OIG-25-38 - Recommendation 5

We recommend the CISA Director develop, update, and implement its policies for the Cybersecurity Retention Incentive program to: • document if employees are likely to leave Federal service if they do not receive a retention incentive and have the completed approval on file; • annually review whether each employee is still eligible for the Cybersecurity Retention Incentive; • define unusual and extraordinary circumstances for back pay and ensure the reasons for back pay are documented; • update and publish the eligible cybersecurity certifications list annually; and • track internal transfers and resubmissions of Cybersecurity Retention Incentive eligibility forms in a timely manner.