Skip to Content

The Infrastructure Investment and Jobs Act brings substantial funding to state and local governments for infrastructure, including cybersecurity and broadband. Here’s what you can do now to ensure meaningful long-term impact for your municipality.

Close-up view of a steel bridge.On November 5, the U.S. House of Representatives passed the bipartisan Infrastructure Investment and Jobs Act (IIJA), or Senate Amendment 2137 to H.R. 3684. This follows the August 10th passage of the bill by the U.S. Senate. The bill provides over $550 billion in funding for a broad range of infrastructure projects — roads, bridges, passenger and freight rail, broadband internet, water infrastructure, public transportation, and more.

This level of federal investment in state and local government infrastructure is unprecedented. Many local governments may not have envisioned being in the position to receive such significant monies for infrastructure projects. That’s why now’s the time to proactively consider how your organization will put the funds to work toward meaningful long-term impact.

Now’s the time to proactively consider how your organization will put the funds to work toward meaningful long-term impact.

Funds are expected to be made available to most, if not all, municipalities through either direct allocation or an application process. As we await further details in the coming weeks, it’s critical to think strategically in order to optimize — and meet requirements for — use of these dollars. Don’t wait — your community can take several actions to prepare, now: 

1. Consider your government’s long-term goals and objectives

Does your organization have a well-laid-out infrastructure plan? (If not, don’t worry — we’ll address that in a moment.) How does IIJA funding play into the goals and objectives you’ve identified in the plan? How will IIJA monies dovetail with other grant funding you may be receiving under the American Rescue Plan Act (ARPA) and other programs? How will your plans change knowing you’ll receive additional IIJA funding?

If your government doesn’t currently have an infrastructure funding plan, it’s not too late to develop one. Your plan should lay out your community’s needs so you’re prepared when funding streams come online. Grant navigation tools offered by the National League of Cities can help you match your needs with ARPA and other grant programs, but you must identify those needs first. 

Conduct an infrastructure needs assessment

Your infrastructure plan should be based on a recent comprehensive needs assessment. Engage key stakeholders to conduct your assessment and be prepared to implement that plan as soon as funding and final guidance become available. 

One-time money should address one-time or long-term needs

Be sure to consider the long-term impacts of your infrastructure plan. To avoid an all-too-common pitfall, remember that IIJA funds are one-time monies and should be used to address one-time or long-term capital needs, not operations. Otherwise, when the one-time infusion is spent, you’ll be left with a revenue gap to fill to continue delivering the same level of services to your constituents.

2. Assess capacity and expertise

With the additional federal funding already provided to governmental entities through ARPA, and the IIJA funding to come, organizations should carefully consider whether they have the capacity (manpower) and the expertise to administer the funds.  Also, consider the capacity of the outside resources you may be using. Including your engineers and architects upfront in the conversation will enable you to plan accordingly and hit the ground running. This is particularly important when you’re working with multiple federal grant programs, since each funding agency and grant brings its own set of rules and compliance requirements. 

Add these requirements to those that already fall under Uniform Guidance (UG), and your team needs to have significant time, and know-how, to understand the rules and administer each grant to ensure adherence. The funds will add additional tasks to your staff’s plate, and the federal government will be looking at compliance.

Keep in mind, the support and expertise your organization will need may extend beyond accounting and audit. If you don’t have the capacity internally, consider the impact on your budget should you need to outsource some of it.

The support and expertise your organization will need may extend beyond accounting and audit.

With both Coronavirus Aid, Relief, and Economic Security (CARES) Act and ARPA monies, funding agency guidance around each grant program typically has trailed the funds, so we encourage our clients to plan well and retain support for all spending decisions made based on any available interim guidance. Fortunately, IIJA funding will come with an adequate ramp-up period. If the particular grants require an application, it’s likely you’ll receive the guidance at the time funds are released. If funding is allocated, expect the guidance to trail the money. You’ll have to be on the lookout for the rules in this case — another item for which you’ll need adequate staffing.

3. Assess internal controls and prepare for a single audit

There’s a high likelihood IIJA funds, like CARES Act and ARPA funding, will be subject to a single audit. Are your internal controls up to the task? In addition to thinking strategically about how to spend the money, it’ll be important to understand the applicable regulations and assess your existing policies, procedures, and related internal controls to ensure that they’re set up to meet the compliance requirements that grants will require. Also, you’ll want to ensure you have the appropriate policies in place to comply with those same compliance requirements. 

4. Perform a comprehensive IT and cybersecurity risk assessment

The IIJA provides important funding for cyber projects, including cybersecurity and broadband infrastructure. Eligible cybersecurity expenses include developing or revising an existing cybersecurity plan, as well as activities to address immediate cyber risks and threats and to enhance overall cybersecurity. Welcome news certainly, but you’ll need to identify your cybersecurity risks and needs in order to apply, which entails an IT and cybersecurity risk assessment.

If you haven’t performed a risk assessment, you can’t know what you don’t know. Assessing your cyber risks goes beyond conducting pen testing or ensuring staff don’t click on phishing emails. Risk assessments cover hardware, end users, and your entire cyber program — governance, policies and procedures, end-user education, upgrades — the system as a whole. Nearly all systems have vulnerabilities, no matter how expert and conscientious your IT team is. Older hardware and software, staffing resource issues — hackers thrive on these opportunities.

Identify your weak points to develop a strong plan

We’ve seen many (too many) governments start down the cybersecurity road without an assessment, and often there’s a lot of wasted effort. Implementation becomes a challenge, too. Identify your vulnerabilities and risks — and areas where your cyber efforts are working as intended — first in order to optimize the use of funds and make impactful changes.

The IIJA also makes funding available for broadband infrastructure, a top priority for connecting citizenry and supporting economic development. Your IT assessment should include plans for overall broadband architecture.

5. Communicate

Upgrades to high-impact areas such as infrastructure, including broadband and cybersecurity, will bring large changes to your organization and community. Don’t forget to put an effective communications plan in place. Constituents, internal and external audiences, leadership, and many other stakeholders will expect transparency about how your government entity is going to spend IIJA funds.

In conclusion

Don’t leave funding — or the opportunity to undertake projects with meaningful impact — on the table. Begin planning strategically now:

  • What are your community’s infrastructure, including cybersecurity and broadband, vulnerabilities and needs?
  • How will you prioritize spending?
  • What additional resources and staffing will you need to administer and track funds?

Assess your risks and needs and develop your plans so you’re prepared to apply early and quickly once the IIJA is finalized.

As always, if you have any questions about strategic planning, infrastructure needs assessments, grant compliance, internal controls assessments, cyber risk assessments or IT assessments, feel free to get in touch. We’re happy to help.

Looking for expert advice?

Subscribe now