The U.S. Department of Homeland Security Office of Inspector General (OIG) presented a report to the Cybersecurity and Infrastructure Security Agency (CISA) highlighting mismanagement of the agency’s Cybersecurity Retention Incentive Program, which resulted in wasted funds and endangered critical talent retention. The report follows a hotline complaint received in FY 2023, alleging widespread waste, fraud, and abuse within the program. It reveals that CISA failed to properly design, implement, comply with, or manage the program’s requirements, despite spending over $138 million between fiscal years 2020 and 2024. These deficiencies led to the inefficient use of federal funds intended to retain mission-critical cybersecurity personnel.
“CISA did not narrowly target mission-critical cybersecurity employees with unusually high or unique qualifications. Ineligible employees received incentive payments, which ranged from approximately $21,000 to $25,000 annually,” the DHS OIG detailed in its report. “CISA’s Office of the Chief Human Capital Officer (OCHCO) did not maintain records of Cyber Incentive recipients and corresponding payments.”
Moreover, CISA did not comply with federal regulations and multiple program requirements, resulting in $1.41 million in unallowed back payments to 348 Cyber Incentive recipients, which the OIG identified as questioned costs. The audit was conducted to assess the extent to which CISA has implemented the Cybersecurity Retention Incentive for the cybersecurity workforce and complied with program requirements.
“The report contains eight recommendations aimed at improving CISA’s Cyber Incentive program,” Joseph V. Cuffari, Inspector General, wrote in his communication to Madhu Gottumukkala, acting CISA director. “Your office concurred with all eight recommendations. Based on information provided in your response to the draft report, we consider recommendation 7 open and unresolved.”
Within 90 days of the date of the memorandum, CISA must provide the DHS OIG with a written response that includes the agency’s agreement or disagreement, corrective action plan, and target completion date for each recommendation. The response should include responsible parties and any supporting documentation necessary to show the current status of the recommendation. Until a response is received and evaluated, the recommendation will remain open and unresolved.
In 2015, CISA implemented the Cyber Incentive program to offer monetary retention incentives to mission-critical cybersecurity employees who might otherwise be likely to leave Federal service.
The DHS OIG report states that these issues arose because CISA expanded program eligibility without establishing clear implementation processes or centralizing program management. “Moreover, the DHS OCHCO did not regularly provide guidance and oversight to CISA OCHCO on its use of the Cyber Incentive program. We found CISA’s implementation of the program wasted taxpayer funds and invites the risk of attrition of cyber talent, thereby leaving CISA unable to adequately protect the Nation from cyber threats.”
“We found that CISA did not limit use of retention incentives to targeted employees with unusually high or unique cyber qualifications or those occupying mission-critical positions,” the OIG report added. “We reviewed a sample of 25 position descriptions across CISA divisions and mission support offices, and we found no clear documentation in any of the 25 that the positions were mission critical or required unusually high or unique qualifications. This included positions in the Cybersecurity Division, where we expected to find mission-critical positions, which did not have its position descriptions documented as such.”
In addition, when CISA supervisors completed submissions for Cyber Incentives, the DEF (Designation and Eligibility Form) system did not require an attestation that the employee and position were mission-critical. The DEF system also did not require an attestation that the employee possesses these unusually high or unique qualifications per Federal regulations; rather, it asked CISA supervisors whether the position required highly specialized knowledge.
Regardless of the different terminology, the OIG reviewed Cyber Incentive recipients for FY 2020 through pay period 13 of calendar year 2024 and found 132 instances where CISA supervisors indicated the position did not require unusually high or unique qualifications, which would make the employee ineligible for the Cyber Incentive.
Upon further analysis of the roles and responsibilities of the CISA divisions and mission support offices, the DHS OIG questioned whether Cyber Incentive recipients met the intent of the program. “We could not determine what made the positions in these CISA divisions critical to its overall mission to protect against cyberattacks that pose a threat to public safety and national security, or that there was an identified shortage of skilled individuals in these areas.”
One CISA official believed employees who perform basic cyber job functions were abusing and diluting the Cyber Incentive program and said this situation decreased the motivation of those who have specialized skills and experience to maintain credentials or seek advanced certifications. Another CISA official noted that some staff, not in the Cyber Incentive program, were upset that they could not have their position descriptions changed to justify inclusion in the program. Another CISA official said the program did not ensure that CISA was retaining the best employees and that employees can qualify for certain certifications that often do not apply to their jobs.
CISA made changes to its policy that rendered the program inconsistent with controlling Federal regulations. In July 2021, CISA issued a policy statement that expanded the Cyber Incentive program so more employees could receive retention incentives. CISA reduced eligibility requirements, based on the amount of work associated with the NICE framework, from 51 to 30 percent.
Although the policy expired in July 2022, CISA OCHCO officials confirmed they continued to operate the program at the lowered 30 percent requirement as of the end of the OIG audit last November. Further, the policy statement and DHS OCHCO’s subsequent update to the DHS Cybersecurity Retention Plan 2021 allowed employees who were more administrative in nature and supported cyber functions to receive retention incentives.
“CISA OCHCO did not maintain and track the number of Cyber Incentive recipients and corresponding payments,” the OIG report said. “CISA OCHCO provided four different types of reports in response to our request for information about which employees received the Cyber Incentive. These reports contained different information regarding Cyber Incentive recipients and payments, and none contained an exclusive listing of the total number of employees who received the Cyber Incentive.”
The report observed that CISA did not implement reporting requirements as directed in the Cyber Incentive instructions. “While an OCHCO official provided two annual Labor Market Study Reports, the reports did not include any metrics for the program but rather contained basic information on the Cyber Incentive program and tenure information. The reports listed an identical number of Cyber Incentive participants in June 2022 and May 2023 despite evidence demonstrating annual increases in program participation, which calls into question CISA’s recordkeeping and data integrity.”
To generate a list of Cyber Incentive recipients, a CISA OCHCO official stated they had to manually review the list and remove any employees receiving other retention incentives. CISA OCHCO had NFC Cyber Incentive reports that were snapshots of biweekly earnings data, but could not use this information to track the cumulative amount of incentive payments each participant received beyond the pay period of the report. Without reports that track Cyber Incentive recipients and corresponding payments, CISA officials cannot adequately manage the Cyber Incentive program or ensure that the program is meeting its intended purpose.
CISA OCHCO failed to follow federal regulations and its own policies when determining participant and payment eligibility. It did not maintain documentation to justify retention incentive payments or assess whether employees were likely to leave federal service. Annual reviews to confirm continued eligibility were not conducted. CISA also paid $1.41 million in unallowable back pay to 348 recipients without explanation.
Additionally, OCHCO did not update its eligible certifications list between FY 2020 and FY 2024, limiting the targeting of employees with current cyber skills. For internal transfers, supervisors failed to complete new Cyber Incentive submissions within six months of reassignment. In reviewing 35 samples, 10 lacked position descriptions, and several descriptions were incomplete or failed to align with NIST NICE work roles.
“Insufficient oversight at the departmental level also contributed to the issues we identified,” the OIG reported. “Specifically, DHS OCHCO stated they do not regularly provide guidance and oversight to CISA OCHCO on its use of the Cyber Incentive program. Several DHS OCHCO officials said they only became involved when requested by CISA, and a senior CISA OCHCO official confirmed they did not regularly work with DHS OCHCO.”
In conclusion, the OIG found that CISA is failing to use federal funds efficiently or effectively to bolster the nation’s cybersecurity or retain its mission-critical workforce. By extending the Cyber Incentive too broadly and undermining the program’s intent, CISA risks workforce attrition, heightened exposure to cyber threats, and unnecessary spending.
The OIG recommended that the CISA director analyze and document the targeted categories of cybersecurity employees in mission-critical positions who possess unusually high or unique qualifications, and limit retention incentives to only those individuals. The OIG also recommended that the CISA director develop and implement consistent policy and guidance on the minimum percentage of time an employee must perform assignments related to a primary and secondary National Initiative for Cybersecurity Education code to qualify for the Cybersecurity Retention Incentive.
In addition, the OIG recommended that the CISA director establish an accurate, reliable, and auditable methodology and process for approving and tracking Cyber Incentive recipients and program use to ensure that data tracking needs are adequately addressed. The OIG recommended that the CISA director consolidate and assign responsibilities for managing the Cybersecurity Retention Incentive Program to an office with the authority to make program decisions.
The OIG recommended that the CISA director develop, update, and implement policies for the Cybersecurity Retention Incentive Program. These policies should document whether employees are likely to leave federal service without a retention incentive and ensure completed approvals are on file. They should also require annual reviews to confirm each employee’s continued eligibility, define unusual and extraordinary circumstances under which back pay may be granted with supporting documentation, update and publish the list of eligible cybersecurity certifications each year, and track internal transfers and resubmissions of eligibility forms promptly.
The OIG further recommended that the CISA director conduct additional analysis and evaluation to resolve the $1.41 million in unallowable back pay provided to Cybersecurity Retention Incentive recipients. The CISA director should also determine whether it is appropriate to seek repayment of improper incentive payments to ineligible employees and recover those costs. Finally, the OIG recommended that the DHS Office of the Chief Human Capital Officer periodically review and monitor CISA’s Cybersecurity Retention Incentive Program to ensure it meets program goals and complies with DHS policy, directives, and the DHS Cybersecurity Retention Incentive Plan.
