An audit that castigated the Cybersecurity and Infrastructure Security Agency’s cybersecurity pay incentives is worrying CISA staffers who say the report lacks context and could give the Trump administration an excuse to end a vital retention program.
The recent Department of Homeland Security inspector general report found that CISA had given the agency’s Cybersecurity Retention Incentive payments to hundreds of employees who didn’t qualify for them and that CISA wasn’t properly overseeing the incentives, which totaled $138 million from fiscal years 2020 to 2024. CISA paid $1.4 million in incentives to 348 people who didn’t deserve them, according to the report, which recommended that the agency consider “whether it is appropriate to seek repayment” from those workers.
Auditors said they had identified “240 employees who received the Cyber Incentive from various mission support offices whose role was not directly related to cybersecurity,” including on CISA’s strategy, external-affairs, and workforce-engagement teams.
The report is likely to shine a new spotlight on CISA, which has endured months of attacks from Trump administration leaders who have accused the agency of exceeding the scope of its authorities. DHS concurred with the report’s findings, suggesting a willingness to revisit how cyber pay incentives work.
CISA employees told Cybersecurity Dive that they were concerned about the administration eliminating the program altogether. Multiple employees said the incentives were a big part of why they were still at the agency.
Some staffers said that while the auditors raised valid points about the incentives’ vague criteria, the report overlooked important nuances, including the fact that direct cybersecurity practitioners aren’t the only employees who need cyber experience and knowledge.
“What I think the current administration (unknowingly or perhaps willfully) doesn’t realize is that cyber knowledge is even needed when not ‘directly related to cybersecurity,’” said one employee, who — like the others interviewed for this story — requested anonymity to avoid retaliation. “You need this knowledge no matter where you work in the agency to assist those that are ‘directly related.’”
It is unusual, the employee said, to suggest that people who craft policies and strategies aren’t doing cybersecurity work. “How can you design an effective cybersecurity strategy or plan if you don’t understand the underlying cyber issues?” the employee said. They argued that the same was true for CISA’s external-engagement team: “If you want to raise the awareness of something like ransomware, you need to know what it is [and] how it’s used, detected and combated.”
“These people aren’t dissecting malware,” the employee added, “but the positions require a strong unique understanding of cybersecurity to interact with the public and those that do [perform technical work].”
Another CISA employee agreed that the report highlighted complicated questions about how to define eligibility. “Should people who don’t code or run scripts, but are important in other ways, be eligible?” this person asked.
Even so, multiple employees said scrutiny of the program’s shortcomings was fair.
“I think the program has been abused by people not associated with cyber,” said the second employee.
A third employee said the report seemed “fairly on point.”
Risk of cyber brain drain
But as DHS and CISA revise the incentives, there is a chance that the government will restrict the payments so much that it pushes out truly vital workers. That alarmed CISA employees who said their agency couldn’t afford to lose many more people after the Trump administration cut one-third of its workforce.
“The report highlights some legitimate questions of who has been receiving cyber pay and if their role really needs it,” said a fourth CISA employee. “However, any adjustment or threats to take away or reduce cyber pay [will] significantly stress the CISA workforce, which is already reeling from losses (both departures and firings) since January.”
As CISA implements auditors’ recommendations to rein in incentive payments — the agency estimated it would take until the end of next summer to do so — employees are worried about what will change.
“My personal thinking is that this is another way to (a) reduce federal worker pay so that they are encouraged to leave and (b) reduce the funding for CISA,” said the first employee.
