A new watchdog report exposes mismanagement of CISA’s cybersecurity retention incentive program. The Office of the Inspector General (OIG) revealed that the Cybersecurity and Infrastructure Security Agency (CISA) misused millions of dollars from the program. Between 2020 and 2024, CISA failed to enforce eligibility rules, allowed improper payments, and did not maintain required records. These failures wasted taxpayer money and undermined the program’s purpose: retaining mission-critical cybersecurity staff.
How the Program Failed
The OIG found that CISA awarded retention incentives of $21,000–$25,000 annually to employees who did not qualify. In one 2024 pay period, 240 out of 3,220 employees receiving incentives held jobs unrelated to cybersecurity. This violated program rules.
The report also found $1.41 million in unallowable back payments made to 348 employees. CISA’s record-keeping was incomplete, with the Office of the Chief Human Capital Officer failing to ensure payments aligned with requirements.
Why Mismanagement Matters
The retention program was designed to keep top cybersecurity professionals at CISA, ensuring the agency could respond to evolving threats. Mismanagement has two key consequences:
- Taxpayer funds are wasted, reducing trust in government spending.
- Cyber defense capacity weakens, as incentives go to ineligible staff instead of critical cybersecurity talent.
The OIG concluded that this misuse undercut CISA’s ability to meet its national security mission.
Watchdog Recommendations
The OIG provided several corrective measures that CISA agreed to adopt:
- Define clear eligibility rules for retention incentives.
- Restrict payments to qualifying cybersecurity positions.
- Improve record-keeping to document and track payments.
- Address improper back payments and prevent future violations.
Conclusion
The findings on CISA cybersecurity retention mismanagement highlight the risks of weak oversight. By misdirecting funds and failing to enforce eligibility, CISA wasted millions and jeopardized its mission. Implementing strict rules, stronger accountability, and better record-keeping will be essential to restore trust and protect national cybersecurity.

