Audit of Cape Cod Community College Overview of Audited Entity

Cape Cod Community College (CCCC) was established by Section 5 of Chapter 15A of the Massachusetts General Laws and operates under the direction of an eleven-member board of trustees, the members of which are appointed by the Governor. The board of trustees is responsible for overseeing long-term planning, managing financial resources, and determining organizational structure.

According to CCCC’s website,

CCCC delivers educational programs and services to meet the diverse needs of the residents of Cape Cod, the Greater Plymouth Area, Martha’s Vineyard, and Nantucket, across the Southeastern Coastal Region of Massachusetts. [CCCC] is the only comprehensive college on Cape Cod offering Associate of Arts, Associate of Science, Associate of Applied Science degrees, and academic certificate programs in a wide variety of areas.

CCCC is a member of the Massachusetts public higher education system, which consists of 15 community colleges, nine state universities, and five University of Massachusetts campuses. The main campus is located in West Barnstable.

According to CCCC’s 2022–2023 Academic Catalog, each semester, approximately 2,500 students enroll at the college, with 85% pursuing degree or certificate programs. Approximately 69% of students attend part-time. The college employs 61 full-time faculty members and over 220 part-time adjunct faculty.

In fiscal year 2022, CCCC’s operating revenue (i.e., tuition; fees; federal, state, and private grants; and contracts) was $17,251,790 and its nonoperating revenue (i.e., state appropriation, federal assistance, and interest income) was $33,569,768. In fiscal year 2023, CCCC’s operating revenue was $20,670,710 and its nonoperating revenue was $22,893,508.

 As a participant in federal student financial aid programs under Title IV of the Higher Education Act of 1965, CCCC is required to comply with the Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act). The Clery Act is a federal law that requires institutions to disclose campus crime statistics and other related security information in the form of an annual security report (ASR) to students and the public.¹ The Clery Act was initially enacted as Title II of the Crime Awareness and Campus Security Act of 1990, which was signed into law as an amendment to the Higher Education Act of 1965. In 1998, this law was amended and renamed the Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act in memory of a student who was raped and murdered in her dormitory at Lehigh University. In 2013, the act was amended to include statistics, policies, and programs related to domestic violence, dating violence, sexual assault, and stalking. The purpose of the Clery Act is to improve transparency and accountability in campus safety. Institutions covered by the Clery Act must comply with specific requirements outlined in the Clery Act Appendix of the Federal Student Aid Handbook² including those listed in the table below.

Clery Act Requirements—The Basics

Source:  The Clery Act Appendix of the Federal Student Aid Handbook

The US Department of Education (US DOE) conducts compliance reviews and audits to ensure that all higher education institutions receiving federal funds adhere to the Clery Act; it also imposes fines on institutions that do not comply.

All institutions of higher education with campus security or police departments, and which are subject to the Clery Act, must maintain a daily crime log of all crimes reported to them and any crimes that have occurred within an institution’s Clery geography. Clery geography includes buildings and property that are part of an institution’s campus (e.g., classroom buildings or cafeterias); an institution’s non-campus buildings and property (e.g., institution-owned bookstores located off campus, apartment buildings owned or controlled by the institution, and sorority- and fraternity-owned chapter houses); and public property within or immediately adjacent to and accessible from an institution’s campus (e.g., public streets, sidewalks, and parking lots). The CCCC Department of Public Safety maintains, controls, and monitors CCCC’s daily crime log.

According to the Clery Act, “The institution must make the crime log for the most recent 60-day period open to public inspection during normal business hours . . . [and] make any portion of the log older than 60 days available within two business days of a request for public inspection.”

Clery Act crimes fall into four categories: (1) criminal offenses, such as murder, rape, statutory rape, robbery, or arson; (2) arrests and disciplinary action referrals for liquor law violations, drug law violations, or illegal weapon possession; (3) hate crimes, such as intimidation or simple assault motivated by bias; and (4) Violence Against Women Act offenses, which include domestic violence, dating violence, and stalking. (See the Appendix for more information.) These crimes must be recorded based on the Clery geography categories of on-campus, non-campus buildings or property, or public property. CCCC students, employees, and visitors report crimes that occur within CCCC’s Clery geography to CCCC’s Department of Public Safety or a campus security authority (CSA). (See the "Crime Reporting" section of this report for more information.)

According to Number 202 of Volume 79 of the Federal Register, dated October 20, 2014, CSA is a term that refers to “an official of an institution who has significant responsibility for student and campus activities, including, but not limited to, student housing, student discipline, and campus judicial proceedings.” CSAs are required to report any Clery Act crimes to their campus security or police department,³ such as CCCC’s Department of Public Safety, regardless of whether the victim or witness decides to report it.

According to Section 668.46(a) of Title 34 of the Code of Federal Regulations, the following individuals meet the CSA criteria:

1. A campus police department or a campus security department of an institution.
2. Any individual who has responsibility for campus security but does not constitute a campus police or a campus security department . . . such as an individual who is responsible for monitoring entrance into institutional property.
3. Any individual or organization specified in an institution’s statement of campus security policy as an individual or organization to which students and employees should report criminal offenses.
4. An official of an institution who has significant responsibility for student and campus activities, including, but not limited to, student housing, student discipline, and campus judicial proceedings.

CCCC’s Department of Public Safety is responsible for identifying CSAs, notifying CSAs of their responsibilities on an ongoing basis, and training CSAs annually. During the audit period, CCCC did not have an established process for identifying, notifying, and training CSAs.

Institutions of higher education subject to the Clery Act are required to publish an ASR that provides accurate information on campus crime statistics and security-related details for the three most recent calendar years. Institutions of higher education compile the crime statistics in accordance with definitions provided by the Federal Bureau of Investigation for use in the Uniform Crime Reporting Program. The table below details information that institutions of higher education must include in their ASRs in accordance with the Clery Act.

Required Contents of the ASR

Source: The Clery Act Appendix of the Federal Student Aid Handbook

This report must be distributed to the entire campus community, including employees and current and prospective students, by October 1 of each year. The campus safety survey administrator must also submit the Clery Act crime statistics within the ASR to US DOE annually. CCCC electronically submits campus crime statistics to US DOE, publishes its ASR on its website, and notifies CCCC’s campus community of the report through email annually. 

CCCC students, employees, and visitors may report alleged incidents, suspicious activities, or emergencies by contacting CCCC’s Department of Public Safety in person or by telephone, or by reporting them to a different CSA. According to the Clery Act, a crime is considered reported when any person, including the victim, a witness, a third party, or an offender brings it to the attention of CCCC’s Department of Public Safety, a different CSA, or a local law enforcement agency.

According to CCCC’s website,

The Cape Cod Community College Department of Public Safety is here to protect and serve the campus community. The College employs [Peace Officer Standards and Training]-certified police officers and security officers to provide public safety and emergency services. Additionally, there are partnerships with the Massachusetts State Police, Barnstable County Sheriff’s Office and the West Barnstable Fire Department to support operations and campus officers have direct radio communication with Barnstable Police in an emergency.

CCCC management explained that there was turnover in the chief of police and public safety position during the audit period. Currently, CCCC’s Department of Public Safety comprises a director of public safety, who also serves as CCCC's chief of police and public safety, and an investigator. Both the director of public safety and the investigator are sworn officers commissioned in accordance with Section 63 of Chapter 22C of the General Laws, and they meet the standards set by the Commonwealth of Massachusetts Peace Officer Standards and Training Commission. They can make arrests, carry firearms, and investigate crimes on campus. Additionally, CCCC’s Department of Public Safety has three security officers and additional contracted security personnel members who are uniformed public safety professionals authorized to enforce campus rules and regulations. These security officers do not carry firearms or make arrests.

According to the director of public safety, during the audit period, during the audit most reports of alleged incidents were made through telephone calls to CCCC’s Department of Public Safety. Once received, the alleged incidents were entered into the Department of Public Safety’s daily crime log within CCCC’s case management system. All security officers had access to enter incidents into this log. During the audit period, the former chief of police and public safety was responsible for reviewing the daily crime log for completeness and accuracy. The daily crime log was then published on CCCC’s website each week.

During the audit period, if an individual who was a CSA witnessed or received a report of an incident related to prohibited conduct (which may or may not be related to a crime), then they were required to report the incident using the Code of Conduct Incident Report Form found on CCCC’s website. The report needed to include the reporter’s contact information, along with the date, time, and location of the alleged incident; information about the parties involved and the type of alleged prohibited conduct; and details of the alleged incident. Once the form was submitted, the information was recorded in CCCC’s student disciplinary action records management system, which sent an email notification to the applicable CCCC office (Student Conduct, Title IX,⁴ or Wellness) responsible for addressing the type of alleged incident.

During the audit period, on an annual basis, the former chief of public safety would review the daily crime log for Clery Act crimes and reach out to CCCC’s associate dean of students to obtain any student disciplinary actions that were required by the Clery Act to be included in CCCC’s ASR. CCCC published its completed ASR on its website annually. According to CCCC’s 2023 ASR, “An email notification is made to all enrolled students, faculty, and staff on how to access the Annual Security Report both on-line and in printed form.”

Additionally, CCCC must submit crime statistics for the three most recent calendar years to US DOE annually. 

CCCC’s “Cyber / Information Security Awareness Training” policy requires all information system users to complete cybersecurity awareness training upon hire and at least annually thereafter. This aligns with Section AT-3 of Revision 5 of the National Institute of Standards and Technology’s Special Publication 800-53, a best practice for information system security, which advocates for providing cybersecurity awareness training to system users as part of initial training and at a frequency defined by the organization thereafter.

Additionally, the Executive Office of Technology Services and Security (EOTSS) has established policies and procedures that apply to all Commonwealth agencies within the executive branch. EOTSS recommends, but does not require, non-executive branch state agencies to follow these policies and procedures. Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010⁵ requires that all newly hired employees complete an initial cybersecurity awareness training course within 30 days of their orientation. Since CCCC’s policy does not specify a timeframe for this initial training, we used EOTSS’s standard as a best practice to measure CCCC’s performance during the audit period in this area.

During the audit period, CCCC’s chief information officer assigned an email address to all employees, thereby classifying them as information system users. According to CCCC management, it recommended but did not mandate that all information system users complete initial training (which included cybersecurity awareness training) and annual refresher cybersecurity awareness training thereafter. CCCC used a third-party, web-based training program to provide and track CCCC’s cybersecurity awareness training during the audit period.