
How North Carolina can utilize remaining CARES Act funds for Cybersecurity

It’s been well over a year since the CARES Act, the act providing relief to individuals and businesses via specialized funds in light of the COVID-19 pandemic, was signed into law. Still, as the country continues to wrestle with the economic impacts of the global health crisis, a large amount of these funds remains unspent. During this same time, the prevalence of cybercrime like ransomware attacks has exploded.

North Carolina is one of five states with the highest amount of unspent CARES Act funds. Today, we’re taking a closer look at how North Carolina can utilize its remaining CARES Act funds to protect public sector utilities and educational institutions from the growing threat of cybercrime.

CARES Act Funding for Cybersecurity

The Coronavirus Aid, Relief, and Economic Security (CARES) Act is a $2.2 trillion economic stimulus bill passed by the 116th US Congress and signed into law by President Donald Trump on March 27, 2020. Initially created to mitigate some of the severe economic challenges brought on by COVID-19, this historic act of legislation also brought with it two unique funds:

Coronavirus Relief Fund (CRF)

This $150 million appropriation was designed to compensate State, Local, and Tribal Governments facing impacts from COVID-19.

Education Stabilization Fund (ESF)

This fund allocates $30.75 billion to the US Department of Education. 

Unused CARES Act Funds in North Carolina

The US currently counts about $26 billion in unused federal CRF funds across 48 states and territories. North Carolina’s unused allotment totals approximately $1.9 billion with an additional $3 billion in ESF awards remaining unspent and at the state’s disposal. 

Both the Coronavirus Relief Fund (CRF) and the Education Stabilization Fund (ESF) appear to make provisions for the use of funds for cybersecurity. With the threat of serious cybercrime continuing to climb, utilizing these unspent funds to strengthen the security posture of the North Carolina public sector is wise. 

So, why does so much funding continue to sit unused? The answer may lie in a lack of clarity regarding approved uses for CARES Act funds. With such a pressing need to protect critical infrastructure from ransomware and other malicious attacks, it only makes sense to utilize a good portion of the remaining available funds for cybersecurity measures like improved endpoint security, backup and disaster recovery software, and more. 

Can CARES Act funds be used for cybersecurity?

While guidelines regarding the use of CARES Act funds for cybersecurity may at times seem ambiguous, the US Department of the Treasury does, in fact, provide some broad allowances.

Cybersecurity funding under the Coronavirus Relief Fund (CRF)

Guidance on the usage of the Coronavirus Relief Fund (CRF) by state and local governments includes a non-exclusive list of allowable expenses, such as:

  • Expenses associated with distance learning, including technological improvements to facilitate COVID-19 precautions and school closings
  • Expenses for improved remote work capabilities for public employees

Award recipients have until December 31, 2021, to use these funds. Primary recipients of the funds may have a set of guidelines for how sub-recipients can spend their allocation and should contact their awarding agency with questions. 

Education Stabilization Fund (ESF)

The CARES Act established the Education Stabilization Fund (ESF). This fund comprises three different types of emergency relief funds: Governor’s Emergency Education Relief (GEER), Elementary and Secondary School Emergency Relief (ESSER), and Higher Education Emergency Relief (HEER).

Unused ESF funds may be used by states and school districts to improve and support remote learning environments. This could also include the hardening of data and networks. 

Additional Funding for 2021

On December 27, 2020, an additional $81.9 billion was added to the ESF by the Coronavirus Response and Relief Supplemental Appropriations Act (CRRSA Act). Another $170 billion was subsequently added to the ESF in March of 2021 due to the creation of the American Rescue Plan Act (ARP Act), which supports state and institutional pandemic recovery.

While funds to sub-recipients must have been awarded by June 2021, recipients have until September 30, 2022, to spend them. 

Precise rules may vary from state to state. However, given the rise in cyber-attacks and ransomware throughout 2020, a case can reasonably be made in favor of allocating CARES Act funding for hardening data and networks.

Investing in Cybersecurity with Acronis SCS

A lack of information security and the increasing frequency of ransomware attacks can have dire consequences. The global pandemic has shown just how important it is for public sector entities in North Carolina to ensure their productivity does not suffer and their data isn’t at risk, no matter where employees may be working.

Acronis SCS has a wide range of cybersecurity solutions to help public sector organizations protect critical infrastructure from cybercrime, such as Acronis SCS Cyber Protect Cloud. Acronis SCS products include disaster recovery and backup software, system provisioning and image deployment, anti-ransomware measures, and endpoint security management systems.

Our solutions enable organizations to stay compliant with regulatory requirements while offering complete control over their protection, including data access to storage locations, file authenticity, and more. In addition, highly flexible deployment and licensing offer a fast and easy solution that saves significant time and resources.

With product certifications via the DoDIN APL, Common Criteria, FIPS 140-2, CJIA, and HIPAA, our solutions can guarantee operational assurance and data security across state and local government, education, healthcare, and nonprofit computing environments.


As the global pandemic continues, CARES Act funding enables the public sector to advance its technology capabilities while becoming better equipped and maintaining a more robust security posture. It’s essential for governments to prioritize enterprise security as they implement the new technologies that will continue to facilitate remote learning and digital service delivery, all of which are data-intensive undertakings.

With more than $4.9 billion in CARES Act allocations left unspent and time beginning to run out, there has never been a better time for the North Carolina public sector to invest in cybersecurity.