Otto background

The CARES Act: Prioritize Cybersecurity for Economic Relief Act Funds Before They’re Gone

Time is running out for organizations to spend any of their remaining CARES Act relief funding. They must use their funds or lose them by December 30, 2020 for eligible expenditures related to COVID-19. Fortunately, for organizations still adapting their IT infrastructure to accommodate new work-from-home teams,  updating cybersecurity for remote workforces qualifies.

The Importance of Spending On Cybersecurity During Times of COVID-19

One of the fundamental changes inspired by the coronavirus pandemic is the shift to remote work. When COVID-19 hit, a majority of the population was suddenly working from home within a matter of weeks. Like other employers, state and local governments needed to quickly and efficiently adapt to a newly distributed workforce.

The hasty shift to remote work put serious pressure on IT security professionals, who were already stretched dangerously thin from setting up new systems for video conferencing, team collaboration, remote access, and more. Perhaps the most pressing need, however, was -- and is -- ensuring cybersecurity. The 2020 Cyber Threats Report from Netwrix, which asked 937 IT professionals about recent cyberthreats and their responses, found that:

  • 85% of CISOs said that they had sacrificed cybersecurity to quickly enable remote work
  • 48% of organizations reported at least one phishing attack during the first three months of the pandemic
  • 63% reported an increase in cyberattacks during the pandemic
  • 60% found new security gaps as a result of the transition to remote work
  • 54% of CISOs said that they lacked the visibility needed to ensure proper data protection

IT Administrator Looking at Security Dashboard

Automox Delivers a CARES Act-Eligible Solution for Securing and Managing Remote Teams

With Automox, state and local governments can leverage their CARES Act payments to secure their remote teams immediately and in the future. Automox is quick to set up, with zero timing roadblocks before the December 30 cutoff, and easy to use, so your team can get immediate value from the solution.

Why the Urgency to Spend CARES Act Funding Now?

When the United States Congress passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act in March 2020, state and local governments were one of the many entities that benefited from this economic relief and received direct payments to cover expenses incurred because of the COVID-19 pandemic. Many of these organizations may have quickly spent the relief funds to cover immediate and obvious expenses resulting from the sudden shutdown of our economy. But for the other organizations that have yet to spend the CARES Act payment, consider this: The deadline for using this payment is rapidly approaching. All CARES Act money must be spent by December 30, 2020.

State and local governments with funds remaining from their economic relief act payment have a fairly urgent decision to make: how to use their CARES Act disbursement in a way that provides the immediate economic relief intended by the act, as well as supports and protects their organizations and citizens in the months and years to come.

The CARES Act does put parameters on how the payment must be spent, one of which explicitly calls out the facilitation of teleworking as a COVID-19 expense. Now that it’s becoming clear that remote work is the new norm, investing in cybersecurity is an essential and eligible expense for CARES Act funds. Keeping your remote endpoints and devices protected from possible breach must be a priority to keep government data secure. Act now with your CARES Act money to secure your remote teams with a modern, cloud-native patching and configuration management platform.

Remote worker meeting with their team

What is the CARES Act?

The CARES Act  is a $2 trillion economic relief fund implemented by the U.S. government in 2020 to help people, businesses, and governments struggling with the impact of the coronavirus pandemic. The CARES Act relief fund includes:

  • Providing Economic Impact Payments to American households of up to $1,200 per adult for individuals whose income was less than $99,000 (or $198,000 for joint filers) and $500 per child under 17 years old, or up to $3,400 for a family of four
  • Supporting businesses with the Paycheck Protection Program, which provides funds to pay up to eight weeks of payroll costs, including benefits
  • Offering Economic Injury Disaster Loan advances of up to $10,000 for businesses experiencing a temporary loss of revenue
  • Issuing Employee Retention Credits to incentivize businesses to keep employees on the payroll as well as payroll tax deferrals and payroll support
  • Delivering direct payments to state, local, and tribal governments to support their efforts in combating the coronavirus

How the CARES Act Applies to State and Local Governments

State, local, and tribal governments are among the many entities that received a portion of the $150 billion Coronavirus relief fund. Payments were distributed based on population size to local governments with populations over 500,000 that submitted the required certification by Friday, April 17, 2020.

Governments that received payments from CARES Act are required to use their funds in particular ways. The Coronavirus Relief Fund Guidance for State, Territorial, Local, and Tribal Governments document stipulates that payments from the CARES Act relief fund may only be used to cover costs that:

  • Are necessary expenditures incurred due to the public health emergency with respect to the Coronavirus Disease 2019 (COVID-19);
  • Were not accounted for in the budget most recently approved as of March 27, 2020 for the State or government; and
  • Were incurred during the period that begins on March 1, 2020 and ends on December 30, 2020.

The document goes on to provide further clarification. The first point, for instance, includes any expenses taken by the government to respond directly to the emergency, such as addressing medical or public health needs and providing economic support to people or businesses suffering from COVID-19-related challenges. It also emphasizes that the expenditure must be “reasonably necessary” and cannot be used to fill shortfalls in government revenue.

The CARES Act guidance document clarifies the second point as well. An expense meets this criteria if it can’t be funded from a line item, allotment, or allocation within the government’s most recent budget or the cost is for a “substantially different use from any expected use of funds.” So, even if an expense was accounted for in the budget, it could still potentially be covered by the economic relief act payment if circumstances have significantly changed.

Finally, the timing. The original CARES Act guidance released in April provided that “the cost of an expenditure is incurred when the recipient has expended funds to cover the cost”; in other words, when the government actually paid for the product or service. Treasury recently amended its guidance, however, to state that “performance or delivery must occur during the covered period but payment of funds need not be made during that time.” This is an important distinction that gives state and local governments more leeway in where and when to spend their economic relief act payments.  

Examples of Eligible CARES Act Expenditures

What actual expenses meet the criteria explained above? The CARES Act guidance document provides some helpful examples. These include:

  • Medical expenses, such as COVID-19-related expenses from existing healthcare facilities, establishing new medical facilities, providing COVID-19 testing, and emergency medical responses
  • Public health expenses, such as acquiring and distributing medical and protective supplies, disinfecting public areas and facilities, expenses for technical assistance to local authorities, and costs related to quarantining individuals
  • Payroll expenses for public safety, public health, human services, and similar employees whose services are substantially dedicated to mitigating or responding to the COVID-19 public health emergency
  • Expenses of actions to facilitate compliance with COVID-19-related public health measures, such as food delivery, distance learning, teleworking, and paid family and medical leave to public employees
  • Expenses associated with the provision of economic support, like grants to small businesses, payroll support programs, and unemployment insurance costs
  • Any other COVID-19-related expenses reasonably necessary to the function of government that satisfy the CARES Act relief fund’s eligibility criteria

It’s clear that state and local governments have a number of options for how to spend the funds from the economic relief act. Most have likely put some or all of their CARES Act payment towards the expenses listed above. Those with remaining funds, however, must promptly decide how to best allocate their portion of the CARES Act relief fund, preferably with an emphasis on cybersecurity.

As the Netwrix report statistics highlighted: a virtual, distributed environment engenders less IT control and increased opportunities for cyberattacks as more employees access networks and systems from more devices. Employees are more distracted working from home during the pandemic as well, further opening the aperture for cyberthreats caused by human error. Most organizations must face the fact that the “new normal” of remote work includes a vastly expanded attack surface.

The Netwrix report summarized the implications of these circumstances nicely:

“The broad disruption to businesses and swift transition to WFH [work from home] caused by the pandemic forced many organizations to prioritize service availability over security. Now that we are all more comfortable with the new normal, IT and security pros should re-examine their earlier decisions with the goal of closing security gaps. This requires identifying sensitive information and reducing its exposure, gaining visibility into user activity, and automating change and configuration auditing to ensure rapid incident detection.”

How to Use the Economic Relief Act to Fund Cybersecurity Updates

Which brings us back to the CARES Act. State and local governments must spend their payments from the economic relief act by the end of 2020. They also must adapt their cybersecurity practices to the new world of remote working as soon as possible. This process will require some expenses, and will, as required by the CARES Act, be more than “reasonably necessary.”

What does an investment in cybersecurity for the remote workforce look like? Organizations should consider a number of strategies when evaluating the best use of their economic relief act payment. Experts recommend:

  • “Revising existing cyber risk guidelines, requirements, and controls on how employees access data and communicate with a company’s network.” (MIT Sloan Management Review)
  • “Create a single, integrated security framework to simplify management and expand visibility and control… [starting with] the right corporate policy.” (TechRepublic)
  • “Rethink existing security approaches, invest in emerging technologies, and develop new solutions… [including] a low-touch was for IT staff to monitor and analyze home network traffic while ensuring that private information like websites visited or services used is not tracked.” (Security Boulevard)

Use Economic Relief Act to Fund Cybersecurity Updates

Enhance and Automate Cybersecurity with Automox

Automox offers a fast, effective, streamlined way to improve cybersecurity in a distributed environment. Automox enables organizations like state and local governments to harden their endpoints from the cloud. That means no on-premises infrastructure is required to continuously monitor every IT asset in the organization -- including those in your employees’ homes.

Automox enhances cybersecurity in a work-from-home environment by empowering organizations to apply software updates and configurations to devices not connected to the remote network or that exist outside the Active Directory. The platform removes the hassles of endpoint permissions, eliminates the need for patching via VPN, and automates remediation of vulnerabilities on remote, unpatched devices.

Organizations have many options for how to use their economic relief act funds. Keeping people safe should always be priority number one, but keeping data safe isn’t far behind. Get in touch to learn more about how Automox can help state and local governments achieve better security outcomes and operational efficiencies -- and make the most of your CARES Act distribution.

Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day. 

Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.

Dive deeper into this topic