- CISA mismanaged over $138 million in cybersecurity retention funds, awarding incentives to unqualified or unrelated personnel
- The agency lacked proper oversight, documentation, and compliance, undermining its ability to retain critical cybersecurity talent
- DHS OIG recommended eight corrective actions; seven have been implemented, with one unresolved concerning recovery of improper payments
The US Cybersecurity and Infrastructure Agency (CISA) mismanaged funds and failed to properly oversee and document various funding incentives, risking its ability to retain top cybersecurity talent.
This is the conclusion of “CISA Mismanaged Cybersecurity Retention Incentive Program and Wasted Funds, Risking Critical Talent Retention”, a new report published by the DHS Office of Inspector General (OIG).
CISA is a US government agency responsible for protecting critical infrastructure and leading federal cybersecurity efforts, and apparently – it’s been doing a poor job lately.
Lacking oversight
In the report, OIG slammed the agency for mismanagement and noncompliance, claiming the agency failed to properly design, implement, and manage its Cybersecurity Retention Incentive program.
As a result, its use of more than $138 million in federal funds, which it received between 2020 and 2024, was inefficient, by large. Among other things, OIG said the agency paid incentives to employees who did not meet mission-critical, or high-qualification criteria.
In fact, some recipients held administrative roles unrelated to cybersecurity, and 348 individuals received $1.41 million in unallowed back payments.
OIG also said CISA lacked oversight and documentation, claiming its Office of the Chief Human Capital Officer did not maintain accurate records of recipients or payments, and broadened eligibility requirements without proper procedures. DHS’s oversight was also insufficient, it was added.
All these things meant CISA was risking cybersecurity talent retention. OIG argued that the diluted incentive program undermined morale among qualified cybersecurity professionals and jeopardized CISA’s ability to retain critical talent.
“If CISA continues to offer the Cyber Incentive to a broad swath of its workforce, circumventing the intent of the program, it risks attrition and increased vulnerability to cyber threats as well as spending money unnecessarily,” the OIG warned.
Finally, the agency recommended eight steps to improve program integrity and, per the document, CISA agreed with all eight of them. Seven already seem to be implemented, while the eighth one is currently unresolved, and it revolves around recovering improper payments made to ineligible employees.
Via Cybernews
