country have experienced disruptions affecting payroll, communications, student systems, transportation, and classroom instruction. As a result, many districts are expanding cybersecurity discussions beyond technology departments to include treasurers, superintendents, operations leaders, and boards of education.
For districts that have not yet addressed the governance component of their cybersecurity program, now is the time to begin coordinating internally with district leadership, legal counsel, and technology teams before the remaining pre-July board meetings.
The goal is not simply compliance, but ensuring districts are better prepared to maintain operations, respond effectively to incidents, and reduce organizational risk in an increasingly challenging cybersecurity environment.