It's not like they needed 28 people, assigned 28 feds to work on the project and then hired 28 contractors so the feds didn't have to do anything, but that appears to be what you are implying.
Like most large organizations, the government has tons of different projects going on at the same time. When they take on a new project, sometimes they use actual federal employees, sometimes they use contractors with federal oversight. Sometimes they use a mix of both feds and contractors. It usually depends on what kind of funding they can get approved. They do not often hire more people than they need for a particular project, because right now it's pretty hard to get money for anything, and most politicians remain grossly uninformed about the significance of anything having to do with computers.
It's a fact that an enormous amount of taxpayers' money gets wasted each year, but pen testing vital SCADA systems across the U.S. doesn't seem like a waste of time to me. I know that the article mentioned nessus, netcat, and nmap, but the tools that are used in the security world don't matter nearly as much as the people who are using them. Also, do you think that the NSA is really going to tell you every single piece of software that they are using for penetration testing? They were merely giving examples.
The program as described in the article is something I can get behind. This is the first time I've said that about a federal program in as long as I can remember. But $91 million? Really?
Two thoughts come to mind. First, even when they get it right, they get it wrong. Second, I wonder how many other, non-disclosed, activities are being funded with that money.
What is the NSA being paid to do?!