Audit of the Operational Services Division Overview of Audited Entity

In 1996, the former Department of Procurement and General Services was restructured and renamed the Operational Services Division (OSD). Section 4A of Chapter 7 of the Massachusetts General Laws created OSD and placed it within the Executive Office for Administration and Finance. The secretary of the Executive Office for Administration and Finance appoints a state purchasing agent, who serves as the administrative head of OSD.

Section 4A of Chapter 7 of the General Laws establishes the following as the basic functions of OSD:

• to manage and assist in the acquisition of goods, equipment, and services for executive branch agencies;
• to administer a collective purchasing program from third-party vendors for the Commonwealth and its political subdivisions (e.g., counties and municipalities);
• to offer copying and printing services for state and municipal governments and agencies and other eligible entities (e.g., qualified nonprofit organizations);
• to manage the use and maintenance of vehicles owned by executive branch agencies;
• to administer state and federal surplus property programs in which OSD sells unneeded government equipment and supplies to the public;
• to administer the Supplier Diversity Office, established under OSD by Chapter 56 of the Acts of 2010, to help businesses owned by people of color, women, and veterans obtain contracts, subcontracts, and financing to sell goods and services to the Commonwealth and its political subdivisions; and
• to establish the Bureau of Purchased Services, according to Section 22N of Chapter 7 of the General Laws, which reviews independent audit reports regarding financial statements and compliance supplements submitted by human service providers (e.g., special education, mental health, and elder services program providers) and the providers’ public accountants.

Additionally, OSD uses COMMBUYS as a web-based procurement platform for Commonwealth agencies and political subdivisions. COMMBUYS allows public buyers¹ to post bid solicitations,² enter into contracts with vendors for goods and services, and make purchases on new and existing contracts. COMMBUYS also allows vendors to post quotes in response to bid solicitations. OSD maintains the platform’s website, qualifies vendors, negotiates prices, and provides training and support to vendors and other users.

OSD is located at 1 Ashburton Place in Boston and had 110 full-time employees as of December 31, 2022. OSD’s main sources of revenue are fees imposed on contractors and fees for services that OSD provides to different state agencies. In fiscal year 2022, OSD had a budget of $11,555,197 and generated $27,120,000 in revenue. OSD received state appropriations, which totaled $8,463,465 in fiscal year 2022, for capital improvements—such as purchasing and repairing state vehicles and improving its computer systems—and other purposes.

Public buyers can procure goods and services on COMMBUYS through either a Statewide Contract (SWC) or a limited-use contract, if no applicable SWC exists.

SWCs

In certain instances, OSD enters into contracts with multiple vendors to provide a specific good or service that can be used by multiple executive branch agencies or other public buyers. OSD established the Strategic Sourcing Services Unit to manage and oversee the procurements for these contracts. These contracts are called SWCs and provide access to a variety of goods or services— such as fuel, medical supplies, actuarial services, and office supplies—to meet the needs of public buyers.

If an executive branch agency requires a good or service provided by an SWC, the agency must use the SWC for procurement. All other Commonwealth agencies, including constitutional offices, public authorities, commissions, and cities and towns, may also use SWCs to procure goods and services, but they are not required to do so.

After OSD awards a contract to a vendor, OSD’s Strategic Sourcing Services Unit creates a master blanket purchase order (MBPO), which is a type of purchase order (PO) that acts as a contract under which public buyers can make multiple purchases over the life of the contract. Following this, the Strategic Sourcing Services Unit creates a contract user guide (CUG), which details the types of goods or services on the contract, provides instructions for making purchases, and includes information about the contracted vendor. The Strategic Sourcing Services Unit posts the MBPO and CUG on COMMBUYS and Mass.gov.

If COMMBUYS users wish to procure goods or services from an SWC, they must first consult the associated CUG because different contracts will have different terms. For example, some SWCs require buyers to request quotes (which are offers to provide the goods or services outlined in the bid solicitation at a certain price) from vendors listed on the CUG, some allow buyers to directly issue requisitions to the vendor, and some require buyers to request quotes only if the engagement exceeds a certain dollar threshold.

Public buyers make SWC purchases under an MBPO and document the purchase in COMMBUYS with a requisition number and a release PO, which are unique to each purchase.

Limited-Use Contracts

If a public buyer’s need cannot be fulfilled by an SWC, they can also use COMMBUYS to create a limited-use contract. The public buyer uses COMMBUYS to create a bid solicitation. Public buyers create bid solicitations in COMMBUYS by entering data into predetermined fields and attaching any necessary documentation to the posting.

Once a public buyer posts a bid solicitation in COMMBUYS, vendors can respond to it and create quotes directly in COMMBUYS by entering data into predetermined fields.

Public buyers use COMMBUYS to create requisitions for limited-use contracts similarly to how public buyers use the platform for SWCs. Goods or services procured under a limited-use contract are documented in COMMBUYS with an MBPO. The public buyer often attaches to the MBPO standard contract forms (which are PDF templates provided by the Office of the Comptroller of the Commonwealth) to document additional contract terms.

 

COMMBUYS Procurement Process

In 1999, the World Wide Web Consortium (W3C), an international nongovernmental organization responsible for internet standards, published the Web Content Accessibility Guidelines (WCAG) 1.0 to provide guidance on how to make web content more accessible to people with disabilities.

In 2005, the Massachusetts Office of Information Technology,³ with the participation of state government webpage developers, including developers with disabilities, created the Enterprise Web Accessibility Standards. These standards required all state executive branch agencies to follow the guidelines in Section 508 of the Rehabilitation Act amendments of 1998. These amendments went into effect in 2001 and established precise technical requirements to which electronic and information technology (IT) products must adhere. This technology includes, but is not limited to, products such as software, websites, multimedia products, and certain physical products, such as standalone terminals.

In 2008, W3C published WCAG 2.0. In 2014, the Massachusetts Office of Information Technology added a reference to WCAG 2.0 in its Enterprise Information Technology Accessibility Standards.

In 2017, the Executive Office of Technology Services and Security (EOTSS) was designated as the Commonwealth’s lead IT organization for the executive branch. EOTSS is responsible for the development and maintenance of the Enterprise Information Technology Accessibility Standards and the implementation of state and federal laws and regulations relating to accessibility. As the principal executive branch agency responsible for coordinating the Commonwealth’s IT accessibility compliance efforts, EOTSS supervises executive branch agencies in their efforts to meet the Commonwealth’s accessibility requirements.

In 2018, W3C published WCAG 2.1, which built on WCAG 2.0 to improve web accessibility on mobile devices and to further improve web accessibility for people with visual impairments and cognitive disabilities. EOTSS published the Enterprise Information Technology Accessibility Policy in 2021 to meet Levels A and AA of WCAG 2.1.

Timeline of the Adoption of Website Accessibility Standards by the Federal Government and Massachusetts

While EOTSS establishes standards for executive branch agencies, individual agencies, such as OSD, are responsible for ensuring that their IT solutions and web content fully comply with EOTSS’s accessibility standards. The organization chart below shows the structure of EOTSS and other executive branch agencies. When publishing digital content to Mass.gov or other platforms, state agencies must comply with EOTSS’s Web Design Guidelines, which were published in 2020 based on the federal 21st Century Integrated Digital Experience Act. This law helps state government agencies evaluate their design and implementation decisions to meet state accessibility requirements.

Organization of Information Security for the Commonwealth⁴

Government websites are an important way for the general public to access government information and services. Deloitte’s⁵ 2023 Digital Citizen Survey found that 55% of respondents preferred to interact with their state government services through a website instead of face-to-face interaction or a call center. According to the analytics dashboard for Mass.gov, Commonwealth of Massachusetts websites had a total of 17,771,709 page views in December 2022 alone.

However, people do not interact with the internet uniformly. The federal government and nongovernmental organizations have established web accessibility standards intended to make websites more accessible to people with disabilities, such as visual impairments, hearing impairments, and other disabilities. The impact of these standards can be significant, as the federal Centers for Disease Control and Prevention estimates that 1,348,913 adults (23% of the adult population) in Massachusetts have a disability, as of 2021.

According to W3C, people with disabilities use assistive technologies and adaptive strategies specific to their needs to navigate web content. Examples of assistive technologies include screen readers, which read webpages aloud for people who cannot read text; screen magnifiers for individuals with low vision; and voice recognition software for people who cannot (or do not) use a keyboard or mouse. Adaptive strategies refer to techniques that people with disabilities employ to enhance their web interaction.⁶ These strategies might involve increasing text size, adjusting mouse speed, or enabling captions.

To make web content accessible to people with disabilities, developers must ensure that various components of web development and interaction work together. This includes text, images, and structural code; users’ browsers and media players; and various assistive technologies.

Common Accessibility Features of a Website

IT governance refers to the processes that state agencies use to manage their IT resources. EOTSS documents these processes in standards that it requires all executive branch agencies adopt and recommends for all other state agencies. Specifically, Section 2 of Chapter 7D of the General Laws states,

Notwithstanding any general or special law, rule, regulation, executive order, policy or procedure to the contrary, all executive department agencies shall, and other state agencies may, adhere to the policies, procedures and objectives established by the executive office of technology services and security with respect to activities concerning information technology.

IT governance processes include business continuity and disaster recovery, information security incident management, and cybersecurity awareness training.

Business Continuity and Disaster Recovery

EOTSS’s Business Continuity and Disaster Recovery Standard IS.005 requires each executive branch agency to develop and maintain business continuity and disaster recovery plans. These plans ensure that agencies have procedures to protect their information assets, recover critical operations, and reduce risks from a potential disruption or disaster.

Information Security Incident Management

EOTSS’s Information Security Incident Management Standard IS.009 requires executive branch agencies to document procedures and establish a plan for responding to security incidents, like a cyberattack, to limit further damage to the Commonwealth’s information assets once a security event is identified.

Cybersecurity Awareness Training

EOTSS has established policies and procedures that apply to all Commonwealth agencies within the executive branch. EOTSS recommends, but does not require, non-executive branch agencies to follow these policies and procedures. Section 6.2 of EOTSS’s Information Security Risk Management Standard IS.010 states,

The objective of the Commonwealth information security training is to educate users on their responsibility to help protect the confidentiality, availability and integrity of the Commonwealth’s information assets. Commonwealth Offices and Agencies must ensure that all personnel are trained on all relevant rules and regulations for cybersecurity.

To ensure that employees are clear on their responsibilities, EOTSS’s policies require that all employees in state executive branch agencies complete a cybersecurity awareness training course every year. All newly hired employees must complete an initial security awareness training course within 30 days of their orientation.