Cybersecurity and IT Budgeting for State and Local Governments

Fundamentals

Executive Overview

Cybersecurity has evolved from a specialized IT function to a mission-critical governance issue for state and local governments. Ransomware attacks, data breaches, and critical infrastructure threats have made robust cybersecurity investment not optional but essential for legal compliance, stakeholder protection, and service continuity.

Yet cybersecurity budgeting remains one of the most challenging areas of government finance. Unlike traditional capital projects (a building, a fire engine), cybersecurity spending is fragmented: some costs are capital (software licenses, hardware upgrades), others are operating expenses (incident response, training, managed services). Some costs are recurring (subscriptions, annual renewals), others one-time (system architecture overhauls, cloud migration projects).

This guide provides a comprehensive framework for building, justifying, and accounting for cybersecurity and IT investments. We'll cover federal grant opportunities (CISA's State and Local Cybersecurity Grant Program), GASB 96 accounting for subscription software, the critical distinction between capital and operating costs, cybersecurity insurance strategies, FedRAMP compliance costs, and practical budget templates for common IT investment categories.

By the end of this guide, finance directors and IT leaders will have a clear playbook for budgeting cybersecurity as a strategic investment, not a grudge expense.

The Cybersecurity Landscape: Why Now?

Government Cybersecurity Threat Data

According to CISA's annual reports and the Government Accountability Office (GAO), state and local governments face escalating threats:

  • Ransomware attacks on government: 2,702 publicly disclosed attacks on U.S. government organizations between January 2018 and June 2022 (IBM X-Force)
  • Average cost per breach: $3.9 million per incident, including recovery, downtime, and legal/regulatory costs (IBM 2024 Data Breach Report)
  • Small town vulnerability: Municipalities under 50,000 population are targeted disproportionately due to weaker defenses and limited IT budgets
  • Incident response time: Average detection time is 212 days; organizations with mature cybersecurity programs detect incidents in 54 days (significantly reducing costs)

Regulatory and Legal Drivers

Beyond threat risk, governments face legal obligations:

  1. State data breach notification laws (all 50 states + DC have requirements) mandate notification to affected individuals and often to state attorneys general
  2. HIPAA and HITECH Act (if the government operates a health agency or receives Medicaid/Medicare funds): Required breach notification timelines and security safeguards
  3. Family Educational Rights and Privacy Act (FERPA) (school districts): Protections for student records and incident disclosure requirements
  4. Public Records Statutes: Ransomware attacks that destroy records can trigger legal liability for loss of public records
  5. Fiduciary duty: Government boards have a fiduciary duty to protect assets (data, systems, taxpayer information)

Budget Implications

The Federal Financial Management Act (31 U.S.C. § 3301) requires agencies to maintain effective internal controls, including IT security. A government that suffers a preventable breach due to insufficient cybersecurity spending may face:

  • Audit findings or "management letter comments"
  • Liability claims from affected citizens
  • Loss of federal funding eligibility (agencies can suspend grants to non-compliant recipients)
  • Reputational damage affecting municipal credit ratings and borrowing costs

Federal Cybersecurity Funding Opportunities

CISA State and Local Cybersecurity Grant Program (SLCGP)

The Bipartisan Infrastructure Law (2021) authorized $1 billion over five years (FY 2022–2026) for state and local cybersecurity improvements. The program is administered by the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security.

Eligibility:

  • All states are eligible
  • All localities (counties, cities, towns, Indian tribes) within eligible states are eligible
  • Funding is awarded through a formula-based distribution to states; states then distribute to locals

Current Distribution (FY 2022–2024):

State           FY 2024 Allocation
Texas           $18,500,000
California      $17,200,000
New York        $12,100,000
Florida         $11,300,000
Pennsylvania     $8,900,000
Illinois         $8,700,000
Ohio             $8,400,000

(Additional 43 states follow, with smaller allocations based on population and critical infrastructure presence)

Allowable Use Categories:

  1. Cybersecurity Assessment and Planning

    • Risk assessments (external penetration testing, vulnerability scans)
    • Security architecture reviews
    • Zero-trust model assessments
    • Business continuity and disaster recovery (BC/DR) planning
  2. Cybersecurity Training and Awareness

    • Employee phishing awareness training
    • Incident response drills and tabletop exercises
    • Cybersecurity fundamentals training for staff and elected officials
  3. Incident Detection and Response

    • Security information and event management (SIEM) systems
    • Intrusion detection/prevention systems (IDS/IPS)
    • Endpoint detection and response (EDR) tools
    • 24/7 security operations center (SOC) services
  4. Cybersecurity Infrastructure

    • Firewall upgrades and network segmentation
    • Multi-factor authentication (MFA) implementation
    • Identity and access management (IAM) systems
    • Data loss prevention (DLP) tools
    • Cloud security solutions
  5. Workforce Development

    • Scholarships for cybersecurity certifications (CISSP, CEH, CISM)
    • Internship programs in cybersecurity careers

Application Process:

  1. Contact your state cybersecurity coordinator (all states have a designated CISA liaison)
  2. Submit a cyber risk management plan demonstrating need and alignment with CISA priorities
  3. Develop a project proposal with budget and implementation timeline
  4. Obtain local government board approval (if applicable)
  5. Submit to state (deadline typically fall of prior fiscal year for next-year funding)

Match Requirement: Most SLCGP grants require a 25% local match (can be in-kind staff time or equipment). Some high-risk jurisdictions may have reduced match requirements.

Other Federal Cybersecurity Funding

Homeland Security Grant Program (HSGP): Up to $4.6 billion annually for states and locals to prevent, prepare for, and respond to threats. Cybersecurity is an allowable use.

FTA and FAA Grants: Transit agencies and airports receiving federal transportation grants can allocate grant funds to cybersecurity infrastructure (e.g., backup systems for automated fare collection, SCADA security).

EPA Water Security Grants: Drinking water and wastewater systems can use EPA grants for cybersecurity upgrades to SCADA and operational technology systems.

Utilization Rate: Most governments underutilize available federal cybersecurity funding. Reasons include:

  • Lack of awareness of funding availability
  • Perception that grants are too complex to administer
  • Insufficient internal capacity to manage a matching requirement
  • Delays in securing board approval for new grant applications

Recommendation: Assign one person (finance director or IT director) to monitor CISA and OMB grant portals for cybersecurity opportunities. Many grants have rolling or semi-annual deadlines.

GASB 96: Subscription-Based Information Technology Arrangements (SBITA)

Accounting for Software Subscriptions

Traditional government IT budgeting treated software subscriptions as operating expenses (expensed annually as incurred). GASB Statement No. 96, effective for fiscal years beginning after June 15, 2022, changed this treatment for "significant" subscription-based IT arrangements.

Definition of SBITA:

A SBITA is a contract in which a government obtains control of a right-to-use (RTU) IT asset for a defined subscription term. Common examples:

  • Cloud-based enterprise resource planning (ERP) systems (e.g., migrating from on-premises to Workday, SAP Cloud)
  • Software-as-a-Service (SaaS) platforms (e.g., Salesforce, Microsoft 365, ArcGIS Online)
  • Cybersecurity tools and platforms (e.g., CrowdStrike for endpoint protection, Splunk for security monitoring)
  • Document management systems (e.g., box.com, OneDrive for Government)
  • Payroll and HR systems

Not Included in SBITA:

  • Hardware subscriptions (unless bundled with software)
  • Consulting services or implementation support (these are expensed as incurred)
  • Operating system subscriptions for individual employee computers
  • Maintenance or support services (unless essential to providing control of the asset)

Recognition Model: Right-of-Use Asset and Liability

Under GASB 96, a government must recognize:

  1. Subscription-Based Right-of-Use Asset (ROU Asset)

    • Initial measurement: Present value of the subscription payments (the initial subscription liability) plus initial direct costs, as in the example below
    • Subsequent measurement: Depreciated over the subscription term using straight-line method
  2. Subscription Liability

    • Initial measurement: PV of subscription payments, discounted at the entity's incremental borrowing rate
    • Subsequent measurement: Liability is reduced as payments are made

Example: SaaS Migration

A County Parks and Recreation Department signed a 5-year SaaS contract for a cloud-based facility reservation system. The contract terms:

  • Annual payment: $150,000
  • Total payments: $750,000 ($150K × 5 years)
  • Implementation costs (initial direct costs): $45,000
  • Incremental borrowing rate (County's cost of capital): 3.5%

Initial Recognition (July 1, 2025):

First, calculate the present value of the subscription payments. The ordinary annuity factor at 3.5% for 5 years is 4.515, but because the first payment is due at inception (an annuity due), each of the five payments is discounted individually by the number of years until it is paid:

  • Year 1 payment (due 7/1/25): $150,000 / (1.035)^0 = $150,000
  • Year 2 payment: $150,000 / (1.035)^1 = $144,928
  • Year 3 payment: $150,000 / (1.035)^2 = $140,030
  • Year 4 payment: $150,000 / (1.035)^3 = $135,298
  • Year 5 payment: $150,000 / (1.035)^4 = $130,724
  • Total PV of future payments: $701,980

ROU Asset = PV of Subscription Payments + Initial Direct Costs
ROU Asset = $701,980 + $45,000 = $746,980

Subscription Liability = PV of Subscription Payments = $701,980

Journal Entry (7/1/2025):

Dr. Right-of-Use Asset—SaaS Facility System    $746,980
    Cr. Subscription Liability                          $701,980
    Cr. Cash / Accounts Payable                         $45,000
    (To record SBITA for cloud facility reservation system;
     initial direct costs paid in cash)

Annual Depreciation (Year 1, 6/30/2026):

Dr. Depreciation Expense—ROU Asset              $149,396
    Cr. Accumulated Depreciation—ROU Asset             $149,396
    (Straight-line depreciation over 5-year term:
     $746,980 / 5 = $149,396)

Subscription Payment (7/1/2026):

Dr. Subscription Liability                      $146,072
Dr. Interest Expense                              $24,571
    Cr. Cash                                           $150,000
    (Interest = $701,980 × 3.5% = $24,569, rounded)

Over the 5-year subscription term, the ROU Asset is fully depreciated, and the Subscription Liability is paid down to zero.

Budget Impact: Capital vs. Operating

The transition to GASB 96 creates a budget distinction:

Before GASB 96: 100% expensed in the year of payment ($150K/year = $750K in operating expense over 5 years)

After GASB 96:

  • Depreciation expense: $149,400/year (appears in operations but is a non-cash expense)
  • Interest expense: Front-loaded, higher in early years, declining in later years
  • Year 1 total P&L impact: ~$173,970 (depreciation + interest)
  • Asset on Balance Sheet: Capitalized as ROU Asset (improves net position at inception)

Implications for Budget Planning

  1. Capital Planning Awareness: While SaaS subscriptions don't require council approval as "capital projects," they should be included in the entity's capital planning discussion because they create balance sheet impact.

  2. Budget Stability: Interest expense front-loading means the first few years have higher P&L impact than simple expense recognition. Budget planners should model the P&L impact across the subscription term.

  3. Disclosure Requirements: GASB 96 requires detailed footnote disclosure of:

    • Description of SBITA
    • Subscription term and payment terms
    • Maturity schedule of subscription liabilities (similar to debt disclosure)
    • ROU Asset depreciation and accumulated depreciation
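The schedule below is an added example, not part of the original guide or any GASB publication. It recomputes the County Parks and Recreation SBITA from the contract terms above (five $150,000 payments, the first due at inception, a 3.5% rate, $45,000 of initial direct costs) and produces the ROU asset, straight-line depreciation, the year-by-year interest that drives the front-loaded P&L impact, and the liability roll-forward that supplies the maturity schedule for the footnote disclosure. Each payment is applied at the start of its year, matching the discounting above; amounts are carried unrounded, so they will not match the rounded figures in the text to the dollar.

```python
"""GASB 96 SBITA worked schedule (added example, not from the original guide).

Assumed contract terms, taken from the County Parks and Recreation example:
five annual payments of $150,000, the first due at inception, a 3.5%
incremental borrowing rate, and $45,000 of initial direct costs."""
from dataclasses import dataclass, field


@dataclass
class YearRow:
    year: int
    opening_liability: float   # liability before the year's payment
    payment: float
    interest: float            # accrues on the balance left after the payment
    closing_liability: float   # carried into the next year


@dataclass
class SbitaSchedule:
    pv_of_payments: float       # initial subscription liability
    initial_direct_costs: float
    rou_asset: float            # PV of payments + initial direct costs
    annual_depreciation: float  # straight-line over the subscription term
    rows: list = field(default_factory=list)

    @property
    def total_interest(self) -> float:
        return sum(r.interest for r in self.rows)


def pv_annuity_due(payment: float, rate: float, years: int) -> float:
    """Present value of `years` equal payments with the first due today,
    i.e. payment / (1 + rate) ** k for k = 0 .. years - 1, as in the text."""
    return sum(payment / (1.0 + rate) ** k for k in range(years))


def build_sbita_schedule(payment: float, rate: float, years: int,
                         initial_direct_costs: float) -> SbitaSchedule:
    """ROU asset, depreciation, and the liability roll-forward that supplies
    the maturity schedule required for the footnote disclosure."""
    pv = pv_annuity_due(payment, rate, years)
    rou_asset = pv + initial_direct_costs
    sched = SbitaSchedule(pv, initial_direct_costs, rou_asset, rou_asset / years)
    balance = pv
    for year in range(1, years + 1):
        opening = balance
        balance -= payment            # payment is due at the start of the year
        interest = balance * rate     # interest accrues on what remains
        balance += interest
        sched.rows.append(YearRow(year, opening, payment, interest, balance))
    return sched


def print_schedule(sched: SbitaSchedule) -> None:
    """Console table: opening balance, payment, interest, closing balance."""
    print(f"PV of payments (subscription liability): {sched.pv_of_payments:>12,.2f}")
    print(f"ROU asset                               : {sched.rou_asset:>12,.2f}")
    print(f"Annual straight-line depreciation       : {sched.annual_depreciation:>12,.2f}")
    print(f"{'Year':>4} {'Opening':>12} {'Payment':>12} {'Interest':>12} {'Closing':>12}")
    for r in sched.rows:
        print(f"{r.year:>4} {r.opening_liability:>12,.2f} {r.payment:>12,.2f} "
              f"{r.interest:>12,.2f} {r.closing_liability:>12,.2f}")
    print(f"Total interest over the term            : {sched.total_interest:>12,.2f}")


if __name__ == "__main__":
    print_schedule(build_sbita_schedule(150_000, 0.035, 5, 45_000))
```

The interest column declines every year and the closing liability reaches zero after the fifth payment, which is the pattern budget planners should model across the term.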

Capital vs. Operating Cost Classification

Beyond SBITA, government IT budgets face a fundamental classification question: Is an IT investment "capital" (balance sheet) or "operating" (expense)?

GASB Capitalization Threshold

GASB requires capitalization of tangible personal property (IT equipment, hardware) with:

  • Unit cost at or above the entity's capitalization threshold (commonly $5,000; some entities use $10,000 or $25,000)
  • Useful life > 1 year

This threshold applies to:

  • Servers and networking equipment
  • Workstations and laptops (if >$5,000)
  • Printers, scanners, and peripherals
  • Software-dependent hardware (e.g., cybersecurity appliances)

Frequently Misclassified Costs

Item                                     Correct Classification     Reason
Hyperscale data center migration         Capitalized                Creates long-lived asset; useful life 5+ years
Annual Microsoft 365 licenses            Operating expense          Subscription under GASB 96 (special treatment)
Network firewall upgrade                 Capitalized                Hardware asset with useful life 5–7 years
Managed security services                Operating expense          Services contract; no asset created
Incident response consulting (breach)    Operating expense          One-time service; no asset
Zero-trust architecture redesign         Capitalized (mixed)        Hardware/software infrastructure investment
Cybersecurity insurance premium          Operating expense          Insurance; not an asset
Disaster recovery system                 Capitalized                Hardware/equipment with useful life 5+ years
Annual penetration testing               Operating expense          Service contract; no asset created
SIEM platform software                   SBITA (under GASB 96)      If multi-year subscription; if purchased, capitalize

SaaS vs. Purchased Software

A key distinction: Whether the government buys or subscribes to software changes the accounting treatment.

Purchased/Licensed Software (Perpetual License):

  • Capitalized as an intangible asset
  • Amortized over useful life (typically 3–5 years)
  • Maintenance and support services are operating expenses
  • Example: Adobe Creative Cloud bought through a perpetual site license

Subscription Software (GASB 96):

  • Recognized as ROU Asset and Subscription Liability
  • Depreciated over subscription term
  • Example: Salesforce, Workday, Microsoft 365 (if multi-year enterprise agreement with multi-user access)

Building a Cybersecurity Reserve Fund

Why Reserves Matter

Cybersecurity is unpredictable. A zero-day vulnerability may require urgent patching or system upgrades. A breach may necessitate forensic investigation, credit monitoring services for affected residents, and incident response consulting. A ransomware attack may require paying contractors for emergency BC/DR implementation or paying an extortionist (if leadership decides—discouraged by federal authorities).

Governments with adequate reserves can respond immediately to incidents. Those without reserves face:

  • Delayed detection and remediation (while seeking budget authority)
  • Emergency procurement at inflated prices (less competitive bidding)
  • Debt issuance costs (bonds or notes to fund emergency response)
  • Service interruption (critical systems down longer while funding is arranged)

Cybersecurity Reserve Fund Targets

Best practice guidance suggests:

  • Minimum: 10–15% of annual cybersecurity operations budget
  • Target: 20–25% of annual cybersecurity operations budget
  • Robust: 30% of annual cybersecurity operations budget

Example:

A City with a $2 million annual cybersecurity and IT budget would target:

  • Minimum reserve: $200,000–$300,000
  • Target reserve: $400,000–$500,000
  • Robust reserve: $600,000

Funding the Reserve

  1. Annual appropriation: Budget $X annually to grow the reserve (e.g., $100K/year until target is reached)
  2. Operating surplus: If IT department operates under a cost-recovery model (charging departments for services), any annual surplus can be transferred to the cybersecurity reserve
  3. Grant funding: Use CISA or other federal grant funds to establish the reserve (not counted against local matching requirements if grant allows)
  4. One-time revenue: Use property sale proceeds, insurance recoveries, or fund balance surpluses to seed the reserve

Reserve Governance

Clearly define in reserve policy:

  • Permitted uses: Emergency incident response, emergency system upgrades, forensic investigation, critical infrastructure protection
  • Authorization threshold: Who can authorize reserve drawdowns? (Typically IT director up to $50K, CIO or CFO up to $250K, council for amounts > $250K)
  • Replenishment timeline: After a drawdown, reserve must be restored within 12 months (through budget appropriations)
  • Annual review: Validate that reserve level remains adequate; adjust target if operational scope has grown

FedRAMP Compliance: Budget Implications

If a government operates cloud systems used by federal agencies or federal grantees, FedRAMP (Federal Risk and Authorization Management Program) compliance may be required.

FedRAMP Overview

FedRAMP is a federal government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud services. Key elements:

  • Assessment: Third-party assessment organization (3PAO) performs security control assessment
  • Compliance: System must meet Federal Information Processing Standards (FIPS) 200 controls (same standards as federal agencies)
  • Authorization: FedRAMP Program Management Office (PMO) issues authority to operate (ATO)
  • Continuous Monitoring: Annual recertification required

Compliance Costs

FedRAMP compliance is expensive and often not worth pursuing for purely local/state systems. However, if a government provides cloud services used by federal grantees or operates a federal program, compliance may be necessary.

Typical FedRAMP Cost Structure:

Phase                          Cost Range                    Timeline
Initial Assessment (by 3PAO)   $100,000–$300,000             4–6 months
Remediation & Re-testing       $50,000–$150,000              2–3 months
Initial Authorization          $25,000–$50,000 (PMO fee)     2–4 months
Total Initial Compliance       $175,000–$500,000             8–13 months
Annual Continuous Monitoring   $30,000–$80,000               Ongoing

When FedRAMP is Required:

  • Cloud service used by federal agency or federal grantees (HHS, DoD, etc.)
  • Moderate or high-impact systems under FIPS 200
  • Cloud infrastructure shared with federal systems

When FedRAMP is NOT Required:

  • Local-government-only systems (fire, police, parks, planning)
  • Low-impact systems (administrative functions, not sensitive data)
  • Systems with no federal agency users

Recommendation: Before investing in FedRAMP compliance, validate the actual federal requirement. Many governments mistakenly pursue FedRAMP for systems that don't require it.

Cybersecurity Insurance: Coverage and Budget

Types of Cyber Coverage

Cyber insurance policies typically cover:

  1. First-Party Coverage (entity's own losses)

    • Business interruption (lost revenue during downtime)
    • Forensic investigation (cost of incident response and damage assessment)
    • Data recovery (cost to restore systems)
    • Notification costs (cost to notify affected individuals of breach)
    • Credit monitoring (provided to affected individuals at insurer's cost)
    • Extortion demands (ransomware payment, if authorized under policy)
    • Public relations (cost to hire crisis management firm)
  2. Third-Party Coverage (liability to others)

    • Breach liability (claims from affected individuals)
    • Network security liability (damage caused by entity's system to others)
    • Regulatory fines and penalties (covered up to policy limits)

Cyber Insurance Costs for Local Governments

Insurance costs vary dramatically based on:

  • Entity size: Smaller entities (< 50K population) pay $2,000–$5,000/year
  • Industry risk: Utilities and water systems pay higher premiums (critical infrastructure)
  • Loss history: Entities with prior breaches pay 2–3x more
  • Controls posture: Entities with strong cybersecurity controls get discounts (up to 25%)
  • Coverage limits: Policies with $1M limit are cheaper than $5M or $10M policies

Sample Premium Estimates:

Entity          Population          Annual Premium   Deductible   Limit
Small town      15,000              $2,500           $25,000      $1,000,000
Medium city     100,000             $6,000           $50,000      $5,000,000
Large metro     500,000             $15,000          $100,000     $10,000,000
Water utility   150,000 residents   $8,500           $50,000      $3,000,000

Insurance Policy Gaps

Cyber insurance does NOT typically cover:

  • Acts of war or terrorism (often excluded)
  • Sanctions-related losses (Iran, North Korea, etc.)
  • Intentional misconduct by officers/employees
  • Intellectual property infringement (alleged in cyber incident)
  • Infrastructure replacement (recovery vs. replacement costs)

Best Practice: Work with insurance broker to understand exclusions and coordinate cyber insurance with other policies (general liability, directors & officers insurance).

Sample IT Budget Template

Below is a realistic IT and cybersecurity budget for a mid-sized city (population 75,000–100,000):

Annual IT Operating Budget: $2,450,000

Category                                   FY 2026      FY 2027      FY 2028      Notes
Personnel
  IT Director / CIO                        $180,000     $186,000     $192,000     3% annual increase
  IT Security Manager                      $140,000     $144,000     $148,000     New position FY26
  Network Administrators (2 FTE)           $240,000     $247,000     $254,000     Existing staff
  System Administrators (2 FTE)            $220,000     $227,000     $234,000     Existing staff
  Help Desk / Support (3 FTE)              $180,000     $186,000     $192,000     Existing staff
  Total Personnel                          $960,000     $990,000     $1,020,000
Infrastructure & Hardware
  Server hardware & refresh                $120,000     $125,000     $130,000     Planned refresh cycle
  Network equipment (switches, firewall)   $85,000      $90,000      $95,000      Cybersecurity upgrades
  Workstations & laptops (40 units/yr)     $60,000      $65,000      $70,000      Depreciation & replacement
  Printing & peripherals                   $15,000      $15,000      $15,000      Maintenance level
  Total Hardware                           $280,000     $295,000     $310,000
Software & Subscriptions
  Microsoft 365 (SaaS)                     $95,000      $98,000      $101,000     500 users × $200/user/yr
  ERP system (SaaS - new FY26)             $140,000     $145,000     $150,000     5-year contract; GASB 96
  Security tools (SIEM, EDR, etc.)         $110,000     $115,000     $120,000     Growing sophistication
  GIS/mapping licenses                     $35,000      $35,000      $35,000      Adobe, Esri, etc.
  Business applications                    $45,000      $47,000      $49,000      Specialized dept software
  Total Software/SaaS                      $425,000     $440,000     $455,000
Managed Services
  Managed security services (24/7 SOC)     $75,000      $80,000      $85,000      Incident response support
  Cloud backup & disaster recovery         $50,000      $55,000      $60,000      Ransomware protection
  Help desk outsourcing (after-hours)      $30,000      $30,000      $30,000      Coverage outside business hrs
  Network monitoring                       $25,000      $25,000      $25,000      Uptime & performance
  Total Managed Services                   $180,000     $190,000     $200,000
Professional Services & Training
  Security assessments & audits            $40,000      $45,000      $50,000      Annual pen testing, vulnerability
  Consulting (migrations, upgrades)        $60,000      $50,000      $40,000      Declining as systems stabilize
  Cybersecurity training                   $20,000      $20,000      $20,000      Awareness, certifications
  Total Professional Services              $120,000     $115,000     $110,000
Insurance & Contingency
  Cyber insurance                          $8,000       $8,500       $9,000       Growing coverage
  IT contingency reserve (contribution)    $75,000      $75,000      $75,000      Building reserve to $500K
  Total Insurance & Reserve                $83,000      $83,500      $84,000
Other
  Licenses & maintenance (miscellaneous)   $32,000      $32,000      $32,000      Database, dev tools, etc.
  Telecommunications (internet, VoIP)      $90,000      $92,000      $94,000      Monthly recurring
  Miscellaneous / contingency              $80,000      $80,000      $80,000      Emergency supplies, repairs
  Total Other                              $202,000     $204,000     $206,000
TOTAL OPERATING BUDGET                     $2,450,000   $2,517,500   $2,585,000

Capital Investments (Separate Budget)

Item                                         Cost       Funding                     Notes
Data center refresh (servers, storage)       $350,000   CISA grant + local match    3-year project
Network segmentation (zero-trust)            $200,000   Local (multi-year)          Ongoing implementation
Disaster recovery system (backup facility)   $150,000   Debt financing              5-year payoff
Cloud migration (on-prem to Azure)           $250,000   Operating reserves + CISA   2-year project
Total Capital                                $950,000

Total IT + Cybersecurity Budget (Operating + Capital): $3.4M over 3 years

This budget reflects:

  • Realistic staffing for a mid-sized city
  • Gradual increase in cybersecurity investment (new CISO position, managed SOC, enhanced tools)
  • Mix of capital and operating spending
  • Reserve building for incident response
  • Federal grant leverage (CISA funding reduces local match)

Conclusion

Cybersecurity and IT budgeting are complex because they span capital, operating, and contingency spending; involve emerging technologies and regulatory requirements; and compete with visible services like streets and public safety.

The framework presented here helps government finance leaders:

  1. Leverage federal funding (CISA and other grants) to stretch limited local budgets
  2. Account correctly for SaaS and modern IT spending (GASB 96)
  3. Classify investments appropriately (capital vs. operating) for accurate financial reporting
  4. Build reserves for incident response without crowding the operating budget
  5. Manage insurance costs by investing in controls that earn premium discounts
  6. Plan multi-year capital investments with clear ROI justification

The government IT landscape will only grow more complex. Cybersecurity will remain a top governance priority for another decade. Finance leaders who invest in this function—and communicate its value to elected officials—will be better positioned to protect their communities and avoid costly breaches.


This article was prepared with AI-assisted research by DWU Consulting. It is provided for informational purposes only and does not constitute legal, financial, or investment advice. All data should be independently verified before use in any official capacity.
