American Rescue Plan rule tweak allows more cybersecurity spending

The Treasury Department's final rule for the American Rescue Plan's state and local relief funds makes it easier for recipients to use that money on cybersecurity.
An exterior view of the building of US Department of the Treasury is seen on March 27, 2020 in Washington. (Olivier Douliery / AFP / Getty Images)

A rule change announced last week by the U.S. Treasury Department allows state and local governments that received funds under last year’s American Rescue Plan to more easily spend that money on cybersecurity upgrades and broadband construction, bringing relief to officials who said the original law was too restrictive.

The final rule on the American Rescue Plan’s state and local relief fund, published Thursday, loosens the restrictions on the $350 billion that states and localities are set to receive under the act, which President Joe Biden signed last March as the signature element of his pandemic response agenda.

While state and local officials were successful in lobbying the federal government to make the Rescue Plan’s funds more flexible than those in the 2020 CARES Act — which limited relief money to programs that directly addressed COVID-19 — recipients still needed to show how they would use their awards to replace tax revenue lost during the worst of the pandemic. The final rule gives governments receiving relief funds the option of claiming a standardized revenue-loss allowance of up to $10 million — which the Treasury Department says meets most recipients’ total awards — rather than calculating exact revenue losses using a complex formula.

The National Association of Counties, which pushed for the rule tweaks, applauded the Treasury’s decision. “We commend the administration for embracing the bipartisan concept of flexibility in allowing counties to use up to $10 million in Recovery Funds for important general public services,” the organization’s executive director, Matthew Chase, said in a press release.


The final rule, which is set to take effect April 1, also broadens what the Treasury considers “government services” that relief funds can fund. While state and local governments could already use their awards on IT upgrades, the new rule specifically names cybersecurity modernization and broadband infrastructure constructions as acceptable uses of relief funds, including hardware and software expenditures.

Eryn Hurley, NACo’s deputy director of government affairs, told StateScoop that before the rule change, relief funds could only be used to offset lost revenues. But with many counties, like states, reporting better-than-expected tax revenues last year, the final rule means they will be able to undertake much-needed cybersecurity upgrades.

“Recipients may provide necessary investments in cybersecurity, including modernization of hardware and software, for existing and new broadband infrastructure regardless of their speed delivery standards,” the rule reads.

So far, $245 billion of the $350 billion in state and local relief funds has been awarded, the Treasury Department said.

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.

Latest Podcasts