Mismanagement of CISA’s Cybersecurity Retention Incentive Program: A Critical Review
The U.S. Department of Homeland Security (DHS) Office of Inspector General (OIG) recently released a report that sheds light on significant mismanagement within the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Retention Incentive Program. This program, designed to retain critical cybersecurity personnel, has reportedly resulted in wasted funds and jeopardized the retention of essential talent. The findings stem from a hotline complaint received in fiscal year 2023, alleging widespread waste, fraud, and abuse within the program.
Financial Implications
Between fiscal years 2020 and 2024, CISA spent over $138 million on the Cybersecurity Retention Incentive Program. However, the OIG report indicates that these funds were not utilized effectively. The agency failed to design, implement, and manage the program according to its requirements, leading to inefficient use of taxpayer dollars intended for retaining mission-critical cybersecurity personnel.
The report highlights that CISA did not adequately target employees with unique qualifications. Instead, ineligible employees received incentive payments ranging from approximately $21,000 to $25,000 annually. The lack of proper record-keeping by CISA’s Office of the Chief Human Capital Officer (OCHCO) further exacerbated the issue, as there was no centralized tracking of recipients and payments.
Compliance Failures
The OIG’s audit revealed that CISA did not comply with federal regulations and multiple program requirements, resulting in $1.41 million in unallowed back payments to 348 Cyber Incentive recipients. These payments were identified as questioned costs, raising concerns about the agency’s oversight and management practices.
The report outlines eight recommendations aimed at improving the Cyber Incentive program, which CISA has agreed to implement. However, one recommendation remains open and unresolved, indicating ongoing challenges in addressing the identified issues.
Program Expansion and Oversight
Initially implemented in 2015, the Cyber Incentive program aimed to offer monetary retention incentives to mission-critical cybersecurity employees. However, the OIG report indicates that CISA expanded program eligibility without establishing clear implementation processes or centralized management. This lack of oversight allowed for the inclusion of employees who did not meet the program’s intended criteria.
The report notes that CISA supervisors often submitted requests for Cyber Incentives without proper documentation to justify the need for retention incentives. The Designation and Eligibility Form (DEF) system did not require supervisors to attest that the employee and position were mission-critical, leading to further inconsistencies in the program’s application.
Questionable Qualifications
The OIG’s review of 25 position descriptions across CISA divisions found no clear documentation indicating that these positions were mission-critical or required unusually high or unique qualifications. This lack of clarity raises questions about the program’s effectiveness in retaining the most qualified personnel.
Moreover, the report identified instances where CISA supervisors indicated that positions did not require specialized qualifications, which would render the employees ineligible for the Cyber Incentive. This misalignment between the program’s intent and its execution poses a risk to CISA’s ability to protect the nation from cyber threats.
Policy Changes and Their Impact
In July 2021, CISA made changes to its policy that diluted the program’s effectiveness. The eligibility requirements were reduced, allowing more employees to receive retention incentives based on a lower threshold of work associated with the National Initiative for Cybersecurity Education (NICE) framework. Although this policy expired in July 2022, CISA continued to operate under the reduced requirements, further complicating the program’s integrity.
The OIG report emphasizes that insufficient oversight at the departmental level contributed to the identified issues. DHS OCHCO officials stated they only became involved when requested by CISA, indicating a lack of proactive oversight.
Recommendations for Improvement
The OIG has put forth several recommendations for CISA to enhance the Cybersecurity Retention Incentive Program. These include:
- Targeted Employee Analysis: CISA should analyze and document the categories of cybersecurity employees in mission-critical positions who possess unique qualifications and limit retention incentives to these individuals.
- Consistent Policy Development: The agency must develop and implement consistent policies regarding the minimum percentage of time an employee must perform relevant assignments to qualify for the incentive.
- Accurate Tracking Methodology: Establishing a reliable process for approving and tracking Cyber Incentive recipients is crucial to ensure data integrity.
- Regular Reviews: Annual reviews should be conducted to confirm continued eligibility for retention incentives, ensuring that payments are justified.
- Addressing Unallowable Payments: CISA should resolve the $1.41 million in unallowable back pay and consider seeking repayment from ineligible employees.
- Ongoing Monitoring: The DHS OCHCO should periodically review and monitor CISA's Cybersecurity Retention Incentive Program to ensure compliance with federal regulations and program goals.
Conclusion
The OIG’s findings underscore the critical need for CISA to reassess its Cybersecurity Retention Incentive Program. By extending the program too broadly and failing to adhere to its original intent, CISA risks not only wasting taxpayer funds but also losing valuable cybersecurity talent essential for national security. Implementing the OIG’s recommendations will be vital for CISA to enhance its operational effectiveness and ensure the protection of the nation against evolving cyber threats.