ORC 9.64 for MSPs and MSSPs – and Their Clients
Deliver scalable cybersecurity services aligned with Ohio’s HB 96 legislation and its implementing requirement, ORC 9.64, using Cynomi’s AI-powered vCISO platform. Enable Ohio public entities to protect sensitive data, demonstrate compliance, and reduce regulatory risk.
What is ORC 9.64 and Why
Does It Matter for MSPs and MSSPs?
Ohio Revised Code (ORC) 9.64, enacted through Ohio’s HB 96 budget legislation, establishes a statutory requirement for Ohio local public offices to create, implement, and maintain a formal cybersecurity program. The law applies to entities such as counties, townships, municipalities, and school districts, and is intended to ensure the protection of sensitive data and information systems against cybersecurity risks.
For MSPs and MSSPs supporting Ohio’s public sector, ORC 9.64 represents a significant service opportunity. Many public entities lack the internal expertise or capacity to design and operate a compliant cybersecurity program independently. By delivering services aligned with ORC 9.64 providers can help clients meet their statutory obligations while establishing recurring, long-term engagements.
What Organizations Does
ORC 9.64 Apply To?
ORC 9.64 applies broadly to local public offices within the state of Ohio.
This includes a wide range of government and educational institutions that must now demonstrate formal cybersecurity planning:
- Counties and Townships
- Municipalities and Cities
- School Districts and Educational Service Centers
- Public Libraries
- Health Districts and Public Safety Agencies
MSPs and MSSPs play a critical role in supporting covered Ohio public entities in meeting ORC 9.64 requirements.
ORC 9.64 Core Components
ORC 9.64 requires Ohio public offices to establish and maintain a governed cybersecurity program with defined accountability. Within that program, the law specifies six core components that must be addressed. MSPs and MSSPs commonly support public-sector clients in implementing and operationalizing these requirements:
Risk Identification and Critical Functions
Identify cybersecurity risks and prioritize systems, data, and essential services.
Impact Assessment
Evaluate the potential operational and data impacts of cybersecurity events.
Threat Detection Mechanisms
Implement capabilities to identify and monitor cybersecurity events.
Incident Response Procedures
Define and maintain procedures for responding to cybersecurity incidents.
Infrastructure Repair and Maintenance
Ensure systems are routinely updated, patched, and maintained to address vulnerabilities.
Employee Training Requirements
Provide regular training to employees to recognize and address cybersecurity threats.
Why MSPs and MSSPs Choose Cynomi
Cynomi streamlines ORC 9.64 compliance, freeing up time and resources so you can support more clients with less effort, make more margin and expand your revenue potential. What you get with Cynomi:
Unified platformsupporting coverage for all six ORC 9.64 program components
Standardized templates and workflows aligned to ORC 9.64 requirements
Automated policies, task assignments and documentation to support audit readiness
Rapid deployment of a consistent, scalable ORC 9.64 compliance offering
How MSPs and MSSPs Can Support ORC 9.64 Compliance for Their Clients
Cynomi helps MSPs and MSSPs guide public-sector clients through the practical implementation and ongoing management of ORC 9.64–aligned cybersecurity programs.
Assess & Identify
Launch ORC 9.64-Aligned Assessments
- Conduct automated assessments mapped to the six required components of ORC 9.64
- Identify gaps in the client’s current cybersecurity program relative to statutory expectations
- Generate a clear gap analysis to support executive and board-level discussions
Establish & Plan
Build a Statutorily Aligned Cybersecurity Program
- Generate core cybersecurity policies supporting ORC 9.64 requirements, including Incident Response and Recovery planning
- Define employee security awareness and training activities aligned to statutory expectations
- Create a structured remediation plan to address identified risks
Optimize & Track Progress
Support Ongoing Program Management
- Track implementation status across all six ORC 9.64 components from a centralized view
- Schedule recurring assessments to support continued alignment as programs evolve
- Maintain supporting documentation to assist with oversight, reviews, and stakeholder inquiries
Framework FAQs
ORC 9.64 establishes phased compliance deadlines based on the type of political subdivision. The law applies only to Ohio political subdivisions (sub-state public entities) and does not impose a single universal deadline.
- January 1, 2026 – Counties and cities must have a cybersecurity program in place.
- July 1, 2026 – All other political subdivisions, including townships, villages, school districts, libraries, and similar entities, must have a cybersecurity program in place.
Public entities are expected to establish and maintain their cybersecurity programs on an ongoing basis once their applicable deadline has passed.
No. ORC 9.64 does not mandate the use of a specific technical standard or framework. Public entities may choose to align their cybersecurity programs with recognized frameworks such as NIST or CIS Controls. These controls are recommended as an implementation approach, provided the statutory requirements are met.
Yes. ORC 9.64 requires public offices to designate a cybersecurity contact, but it does not require that individual to be a direct employee. Many public entities fulfill this requirement through an MSP, MSSP, or vCISO provider.
ORC 9.64 does not prescribe a specific assessment frequency. Public entities are expected to manage cybersecurity risks as part of an ongoing program. In practice, many organizations perform periodic risk assessments—often annually or following significant changes—to support continued alignment.
Cynomi supports MSPs and MSSPs by automating assessments aligned to ORC 9.64’s six core components, generating supporting cybersecurity policies and documentation, and providing a centralized platform for ongoing risk and program management – enabling scalable delivery across public-sector clients.