Overview
The following executive branch agencies did not ensure that all of their employees completed cybersecurity awareness training during the audit period: the Civil Service Commission (CSC), the Department of Labor Standards (DLS), the Department of Mental Health (DMH), the Department of Public Health (DPH), the Department of Revenue (DOR), the Massachusetts Department of Transportation (MassDOT), the Group Insurance Commission (GIC), the Massachusetts Parole Board (MPB), and the Registry of Motor Vehicles (RMV).
Regarding the completion rates for the initial cybersecurity awareness training, we observed that 445 newly hired employees completed training late, while 601 did not complete training at all. Regarding the completion rates for the annual refresher cybersecurity awareness training, we observed that 156 existing employees completed training late, while 951 did not complete training at all.
The table and graph below show our findings for these agencies regarding initial cybersecurity awareness training.
On-Time Cybersecurity Awareness Training Completion Rates for Executive Branch Agencies: Newly Hired Employees
Agency | On-Time Initial Training Completion Percentage | Total Number of Employees Tested | Number of Tested Employees Who Completed Training Late | Number of Tested Employees Who Did Not Complete Training |
---|---|---|---|---|
CSC | 0.0% | 1 | — | 1 |
DMH | 54.3% | 905 | 148 | 266 |
DPH | 66.4% | 524 | 83 | 93 |
DOR | 97.8% | 229 | — | 5 |
MassDOT | 44.1% | 742 | 185 | 230 |
GIC | 66.7% | 3 | 1 | — |
MPB | 76.2% | 21 | 5 | — |
RMV | 67.8% | 90 | 23 | 6 |
The table and graph below show our findings for these agencies regarding annual refresher cybersecurity awareness training.
On-Time Cybersecurity Awareness Training Completion Rates for Executive Branch Agencies: Existing Employees
Agency | On-Time Annual Refresher Training Completion Percentage | Total Number of Employees Tested | Number of Tested Employees Who Completed Training Late | Number of Tested Employees Who Did Not Complete Training |
---|---|---|---|---|
CSC | 70.0% | 10 | — | 3 |
DLS | 98.3% | 58 | 1 | — |
DMH | 90.9% | 3246 | 30 | 265 |
DPH | 86.9% | 2911 | 26 | 355 |
DOR | 99.5% | 1356 | — | 7 |
MassDOT | 89.2% | 3455 | 91 | 284 |
MPB | 99.3% | 151 | — | 1 |
RMV | 91.0% | 488 | 8 | 36 |
If executive branch agencies do not ensure that all of their employees complete cybersecurity awareness training, then they may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.
Authoritative Guidance
EOTSS’s Information Security Risk Management Standard IS.010 states,
6.2.3 New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. This course shall be conducted via web-based learning or in class training and shall be included in the new hire orientation checklist. The New Hire Security Awareness course must be completed within 30 days of new hire orientation.
6.2.4 Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training. Once implemented, automatic email reminders will be sent to personnel 12 months after course completion, alerting personnel to annual refresher training completion deadlines.
Reasons for Issue
Management from each of the following executive branch agencies provided us with the following reasons for noncompliance:
- CSC management stated that contracted attorneys and interns were not on the list of employees required to complete the cybersecurity awareness training.
- DLS management stated that they are not sure what the reason was for the late training completion of the employee from our finding, other than that the employee overlooked the training due date. DLS management noted that this employee is no longer with DLS.
- DMH management sent us an email on February 16, 2024 regarding the employees from our finding, stating that these are “Employees who do not have [computer] Network Access—these staff are exempt.”
- DPH management stated that the staff members from our finding started their cybersecurity awareness training but did not complete the full training.
- DOR management stated that some of the employees from our finding had job duties that did not require them to have computer network access, while others separated from DOR shortly after their training due date had passed, leaving no time for DOR to enforce training completion.
- MassDOT management and RMV management stated that employees missed the training deadline and that interns did not receive cybersecurity awareness training because MassAchieve did not assign them training.
- GIC management stated that the employee from our finding left the agency shortly after starting and did not complete the training before their departure.
- MPB management stated that newly hired employees have assigned joint orientation/training days, which may have been scheduled past the 30 days from hire dates for some staff. Regarding refresher training, it appears that one employee who was found not to have completed the training completed only 2 out of the 5 required sections of the cybersecurity training.
Recommendations
The aforementioned nine executive branch agencies should do the following:
- provide cybersecurity awareness training (both an initial training within 30 days of orientation and an annual refresher training thereafter) to all full-time employees, contractors, and interns;
- establish procedures to monitor employee cybersecurity awareness training completion rates throughout the training cycle and use historical data retained by HRD to ensure employees meet training deadlines; and
- implement additional controls to ensure that the new hire onboarding process includes all required coursework regarding cybersecurity awareness training.
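The monitoring procedure recommended above reduces to a deadline check against the two IS.010 rules quoted in the finding: the initial course is due 30 days after orientation, and the refresher is due 12 months after the previous completion. The script below is an added example of that check, not code from the Office of the State Auditor, EOTSS or MassAchieve. It buckets each employee's record into the same on-time, late and not-completed columns the tables use, computes the on-time percentage, and lists employees whose deadline is approaching so reminders can go out before the deadline rather than after it. The employee records are constructed sample data, and treating "12 months" as 365 days is this example's assumption.

```python
"""Deadline check for the IS.010 training rules (added example; not the OSA's or EOTSS's code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Deadlines from EOTSS IS.010 sections 6.2.3 and 6.2.4 as quoted in the finding.
# Treating "12 months" as 365 days is this example's assumption; the standard
# does not define the month length.
INITIAL_DEADLINE = timedelta(days=30)
REFRESHER_DEADLINE = timedelta(days=365)


@dataclass(frozen=True)
class Record:
    employee_id: str
    anchor: date                 # orientation date (initial) or previous completion (refresher)
    completed: Optional[date]    # completion date of the course, or None if never completed


def deadline_for(rec: Record, kind: str) -> date:
    """Return the date by which the course must be completed for this record."""
    if kind == "initial":
        return rec.anchor + INITIAL_DEADLINE
    if kind == "refresher":
        return rec.anchor + REFRESHER_DEADLINE
    raise ValueError(f"unknown training kind: {kind!r}")


def classify(rec: Record, kind: str, as_of: date) -> str:
    """Bucket a record the way the audit tables do (on_time, late, not_completed),
    plus 'pending' for employees whose deadline has not yet passed as of `as_of`."""
    due = deadline_for(rec, kind)
    if rec.completed is None:
        return "pending" if as_of <= due else "not_completed"
    return "on_time" if rec.completed <= due else "late"


def summarize(records, kind: str, as_of: date) -> dict:
    """Produce the columns of the finding's tables for one agency.
    Employees still inside their deadline are not counted as tested."""
    counts = {"on_time": 0, "late": 0, "not_completed": 0, "pending": 0}
    for rec in records:
        counts[classify(rec, kind, as_of)] += 1
    tested = counts["on_time"] + counts["late"] + counts["not_completed"]
    pct = round(100.0 * counts["on_time"] / tested, 1) if tested else 0.0
    return {"tested": tested, "on_time_pct": pct, **counts}


def due_soon(records, kind: str, as_of: date, window: timedelta) -> list:
    """Employees who have not completed the course and whose deadline falls within
    `window` of `as_of`: the reminder list a monitoring procedure would send out."""
    return [
        rec.employee_id
        for rec in records
        if rec.completed is None and as_of <= deadline_for(rec, kind) <= as_of + window
    ]


# Constructed sample data (not from the audit): a snapshot taken on 1 March 2024.
AS_OF = date(2024, 3, 1)
INITIAL_SAMPLE = [
    Record("E1", date(2024, 1, 2), date(2024, 1, 20)),   # due 2024-02-01, done early
    Record("E2", date(2024, 1, 2), date(2024, 2, 15)),   # done two weeks late
    Record("E3", date(2024, 1, 2), None),                # deadline passed, never done
    Record("E4", date(2024, 2, 20), None),               # due 2024-03-21, still pending
]
REFRESHER_SAMPLE = [
    Record("R1", date(2023, 1, 15), date(2024, 1, 10)),  # due 2024-01-15, on time
    Record("R2", date(2023, 1, 15), date(2024, 2, 1)),   # late
    Record("R3", date(2023, 2, 28), None),               # due 2024-02-28, not completed
    Record("R4", date(2023, 3, 10), None),               # due 2024-03-09, pending
    Record("R5", date(2023, 1, 15), date(2024, 1, 14)),  # on time
]

if __name__ == "__main__":
    print("initial  :", summarize(INITIAL_SAMPLE, "initial", AS_OF))
    print("refresher:", summarize(REFRESHER_SAMPLE, "refresher", AS_OF))
    print("remind (initial, 30d)  :", due_soon(INITIAL_SAMPLE, "initial", AS_OF, timedelta(days=30)))
    print("remind (refresher, 14d):", due_soon(REFRESHER_SAMPLE, "refresher", AS_OF, timedelta(days=14)))
```

Run monthly against the agency's employee list, the `summarize` output reproduces the table columns for the current cycle, and `due_soon` gives managers the names to chase while completion is still achievable; separation dates would be added to the record so that employees who left before their deadline can be excluded from the tested population rather than counted as not completed.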
We appreciate the following responses provided by the executive branch agencies:
Auditee’s Response: CSC
CSC appreciates receiving clarification from the Office of the State Auditor that seasonal interns and contract employees are required to complete the cybersecurity awareness training. In response, CSC had the seasonal interns and contract employee at the time immediately complete the required cybersecurity training. Going forward, any CSC interns and contract employees will be required to complete the same initial and refresher cybersecurity training as all regular CSC employees, ensuring 100% compliance with this requirement.
Auditor’s Reply: CSC
Based on its response, CSC has taken measures to address our concerns regarding this matter.
Auditee’s Response: DLS
[DLS] management agrees with the finding. As [the Office of the State Auditor] has affirmed, we now have a program to ensure employees are trained in a timely manner. This is demonstrated by the 100% completion for new hires and near completion for existing employees. Of the two existing employees whose training was not completed by the deadline, one staff was one (1) day late due to her supervisor leaving and the new supervisor not receiving the alerts, while the other staff is no longer an [Executive Office of Labor and Workforce Development] employee. Regardless, we will continue to reinforce timely completion by sending email reminders.
Auditor’s Reply: DLS
Based on its response, DLS will take measures to address our concerns regarding this matter.
Auditee’s Response: DMH
As DMH indicated to the [Office of the State Auditor] during the audit, 417 of the newly hired individuals are contract employees who do not have any network access. Consequently, they do not need cybersecurity training. In fact, providing this training would unnecessarily expend resources and increase security risk, as DMH would need to create network access solely to provide the training.
DMH recognizes that the [Office of the State Auditor] assesses compliance with the policy or standard as written, and that it reads Section 6.2 of EOTSS’s Information Security Risk Management Standards as requiring cybersecurity training for “all personnel.” Indeed, Section 6.2 states that “all personnel” must be trained. The immediately preceding sentence, however, states that the objective of the cybersecurity training is to educate “users” on their cybersecurity responsibilities. Respectfully, DMH views the word “personnel” in the second sentence as referring to the “users” referred to in the first sentence. Thus, per DMH’s reading, only “users” must be trained. . . .
The data used for this finding had some limitations, as indicated during the audit. Some employees were hired after the end date that the 2021 annual cybersecurity training was due; some left state service and then returned after the due date for the 2021 cybersecurity training; and, on account of system limitations, DMH was unable to determine dates that some staff left DMH. DMH understands that data of the sort required and assessed here typically has limitations, and that the Auditor’s Office needs to utilize data as provided, but the number here likely is not accurate.
Auditor’s Reply: DMH
Section 2 of Chapter 7D of the Massachusetts General Laws mandates that all executive branch state agencies, including DMH, “adhere to the policies, procedures and objectives established by the executive office of technology services and security.” DMH must ensure that contractors are trained in compliance with EOTSS’s Information Security Risk Management Standard IS.010.
Regarding the definition of “personnel,” we maintain that EOTSS’s Information Security Risk Management Standard IS.010 states, “All new personnel must complete an Initial Security Awareness Training course,” and that EOTSS does not provide an exemption to this policy for employees who lack access to computers.
We urge DMH to implement an alternative method for employees without system access to complete their training, such as offering a paper-based training option. We recognize that some agencies may disagree with EOTSS standards, but nonetheless, these standards exist. Cybersecurity awareness policies are not just guidelines; they are essential safeguards in today’s digital landscape. Comprehensive employee training and shared responsibility are critical to mitigating potential cyber threats. It is important to consistently assess and reinforce cybersecurity measures to ensure that policies are effective, compliance is maintained, and public trust in the agency’s ability to safely manage data is upheld. These policies exist to protect both individuals and organizations, fostering a secure and safe digital environment.
Regarding the data’s limitations, we conducted a data reliability assessment on the information DMH provided to us, ensuring the completeness and accuracy of DMH’s employee list. As we have recommended, we believe that DMH should establish procedures to (1) monitor employee cybersecurity awareness training completion rates throughout the training cycle, (2) accurately track the dates when employees leave the agency, and (3) use historical data retained by HRD to ensure that employees meet training deadlines.
Auditee’s Response: DPH
1. Provide cybersecurity awareness training (both an initial training within 30 days of orientation and an annual refresher training thereafter) to all full-time employees, contractors, and interns.
a. The training is offered through MassAchieve within 30 days of start and annually.
b. DPH has increased staffing in this area and developed and implemented a robust system of reminders for all staff who are incompliant starting in December of each year.
c. We promote completion of this training by alerting staff to the consequence of shut-off by EOTSS.
d. This past fiscal year we achieved near perfect completion with less than 10 shut offs.
2. Establish procedures to monitor employee completion throughout the training cycle to ensure that staff are meeting the training deadlines.
a. Our staff run reports monthly and have empowered each bureau, office and hospital to run their own custom-built reports.
b. We established standard communications to go out to supervisors and incompliant staff.
We appreciate the insights provided by the audit and are addressing these findings promptly.
Auditor’s Reply: DPH
Based on its response, DPH has taken measures to address our concerns regarding this matter.
Auditee’s Response: DOR
DOR agrees with the results of the audit. The employees who did not complete the training during the audit period were employees with no access to computers or were separated from DOR shortly after hire.
DOR will continue to utilize MassAchieve to track employee completion throughout the training cycle.
In [fiscal year 2024], DOR implemented the process of “paper training,” where Employees with no access to computers and/or systems will take the training in person, in a class organized by their managers, and sign an acknowledgement that they have received, taken and understand the training. Information will be uploaded to MassAchieve.
DOR will incorporate cybersecurity awareness training into the new hire process, where the course is added to DOR’s Learning Management System (LMS—DOR’s internal training system). LMS system also will be used to track completion and follow up with new hires that have not completed the training. Information will be uploaded to MassAchieve.
Auditor’s Reply: DOR
Based on its response, DOR has taken, and will continue to take, measures to address our concerns regarding this matter.
Auditee’s Response: MassDOT and RMV
As of 2024, MassDOT has transitioned to using only the MassAchieve LMS, eliminating confusion for employees regarding where to find and complete assigned training. Furthermore, statewide improvements, such as increased frequency of reminders from HRD, have helped improve performance. Additionally, EOTSS has followed through on removing access to those who do not complete cybersecurity training on time. MassDOT has used this consequence to effect in our messaging to further incentivize timely completion of cybersecurity training and has collaborated with EOTSS as needed to reinstate access for individuals who had their access removed due to non-compliance. . . .
In the 2023–24 training cycle MassDOT implemented procedures to continue to support the agency’s efforts in meeting its compliance obligation. This includes earlier distribution of targeted activity reports, making it easier for managers to identify those yet to complete training. Reports are shared on an increasing cadence as the training deadline approaches.
Auditor’s Reply: MassDOT and RMV
Based on their response, MassDOT and RMV have taken measures to address our concerns regarding this matter.
Auditee’s Response: GIC
GIC was given the opportunity to respond to a draft version of this audit report and did not provide a written response.
Auditee’s Response: MPB
MPB concurs with [the Office of the State Auditor’s] recommendations to (1) provide cybersecurity awareness training (both an initial training within 30 days of orientation and an annual refresher training thereafter) to all full-time employees, contractors, and interns; and (2) establish procedures to monitor employee completion throughout the training cycle to ensure that staff are meeting the training deadlines.
To improve timely completion of cybersecurity training for new hires, MPB will modify its existing “Checklist for Employee Orientation” form to specify due dates for completion of cybersecurity training and include an acknowledgement receipt upon completion.
Bi-weekly Managers’ Meetings will be utilized to further monitor adherence to the training deadlines.
Auditor’s Reply: MPB
Based on its response, MPB will take measures to address our concerns regarding this matter.
Date published: November 8, 2024