Cities May Use ARP Funds for Cybersecurity IT Services and Websites

Kevin Howarth

Wednesday, February 2nd, 2022

On January 6, 2022, the Department of the Treasury published the Final Rule for the Coronavirus State and Local Fiscal Recovery Funds (Recovery Funds) portion of the American Rescue Plan (ARP). The Final Rule made it much easier for municipalities to use Recovery Funds for “government services,” loosely defined as “services traditionally provided by recipient governments […] unless Treasury has stated otherwise,” and expressly including “modernization of cybersecurity, including hardware, software, and protection of critical infrastructure.”

The Rule allows cities and towns to spend Recovery Funds for “government services” up to the amount of pandemic-related revenue loss and lets cities choose a “standard” amount of pandemic-related revenue loss of up to $10 million. Because most cities will receive less than $10 million in Recovery Funds, they have significant discretion to spend the funds on anything that meets the broad definition of “government services” as long as they meet general guidelines for use of federal funds. (Expenditures must be necessary, reasonable, allocable, consistent with a city’s expenditure policies, consistently treated, determined in accordance with generally accepted accounting principles, and adequately documented.) Reporting and documentation requirements are streamlined for these “government services” expenditures.

The Treasury uses a specific phrase, “presumption of revenue loss due to the pandemic,” to indicate that it’s assumed that municipalities lost revenue during the pandemic. Recovery Funds are assumed to replenish that lost revenue. By broadly applying to “government services,” the allowed uses for the Recovery Funds do not need to tie directly to a COVID impact.

Municipalities Can Use Recovery Funds for Cybersecurity, IT Services, and Municipal Websites

The good news is that municipalities can use Recovery Funds to pay for:

  • Data backup and disaster recovery solutions and storage
  • Cybersecurity tools and training
  • Website design and maintenance services
  • Cybersecurity management, monitoring, alerting, and detection
  • IT monitoring, maintenance, and support
  • Data backup monitoring, maintenance, and support

Once in a Generation Opportunity to Modernize IT and Enhance Cybersecurity

As you consider the best ways to use Recovery Funds, think of this once-in-a-generation funding as an opportunity to:

  • Modernize your information technology
  • Ensure you have the best protections in place against ransomware and cyberattacks
  • Create a municipal website to help residents access your services remotely

Any expenses must be obligated by December 31, 2024 and expended by December 31, 2026.

Despite a Final Rule effective date of April 1, 2022, you can start using Recovery Funds now, as long as you take actions and use funds in a manner consistent with the Final Rule. If you have been putting off important cybersecurity, IT assessments, and IT projects due to budget constraints, now is the time to move forward.