CISA Program Gave Out $20k+ Payments To Unqualified Employees, Auditor Says

The US Cybersecurity and Infrastructure Security Agency (CISA) mismanaged a program designed to retain skilled security professionals so badly that auditors have concluded it left the agency "unable to adequately protect the Nation from cyber threats." 

The Cyber Incentive program began life in 2015 under the National Protection and Programs Directorate, which became CISA in 2018. According to the Office of the Inspector General (OIG) at CISA's parent agency, the Department of Homeland Security [PDF], it didn't take long for "fraud, waste, and abuse" of the initiative to become standard operating procedure at the nation's cybersecurity watchdog. 

The OIG report, which was triggered by a 2023 hotline complaint, found that CISA had approved incentive payments for a number of ineligible employees, each of whom was improperly awarded between $21,000 and $25,000 per year. CISA's HR department made the situation worse by not maintaining records of Cyber Incentive recipients or of the payments made to them. The OIG said that the systemic failure to comply with federal regulations and CISA's own requirements for the Incentive program led to around $1.41 million in unallowable back payments to 348 recipients in fiscal years 2020 through 2024. The program paid out more than $138 million in total during those years.

In a single pay period last year, the OIG said, 1,401 of CISA's 3,220 employees were receiving a cybersecurity retention incentive payment. Of those 1,401 employees, 240 were support staff in roles "not directly related to cybersecurity," according to the report.  

According to the OIG, only two classes of CISA employees were eligible for Cyber Incentive awards: those whose position description and duties are defined by the National Institute of Standards and Technology as cybersecurity roles, and those who hold cybersecurity certifications on CISA's approved list of certs. 

Support staff not in cybersecurity roles, presumably, have neither. 

"We found that CISA did not limit use of retention incentives to targeted employees with unusually high or unique cyber qualifications or those occupying mission-critical positions," the OIG reported. 

The report attributed the bulk of the problem to CISA's decision to broaden eligibility requirements without creating an implementation process, and to the fact that no single office administered the Cyber Incentive, with duties spread across CISA's HR department. CISA HR, in turn, told the OIG that it "did not have monitoring controls in place" to ensure funds went to the right recipients, nor was it given "adequately detailed procedures to follow" to ensure the program ran smoothly. 

All told, the program appears to be in such disarray that the OIG thinks it might have done CISA's mission more harm than good - and that's before Trump administration cuts to the agency spurred numerous departures and a culture of fear that has left qualified cybersecurity professionals wondering whether staying in the federal workforce is worth the headache. If CISA doesn't get its act together on incentives, the OIG said, its ability to protect US cybersecurity and infrastructure is only likely to suffer more. 

"If CISA continues to offer the Cyber Incentive to a broad swath of its workforce, circumventing the intent of the program, it risks attrition and increased vulnerability to cyber threats as well as spending money unnecessarily," the OIG said. 

The report made eight recommendations to CISA to fix the program. Only one of those recommendations - that CISA work out how to get back pay to the proper recipients - is considered resolved, and even that one remains open until CISA actually reports its findings next year. CISA concurred with the rest of the recommendations but has yet to provide plans or a timeline to address them.

CISA told us that it fully intends to improve the Cyber Incentive program.

"CISA concurs with the recommendations to improve the cyber retention incentive program for a stronger CISA team and better stewardship of taxpayer dollars," acting CISA director Madhu Gottumukkala told The Register in an email. Hiring and retaining top talent is essential to help CISA's mission, the acting director added. "We appreciate the Inspector General’s partnership for greater efficiency and optimization and will work to implement these changes." ®

Editor's note: This story was amended post-publication with comment from CISA.
