CISA Slammed for Mismanagement of Cybersecurity Retention Program
The Cybersecurity and Infrastructure Security Agency (CISA) has been criticized for mismanaging its Cybersecurity Retention Incentive program. An audit revealed significant issues, including improper payments and a lack of record-keeping.
CISA failed to adhere to federal regulations in running the program. It broadened eligibility requirements without establishing clear implementation processes and procedures. This led to employees without 'mission critical' cybersecurity skills receiving annual payments ranging from $21,000 to $25,000.
An audit identified $1.4 million in questionable back pay to 348 employees. Between 2020 and 2024, CISA paid over $138 million in incentives without proper record-keeping. The agency did not maintain records of recipients and corresponding payments.
CISA's lack of central management for the program resulted in potential waste of taxpayer funds and loss of cyber talent. The inspector general made eight recommendations to fix the program, which CISA concurred with. These include tracking recipients, reviewing employee eligibility annually, and exploring recoupment of errant payments.
Madhu Gottumukkala, the acting director of CISA, is responsible for implementing the inspector general's recommendations. The agency must address these issues to ensure the program's effectiveness and accountability. Proper management and record-keeping are crucial to prevent further misuse of funds and to retain vital cybersecurity talent.