Are these services really free?
Yes! EOTSS conducted a thorough RFQ process, with the respondents required to be on a Statewide Contract. We secured vendors to provide the service offerings at no cost to organizations.
What if I don’t know which Health Check option to select?
Please send an email to CyberHealthCheck@mass.gov and we will contact you to review and discuss your needs and suggest a service that initially aligns best with your objectives.
After an application is submitted, what are the next steps?
After we receive your application, OMST will contact you to explain the next steps, address any questions or concerns, and request your availability for a meeting with the vendor. Once we have this information, we will assign a vendor to you and arrange the initial meeting. This meeting will last about 20-30 minutes, during which the vendor will confirm the service you've selected, explain what it involves, and ask some general questions about your environment (e.g., number of users, locations, and servers). Following this, the vendor will coordinate with you to carry out any additional tasks, such as scans or interviews. Once the data collection is complete, it may take 2-6 weeks for the final report to be ready, and we will then schedule a final meeting to review the report and vendor recommendations.
How will I be assigned to a vendor?
OMST reviews your application and, based on the service selected and the information you provided, will align you with a vendor that best meets your needs. We have partnered with multiple vendors to provide this service; however, not all services are offered by each of them. Please ensure that you are as specific as possible in your application about the results that you are seeking, and OMST will work with you to get started as quickly as possible.
Are all of the vendors local, and can I choose which vendor I’d like to work with?
All of the vendors have an office in Massachusetts, and most are headquartered here. Applicants are not permitted to select their vendor due to service availability and resource allocation.
What if I’m already using an MSP? Can I still participate?
Yes, in fact we encourage you to do so. Please inform your MSP that you have applied, and provide your MSP's name and contact information in the Cyber Health application if you would like OMST to include them in communications about the service.
How long does it take to complete a service?
Most services are completed within 30-45 days; some may take slightly longer depending on the service selected. If you are working against a time constraint, please ensure that you share that information with us, and we will do our best to accommodate you.
Can I apply for more than one service?
We hope that you’ll be a return customer! While we only allow one active application at a time, as soon as you complete a service you are welcome to apply for a new health check in any category.
What happens to the data collected by the vendor?
All vendors participating in the health check program have signed a Statement of Work requiring them to comply with Massachusetts General Legislation pertinent to PII, relevant PCI standards, HIPAA, CJIS, and Social Security data. Further, 30 days after the completion of the Health Check vendor's Final Report, they will be asked to confirm the destruction of any data collected during the service delivery.
Will the vendors be trying to sell me any services?
Vendors are strictly prohibited from any sales-oriented communication for the duration of the health check. You are free to ask the vendor about services they provide and/or to engage the vendor after the health check, but the vendor may not include any of that information in their report or make any portion of your findings contingent upon your hiring of them.
Will I be able to provide feedback to OMST with regard to the Cybersecurity Health Check?
Your feedback is essential to ensure that the service met your expectations. OMST will reach out 7-10 days after your final meeting and ask you a few questions about your experience. We may also ask whether there is a service that you would like to have access to that was not available as part of the health check.