Skip to Content
Close-up view of a steel bridge.
Article

Infrastructure Act: What local governments need to know

November 10, 2021 / 7 min read

The Infrastructure Investment and Jobs Act brings substantial funding to state and local governments for infrastructure, including cybersecurity and broadband. Here’s what you can do now to ensure meaningful long-term impact for your municipality.

On On November 5, the U.S. House of Representatives passed the bipartisan Infrastructure Investment and Jobs Act (IIJA), or Senate Amendment2137 to H.R. 3684. This follows the August 10th passage of the bill by the U.S. Senate. The bill provides over$550 billion in funding for a broad range of infrastructure projects — roads, bridges, passenger and freight rail, broadband internet, water infrastructure, public transportation, and more.



This level of federal investment in state and local government infrastructure is unprecedented. Many local governments may not have envisioned being in the position to receive such significant monies for infrastructure projects. That’s why now’s the time to proactively consider how your organization will put the funds to work toward meaningful long-term impact.  

Now’s the time to proactively consider how your organization will put the funds to work toward meaningful long-term impact.

Funds are expected to be made available to most, if not all, municipalities through either direct allocation or an application process. As government agencies prepare for how the funding will be available at a local agency level, it’s not yet clear how each State may allocate funding. Whether through a formula, by application, or by some other means, it’ll be important to be ready to optimize use of this funding, when it becomes available. It's critical to think strategically in order to optimize— and meet requirements for — use of these dollars. Don’t wait— your community can take several actions to prepare, now:

1. Consider your government’s long-term goals and objectives

Does your organization have a well-laid-out infrastructure plan? (If not, don’t worry — we’ll address that in a moment.) How does IIJA funding play into the goals and objectives you’ve identified in the plan? How will IIJA monies dovetail with other grant funding you may be receiving under the American Rescue Plan Act (ARPA) and other programs? How will your plans change knowing you’ll receive additional IIJA funding?

If your government doesn’t currently have an infrastructure funding plan, it’s not too late to develop one. Your plan should lay out your community’s needs so you’re prepared when funding streams come online. Grant navigation tools offered by the National League of Cities can help you match your needs with ARPA and other grant programs, but you must identify those needs first.

Conduct an infrastructure needs assessment

Your infrastructure plan should be based on a recent comprehensive needs assessment. Engage key stakeholders to conduct your assessment and be prepared to implement that plan as soon as funding and final guidance become available.

One-time money should address one-time or long-term needs

Be sure to consider the long-term impacts of your infrastructure plan. To avoid an all-too-common pitfall, remember that IIJA funds are one-time monies and should be used to address one-time or long-term capital needs, not operations. Otherwise, when the one-time infusion is spent, you’ll be left with a revenue gap to fill to continue delivering the same level of services to your constituents.

2. Assess capacity and expertise

With the additional federal funding already provided to governmental entities through ARPA, and the IIJA funding to come, organizations should carefully consider whether they have the capacity (manpower) and the expertise to administer the funds.  Also, consider the capacity of the outside resources you may be using. Including your engineers and architects upfront in the conversation will enable you to plan accordingly and hit the ground running. This is particularly important when you’re working with multiple federal grant programs, since each funding agency and grant brings its own set of rules and compliance requirements. 

Add these requirements to those that already fall under Uniform Guidance (UG), and your team needs to have significant time, and know-how, to understand the rules and administer each grant to ensure adherence. The funds will add additional tasks to your staff’s plate, and the federal government will be looking at compliance.

Keep in mind, the support and expertise your organization will need may extend beyond accounting and audit. If you don’t have the capacity internally, consider the impact on your budget should you need to outsource some of it.

A key step in utilizing the funding is to assess potential cyber threats that may impact critical operations and technology infrastructure.

With both Coronavirus Aid, Relief, and Economic Security (CARES) Act and ARPA monies, funding agency guidance around each grant program typically has trailed the funds, so we encourage our clients to plan well and retain support for all spending decisions made based on any available interim guidance. Fortunately, IIJA funding will come with an adequate ramp-up period. If the particular grants require an application, it’s likely you’ll receive the guidance at the time funds are released. If funding is allocated, expect the guidance to trail the money. You’ll have to be on the lookout for the rules in this case — another item for which you’ll need adequate staffing.

3. Assess internal controls and prepare for a single audit

There’s a high likelihood IIJA funds, like CARES Act and ARPA funding, will be subject to a single audit. Are your internal controls up to the task? In addition to thinking strategically about how to spend the money, it’ll be important to understand the applicable regulations and assess your existing policies, procedures, and related internal controls to ensure that they’re set up to meet the compliance requirements that grants will require. Also, you’ll want to ensure you have the appropriate policies in place to comply with those same compliance requirements. 

4. Perform a comprehensive IT and cybersecurity risk assessment

The IIJA provides important funding for cyber projects, including cybersecurity and broadband infrastructure. A key step in utilizing the funding is to assess potential threats that may impact critical operations and technology infrastructure. In today's world, cybersecurity risk is part of this threat landscape. And by strengthening your cyber position, you can mitigate the risk of a cyber incident occurring at your organization. Eligible cybersecurity expenses include developing or revising an existing cybersecurity plan, as well as activities to address immediate cyber risks and threats and to enhance overall cybersecurity. Welcome news certainly, but you’ll need to identify your cybersecurity risks and needs in order to apply, which entails an IT and cybersecurity risk assessment.

If you haven’t performed a risk assessment, you can’t know what you don’t know. Assessing your cyber risks goes beyond conducting pen testing or ensuring staff don’t click on phishing emails. Risk assessments cover hardware, end users, and your entire cyber program — governance, policies and procedures, end-user education, upgrades — the system as a whole. An assessment will shed light on how well you’re protecting the confidentiality, availability, and integrity of your information and IT assets, as well as compliance with various security and privacy regulations. Nearly all systems have vulnerabilities, no matter how expert and conscientious your IT team is. Older hardware and software, staffing resource issues — hackers thrive on these opportunities.

Identify your weak points to develop a strong plan

We’ve seen many (too many) governments start down the cybersecurity road without an assessment, and often there’s a lot of wasted effort. Implementation becomes a challenge, too. Identify your vulnerabilities and risks — and areas where your cyber efforts are working as intended — first in order to optimize the use of funds and make impactful changes.

The IIJA also makes funding available for broadband infrastructure, a top priority for connecting citizenry and supporting economic development. Your IT assessment should include plans for overall broadband architecture.

Want tips on where to start with a cybersecurity assessment? Read this next

5. Communicate

Upgrades to high-impact areas such as infrastructure, including broadband and cybersecurity, will bring large changes to your organization and community. Don’t forget to put an effective communications plan in place. Constituents, internal and external audiences, leadership, and many other stakeholders will expect transparency about how your government entity is going to spend IIJA funds.

In conclusion

Don’t leave funding — or the opportunity to undertake projects with meaningful impact — on the table. Begin planning strategically now:

Assess your risks and needs and develop your plans so you’re prepared to apply early and quickly.

As always, if you have any questions about strategic planning, infrastructure needs assessments, grant compliance, internal controls assessments, cyber risk assessments or IT assessments, feel free to get in touch. We’re happy to help.

Related Thinking

View of an office room with empty desktop computers.
May 6, 2021

Caution: An influx of federal funds comes with increased risks for organizations

Article 3 min read
Two public sector professionals discussing the OMB 2024 Compliance Supplement.
September 26, 2024

5 key takeaways from the 2024 Compliance Supplement for nonfederal entities

Article 3 min read
Business professionals discussing their retirement system cybersecurity.
September 26, 2024

Cybersecurity: Protecting your retirement system from hidden threats

Article 7 min read