ARPA: A Once in a Generation Opportunity to Enhance Cybersecurity

It’s a tough environment out there for municipalities. If you’re afraid of a major cyberattack hitting your city or town, you’re not alone.

  • Municipalities are the most targeted sector by ransomware attacks.
  • Municipalities are soft targets, often ill-equipped to defend themselves.
  • Cyberattacks costs cities LOTS of money.
  • Without cybersecurity in place, a municipality could lose the ability to acquire cyber insurance.
  • Cyberattacks cause severe legal, operational, and reputational repercussions to municipalities.

Ask yourself…

Am I prepared for a ransomware attack?

Do I have the right cybersecurity protections in place…right now?

Can I say, with certainty, that sensitive and confidential municipal information is secure?

ARPA to the Rescue

On January 6, 2022, the Department of the Treasury published the Final Rule for the Coronavirus State and Local Fiscal Recovery Funds (Recovery Funds) portion of the American Rescue Plan (ARP). The Final Rule made it much easier for municipalities to use Recovery Funds for “government services,” loosely defined as “services traditionally provided by recipient governments […] unless Treasury has stated otherwise.”

This Final Rule expressly includes “modernization of cybersecurity, including hardware, software, and protection of critical infrastructure.”

Why It’s Time to Act Now

You might have put off cybersecurity investments or assumed your current situation is fine. But the volume of cyberattacks and sophistication of cybercriminals continues to increase.

  • Cybersecurity is a critical infrastructure investment. You need a strong cybersecurity foundation to fend off cyberattacks, protect sensitive and confidential data, and ensure operational continuity.
  • The cost of cybersecurity services are a drop in the bucket relative to your overall ARPA funds. Compared to massive capital projects/investments (new roads, buying police vehicles, installing broadband, etc.), the cost of cybersecurity services is minimal. You can still fund many other projects while diverting a trickle of your funds to invest in cybersecurity.

How VC3 Can Help

VC3 is a leader in the municipal cybersecurity space. We are:

  • Endorsed by 8 municipal leagues
  • Embraced by more than 1,100 municipalities
  • Experienced serving municipalities for more than 28 years

VC3’s services can help with many cybersecurity needs.

VC3 Cyber Assess

Lack of insight into your security vulnerabilitiesCybersecurity assessment
Your cybersecurity strategy is out of date.Annual cyber assessment


VC3 Managed Services

Lack of proactive cybersecurity monitoringRemote monitoring and management
Cyberattackers exploiting vulnerabilities in softwarePatch management
Viruses, malware, ransomwareAntivirus, antispam, antimalware
Attackers already inside an endpoint device (server, desktop, laptop, etc.)Endpoint Detection and Response (EDR)
You lack a plan to respond to a cyberattack.Incident response


VC3 Managed Security

Lack of cybersecurity strategyVirtual Chief Information Security Officer (VCISO)
Phishing attacksEmail security
Social engineering attacksSecurity awareness training
Users visiting malicious websitesWeb content filtering
Attackers already inside your systemsManaged Detection and Response (MDR)
Attackers already inside an endpoint device (server, desktop, laptop, etc.)Endpoint Detection and Response (EDR)
Attackers have already stolen user credentials and/or other sensitive information.Dark web monitoring
Lack of alerts that let you know a cyberattack is taking placeSecurity Information and Event Management


VC3 Managed Backups

Permanent data loss after cyberattackData backup and disaster recovery


Yes, You Can Use ARPA Funds for Recurring Services

Treasury and some municipal leagues are cautioning municipalities against using funds for recurring services. While well-intentioned, this guidance would only limit you to one-time purchases—which is not how addressing cybersecurity works.

Because of the critical importance of addressing cybersecurity, there are many compelling reasons to address these needs with ARPA funds.

  • Precedent with operational maintenance: Like a new building or vehicle, you pay operational costs after the initial funding ends. Cybersecurity is not a one-time cost.
  • Subsidized services until 2026: It’s unheard of to get subsidized cybersecurity funding until 2026, yet that is the opportunity ARPA provides you.
  • Get ahead of laws and regulations: Laws, regulations, and mandates will eventually require heavier investments in cybersecurity. Pay for them now with ARPA funds, or later without them.

Any expenses must be obligated by December 31, 2024 and expended by December 31, 2026.

Take Action Today

If you have questions about APRA funds, your specific cybersecurity needs, and how VC3 can help, contact us today through the form below.

Use your ARPA funds toward cybersecurity

VC3 Can Help

Client Testimonials

Town of River Bend, N.C.
Town of River Bend, N.C.

“Over the past few years, we have transitioned all of our IT functions to VC3 and found their service and pricing to be outstanding. They understand the local government market, and have served us well. We use them for disaster recovery service, systems maintenance, proactive support, and now for phone service. When we switched to VC3 from using a local IT vendor, we not only saw a reduction in the number and frequency of problems, we also saw improved response to service requests.”

More from VC3