
A Cybersecurity and Infrastructure Security Agency (CISA) program designed to pay incentives to retain highly skilled cybersecurity professionals has spent over $138 million over the last four years, most of which hasn’t gone to the right people.
That’s the news from the Department of Homeland Security Office of the Inspector General (OIG), which said in a new report that a program designed to provide incentives to certain cyber employees has made payments to those who were ineligible and did not document who was receiving those incentives.
The Cyber Incentive program provides eligible CISA employees with a 10% group retention incentive based on their position’s duties, and provides employees with unique skills a 20 to 25% individual retention incentive based on how their certifications align with CISA’s approved certification list.
After receiving a complaint in fiscal year (FY) 2023 that “CISA officials were knowingly approving Cyber Incentives for ineligible employees,” OIG officials said they discovered that CISA “did not properly design, implement, comply with, or manage requirements” of the incentive program.
“The Nation faces a growing number of increasingly sophisticated cyberattacks that pose a threat to public safety and national security,” said OIG officials. “[CISA] leads our Nation’s effort to understand, manage, and reduce risk to our cyber and physical infrastructure … To perform this mission, CISA requires talented and highly motivated professionals.”
Currently, the nation faces 500,000 cyber job vacancies.
The incentive program meant to retain those professionals paid out more than $138 million in fiscal years 2020 through 2024, which “wasted taxpayer funds” while risking the “attrition of cyber talent, thereby leaving CISA unable to adequately protect the Nation from cyber threats.”
Specifically, the OIG found that CISA did not narrowly target professionals with unique qualifications, did not maintain records of incentive recipients and payments, and failed to comply with federal regulations and multiple program requirements.
“These issues occurred because CISA broadened program eligibility requirements without creating detailed implementation processes and procedures and did not centrally manage the program,” said OIG officials, adding that DHS “did not regularly provide guidance and oversight to CISA OCHCO [Office of the Chief Human Capital Officer] on its use of the Cyber Incentive program.”
The OIG found that $1.41 million was given to 348 Cyber Incentive recipients in unallowed back payments in FY 2022 through 2024, and that 132 ineligible employees received incentive payments even though senior CISA staff said their positions did not require unique qualifications.
An additional 240 employees who received the incentive were from CISA mission support offices, in roles not directly related to cybersecurity. Two administrative officials within CISA OCHCO who helped oversee the incentive program’s approval process also received Cyber Incentives in FY 2021 through 2024.
The OIG issued eight recommendations to CISA, all of which the agency agreed with.
Those recommendations include defining mission-critical roles, setting time allocation policies, creating an auditable methodology for tracking, consolidating management, and strengthening program policies, with most fixes due by July 2026. CISA also said it is reviewing the $1.41 million in improper payments.