Title Full
CISA Mismanaged Cybersecurity Retention Incentive Program and Wasted Funds, Risking Critical Talent Retention
Date Issued
Submitting OIG
Department of Homeland Security OIG
Agencies Reviewed/Investigated
Department of Homeland Security
Report Number
OIG-25-38
Report Description

The Cybersecurity and Infrastructure Security Agency (CISA) did not properly design, implement, comply with, or manage requirements of the Cybersecurity Retention Incentive (Cyber Incentive) program, which paid more than $138 million between fiscal years 2020 through 2024. These deficiencies resulted in CISA not using Federal funds efficiently or effectively to retain mission-critical cybersecurity employees.

• CISA did not narrowly target mission-critical cybersecurity employees with unusually high or unique qualifications. Ineligible employees received incentive payments, which ranged from approximately $21,000 to $25,000 annually.
• CISA’s Office of the Chief Human Capital Officer (OCHCO) did not maintain records of Cyber Incentive recipients and corresponding payments.
• CISA did not comply with Federal regulations and multiple program requirements, resulting in $1.41 million in unallowed back payments to 348 Cyber Incentive recipients, which we identified as questioned costs.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
8
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No
External Entity
https://www.oig.dhs.gov/sites/default/files/assets/2025-09/OIG-25-38-Sep25.pdf

Open Recommendations

This report has 8 open recommendations.
Recommendation Number Significant Recommendation Recommended Questioned Costs Recommended Funds for Better Use Additional Details
1 No $0 $0

We recommend the CISA Director analyze and document the targeted categories of its cybersecurity employees in mission-critical positions that possess unusually high or unique qualifications and limit retention incentives to only those qualified individuals.

2 No $0 $0

We recommend the CISA Director develop and implement consistent policy and guidance on the minimum percentage of time that an employee must perform assignments related to a primary and secondary National Initiative for Cybersecurity Education code to qualify for the Cybersecurity Retention Incentive.

3 No $0 $0

We recommend the CISA Director develop and implement an accurate, reliable, and auditable methodology and process for approving and tracking Cyber Incentive recipients and program use, to ensure that the data tracking needs are adequately addressed.

4 No $0 $0

We recommend the CISA Director consolidate and assign responsibilities for managing the Cybersecurity Retention Incentive program to an office with the authority to make program decisions.

5 No $0 $0

We recommend the CISA Director develop, update, and implement its policies for the Cybersecurity Retention Incentive program to:
• document if employees are likely to leave Federal service if they do not receive a retention incentive and have the completed approval on file;
• annually review whether each employee is still eligible for the Cybersecurity Retention Incentive;
• define unusual and extraordinary circumstances for back pay and ensure the reasons for back pay are documented;
• update and publish the eligible cybersecurity certifications list annually; and
• track internal transfers and resubmissions of Cybersecurity Retention Incentive eligibility forms in a timely manner.

6 No $0 $0

We recommend the CISA Director conduct further analysis and evaluation to resolve the $1.41 million in unallowable back pay given to Cybersecurity Retention Incentive recipients.

7 No $0 $0

We recommend the CISA Director determine whether it is appropriate to seek repayment of improper incentive payments to ineligible employees and recover those co

8 No $0 $0

We recommend the DHS Office of the Chief Human Capital Officer periodically review and monitor CISA’s Cybersecurity Retention Incentive program to ensure it meets program goals and is in compliance with DHS policy, DHS directives, and the DHS Cybersecurity Retention Incentive Plan.
