CISA faces scrutiny over mismanaged cyber incentive program totaling $138M
Gugu Ntsele October 16, 2025
The US Cybersecurity and Infrastructure Security Agency (CISA) wasted federal funds and jeopardized its cybersecurity mission through widespread mismanagement of its Cyber Incentive program, according to a Department of Homeland Security Office of Inspector General audit.
What happened
The Department of Homeland Security Office of Inspector General (OIG) audited CISA after receiving a hotline complaint in 2023 alleging mismanagement of the agency's Cyber Incentive program. The program was designed to retain "mission-critical" cybersecurity employees who might otherwise leave the agency.
The OIG found that CISA failed to use federal funds "efficiently and effectively" to retain its mission-critical workforce. The audit revealed that 240 employees in support functions unrelated to cyber received incentive payments ranging from $21,000 to $25,000 annually. Over 40% of CISA's staff received these payments, totaling more than $138 million in federal funds over a four-year period starting in 2020.
Additionally, CISA's chief human capital officer (OCHCO) failed to maintain proper records of program recipients or payments. The agency also violated federal rules and its own policies when determining participant and payment eligibility. Most notably, CISA OCHCO paid $1.4 million in "unallowable" back pay to 348 Cyber Incentive recipients between 2022 and 2024 without explanation.
Going deeper
The OIG made eight specific recommendations for CISA to address the program's failures:
- Review and limit the program only to qualified individuals
- Develop consistent policy on minimum time employees must perform qualifying work
- Deploy an accurate, reliable, and auditable methodology for tracking program use
- Transfer program management to a separate office
- Update policies on back pay, eligibility, likelihood of leaving, and related matters
- Conduct further analysis to resolve the unallowable back pay issue
- Determine whether to recover improper incentive payments from employees
- Ensure periodic reviews and monitoring to verify compliance with DHS policy
CISA has agreed to all eight recommendations.
What was said
The OIG stated that the program was allegedly marred by "widespread waste, fraud and abuse."
The OIG warned that, "If CISA continues to offer the Cyber Incentive to a broad swath of its workforce, circumventing the intent of the program, it risks attrition and increased vulnerability to cyber threats as well as spending money unnecessarily."
The report claimed that providing incentives to non-cyber personnel "may have demotivated genuine cyber talent in the agency."
Why it matters
This mismanagement directly threatens national cybersecurity at a time when cyber threats are escalating. CISA serves as the nation's primary cybersecurity agency, responsible for protecting critical infrastructure and coordinating cyber defense efforts across government and private sectors. When the agency designed to safeguard America's digital infrastructure wastes resources and potentially demoralizes its actual cybersecurity talent, it creates vulnerabilities that adversaries could exploit. The improper distribution of retention incentives to non-cybersecurity personnel undermines the program's core purpose.
The bottom line
CISA's mismanagement of taxpayer funds and failure to properly incentivize actual cybersecurity talent represents more than administrative incompetence—it's a national security risk. The agency must immediately implement the OIG's recommendations to restore program integrity and ensure retention efforts actually target the cybersecurity professionals America needs to defend against evolving threats.
FAQs
What was the original intent of the Cyber Incentive program?
It was designed to retain mission-critical cybersecurity staff at risk of leaving the agency.
How significant was the financial impact of this mismanagement?
More than $138 million was misallocated over four years.
What risks does this create for CISA’s cybersecurity mission?
It could demoralize actual cyber experts while diverting resources from critical defense needs.
What does “unallowable back pay” mean in this context?
It refers to payments made without justification or in violation of program rules.
Could employees be required to return improperly received payments?
Yes, the OIG recommended assessing whether to recover those funds.