
Cyber Spending Oversights: CISA and DOD

Bola Ogbara

The DHS found that CISA wasted $1.41 million in the Cyber Incentive Program, and the GAO uncovered likely expensive overlap in DOD cyberspace operations.

Since President Trump took office a second time, there has been a large effort to shrink the federal government, specifically looking for wasteful spending and redundancies across departments and agencies. The Cybersecurity and Infrastructure Security Agency (CISA), the nation’s top cyber agency, has not been left unscathed: it lost a remarkable 10% of its workforce in March, lost more staff on critical projects like the Joint Cyber Defense Collaborative, and is facing massive budget cuts.


At the crux of these changes is the administration’s concern that CISA is not operating effectively. Just days before Trump was sworn in, Secretary of Homeland Security Kristi Noem said that “CISA needs to be much more effective, smaller, more nimble, to really fulfill their mission, which is to hunt and to help harden our nation’s critical infrastructure.” While Noem’s comments appeared to be deriding the agency’s initiatives fighting misinformation, particularly around the election, the past couple of weeks have seen some evidence of seriously damaging fund mismanagement at CISA.


On September 11, 2025, the Department of Homeland Security (DHS)’s Office of Inspector General (OIG) released a report describing the findings of an investigation into CISA’s Cyber Incentive program: CISA Mismanaged Cybersecurity Retention Incentive Program and Wasted Funds, Risking Critical Talent Retention. According to the audit document, the review was sparked by “a hotline complaint in FY 2023 alleging the Cyber Incentive program was marked by widespread waste, fraud, and abuse.” 


The Cyber Incentive Program (CIP) was launched in 2015, back when CISA was still the National Protection and Programs Directorate. The report explains that the aim of the CIP was “to help CISA retain mission-critical cybersecurity talent needed to execute its mission.” This was likely a response to the digital and cyber skills gap, a problem that was already concerning in 2015 and unfortunately has not improved much since: 2024 saw 500,000 vacant cybersecurity jobs in the US and new initiatives to strengthen the cyber workforce. In this context, incentivizing cyber talent to work at a federal agency may have appeared to be a clear way to find the “talented and highly motivated professionals” required to uphold CISA’s mission.


The program was offered “to employees who would otherwise be likely to leave Federal service for higher pay in the private sector.” It had two categories: the “group” incentive category, a group retention incentive of 10% of base pay, awarded depending on job description and work functions; and the “skills” incentive category, an individual retention incentive of 20% or 25% of base pay, awarded based on certifications from CISA’s approved list. Between these categories, skilled employees, or those in particular jobs, could expect significant salary increases.


According to the audit, these expectations were not carefully met: “CISA did not narrowly target mission-critical cybersecurity employees with unusually high or unique qualifications. Ineligible employees received incentive payments which ranged from approximately $21,000 to $25,000 annually.” 240 of the 1,401 CIP recipients (17%) were in Mission Support Offices, in roles “not directly related to cybersecurity,” which should have made them automatically ineligible for the incentive.


This negligence in distribution was likely related to other oversights in the program by CISA’s Office of the Chief Human Capital Officer (OCHCO). CISA OCHCO reportedly “did not maintain records of Cyber Incentive recipients and corresponding payments,” and when the OIG requested information about who was receiving the Cyber Incentive, it was not able to provide “an exclusive listing of the total number of employees who received the Cyber Incentive.” The OIG’s report describes messy management of the CIP by the OCHCO: it did not secure documentation proving that those receiving the incentive were likely to leave without it, did not review the incentives annually, did not update the certification list to reflect advancing technologies, and did not even have position descriptions for all employees. To top off this disorganization, CISA OCHCO paid $1.41 million to 238 Cyber Incentive recipients in unallowed back pay.


The audit attributes a number of these issues to the expansion of CIP eligibility requirements without proper development of implementation plans or centralized management, along with the DHS OCHCO not properly overseeing the program. As a result, “CISA’s implementation of the program wasted taxpayer funds and invites the risk of attrition of cyber talent, thereby leaving CISA unable to adequately protect the Nation from cyber threats.”


The DHS OIG wraps up the audit with eight recommendations for the CISA Director and the DHS OCHCO, requesting better reporting on incentive payments, stronger organization, and an assessment of repayment options. In an email to The Register, Madhu Gottumukkala, acting director of CISA, shared his thoughts on the steps outlined in the report: “CISA concurs with the recommendations to improve the cyber retention incentive program for a stronger CISA team and better stewardship of taxpayer dollars… We appreciate the Inspector General’s partnership for greater efficiency and optimization and will work to implement these changes.”


Gottumukkala, who replaced Bridget Bean as acting CISA Director in May 2025, also recently welcomed Nick Andersen as the new Executive Assistant Director for Cybersecurity. The addition to CISA’s leadership is noteworthy given the continued absence of a permanent Executive Director. Andersen has worked as President and Chief Operating Officer at Invictus, as Chief Information Security Officer at Lumen Technologies Public Sector, and, from 2019 to 2021, as Principal Deputy Assistant Secretary for the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response.


CISA is not the only cyber-related agency that was recently examined for overspending. On September 17, 2025, the US Government Accountability Office (GAO) published a report on the Department of Defense’s (DOD’s) cyberspace operations, covering 440 organizations, 61,000 personnel, and 9,500 contractors in the DOD. The GAO identified 70 organizations (mostly aligned with U.S. Cyber Command) supporting cyberspace operations, some with overlapping functions. Recognizing that “some overlap can be intentional and appropriate,” the report warns that “unnecessary overlap can lead to organizations paying for the same service or product twice or more.”


The GAO makes two recommendations for Executive Action to assess and reduce this overlap: (1) the Secretary of Defense should examine how similar cyberspace training courses overlap and how they can be consolidated into a streamlined, less expensive training model, and (2) the Secretary of Defense, with help from the Assistant Secretary of Defense for Cyber Policy, should assess opportunities to streamline DOD cybersecurity service providers to save money and operate more efficiently.


While these recommendations have yet to be implemented, hopefully their uptake will help the nation’s cyber agencies run more efficiently, saving taxpayer dollars at a time when agencies are already under the microscope for their budgeting habits.