TECH INSIGHTS: ARPA Coronavirus State and Local Fiscal Recovery Funds Final Rule Confirms That Municipalities May Use Funds for Cybersecurity, IT Services, and Websites

Kevin Howarth, VC3

The information contained in this article is not intended as legal advice and may no longer be accurate due to changes in the law. Consult NHMA's legal services or your municipal attorney.

On January 6, 2022, the Department of the Treasury published the Final Rule for the Coronavirus State and Local Fiscal Recovery Funds (Recovery Funds) portion of the American Rescue Plan (ARP). The Final Rule made it much easier for municipalities to use Recovery Funds for “government services,” loosely defined as “services traditionally provided by recipient governments […] unless Treasury has stated otherwise,” and expressly including “modernization of cybersecurity, including hardware, software, and protection of critical infrastructure.”


The Rule allows cities and towns to spend Recovery Funds for “government services” up to the amount of pandemic-related revenue loss and lets cities choose a “standard” amount of pandemic-related revenue loss of up to $10 million. Because most cities will receive less than $10 million in Recovery Funds, they have significant discretion to spend the funds on anything that meets the broad definition of “government services” as long as they meet general guidelines for use of federal funds. (Expenditures must be necessary, reasonable, allocable, consistent with a city’s expenditure policies, consistently treated, determined in accordance with generally accepted accounting principles, and adequately documented.) Reporting and documentation requirements are streamlined for these “government services” expenditures.

The Treasury uses a specific phrase, “presumption of revenue loss due to the pandemic,” to indicate that it’s assumed that municipalities lost revenue during the pandemic. Recovery Funds are assumed to replenish that lost revenue. By broadly applying to “government services,” the allowed uses for the Recovery Funds do not need to tie directly to a COVID impact.

Municipalities Can Use Recovery Funds for Cybersecurity, IT Services, and Municipal Websites

The good news is that municipalities can use Recovery Funds to pay for:

  • Cybersecurity management, monitoring, alerting, and detection
  • Cybersecurity tools and training
  • Data backup and disaster recovery solutions and storage
  • Data backup monitoring, maintenance, and support
  • IT monitoring, maintenance, and support
  • Website design and maintenance services

Once in a Generation Opportunity to Modernize IT and Enhance Cybersecurity

As you consider the best ways to use Recovery Funds, think of this once-in-a-generation funding as an opportunity to:

  • Modernize your information technology
  • Ensure you have the best protections in place against ransomware and cyberattacks
  • Create a municipal website to help residents access your services remotely

Any expenses must be obligated by December 31, 2024 and expended by December 31, 2026.

Despite a Final Rule effective date of April 1, 2022, you can start using Recovery Funds now, as long as you take actions and use funds in a manner consistent with the Final Rule. If you have been putting off important cybersecurity, IT assessments, and IT projects due to budget constraints, now is the time to move forward.



Kevin Howarth is the Marketing and Communications Manager for VC3, the largest managed services provider focused on local government in the United States. His background includes 18 years of content marketing experience in information technology, cybersecurity, and municipal government.