CLEVELAND — The Ohio Auditor of State’s Office will begin evaluating school districts’ cybersecurity policies in July.
As outlined by House Bill 96, districts had to implement a cybersecurity program that safeguards the district’s data, information technology and information technology resources to ensure availability, confidentiality and integrity.
The law reads, “The program shall be consistent with generally accepted best practices for cybersecurity, such as the national institute of standards and technology cybersecurity framework, and the center for internet security cybersecurity best practices.”
“Without the standards, without the prevention, they were opening themselves all too often to cyberattacks,” Ohio Auditor of State Keith Faber said in an August social media post.
Cleveland Metropolitan School District’s Lou Marich is at the front line of data protection. As the Executive Director of Cybersecurity and IT Risk Management, he’s in charge of not only securing district data but ensuring the district complies with state law.
“I feel my job is important because, you know, it’s all about the children,” Marich said. “We are protecting student data, parents data, our own data as well. And, there’s a market for compromised data. So, I feel my job is to protect that.”
This year the CMSD cybersecurity team was honored by CSO, a cybersecurity publication, as a “CSO Hall of Fame Award Recipient” for 2026.
“We’re in there with some big, heavy-hitters,” Marich said. “United Airlines and McDonald’s, DocuSign is in there… They’re all industry leaders, the gold standard in how to protect your environments.”
CMSD was recognized for its measurable results since partially implementing its cybersecurity plan. The district reports a 20% reduction in geo-targeted threats, a 28% reduction in phishing and ransomware attacks and $950,000 in savings.
In addition, the district reports that it meets the new State of Ohio data protection, privacy and cybersecurity requirements with no additional action.
