The Cybersecurity and Infrastructure Security Agency (CISA) is shutting down its program that pays incentives to retain highly skilled cybersecurity professionals after a watchdog report found that millions were paid to ineligible employees.
The shutdown follows a September report from the Department of Homeland Security Office of Inspector General (OIG), which found that more than $138 million in incentives were paid out to ineligible employees over the last four years through the Cybersecurity Retention Initiative (CRI).
Under the CRI, CISA employees with job functions related to cybersecurity were either eligible for a 10% group retention incentive based on their position’s duties, or an individual retention incentive of 20% to 25% based on how their skills aligned with CISA’s approved certification list.
The OIG conducted the investigation after receiving a complaint in fiscal year 2023 that “CISA officials were knowingly approving Cyber Incentives for ineligible employees.”
The investigation found unallowed back payments, as well as incentive payments to hundreds of employees whose roles did not require unique qualifications or did not relate directly to cybersecurity.
In addition, two employees who received incentive payments were administrative officials tasked with overseeing the incentive program’s approval process.
“As the nation’s cyber defense agency, it’s critical that we hire and retain talented and driven experts to develop and deliver intelligence, services and support to critical infrastructure while ensuring good stewardship of taxpayer dollars,” CISA Director of Public Affairs Marci McCarthy said in a statement shared with MeriTalk.
“While CISA does not generally comment on personnel matters, the CRI program was never meant to be a permanent program, but was a temporary retention solution until the Cyber Talent Management System (CTMS) was operational. With that in mind, CISA intends to sunset the CRI program and fully utilize CTMS to recruit, hire, and retain its cyber workforce in the future,” McCarthy continued.
The CRI was created in 2015; the Department of Homeland Security began work on CTMS in 2019 to hire cybersecurity staff faster and offer pay that is more competitive with industry. CTMS began its rollout toward the end of the Biden administration.
It is unclear how many employees will be transitioned to CTMS. CISA did not provide comment on the exact date that CRI will sunset.