DHS OIG found that CISA mismanaged the Cyber Retention Incentive Program.
DHS OIG: CISA Mismanaged $138M Cyber Retention Incentive Program

The Department of Homeland Security Office of Inspector General has found significant weaknesses in the Cybersecurity and Infrastructure Security Agency’s Cybersecurity Retention Incentive program, which was designed to help the agency attract and retain high-demand cybersecurity professionals.

In an audit released Thursday, the OIG reported that CISA distributed more than $138 million between fiscal years 2020 and 2024 but failed to adequately target payments to mission-critical personnel. Instead, broad eligibility rules and weak oversight led to unauthorized back payments and retention incentives being awarded to employees who did not meet program requirements.

CISA’s Incentive Payments to Ineligible Employees

The OIG identified $1.41 million in questioned costs tied to back pay provided to 348 employees ineligible under program criteria. Incentives generally ranged from $21,000 to $25,000 per recipient each year, yet the agency often lacked documentation that recipients possessed “unusually high or unique qualifications” or that they were at risk of leaving federal service without additional compensation.

The watchdog further found that CISA broadened eligibility beyond approved guidelines by lowering the share of working time employees had to spend on NICE Framework cybersecurity work from 51 percent to 30 percent. The change was meant to be temporary and has since expired, but the report noted that it continued in practice.

Oversight and Tracking Gaps

According to the OIG, the Office of the Chief Human Capital Officer did not maintain accurate, centralized records of recipients and payments, making it difficult to verify compliance. Required certifications attesting to mission-critical duties and retention risk were often missing or incomplete.

These management failures, the report said, undermine the program’s effectiveness and risk wasting taxpayer dollars; if incentives are not directed appropriately, they may also discourage the highly qualified cyber professionals the program is intended to retain.

The watchdog warned that the deficiencies increase the risk of fraud, waste and abuse and undermine CISA’s ability to ensure that incentive funds are used effectively to retain critical cybersecurity talent.

OIG Recommendations and CISA’s Response

The OIG issued eight recommendations, including developing a formal risk management plan, tightening eligibility rules, reinstating clear criteria for cybersecurity work percentages, consolidating program oversight under a single office, improving recordkeeping and tracking, and recovering unallowed payments.

CISA agreed with all recommendations. The DHS Office of the Chief Human Capital Officer has set target dates in 2026 to implement updated policies, new tracking mechanisms and recovery actions.