The US Cybersecurity and Infrastructure Security Agency (CISA) wasted federal funds and jeopardized its cybersecurity mission through widespread mismanagement of its Cyber Incentive program, according to a Department of Homeland Security Office of Inspector General audit.
The Department of Homeland Security Office of Inspector General (OIG) audited CISA after receiving a hotline complaint in 2023 alleging mismanagement of the agency's Cyber Incentive program. The program was designed to retain "mission-critical" cybersecurity employees who might otherwise leave the agency.
The OIG found that CISA failed to use federal funds "efficiently and effectively" to retain its mission-critical workforce. The audit revealed that 240 employees in support functions unrelated to cyber received incentive payments ranging from $21,000 to $25,000 annually. Over 40% of CISA's staff received these payments, totaling more than $138 million in federal funds over a four-year period starting in 2020.
Additionally, CISA's Office of the Chief Human Capital Officer (OCHCO) failed to maintain proper records of program recipients or payments. The agency also violated federal rules and its own policies when determining participant and payment eligibility. Most notably, CISA OCHCO paid $1.4 million in "unallowable" back pay to 348 Cyber Incentive recipients between 2022 and 2024 without explanation.
The OIG made eight specific recommendations for CISA to address the program's failures.
CISA has agreed to all eight recommendations.
The OIG stated that the program was allegedly marred by "widespread waste, fraud and abuse."
The OIG warned that, "If CISA continues to offer the Cyber Incentive to a broad swath of its workforce, circumventing the intent of the program, it risks attrition and increased vulnerability to cyber threats as well as spending money unnecessarily."
The report claimed that providing incentives to non-cyber personnel "may have demotivated genuine cyber talent in the agency."
This mismanagement directly threatens national cybersecurity at a time when cyber threats are escalating. CISA serves as the nation's primary cybersecurity agency, responsible for protecting critical infrastructure and coordinating cyber defense efforts across government and private sectors. When the agency designed to safeguard America's digital infrastructure wastes resources and potentially demoralizes its actual cybersecurity talent, it creates vulnerabilities that adversaries could exploit. The improper distribution of retention incentives to non-cybersecurity personnel undermines the program's core purpose.
CISA's mismanagement of taxpayer funds and failure to properly incentivize actual cybersecurity talent represents more than administrative incompetence—it's a national security risk. The agency must immediately implement the OIG's recommendations to restore program integrity and ensure retention efforts actually target the cybersecurity professionals America needs to defend against evolving threats.
It was designed to retain mission-critical cybersecurity staff at risk of leaving the agency.
More than $138 million was misallocated over four years.
It could demoralize actual cyber experts while diverting resources from critical defense needs.
It refers to payments made without justification or in violation of program rules.
Yes, the OIG recommended assessing whether to recover those funds.