Massachusetts Bay Transportation Authority - Finding 6

The Massachusetts Bay Transportation Authority did not ensure that all of its information system users completed cybersecurity awareness training.

The MBTA did not ensure that all of its information system users completed cybersecurity training.

Specifically, for the MBTA’s enterprise asset management system, 5 out of 35 randomly sampled existing employees (14%) did not complete annual refresher cybersecurity awareness training, and 5 out of 10 randomly sampled newly hired employees (50%) did not complete new hire cybersecurity awareness training.

For the MBTA defect module, 15 out of 35 randomly sampled existing employees (43%) did not complete annual refresher cybersecurity awareness training.

If the MBTA does not ensure that all of its information system users complete cybersecurity awareness training, then the MBTA is exposed to an elevated risk of cybersecurity attacks, which may cause financial and/or reputational losses.

Authoritative Guidance

Section AT-2 of the National Institute of Standards and Technology’s Special Publication 800-53 Revision 5 states,

a. Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):

1. As part of initial training for new users and . . . [organization-defined frequency] thereafter.

The Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 that was in effect during the audit period stated,

6.2.3 New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. This course shall be conducted via web-based learning or in class training and shall be included in the new hire orientation checklist. The New Hire Security Awareness course must be completed within 30 days of new hire orientation.

6.2.4 Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training. Once implemented, automatic email reminders will be sent to personnel 12 months after course completion, alerting personnel to annual refresher training completion deadlines.

Reasons for Noncompliance

The MBTA did not provide a reason why the cybersecurity awareness training certificates for the sampled employees could not be provided to us.

Recommendation

The MBTA should ensure that all of its information system users complete cybersecurity awareness training as part of initial training and annually thereafter and should maintain records of this training.

Auditee’s Response

The MBTA agrees with the SAO’s Draft Report that cybersecurity training for all MBTA employees is essential, and the MBTA is investigating the failures to complete such training as discussed in the Draft Report. The MBTA notes that, as a quasi-public authority, the MBTA is only required to follow guidelines from the Executive Office of Safety and Security (EOTSS) when shared resources are involved. Nonetheless, the MBTA’s current cybersecurity training requirements match or exceed EOTSS requirements. The MBTA’s cybersecurity training includes, but is not limited to: (1) annual attestation to the MBTA’s acceptable use policy for all employees; (2) annual cybersecurity awareness training for all employees; (3) additional annual cybersecurity training for employees handling specific data; (4) annual tabletop training in compliance with the MBTA’s cybersecurity liability insurance requirements; (5) annual Cyber Day, which includes speakers from across the MBTA and key outside partners discussing the current state of cybersecurity in critical infrastructure. Additionally, the MBTA conducts phishing training throughout the year and specific group trainings, including additional training for front line workers, most attacked users, and senior leadership. The MBTA also continues to review and update its cybersecurity training, as evidenced by the development of its AI Awareness training beginning in 2025.

Auditor’s Reply

Based on its response, the MBTA is taking measures to address our concerns regarding this matter. As part of our post-audit review process, we will follow up on this matter in approximately six months.

Date published: March 10, 2025