How Public Schools Can Utilize ARP Funding for Cybersecurity
How Public Schools Can Utilize ARP Funding for Cybersecurity

Sam Rawdon, Grants Development Associate, K-12 Education

According to the Cyber Infrastructure Security Agency (CISA), cyber-attacks on school districts increased by 323% in 2022. When surveyed as to the cause of this drastic increase in cyber threats, 81% of public schools cited a lack of funding for network security solutions, making K-12 one of the most vulnerable sectors to cyber-attacks. While programs like the State and Local Cybersecurity Grant Program (SLCGP) have seen increased funding and allow for investment in cybersecurity technology, grants with this focus are generally few and far between. Luckily, this is where the American Rescue Plan (ARP) funding can truly help.

The US Department of Education made nearly $122 billion available for schools across the country as part of its third and final cycle of the Elementary and Secondary School Emergency Education Relief Fund (ESSER III). Additionally, the US Treasury Department allocated $65.1 billion in funds to local governments as part of the Coronavirus State and Local Fiscal Recovery Funds (CSLFRF). Many public schools have utilized these funding sources for a variety of purposes, such as investing in health and safety equipment, classroom furniture and equipment to keep educators and students safe and/or socially distanced, providing teacher salary raises or hiring new teachers, and long-term projects such as water or sewer upgrades.

So where does cybersecurity come in? To start, ESSER III funds are essentially low-hanging fruit since districts already have this on hand. Also, at least 20% of ESSER III must go towards rectifying learning loss associated with the COVID-19 pandemic. These include investments in classroom devices such as laptops or tablets for students and instructors for remote or hybrid learning purposes. Protection of these learning tools is paramount to achieve the purpose of mitigating learning loss, therefore cybersecurity solutions are justifiable investments with ESSER III funds. Many districts have already obligated their ESSER III funds, however, others are still figuring out where their biggest needs are and which gaps to address when it comes to navigating through post-pandemic times. Since districts need to obligate these funds by September 30, 2024, they still have time to identify their priorities. After all, the cost to implement cybersecurity measures is a lot less costly now than the cost if or when the district is hit with a cyber-attack.

Local governments received CSLFRF to assist in the recovery efforts from the pandemic, mainly to offset revenue losses resulting from COVID-19. Since then, these local governments concluded that they had excess funding, and brought this to the attention of the Treasury Department. In January 2023, the final ruling from the Treasury Department stated that an allowable expense of this funding is the modernization of cybersecurity. Hardware and software dedicated to combating cyber risks and threats offer critical network protection on a district-wide scale, and CSLFRF can be leveraged for this. Since school districts are considered a part of local government, they are also capable of taking advantage of these funds if they develop a partnership with their respective county or municipality. A partnership could mean several things, such as creating a Memorandum of Understanding (MOU) with the county or obtaining letters of support from relevant stakeholders, so it is strongly recommended for schools that want to access this funding to reach out to their county or municipality for these details. CSLFRF must be obligated by December 31, 2024, and spent by December 31, 2026, so like with ESSER III, schools have time to form those partnerships.

Being too exposed to the risk of a cyber-attack, school districts must be vigilant in the ways they utilize funding allocated to them since grants that solely focus on cybersecurity investments remain less plentiful. ESSER III funding can be leveraged through financing technology related to remote and hybrid learning to aid learning loss that resulted from COVID, and solutions to protect these technologies are justified as part of that. CSLFRF specifically calls out cybersecurity enhancements as an eligible expense for local governments. Since school districts are classified as a part of their local government, they are also able to take advantage of this funding, so long as they create a partnership with their county or municipality. Heading into the fall and winter months of 2024, it is hopeful that more schools put this money into cybersecurity so that students, faculty, and staff will feel safer and more secure online.