The US Cybersecurity and Infrastructure Security Agency (CISA) wasted taxpayers’ money and imperilled its mission to protect the nation from threats, a damning new report has found.
The Department of Homeland Security (DHS) Office of Inspector General (OIG) said it audited the agency after receiving a hotline complaint in 2023 that CISA had mismanaged its Cyber Incentive program.
The program was designed to incentivize “mission-critical” cybersecurity employees who might otherwise leave, but was allegedly marred by “widespread waste, fraud and abuse.”
The OIG found that CISA did not use federal funds “efficiently and effectively” in order to retain its mission-critical workforce. In fact, the OIG found 240 employees in support functions unrelated to cyber who received the incentive payment. This may have demotivated genuine cyber talent in the agency, the report claimed.
“If CISA continues to offer the Cyber Incentive to a broad swath of its workforce, circumventing the intent of the program, it risks attrition and increased vulnerability to cyber threats as well as spending money unnecessarily,” the OIG said.
The report also found that CISA’s chief human capital officer (OCHCO) didn’t maintain records of program recipients or payments. The latter ranged from $21,000 to $25,000 annually per person, with over 40% of staff receiving money. Over a four-year period starting in 2020, CISA paid out more than $138m in federal funds.
Finally, the OIG claimed that CISA didn’t follow federal rules, or its own policies and procedures, when determining participant and payment eligibility. Most egregiously, the CISA OCHCO paid $1.4m in “unallowable” back pay to 348 Cyber Incentive recipients between 2022 and 2024, with no explanation given as to why.
The OIG’s Eight Recommendations
The OIG made eight recommendations in its report. It wants CISA to:
- Review and limit the program only to qualified individuals
- Develop and implement consistent policy and guidance on the minimum amount of time employees perform work that qualifies for the incentive program
- Deploy an “accurate, reliable, and auditable methodology and process” for tracking program use
- Hand over management of the program to a separate office
- Update policies on back pay, eligibility, likelihood of leaving, and more
- Carry out further analysis to resolve the unallowable back pay issue
- Determine whether it’s appropriate to recover improper incentive payments from employees
- Ensure its OCHCO periodically reviews/monitors the program to ensure it meets its goals and is in compliance with DHS policy
CISA has “concurred” with all eight recommendations.