ARPA Supports Security Modernization
August 12, 2021 by Loren LaChapelle
COVID-19 impacted organizations of all sizes in ways nobody could have predicted. Local, state, and federal governments had to pivot rapidly. The shift to operating in a remote environment created new opportunities for cybercriminals to take hold of public sector agencies and presented new cybersecurity challenges.
In response to the unprecedented hardship the coronavirus pandemic caused, Congress passed the $1.9 trillion American Rescue Plan Act (ARPA) of 2021. Out of the $1.9 trillion, $350 billion is available for state, local, territorial, and tribal governments including:
- $195 billion for states (a minimum of $500 million for each state)
- $130 billion for local governments (a minimum of $1.25 billion per state is provided by the statute inclusive of the amounts allocated to local governments within the state)
- $20 billion for tribal governments
- $4.5 billion for territories
Eligible recipients may be able to use available funds for the modernization of cybersecurity programs, including hardware, software, and protection of critical infrastructure.
How COVID-19 Advanced the Need for Layered Cybersecurity Defenses in the Public Sector
Since early 2020, local government and other public sector organizations, like schools, police departments, and courts, had to rework and enhance their technology stack to adapt to the changing times. While new technology was adopted at a rapid pace, it also uncovered the immediate and vast need for cybersecurity investment in the public sector.
Cybercriminals took notice of the sudden switch to remote environments. They knew public organizations, which provide critical services and house valuable data, don’t always have the technical tools or security resources to defend against a cyberattack. Hackers focused on tapping into vulnerabilities found within the critical infrastructure of public sector networks. As a result, public sector agencies became a top target and continue to get hit hard with new and existing attack variations.
Countless news stories have brought this issue to light. Recently, St. Clair County, Wisconsin, suffered a ransomware attack and has since moved to enhance security procedures and protocols to add more layers of protection and minimize future risk. In another instance, it was discovered ransomware hackers had been attacking via an open port in the town of Sunset Beach, North Carolina, for more than a month before being noticed. Since then, the town has installed necessary technical controls to lessen the chances of it happening again.
Real world incidents have shed light on the need for modernizing cybersecurity in the public sector. And since defense-in-depth takes a layered approach, technical controls must be installed, policies and procedures must be established, and people need to be trained on cybersecurity awareness. Without people, process, and technology working together, public sector organizations will continue to be at a high risk for a cyberattack.
How can ARPA funds be used to modernize cybersecurity programs?
Cities, counties, states, and local government agencies can name cybersecurity modernization as an appropriate use of ARPA funds to strengthen programs and build resiliency. Specifically, recipients can use the funds “to support government services, which include modernization of cybersecurity, including hardware, software, and critical infrastructure.”
In other words, there are numerous uses for cybersecurity investment with ARPA funds. Interested parties should always follow the most recent treasury advance as it pertains to spending guidelines. As of August 2021, the current Interim Final Rule can be found here.
To strengthen and mature your program, it’s a good idea to invest in advisory services, which include help with policy development, employee cybersecurity awareness training, and risk assessments. You should also conduct frequent internal and external penetration tests and vulnerability assessments to ensure there aren’t any weak areas in your systems.
As it can take time to develop a mature program, we recommend implementing a managed threat detection service like Tyler Detect, where analysts monitor network activity and alert you to threats, 24/7. Continuous analysis of your network traffic is essential to quickly detect and contain threats, and a service like this can take the burden off your IT team so they can focus on their day-to-day work. Learn how Tyler Detect had an immediate impact on Lowndes County’s cybersecurity program.
We encourage state or local governments to take advantage of ARPA funds for cybersecurity before they become the victim of a breach. Funds can be used through December 31, 2024. View our ARPA frequently asked questions and read more about the Bill here.