type: timeline_event
The Trump administration eliminated CISA's Cyber Retention Incentive (CRI) program on December 4, 2025, dealing a devastating blow to the nation's primary civilian cybersecurity agency already reeling from massive workforce losses. The decision terminated retention payments providing 10-25% salary supplements to nearly half of CISA's employees—payments specifically designed to prevent cybersecurity experts from leaving government for higher-paying private sector positions. The elimination came as CISA had already lost approximately 1,000 employees since Trump took office in January 2025, representing one-third of the agency's total workforce of roughly 3,300 employees.
The workforce exodus occurred through multiple waves of cuts throughout 2025, beginning with the "Fork in the Road" deferred resignation program in February, the "Valentine's Day Massacre" mass firing of over 130 probationary workers (including threat hunters, incident response team members, and analysts with top secret clearances), April layoffs of 405 DHS workers across cybersecurity divisions, and October shutdown-related terminations targeting CISA's Stakeholder Engagement Division which lost all 95 employees. By the time retention incentives were eliminated in December, mission-critical areas were already down 30-40% in staffing, with most division chiefs and regional office leaders having departed.
Former CISA Director Chris Krebs, fired by Trump in 2020 for affirming the integrity of the presidential election, expressed outrage at the workforce gutting during an RSA Conference appearance in April 2025. "Cybersecurity is national security," Krebs stated. "We need more Cyber Command, more folks at the NSA collecting intel, we need more front-line defenders, threat hunters, red teamers. We need more of that, not less." Krebs later created a matching website to connect fired CISA employees with prospective employers, noting that people should be "absolutely outraged" at the administration's cuts. His predecessor, Jen Easterly who served as CISA director under Biden, called the upheaval "a real loss for the federal government, but more so it's a loss for the American people," attributing workforce losses to "a mandate for loyalty to a person over loyalty to the Constitution of the United States of America."
Former NSA cybersecurity director Rob Joyce raised "grave concerns" that aggressive cuts would have a "devastating impact on the cybersecurity and our national security," noting that "remarkable technical talent was recruited into developmental programs" and that "eliminating probationary employees will destroy a pipeline of top talent responsible for hunting and eradicating [Chinese] threats." Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, was more direct: "Firing cyber personnel at CISA harms national security on a daily basis—this goes well beyond disruption and is actually causing destabilization."
The timing of the retention incentive elimination was particularly alarming given the escalating cyber threat environment. Just five days after the program termination, on December 9, 2025, CISA issued a joint cybersecurity advisory with the FBI, NSA, and international partners warning that pro-Russia hacktivist groups including Cyber Army of Russia Reborn, Z-Pentest, NoName057(16), and Sector16 were "actively engaging in opportunistic, low-sophistication malicious cyber activity" targeting U.S. critical infrastructure. The attacks successfully compromised Water and Wastewater, Food and Agriculture, and Energy sector systems, with hackers exploiting internet-facing VNC connections to infiltrate operational technology control devices, resulting in "varying degrees of impact, including physical damage."
CISA serves as the National Coordinator for the Security and Resilience of U.S. Critical Infrastructure under National Security Memorandum 22, coordinating protection efforts across 16 critical infrastructure sectors that form the backbone of American commerce and society. The agency acts as Sector Risk Management Agency for eight sectors including chemical, commercial facilities, critical manufacturing, emergency services, IT, communications, dams, nuclear facilities, and the elections subsector. Former intelligence community cybersecurity executive Laura Galante testified that CISA's workforce "is building out a real ability to communicate with state, local and other entities who have the tough job of really securing networks"—precisely the capability being decimated by the workforce collapse.
The retention incentive elimination followed a September 2025 DHS Inspector General audit finding that CISA "mismanaged" the Cyber Retention Incentive program by distributing more than $138 million between fiscal years 2020 and 2024 without adequately targeting payments to mission-critical personnel. The audit found CISA offered incentives "too broadly," including to employees without critical cybersecurity skills. However, rather than reform the program to focus on essential cybersecurity positions, the Trump administration simply terminated it entirely during a period of unprecedented workforce hemorrhaging and escalating cyber threats.
Industry partners reported "radio silence" from CISA as communications to critical infrastructure organizations in healthcare, energy, water, finance, and other sectors sharply decreased following the cuts. Congressional officials expressed alarm about the agency's ability to carry out its core mission. Senator Angus King called the workforce reductions "grave," noting the ongoing daily cyber threats facing American institutions. The National Association of State Chief Information Officers voiced concerns about risks to state and local cyber defenses with their primary federal partner effectively crippled.
Trump's proposed 2026 budget would cut CISA funding by nearly $500 million, reducing the workforce from 3,292 employees to 2,324—a 29% reduction—making the rebuilding of lost expertise highly unlikely. The elimination of retention incentives accelerated the expertise drain at precisely the moment when Chinese advanced persistent threat groups like Volt Typhoon, Salt Typhoon, and Flax Typhoon were conducting sophisticated intrusions into U.S. critical infrastructure to pre-position for potential conflict scenarios. The systematic dismantling of CISA's workforce represented a deliberate weakening of the nation's cyber defenses during a period of heightened adversarial activity, leaving critical infrastructure sectors vulnerable and state/local governments without federal cybersecurity coordination and support.