Date: 2025-09-14

The US Cybersecurity and Infrastructure Security Agency (CISA) failed to effectively manage the requirements of the Cybersecurity Retention Incentive program, designed to retain key cybersecurity professionals, and wasted federal funding, according to the Office of the Inspector General (OIG).

CISA, a US government agency created to protect the state against cyberattacks, received over $138 million between fiscal years 2020 and 2024 to target mission-critical and highly qualified cybersecurity employees.

Instead, the agency made incentive payments ranging from $21,000 to $25,000 annually to “ineligible employees”. For example, during a single pay period in 2024, CISA made incentive payments to 1,401 of its 3,220 employees; of those, 240 employees held roles not directly related to cybersecurity.

Additionally, the OIG accuses CISA’s Office of the Chief Human Capital Officer (OCHCO) of failing to maintain records of Cyber Incentive recipients and corresponding payments. The continuous failure to comply with regulations and the program’s requirements resulted in $1.41 million in unallowed back payments to 348 Cyber Incentive recipients. The OIG identified those as “questioned costs”.

The problems occurred because CISA did not set up detailed implementation processes and did not centrally manage the program, the OIG says. As a result, the agency wasted taxpayer funds, risking attrition of cyber talent and leaving the nation unable to defend itself in the face of cyberattacks.

“If CISA continues to offer the Cyber Incentive to a broad swath of its workforce, circumventing the intent of the program, it risks attrition and increased vulnerability to cyber threats as well as spending money unnecessarily,” the OIG warns.

The Cyber Incentive program was launched in 2015 to offer monetary incentives to mission-critical cybersecurity employees who would otherwise consider leaving the agency. In 2023, the OIG received a hotline complaint, which said that “the Cyber Incentive program was marked by widespread waste, fraud, and abuse.”

The OIG made eight recommendations to help CISA better implement the program, which CISA concurred with. These range from detailing the targeted categories of its cybersecurity employees eligible for incentive compensation to conducting further analysis in order to resolve the $1.41 million in unallowable back pay.