A recent audit by the Department of Homeland Security’s Office of Inspector General (OIG) sharply criticizes the Cybersecurity and Infrastructure Security Agency (CISA) for mismanaging its Cybersecurity Retention Incentive Program, which was intended to reward and retain mission-critical cybersecurity professionals. Between fiscal years 2020 and 2024, CISA awarded over $138 million under this program, but the audit found that many recipients did not meet the required high-skill or mission-critical criteria. In particular, CISA broadened eligibility without proper procedures and oversight; as a result, employees in administrative or non-cybersecurity roles who were not eligible received incentives, and approximately 348 individuals improperly received $1.41 million in back payments. While CISA has agreed with all eight of the OIG’s recommendations to tighten internal controls and improve documentation, only seven have been implemented so far; recovering funds from ineligible recipients remains unresolved.
Sources: Office of Inspector General, Executive Gov
Key Takeaways
– CISA’s Cyber Retention Incentive Program spent over $138 million between fiscal years 2020 and 2024 but failed to narrowly target mission-critical cybersecurity staff as required, undermining the program’s intent.
– Weak oversight, inadequate record keeping, and overly broad eligibility criteria led to payments to employees outside the intended scope—including non-cyber or administrative roles—and about $1.41 million in improper back pay to 348 employees.
– Although CISA concurred with eight recommendations from the OIG to reform the program, the task of recovering improper payments remains outstanding, signaling an incomplete resolution of accountability and financial stewardship.
In-Depth
In recent days, the Office of Inspector General (OIG) for the Department of Homeland Security turned the spotlight on the Cybersecurity and Infrastructure Security Agency (CISA), critiquing its handling of the Cybersecurity Retention Incentive Program. Intended as a tool to secure high-skill cybersecurity personnel who might otherwise depart for more lucrative private sector roles, the program was judged to have squandered public resources by failing to adhere to its own rules. Between 2020 and 2024, CISA doled out over $138 million under the program. However, evidence from the audit indicates that many who benefited did not satisfy the mission-critical or specialized skill requirements that the program stipulated. Among those recipients were administrative workers or personnel whose duties were only tangential to cybersecurity objectives. Notably, the OIG identified 348 individuals who received back payments amounting to $1.41 million, categorized as improper because they were not eligible under the intended criteria.
The audit’s findings highlight systemic oversight failures: eligibility rules were broadened without a matching update to procedural guidance, record-keeping was patchy, and there was no single, centralized management framework to ensure that incentives were granted only to the targeted roles. The OIG faulted CISA’s Human Capital offices for these gaps and for failing to enforce tighter controls on disbursements and documentation. The result, the OIG warns, is twofold: wasted taxpayer dollars and a risk to national cybersecurity, because misaligned incentives may fail to retain the very experts the agency depends on.
CISA has responded by agreeing to all eight recommendations put forward by the OIG. Seven are reportedly implemented, but the last—recovering funds that were improperly paid—has not yet been completed. This unresolved element raises questions about accountability measures and whether the agency is fully committed to fixing all aspects of the problem. Given the growing threats in cyberspace and the premium on skilled defensive talent, these findings arrive at a critical time: if public agencies are seen as lax with incentives or financial stewardship, retaining top cybersecurity professionals will become even harder. Ultimately, unless these gaps are fully closed, the taxpayer expense won’t be the only cost—the security of infrastructure and digital operations may be compromised too.