The Cybersecurity and Infrastructure Security Agency (CISA) has not properly managed a fund intended to help retain cybersecurity workers, according to an audit released Thursday.

CISA did not “properly design, implement, comply with or manage” requirements for its Cybersecurity Retention Incentive program, according to the report from the Department of Homeland Security (DHS) inspector general.

From 2020 to 2024, CISA paid more than $138 million in cyber incentives in total. Auditors were not able to break down how all the money was spent because CISA’s Office of the Chief Human Capital Officer (OCHCO) “did not maintain records of Cyber Incentive recipients and corresponding payments,” the report said.

The inspector general’s office was able to identify $1.4 million in questionable back pay to 348 employees, the report said.

The agency failed to properly target who should qualify for the incentives and paid employees who lacked “mission critical” cybersecurity skills between $21,000 and $25,000 annually, the report said. The agency also failed to follow multiple federal regulations in running the incentives program, according to the report.

“These issues occurred because CISA broadened program eligibility requirements without creating detailed implementation processes and procedures and did not centrally manage the program,” the report says. “We found that CISA’s implementation of the program wasted taxpayer funds and invites the risk of attrition of cyber talent, thereby leaving CISA unable to adequately protect the nation from cyber threats.”

CISA concurred with all 8 recommendations the inspector general made for fixing the problem, the office said. Those include having the CISA director establish a program for tracking recipients of cyber incentives, review employee eligibility annually and explore whether the agency can recoup errant payments that have already been made.

A spokesperson for CISA did not immediately respond to a request for comment.