Ohio

In plain terms. Ohio centralizes state IT in the Office of Information Technology within the Department of Administrative Services and protects personal data by statute.

Who it applies to. State agencies and their IT vendors. Ohio references NIST/FIPS standards.

What it requires. State law establishes the Office of Information Technology and an Enterprise Data Management and Analytics Program, and the personal-information statute governs how agencies handle and protect personal data.

Why it matters. Vendors selling IT or data services to Ohio should expect to support the state's centralized IT governance and personal-data protections.

Citation. Ohio Rev. Code Ann. §§ 125.18 (Office of Information Technology) and 125.32 (Enterprise Data Management and Analytics Program); ch. 1347 (Personal Information). References NIST/FIPS.

In plain terms. Ohio's operative security rules for vendors live in its system-and-services-acquisition security controls and standard data-protection contract terms.

Who it applies to. State agencies and their IT and data vendors.

What it requires. The state's System and Services Acquisition Security Controls set security expectations for acquired systems and services, and standard data-security and privacy contract terms attach those protections to agreements.

Why it matters. Expect Ohio's acquisition security controls and data-protection terms to appear directly in your contract.

Citation. Ohio DAS Policy 2100-13 (System and Services Acquisition Security Controls); state Data Security and Privacy Contract Terms.