State Chief Information Officers (CIOs) are looking towards an uncertain future. The rising importance of hybrid work has created in equal parts tremendous opportunity and significant challenges. This upheaval has made many state and local governments prioritize creating an adequate security posture. Thankfully, they do not have to face that challenges alone. Recently signed legislation has ensured that there are many federal cybersecurity funding opportunities available to help with creating a modern and effective cyber defense.
Cybersecurity has become increasingly more important to state and local governments since the start of the pandemic, as cybercriminals have leveraged governments’ digital and remote transition to their advantage. For instance, ransomware attacks and identity fraud are on the rise due to the ease of accessibility of personal data and low endpoint security. As state and local governments continue to utilize online delivery for public services, they will need to ensure they have the proper identification verification tools and upgrade outdated legacy systems that are not equipped to handle security threats.
As the whole-of-government approach to strengthening the nation’s cybersecurity defenses continues to be a top priority, these security investments will be a pivotal component to risk mitigation and resilience for the state and local market.
When analyzing funding opportunities for cybersecurity investments, in addition to annual state budget allocations, we’ve identified two additional federal cybersecurity funding sources for states to leverage for their security investments: The American Rescue Plan Act (ARPA) of 2021 and the Infrastructure Investment and Jobs Act (IIJA).
On March 11, 2021, President Joe Biden signed the $1.9 trillion ARPA, to aid public health and economic recovery from the COVID-19 pandemic. The plan allocates $195.3 billion to the states, and an additional $130.2 billion to local governments and authorities. Funds must be allocated by December 2024 and spent by December 2026. The law allows state, local, and education (SLED) organizations to designate cybersecurity modernization as a suitable use of ARPA funding to enhance security programs and resilience.
There are two eligible use categories that allow for cybersecurity investments:
1) Revenue Loss: Funds that would have gone toward helping states recoup pandemic-induced lost revenue can instead be redirected toward projects that modernize cybersecurity hardware and software, or protect critical infrastructure
2) Water, Sewer, and Broadband Infrastructure: ARPA also provides the Environmental Protection Agency (EPA) with that allow states to allocate dollars towards meeting cybersecurity needs that protect water and sewer infrastructure. It’s also important to note that some of the broadband modernization dollars in ARPA and the infrastructure legislation are addressable to cybersecurity vendors.
Another pocket of funding that states can tap into to fund cybersecurity projects is IIJA, signed into law by President Biden on November 15, 2021. IIJA provides $1 billion in grants towards cybersecurity enhancements for state and local government information systems. These funds will be dispersed over the next four years in the following increments: $200 million in 2022, $400 million in 2023, $300 million in 2024 and $100 million in 2025. The cybersecurity grant program requires a state match and the submission of a Cybersecurity Plan by September 30, 2023, which reflects a comprehensive understanding of relevant cybersecurity control methods and applications.
Understanding your SLED customer’s cybersecurity landscape and working with them to assess their existing capabilities and challenges is essential in determining which services, tools, and products will be most beneficial. Fortunately, the wide-ranging list of allowable ARPA fund uses provides ample IT investment opportunities. These funds may support both near- and long-term investment in cybersecurity practices, updating old enterprise legacy systems that are unequipped to handle modern threats, moving to the cloud for enhanced data storage, or employee training services and platforms that can help build a stronger and more resilient security platform. Although the infrastructure bill is smaller in fiscal scope, it will also create areas of immediate IT opportunity for cybersecurity vendors and has the potential to spur long-term state and local cybersecurity modernization investment efforts.
Both the ARPA and the bipartisan IIJA create meaningful federal cybersecurity funding opportunities and underscore the consistency of the national agenda to continue its prioritization of cybersecurity enhancements. Furthermore, as states and local entities heeded caution with regards to their fiscal commitments in 2021, many states will have entered their fiscal year 2022 in a budget surplus, which will allow for more flexibility in terms of cybersecurity allocations. Since states will be more able to dedicate funding to long-term and costlier initiatives, technology vendors have a unique opportunity to help customers create long-term technology investments that will strengthen their security posture and help them become more resilient both now and in the future.