Audit of the Department of Fire Services Overview of Audited Entity

The Department of Fire Services (DFS) was established under Section 109 of Chapter 151 of the 1996 Massachusetts Acts and Resolves and codified in Section 1 of Chapter 22D of the Massachusetts General Laws. The State Fire Marshal directs DFS and its divisions. The Executive Office of Public Safety and Security develops policies and oversees the budget for DFS.

According to its internal control plan, DFS’s mission is as follows:

To provide the citizens of Massachusetts with the ability to create safer communities; to assist and support the fire service community in the protection of life and property; to promote and enhance firefighter safety; and to provide a fire service leadership presence in the Executive Office of Public Safety and Security in order to direct policy and legislation on all fire related matters.

DFS provides training and assistance to fire departments in the Commonwealth through its Massachusetts Firefighting Academy. DFS provides further assistance to communities through its Hazardous Materials Emergency Response Division, Special Operations Team, Fire and Explosion Investigation Unit, and Division of Fire Safety.

DFS’s state appropriations for fiscal years 2021, 2022, and 2023 were $31,897,664, $30,092,332, and $32,444,914, respectively.

In 1999, the World Wide Web Consortium (W3C), an international nongovernmental organization responsible for internet standards, published the Web Content Accessibility Guidelines (WCAG) 1.0 to provide guidance on how to make web content more accessible to people with disabilities.

In 2005, the Massachusetts Office of Information Technology,¹ with the participation of state government webpage developers, including developers with disabilities, created the Enterprise Web Accessibility Standards. These standards required all state executive branch agencies to follow the guidelines in Section 508 of the Rehabilitation Act amendments of 1998. These amendments went into effect in 2001 and established precise technical requirements to which electronic and information technology (IT) products must adhere. This technology includes, but is not limited to, products such as software, websites, multimedia products, and certain physical products, such as standalone terminals.

In 2008, W3C published WCAG 2.0. In 2014, the Massachusetts Office of Information Technology added a reference to WCAG 2.0 in its Enterprise Information Technology Accessibility Standards.

In 2017, the Executive Office of Technology Services and Security (EOTSS) was designated as the Commonwealth’s lead IT organization for the executive branch. EOTSS is responsible for the development and maintenance of the Enterprise Information Technology Accessibility Standards and the implementation of state and federal laws and regulations relating to accessibility. As the principal executive agency responsible for coordinating the Commonwealth’s IT accessibility compliance efforts, EOTSS supervises executive branch agencies in their efforts to meet the Commonwealth’s accessibility requirements.

In 2018, W3C published WCAG 2.1, which built on WCAG 2.0 to improve web accessibility on mobile devices and to further improve web accessibility for people with visual impairments and cognitive disabilities. EOTSS published the Enterprise Information Technology Accessibility Policy in 2021 to meet Levels A and AA of WCAG 2.1.

Timeline of the Adoption of Website Accessibility Standards by the Federal Government and Massachusetts
 

While EOTSS establishes standards for executive branch agencies, individual agencies, such as DFS, are responsible for ensuring that their IT solutions and web content fully comply with EOTSS’s accessibility standards. The organization chart below shows the structure of EOTSS and other executive branch agencies. When publishing digital content to Mass.gov or other platforms, state agencies must comply with EOTSS’s Web Design Guidelines, which were published in 2020 based on the federal 21st Century Integrated Digital Experience Act. This law helps state government agencies evaluate their design and implementation decisions to meet state accessibility requirements.

Organization of Information Security for the Commonwealth²
 

Government websites are an important way for the general public to access government information and services. Deloitte’s³ 2023 Digital Citizen Survey found that 55% of respondents preferred to interact with their state government services through a website instead of face-to-face interaction or a call center. Commonwealth of Massachusetts websites had a total of 17,771,709 page views in December 2022 alone.

However, people do not interact with the internet uniformly. The federal government and nongovernmental organizations have established web accessibility standards intended to make websites more accessible to people with disabilities, such as visual impairments, hearing impairments, and other disabilities. The impact of these standards can be significant, as the federal Centers for Disease Control and Prevention estimates that 1,348,913 adults (23% of the adult population) in Massachusetts have a disability, as of 2021.

According to W3C, people with disabilities use assistive technologies and adaptive strategies specific to their needs to navigate web content. Examples of assistive technologies include screen readers, which read webpages aloud for people who cannot read text; screen magnifiers for individuals with low vision; and voice recognition software for people who cannot (or do not) use a keyboard or mouse. Adaptive strategies refer to techniques that people with disabilities employ to enhance their web interaction.⁴ These strategies might involve increasing text size, adjusting mouse speed, or enabling captions.

To make web content accessible to people with disabilities, developers must ensure that various components of web development and interaction work together. This includes text, images, and structural code; users’ browsers and media players; and various assistive technologies.

Common Accessibility Features of a Website
 

IT governance refers to the processes that state agencies use to manage their IT resources. EOTSS documents these processes in standards that it requires all executive agencies follow and recommends for all other state agencies. Specifically, Section 2 of Chapter 7D of the General Laws states,

Notwithstanding any general or special law, rule, regulation, executive order, policy or procedure to the contrary, all executive department agencies shall, and other state agencies may, adhere to the policies, procedures and objectives established by the executive office of technology services and security with respect to activities concerning information technology.

IT governance processes include business continuity and disaster recovery, information security incident management, and cybersecurity awareness training.

Business Continuity and Disaster Recovery

EOTSS’s Business Continuity and Disaster Recovery Standard IS.005 requires each executive branch agency to develop and maintain business continuity and disaster recovery plans. These plans ensure that agencies have procedures to protect their information assets, recover critical operations, and reduce risks from a potential disruption or disaster.

Information Security Incident Management

EOTSS’s Information Security Incident Management Standard IS.009 requires executive branch agencies to document procedures and establish a plan for responding to security incidents, like a cyberattack, to limit further damage to the Commonwealth’s information assets once a security event is identified.

Cybersecurity Awareness Training

EOTSS has established policies and procedures that apply to all Commonwealth agencies within the executive branch. EOTSS recommends, but does not require, non-executive branch agencies to follow these policies and procedures. Section 6.2 of EOTSS’s Information Security Risk Management Standard IS.010 states,

     The objective of the Commonwealth information security training is to educate users on their responsibility       to help protect the confidentiality, availability and integrity of the Commonwealth’s information assets.           Commonwealth Offices and Agencies must ensure that all personnel are trained on all relevant rules and         regulations for cybersecurity.

To ensure that employees are clear on their responsibilities, EOTSS’s policies require that all employees in state executive branch agencies complete a cybersecurity awareness training every year. All newly hired employees must complete initial security awareness training within 30 days of their orientation.