Skip links

Why Should US Public Sector Entities Invest Remaining Funds from CARES Act in Cybersecurity?

It has been over one year since the passing of the $2.2 trillion Coronavirus Aid, Relief, and Economic Security Act (CARES Act). Even so, at this juncture, a significant volume of funds appears to remain grossly underspent, including funding from both the Coronavirus Relief Fund (CRF) and the Education Stabilization Fund (ESF). Both the CRF and the ESF make available funds that could potentially be allocated towards protecting against ransomware and implementing backup and disaster recovery software, among other cybersecurity measures

With the advent of the COVID-19 pandemic, cybercrime has gone up 600%. Sophisticated email phishing schemes by hackers and cyber attackers posing as CDC and WHO representatives seem to be running rampant, and ransomware attacks on critical infrastructure have become a near-constant presence in the headlines. In fact, by the end of this year, it’s projected that such attacks could cost over $6 trillion. 

With one new organization falling prey to ransomware every 11 seconds, it stands to reason that hardening the cybersecurity of public utilities and educational institutions should be a high priority. So why does this critical resource continue to be underutilized for something as crucial as our nation’s cybersecurity? How can public leaders utilize the remaining funds to protect public sector institutions from a threat that has only grown in severity since the onset of the global pandemic? 

In this article, we’ll examine these questions, and more, and take a closer look at how and why US public sector entities can invest remaining CARES Act funds in cybersecurity. 

CARES Act Funding for Cybersecurity

In March 2020, the 116th United States Congress passed the $2.2 trillion stimulus bill under the banner of the Coronavirus Aid, Relief, and Economic Security (CARES) Act. A host of federal funding streams came under the purview of this historic act, including the Coronavirus Relief Fund (CRF) and the Education Stabilization Fund (ESF). 

The CARES Act has many funding streams for numerous purposes, and the application process largely depends on whether your institution is private or public. Since different agencies are responsible for approving and processing allocations, institutions must first consult the appropriate entity for their specific application and disbursement process. 

For instance, the Office of Postsecondary Education, US Dept. of Education, deals with the Higher Education Emergency Relief Fund. It has an allocation of $14 billion

The Provider Relief Fund was established to support healthcare providers in fighting the Covid-19 pandemic. The US Department of Health and Human Services looks after its distribution. The fund had an allocation of $178 billion, not only through the CARES Act but also through the Paycheck Protection Program and Health Care Enhancement Act.

Unused CARES Act Funds

While many states utilized CARES Act funding well, like Iowa, which spent 72.2% of its ESF allotment by early October 2020, much of these funds still need proper allocation. In fact, up to $26 billion of CRF funds remain unused across 48 states.  

The states with the highest volume of funds remaining for allocation under the Coronavirus Relief Fund include California ($5.4 billion), Texas ($2.6 billion), North Carolina ($1.9 billion), Oregon ($1.5 billion), and Florida ($1.2 billion). 

The Education Stabilization Fund (ESF) is similarly underspent, with less than 47 states reported to have spent at least half of their ESF funding. 

Of the total ESF allocations awarded to states for the reporting period ending May 31, 2021, the percentage spent was less than 20% for most states.

Can the CARES Act be used for cybersecurity?

While much depends on the individual state and local government, there appears to be some broad allowance in the wording from the US Department of the Treasury regarding the use of CARES Act funding for cybersecurity measures like endpoint security and anti-ransomware.

Cybersecurity funding under the Coronavirus Relief Fund (CRF)

Although the allocations are primarily incumbent upon the state and local governments, the US Department of Treasury, in their non-exclusive list of allowable expenses, mentions specific provisions that allow CRF appropriations to be set aside for cybersecurity

These allowable expenses include technological improvements for schools to better comply with COVID-19 precautions such as distance learning related to school closures, improved telework capabilities for public employees requiring compliance with COVID-19 health precautions, and more. 

Allocations of CARES Act funding to improve data security standards and security of networks also appear to be a valid case for disbursement under these provisions, especially given the drastic rise in cyberattacks and ransomware since 2020.  

While not directly providing additional funding for state and local governments, the December 2020 stimulus bill did extend the deadline by which existing awards must be used. Recipients now have until December 31, 2021, to utilize these funds. 

Primary funding recipients will need to dig deeper to locate their case-specific guidelines for the use of their allocation by sub-recipients. To do that, it’s recommended that they seek out their awarding agencies for more information. 

Education Stabilization Fund (ESF)

The total Education Stabilization Fund (ESF) awarded to states comprises three emergency relief funds. These include a Governor’s Emergency Education Relief (GEER) Fund, an Elementary and Secondary School Emergency Relief (ESSER) Fund, and a Higher Education Emergency Relief (HEER) Fund. The initial allocation for the ESF was $30.75 billion.

Additional Funding for 2021

The Coronavirus Response and Relief Supplemental Appropriations Act (CRRSA Act) came into effect on December 27, 2020, and added $81.9 billion to the ESF. 

Subsequently, in March 2021, the American Rescue Plan Act (ARP Act), supporting the ongoing state and institutional COVID-19 recovery efforts, added more than $170 billion.

Investing in Cybersecurity with Acronis SCS

The onset of the global pandemic brought to light just how critical it is for data to remain secure and for employees to remain productive across various devices regardless of where in the world they may find themselves. 

As such, the demand for cybersecurity is growing at an explosive rate. Even as we inch closer to a post-COVID world, the market is poised for growth from $217.9 billion in 2021 to $345.4 billion by 2026, at a compound annual growth rate (CAGR) of 9.7%. 

At Acronis SCS, the flexible deployment and licensing of our full-stack anti-ransomware protection and comprehensive endpoint security management solutions cut to the chase to combat advanced cyber-attacks quickly. 

Certifications via the DoDIN APL, Common Criteria, FIPS 140-2, CJIA, and HIPAA stand testimony to Acronis SCS’ efforts to keep America’s federal, state, and local government computing environments operationally assured and data secure. 

The certified cloud backup and security solution offered by Acronis SCS Cyber Protect Cloud, for instance, specifically caters to the needs of the US public sector and offers backup software specially made with the needs of government and utilities in mind.

All our solutions combined cover the entire spectrum of cybersecurity applications, including backup and disaster recovery software needs, system provisioning and image deployment, anti-ransomware, secure content management, and the management of cloud backup. With Acronis SCS, you’re empowered to take control of your organization’s protection—including access to data, storage locations, file authenticity, and more—giving you the confidence you need to stay compliant with organizational and regulatory requirements. 


The CARES Act allocations are an excellent resource for the public sector to strengthen its security posture while simultaneously advancing its technological capabilities in response to the COVID-19 pandemic. It is essential to invest in cybersecurity.

With the new normal of highly data-intensive endeavors such as remote work and distance education, the pandemic has shown us just how vital this strengthening truly is. 

Utilizing remaining CARES Act funding to invest in cybersecurity can empower government organizations to improve enterprise security, make critical services more accessible, and employ new technology to protect essential systems and public data. 

In fact, between the rise in major ransomware attacks, the increased dependence on cloud systems as the world goes remote, and the availability of billions of dollars in federal funding, there has, perhaps, never been a better time to invest in cybersecurity.