A Louisville-resident IT MSP serving 15 to 25 of the roughly 83 home-rule cities that survived the 2003 Louisville-Metro consolidation, plus suburban fire districts, on cybersecurity-floor recurring retainers and project overlays.

Budget shape across the 83. The smallest cities (under 1,000 population) run sub-$100,000 annual budgets, one or two part-time staff, three to eight workstations, a hosted email tenant, an outsourced website, and no on-staff IT. Mid-tier cities (1,000 to 5,000 — Indian Hills, Anchorage, Prospect, Hurstbourne, Audubon Park, Beechwood Village, Graymoor-Devondale) run $500,000 to $3 million budgets, five to 15 workstations, and police-department CJIS requirements where they operate their own PD. Larger cities (5,000 to 30,000 — Jeffersontown, St. Matthews, Shively, Middletown, Lyndon) run $15 million to $60 million budgets and 30 to 80-plus workstations. Some carry one or two in-house IT staff who hold the operational baseline but contract out cybersecurity, Microsoft 365 administration, firewall management, GIS, and project-overlay work.

Three demand floors are converging through 2024 to 2027. First is CJIS Security Policy compliance from the FBI's Criminal Justice Information Services. Any home-rule city running its own police department — eight to ten of the larger cities including Jeffersontown, St. Matthews, Shively, Anchorage, Hurstbourne, Indian Hills, Prospect, and Lyndon PDs, plus the Middletown PD arrangement — must meet the federal CJIS floor: advanced authentication and MFA, audit logging, encryption at rest and in transit, incident response, and personnel screening. Kentucky State Police is the CJIS Systems Agency for the state.

Second is records-management workflow under the Kentucky Open Records Act (KRS 61.870-884). Every city is a records custodian. The smallest cities currently fulfill requests by clerk-side email search and PDF; the cybersecurity and retention-policy floor is rising as litigation volume around KORA responses grows statewide. An MSP that bundles a records-management overlay (Microsoft 365 retention labels, light eDiscovery search, redaction workflow) into the retainer wins differentiation.

Third is cyber-insurance underwriting. Carriers writing municipal cyber policies — Travelers, Beazley, Coalition, AmTrust, AIG Public Entity, and the KLC Insurance Services Association that serves the Kentucky League of Cities membership — have escalated MFA, endpoint-detection, backup-immutability, and offline-restore-test questions through 2024 to 2026. Cities renewing policies need a vendor signature on the underwriting application. A city-clerk-administered hosted email tenant cannot supply that signature. The MSP that signs the questionnaire on behalf of the city is the only viable renewal path.

Procurement-vehicle access matters. The Kentucky League of Cities (KLC) operates a Buying Network and an Insurance Services Association; KLC has historically offered group purchasing on municipal IT services. Pre-qualifying onto a KLC vendor roster opens broad procurement access — once a Louisville-resident MSP is KLC-listed, the roughly 70-city Jefferson roster plus the additional 370 home-rule cities elsewhere in Kentucky become reachable through one credential. The Commonwealth Office of Technology (COT) operates Kentucky Information Technology (KIT) master agreements cities can ride; an MSP holding a KIT subcontract path (typically as a sub to a KIT-prime systems integrator) reaches cities through a second channel. Below KRS 45A formal-bid thresholds (about $30,000 for most home-rule cities under their local ordinances), the city clerk can sole-source.

A representative slice of the targetable mid- and small-tier cities (not exhaustive — verify against the Kentucky League of Cities directory and the Jefferson PVA municipal-boundary file): Anchorage, Audubon Park, Beechwood Village, Bellemeade, Briarwood, Broeck Pointe, Cherrywood Village, Coldstream, Creekside, Crossgate, Douglass Hills, Druid Hills, Forest Hills, Glenview, Glenview Hills, Glenview Manor, Goose Creek, Graymoor-Devondale, Green Spring, Heritage Creek, Hickory Hill, Hills and Dales, Hollow Creek, Hollyvilla, Houston Acres, Hurstbourne, Hurstbourne Acres, Indian Hills, Keeneland, Kingsley, Langdon Place, Lincolnshire, Lynnview, Manor Creek, Maryhill Estates, Meadow Vale, Meadowbrook Farm, Meadowview Estates, Mockingbird Valley, Moorland, Murray Hill, Norbourne Estates, Northfield, Norwood, Old Brownsboro Place, Parkway Village, Plantation, Plymouth Village, Poplar Hills, Prospect, Richlawn, Riverwood, Rolling Fields, Rolling Hills, Sand Hill, Seneca Gardens, South Park View, Spring Mill, Spring Valley, St. Regis Park, Strathmoor Manor, Strathmoor Village, Sycamore, Ten Broeck, Thornhill, Watterson Park, West Buechel, Westwood, Wildwood, Windy Hills, Woodland Hills, Woodlawn Park, and Worthington Hills.

The suburban fire-protection districts run independently under KRS 75 with elected boards and tax-levy authority. There are roughly 16 to 18 of them: Anchorage, Buechel, Camp Taylor, Eastwood, Fairdale, Fern Creek, Highview, Jeffersontown, Lake Dreamland, Lyndon, Middletown, Okolona, Pleasure Ridge Park, St. Matthews, and Worthington are 15 of them. Each district chief and board secretary is a callable buyer for station network, apparatus dispatch, and records-management IT support.

Recurring revenue, Year 3 base case. Five mid-tier home-rule cities with their own PD (CJIS bundled into the retainer) at $4,500 per month each is $270,000 annually. Twelve small-tier home-rule cities with no PD at $2,200 per month each is $317,000 annually. Six suburban fire-protection districts at $1,800 per month each is $130,000 annually. Total recurring across 23 accounts is roughly $717,000.

Project-overlay revenue, Year 3. Eight project engagements averaging $35,000 each — firewall stack replacement, Microsoft 365 tenant migration, on-prem-to-cloud backup migration, KORA records-system implementation, cyber tabletop — adds about $280,000 annually.

Total Year 3 revenue lands near $996,000. The Year 1 ramp is roughly $360,000 (eight accounts at $280,000 recurring plus three projects at $80,000). Year 2 is roughly $690,000 (15 accounts at $530,000 plus five projects at $160,000).

Cost structure at Year 3. Founder plus two field technicians plus one part-time helpdesk is about $340,000 in loaded payroll. Two service vans, tools, certifications, and software stack — remote-monitoring, professional-services automation, Microsoft 365 partner-tier licensing, endpoint detection, backup, and documentation — is about $180,000 annually. Workers' comp, general liability, and cyber E&O at the $2 million aggregate floor for municipal accounts plus professional services is about $60,000. Office, training, and KLC plus KIT vendor maintenance is about $80,000. Total OpEx is roughly $660,000. Founder take-home in Year 3 lands $250,000 to $340,000. Year 1 founder draw is $80,000 to $110,000; Year 2 is $160,000 to $200,000. The model assumes 90 percent-plus renewal on recurring contracts — municipal IT switching cost is high and the documented network state plus CJIS audit history is sticky. Below 80 percent renewal, the model breaks.

Capital build at $200,000 to $600,000. Microsoft 365 Cloud Solution Provider tier plus initial certifications (Microsoft Partner, CompTIA Security+, Cisco or Meraki, Fortinet or Palo Alto NSE-level) is $25,000 to $50,000. Remote-monitoring, professional-services automation, and documentation stack (ConnectWise, NinjaOne, Datto, or Kaseya tier) is $35,000 to $60,000 in Year 1. Endpoint detection plus backup and email-security stack pre-paid is $40,000 to $80,000 in Year 1. Two service vans plus tools plus cellular service is $80,000 to $120,000. Cyber E&O plus general liability plus workers' comp first-year premium is $30,000 to $50,000. Working capital for three to four months of payroll is $80,000 to $150,000. Office buildout plus KLC and KIT vendor application fees is $20,000 to $40,000. SBA 7(a) plus founder equity plus small SBIC participation reaches the range honestly.

• Kentucky League of Cities (KLC)

  Municipal association and procurement vehicle

  Institution

  Roughly 370-city membership; operates a Buying Network and an Insurance Services Association. KLC vendor-roster listing opens broad procurement access.
• Commonwealth Office of Technology and Kentucky Office of Homeland Security

  State IT and cybersecurity-grant administration

  Out-of-county

  COT operates KIT master agreements at technology.ky.gov; KOHS administers federal State and Local Cybersecurity Grant Program (SLCGP) pass-through to Kentucky locals through September 2026.
• City of Jeffersontown (Mayor Bill Dieruf; about 28,000 residents)

  Anchor home-rule city

  Institution

  Largest home-rule city in Jefferson; runs its own PD, public works, parks, and the Bluegrass Industrial Park. A lead-anchor reference opens five to ten mid-tier referrals.
• St. Matthews, Middletown, Lyndon, Anchorage, Shively, Hurstbourne, Indian Hills, and Prospect

  Mid-tier home-rule cities

  Institution

  Each runs 2,500 to 17,000 residents; each operates its own PD now or has historically. All three demand floors — CJIS, KORA, and cyber insurance — apply.
• Suburban fire-protection districts under KRS 75

  Special-purpose local government

  Institution

  Anchorage, Buechel, Camp Taylor, Eastwood, Fairdale, Fern Creek, Highview, Jeffersontown, Lake Dreamland, Lyndon, Middletown, Okolona, Pleasure Ridge Park, St. Matthews, and Worthington districts each run elected boards with tax-levy authority.
• Mirazon Group, Bluegrass Networking, CSI Louisville, Computer Discount Inc

  Louisville-resident MSP incumbents

  Institution

  Active commercial mid-market firms; named factually as market reference points. The founder competes on municipal-specific CJIS, KORA, and cyber-insurance signature competence rather than general-commercial MSP positioning.
• Konica-Minolta All Covered, Marco, ProArch, Ntiva, Thrive Networks, Logically, Ahead

  National municipal-IT consolidators

  Out-of-county

  Acquisition-driven nationals. A Louisville-resident MSP with 10-plus city accounts becomes an acquisition target. The founder competes on Louisville-resident incident-response speed.
• Kentucky State Police (CJIS Systems Agency)

  Federal credentialing and state administration

  Out-of-county

  Runs CJIS technical audits at PD-operating cities on a recurring cadence.

The primary lane is a mid-market MSP operator with seven to ten years of MSP experience and at least one CJIS-aligned engagement on the resume. This is not a first-time founder lane. The credentialing depth required to sign a cyber-insurance underwriting questionnaire for a city PD is real, and the cost of a credentialing miss is contract loss plus potential litigation exposure on a public-sector account.

A second path is a returning-home IT-services professional. A Louisville-native former enterprise infrastructure manager, public-sector network engineer, or senior MSP technician who spent five to ten years at a Lexington, Cincinnati, Indianapolis, or Nashville public-sector MSP and is bringing back the municipal vocabulary plus the carrier-questionnaire signature credential.

A third path is an existing public-sector IT firm extending into Jefferson home-rule accounts. A Louisville-resident systems-integration or AV-control firm that already holds a state KIT-prime relationship or a Louisville Metro contract and is bolting on the municipal-MSP retainer line.

Anchor-account sequencing. Land at least two of the five larger home-rule cities (Jeffersontown, St. Matthews, Middletown, Lyndon, Anchorage) as first-anchor accounts within 18 months. Without an anchor-tier reference, the recurring-retainer book cannot break $250,000. If all five anchor-tier cities are on multi-year contracts that don't expire until 2027 or 2028, the founder lane delays. Reviewing each city's incumbent and renewal date is the most important pre-launch task.

KLC vendor-roster pre-qualification within 12 to 18 months. Once KLC-listed, the roughly 70 Jefferson cities plus the additional 370 home-rule cities elsewhere in Kentucky become reachable through one credential. If KLC's process favors statewide incumbents over Louisville-resident new entrants, the lane's reach contracts to direct sales across 15 to 25 cities — still viable but tighter.

• — Current KLC Executive Director, Buying Network IT-services vendor roster, vendor-application process, and Insurance Services Association cyber product structure and signature requirements.
• — Current state CIO at COT, the KIT master-agreement roster covering municipal MSP services, and the KOHS SLCGP pass-through sub-recipient roster with remaining 2025-2026 award capacity.
• — The final count of home-rule cities in Jefferson — we use about 83 as the working number; verify against the Kentucky League of Cities directory and the Jefferson PVA municipal-boundary file.
• — For each of the roughly 83 cities: the 2026 mayor, the 2026 city clerk, the most recent annual budget, the current IT vendor or status (in-house, outsourced, or none), workstation count, PD-operating status, and cyber-insurance carrier and renewal date.
• — Each city's ordinance threshold for sole-source versus IFB versus RFP (Jeffersontown, St. Matthews, Middletown, Lyndon, Anchorage, Shively).
• — Kentucky State Police technical-audit cadence and specific Kentucky-side CJIS audit findings across the eight to ten PD-operating cities for 2023 through 2025.
• — The final suburban fire-protection district roster, each district's elected board chair, and each district's current IT arrangement.
• — The mid-market MSP roster active in Louisville and any recent national-acquirer activity from 2024 to 2026; any MSP currently serving five-plus Jefferson home-rule cities (the principal incumbent to plan around).
• — Whether Louisville Metro Government IT has historically offered fee-for-service shared IT to home-rule cities, and the current status under the Greenberg administration.
• — Attorney-General opinion volume on small-city KORA matters from 2023 through 2025; the cyber-insurance market for Kentucky municipalities (carriers writing, market share, average premium, declination rate, KLC ISA share); SOC 2 Type II uptake among Louisville-resident MSPs serving public-sector accounts.
• — The single largest project-overlay opportunity across the 83 cities for 2026 and 2027 — a combined firewall-refresh wave, a combined Microsoft 365 migration wave, or a combined KORA records-system rollout — that anchors the Year 2 project pipeline.
• — Kentucky General Assembly 2026 session bills affecting home-rule city status or small-city consolidation.

Tonight, this week, this month — in that order. Each step produces a yes/no or a number, not a deeper understanding.