
    Money Meant to Retain Top Cyber Talent Was Misused by CISA: Report

    Money that was meant to help the Cybersecurity and Infrastructure Security Agency (CISA) retain top cyber talent was wasted and misused, and was sometimes paid to people who were not eligible for the retention money. 

    In fact, at least 240 ineligible employees from the mission support office ended up receiving the extra pay, which ranged from $21,000 to $25,000 a year. 

    That’s according to a new report from the Department of Homeland Security (DHS) Office of Inspector General (OIG), which was initially triggered by a hotline complaint made in 2023.

    The report noted that CISA’s implementation of the retention program “wasted taxpayer funds and invites the risk of attrition of cyber talent, thereby leaving CISA unable to adequately protect the Nation from cyber threats.”

    The program in question, the Cyber Incentive Program, was implemented in 2015 to help CISA retain employees who would otherwise leave for more lucrative opportunities in the private sector. 

    The OIG reviewed payments from fiscal year 2020 through 2024, a period during which the program paid out more than $138 million. It found that CISA failed to “properly design, implement, comply with, or manage requirements” by not narrowly targeting mission-critical cybersecurity employees and not properly maintaining records of recipients or payments. 

    CISA was also cited for not conducting an annual review to see if employees were still eligible and for not updating eligible certifications for the additional pay. 

    On top of that, the OIG report noted that CISA paid out $1.4 million in back pay to 348 recipients of the Cyber Incentive without any explanation or justification for the back pay. 

    “These issues occurred because CISA broadened program eligibility requirements without creating detailed implementation processes and procedures and did not centrally manage the program,” said the OIG report, which added that DHS “did not regularly provide guidance and oversight to CISA OCHCO (Office of the Chief Human Capital Officer) on its use of the Cyber Incentive program.” 

    The OIG made eight recommendations to CISA, which concurred with all of them.

     
