The Ohio Cyber Range Institute (OCRI) is a State of Ohio-funded organization dedicated to advancing cybersecurity education, workforce development, and economic growth throughout Ohio. Powered by the University of Cincinnati, it aims to bridge the cybersecurity skills gap, strengthen the workforce pipeline, and enhance the overall security and economy of Ohio. 

Ohio Persistent Cyber Improvement (O-PCI) is a training program developed and delivered by the Ohio Cyber Range Institute (OCRI), funded through the Cybersecurity and Infrastructure Security Agency (CISA) and the State of Ohio, at no cost to Ohio local government entities. O-PCI was established to support local government entities and their staff across Ohio. The Persistent Cyber Improvement model positions local government entities to build and sustain the capacity to anticipate, adapt, withstand and, when necessary, recover from cyber aggression. 

• This training will help you in various aspects of your job, including: 

• Increase awareness of cybersecurity threats and risks relevant to your daily work responsibilities within your organization.  

• Improve your ability to protect sensitive public data from unauthorized access, theft, or compromise.  

• Enhance your organization's resilience against disruptions caused by cyberattacks.  

• Align employees with guidelines established by your organization's IT/Cybersecurity staff, ensuring commitment to and understanding of all data security standards. 

The training is conducted mostly online. For some staff, there are limited in-person or virtual requirements; participants will be made aware if an in-person training session is required. 

Recipients will receive an email with a unique link to log into the training platform. Recipients are instructed to log onto the platform as soon as they receive the training link. Once you have created an account, you can return to the training platform by visiting: learn.ohiocyberrange.org.  

If you can’t find the e-mail we’ve sent to you, please manually reset your password: 1. Go to learn.ohiocyberrange.org 2. Click on ‘Forgot Password?’ located above the ‘Login’ button 3. Type in your work email address and click on ‘Reset Password’ 4. A link will be sent to your email where it will give you instructions to set a new password. 

Yes, technical support is available. Should you need assistance with the training platform or encounter any technical issues, please email requests to: opciprogram@uc.edu.

No, you do not need any specific software or plugins installed on your device. You may find it helpful to have a pair of headphones on hand if you’d like to listen to the video portions of the training. 

Operating System: Windows 11, MacOS 13+, iOS, iPadOS 17+, Linux (Kernel 6.5+) (Ubuntu, Debian, Fedora) Browser: Firefox (126+), Chrome (126+), Edge (126+), Safari (17+) Memory:  Minimum 4GB, recommended 8GB

Estimated training varies based on individual learning styles. Training time for each employee is based on specific job roles within your organization. Training times by employee role are:  

General Staff, Non-IT: < 2 hours  

IT/Cybersecurity Professional: 11- 13 hours  

IT/Cybersecurity Manager/Executive: 7 - 9 hours 

Organizational Manager/Executive: 5 - 7 hours 

Employees will not need to allocate any additional time outside of the online courses. The asynchronous nature of the training means the allotted time during the sessions should be enough for completing assignments and reviewing materials. Therefore, employees can focus solely on their training tasks during the designated time frame without the need for extra study. 

The training program operates within a set structure and timeframe due to resource constraints and predefined learning objectives. Extending the program’s duration will disrupt the overall schedule and affect other participants’ commitments or the training’s effectiveness. Therefore, adjusting the program’s duration is considered on a case-by-case basis.

Cybersecurity is the responsibility of every employee in an organization. Completing the cybersecurity training is crucial for all staff members, as it equips them with the knowledge and skills necessary to recognize and mitigate cybersecurity threats. There are many common cybersecurity threats that can be identified by non-IT staff, and it would significantly enhance the organization’s overall security posture by empowering every member to actively contribute to our cyber defense strategy.

Please refer to this course outline document and the learning management system at learn.ohiocyberrange.org to see which courses are assigned to you. 

No, there are no prerequisites or recommended knowledge required before starting the training.

Yes, there will be a quiz after finishing every training module to evaluate your understanding of the material and your progress in the training. Your performance in these assessments and quizzes is only used by OCRI for the delivery of the training and not individually shared across your organization, unless otherwise requested by the leadership of your organization.

No, based on your role, the training duration varies. For example, most staff are provided several months to finish less than two hours of bite-sized modules of the “Cyber Mindfulness” course. Other staff such as IT/Cybersecurity Professional, IT/Cybersecurity Manager/Executives, and Organizational Manager/Executives can complete additional courses over the same period.

The training platform provides an indicator of your progress. It will display a percentage indicating how much of the training you have completed and the points you’ve collected for doing so.

To proceed to the following lesson, you must pass the quiz. Some quizzes require answering all questions correctly while others are more lenient. Quiz questions will be based on lesson material.

When your organization completes the training program, all participating employees who completed the training may opt in to recieve a badge through O-PCI’s partner, Credly. Credly badges are issued weekly. Please allow five business days before inquiring about your badge to: opciprogram@uc.edu. 

To provide feedback on improving the training, please reach out to the following email address: opciprogram@uc.edu.

Your personal information will not be shared or sold to any third parties. Your progress is shared with your organization or used in future research projects that are aimed at improving cybersecurity.

The number of counties and other local government entities enrolled in O-PCI varies on a regular basis. However, to date, more than 200 local government entities have registered for training, and it has been completed by tens of thousands of employees like you across Ohio.

Various data breaches have occurred, affecting companies, organizations, and public sector agencies of different sizes. Interesting incidents and examples of cybersecurity breaches in the public sector are many. For instance: Public Sector: On November 12, 2023, the city of Huber Heights experienced a serious ransomware attack. An IT technician alerted city leaders about the breach, which led to the shutdown of Huber Heights’ city network. The Huber Heights City Council declared a “State of Emergency”, allowing city leaders to allocate up to $350,000 from the “General Fund” for investigating the attack and enhancing the city’s cybersecurity infrastructure. While public safety services remained unaffected, divisions such as Zoning, Engineering, Tax, Finance, Utilities, Human Resources, and Economic Development were impacted by the attack.   

In December 2022, the city of Circleville, Ohio, encountered a serious ransomware attack that significantly impacted its municipal court systems. The court’s IT department collaborated with external cybersecurity professionals to address the breach. The LockBit ransomware group added the Circleville Municipal Court to their leak site, claiming to have stolen 500 GB of data, including case information, and issued a ransom demand with a deadline of January 24 for payment. The court is diligently working to restore its systems and assess the extent compromised information.  Ohio has faced several ransomware attacks over the past few years, affecting various entities such as local schools and hospitals. The LockBit ransomware gang has been particularly active, targeting poorly resourced local governments across the United States.   

These incidents underscore the critical need for cybersecurity measures to safeguard sensitive data and prevent future breaches. O-PCI is offering this opportunity free of charge to equip the public sector in Ohio with the necessary skills and knowledge to recognize and respond to cyber threats effectively.

A well-trained staff and leadership team protect organizational assets and contribute to the community's overall safety and security by mitigating cyber threats and vulnerabilities, making sure citizens' information is protected, and upholding public trust. Additionally, the proactive approach to cybersecurity helps prevent potential disruptions to essential services, such as maintaining the integrity of critical infrastructure, and fosters resilience in the face of evolving cyber risks. 

The courses that you are enrolled in are decided by the point of contact we have at your organization. Please contact your supervisor to inquire about taking additional courses through the O-PCI training. 

To join O-PCI training, local government entities must complete registration, sign an MOU (Memorandum of Understanding), Consent Letters provided by Ohio EMA, and adhere to the program's guidelines. It is asked that all employees finish the training to ensure comprehensive cybersecurity preparedness across the organization.

The consent letters found attached to the bottom of your MOU, are requested from the Ohio Emergency Management Agency (OEMA), which monitors the funds used to enable O-PCI. FEMA requires that local government entities sign these letters to make free cybersecurity training and education possible.

We partner with many governments that rely on private vendors and do not have IT/cyber roles in-house. You can choose to not have anyone enrolled in those courses or designate someone with a little bit of knowledge to take on those courses. We leave all role assignments up to you.

To help generate interest and facilitate registration for your county, please register for our newsletter here and visit the OCRI website for the latest updates and resources here.

No, those working for private companies are not required to participate in O-PCI. However, you may want to consult them while creating your anticipation and resilience strategy (ARS), since they have all the knowledge of your hardware and software.

Yes, we would be happy to sign you up as an internal reviewer to see the courses and get a feel for our learning management system. However, you will not be considered a partner with us until you sign an MOU and go through the whole-of-organization training.

We do not offer group training; however, we have had partner governments who run their own group trainings. If you decide to go this route, you can send us a sign in sheet of those who have participated, and we will mark them as complete in our system.

O-PCI is funded through the state of Ohio and therefore will be delivered at no cost to you.

Yes.

• To remain in good standing as an O-PCI partner, we require one of two options: 

• Advance from Gateway 1 to Gateway 2 within the first year of receiving Gateway 1. 

• After a year of having access to Gateway 1 training, you ask your employees to complete the general Cyber Mindfulness course once again. 

Here are some common titles associated with each category.  

IT/Cybersecurity Professional: System Administrator, Tech Support, etc. 

IT/Cybersecurity Manager/Executive: CISO, CIO, ITD, etc.  

Organizational Manager/Executive*: Mayor, Commissioner, CEO, Department Director, Chief of Operations, County Auditor, Superintendent, County Executive, Board Member, etc. 

General Staff, Non-IT: non-Cybersecurity, non-Managerial Employee/General user. Any position not included in the above categories, could be Police Officer, Teacher, Maintenance Employee, Public Works Engineer, Economic Development Specialist, Human Resources Officer, Code Enforcement Specialist, Building Inspector, Firefighter, Sheriff’s Deputy, Librarian, Mechanic, Arborist, Lifeguard, etc. 

*When deciding on who should be in the Organizational Manager/Executive track, consider: do they make risk management, purchasing/contracting, or policy decisions? If not, and they simply have "manager" in their title, they would fall under the General Employee category. 

The default approach to O-PCI training is to provide the training to all employees at the same time; this reinforces the whole-of-organization approach to cybersecurity. On a case-by-case basis, we can consider staging the roll-out to some employee groups if labor or logistical challenges exist in requiring training at a particular time of the year.

The templates that we provide as part of O-PCI are rooted in the educational materials that surround them. For this reason, we do not provide templates to local governments outside of the training.

Yes, the Ohio Cyber Range Institute team seeks to keep all courses up to date on the latest cybersecurity threats and challenges facing local governments. We aim to update each course roughly every 18 months and prioritize the courses that are seen by the greatest number of learners.

To date, over 100 local governments across Ohio have partnered to receive O-PCI, bringing tens of thousands of public employees onboard. These governments range from those with only a few employees, to some of the largest in the state.

• Below are a few testimonials from our partner governments:  "Since we began participating in the Ohio Persistent Cyber Improvement Training, I have witnessed a shift in both behavior and organizational practices at the County. The training has fostered a greater awareness of cybersecurity challenges and has led to a more proactive, collaborative approach to addressing vulnerabilities as well as functional considerations in Cloud providers. Employees now demonstrate a heightened sense of responsibility and are more diligent in following security protocols and best practices, creating a stronger, more resilient Cyber Security posture. Organization Managers and Executives are using their training in Frameworks and third-party security to assess the risks associated with outside vendors.  It's been rewarding to see how these trainings are not only enhancing our security posture but also encouraging employees to work together with IT to more effectively safeguard our systems." - County IT Director  

•  I knew my city was behind when it came to anything IT, but having so many IT things for me to figure out immediately has allowed some less pressing items to fall through the gaps.  These two introductory classes led me to investigate our DRP and ARP.  I pulled the city's Disaster Recovery Plan only to discover that IT was not included in the document, and our Incident Response Plan/Anticipation and Resilience Plan (IRP/ARP) and COOP (continuity of operations plan) do not exist at all.  I have begun meeting with my stakeholders to generate corrected forms of these documents.  I spend so much time on the advanced problems that the basics have been neglected, and this course helped remind me about planning for how we should operate once I get us back to maintenance mode." - City IT Director  

• “The Executive Team kick-off meeting has helped to jump-start our thinking, not only about our own roles in risk management and mitigation, but also in the ways we will ask our users to engage with the training to make it as impactful as possible. That one meeting elevated cybersecurity thinking in every department."  - School District IT Director  
  

• “Our contracted IT company that does updates to our patron computers called the main line to the library and was asking about software that was blocking updates and how he needed to walk through with someone how to deactivate. The employee took a message and gave it to me saying how he knew that was a good way to let in a cyberattacker.”  - Library Director

There is no requirement that all 3 gateways must be completed. O-PCI recommends going through all 3, but it is not mandatory. Regardless of how far you go in O-PCI training (Gateway 1, Gateway 2, Gateway 3) clarification must be sought from the Ohio State Auditor for compliance.  O-PCI can not make that determination at any point in the training or partnership.

Regardless of how far you go in O-PCI training (Gateway 1, Gateway 2, Gateway 3) clarification must be sought from the Ohio State Auditor for compliance.  O-PCI cannot make that determination at any point in the training or partnership.

Upon request, slides can be sent.

All local government entities in Ohio are eligible for O-PCI training. This includes municipal governments, county governments, and other public sector organizations such as public schools, libraries, and utilities.

You can start Gateway 2 when it is convenient for your organization.  However, please keep in mind an 80% completion rate across your organization is required to advance from the first Gateway to the second Gateway

You can be successful with O-PCI training even if you do not have IT/Cyber staff at your organization. If that is the case, please assign the Organizational Manager/Executive role of the training to the individual (it could be you) that has the primary responsibility to make strategic and policy decisions related to IT and cybersecurity for your organization.

There is no set schedule that we require for you to update your employee information in the learning management system. Some local government points of contact choose to do this as changes occur at the organization, others on a weekly, monthly or quarterly basis. 

Yes, those who are designated as the point of contact have a reports tab where they can track the progress of their staff. You can view progress by employee, department, organizations, etc. and download the spreadsheets.

As a point of contact, you can add, remove, and edit users in the learning management system. When you add a user, they will need to be enrolled and notified on our end. Enrollments happen every Friday morning.