CISA eliminates pay incentives as it changes how it retains top cyber talent

The Cybersecurity and Infrastructure Security Agency (CISA) is eliminating a program it used to retain uniquely valuable security professionals after an audit found that the agency had mismanaged the program.

In 2015, CISA’s predecessor inside the Department of Homeland Security created the Cybersecurity Retention Incentive (CRI) program to offer extra money to employees who were likely to leave the government for higher-paying private-sector jobs. CRI incentives were intended to apply only to a narrow subset of CISA employees with specialized cybersecurity skills. But, in September, the DHS inspector general found that CISA was offering the incentives too broadly.

In a statement to Cybersecurity Dive, CISA said it would soon end the CRI program.

“The CRI program was never meant to be a permanent program, but was a temporary retention solution until the Cyber Talent Management System (CTMS) was operational,” said Marci McCarthy, CISA’s director of public affairs. “With that in mind, CISA intends to sunset the CRI program and fully utilize CTMS to recruit, hire, and retain its cyber workforce in the future.”

DHS launched CTMS during the Biden administration to create a faster hiring pathway for cyber staffers and offer those employees higher pay than they would normally qualify for as government workers.

The CRI program will end in two phases, according to a question-and-answer document for CISA employees seen by Cybersecurity Dive. “All non-cyber positions will be disenrolled from the CRI program on April 4, 2026,” the document said, “with the entire CRI program slotted to be sunset by September 30, 2026.”

Bloomberg first reported CISA’s decision to end the program.

It remains unclear what will happen to employees receiving CRI payments, which often total tens of thousands of dollars per year. The incentives begin at 10% of an employee’s salary and top out at 25%.

In a recent staff memo announcing a hiring initiative, CISA’s acting director said that “existing employees retained under cyber retention incentives may … be transitioned to CTMS roles.” CISA leaders made similar comments during a Nov. 19 town-hall meeting, according to a person familiar with the matter.

Transitioning CRI recipients into CTMS would allow CISA to continue paying them effectively the same amount, but in the form of a salary above the standard government pay cap, rather than as supplements to the typical government salary.

It is unclear, however, how many employees will be transitioned. “Currently, you have to completely recompete for CTMS,” said a second person familiar with the matter. “They’ll have to significantly overhaul that system.” DHS, not CISA, runs CTMS, and while CISA could ask DHS to waive the recompete requirement, this person said they doubted DHS would be “willing to make those accommodations.”

There are also logistical challenges. More than 70% of employees in CISA’s Cybersecurity Division receive CRI payments, according to the second person familiar with the matter. “I have no faith they will be able to navigate the process to convert the entire workforce to a new program in less than a year.” CTMS is “a much better program,” this person said, and the change is “overall the right thing to do,” but, “I just have doubts it can be implemented in time.”

CISA did not address the recent IG report in its statement about ending CRI, but it indicated that concerns about wasted funds factored into the decision.

“As the nation’s cyber defense agency,” McCarthy said, “it’s critical that we hire and retain talented and driven experts to develop and deliver intelligence, services and support to critical infrastructure while ensuring good stewardship of taxpayer dollars.”

In the employee FAQ document, CISA promised to release an overview of its incentive policies by the end of March. “Those programs will have a series of reviews and internal controls that will effectively meet audit compliance,” the document said.


