This page, Massachusetts Bay Transportation Authority - Keolis Contract - Finding 5, is offered by the Office of the State Auditor.

Massachusetts Bay Transportation Authority - Keolis Contract - Finding 5

The Massachusetts Bay Transportation Authority did not ensure that Keolis employees who had access to the Train Resource Management System completed annual cybersecurity awareness training.


As part of our data reliability assessment procedures, we reviewed cybersecurity awareness training records[25] for a sample of 35 Keolis employees who had access to TRMS at any point during the audit period. We found that Keolis employees with access to TRMS did not complete annual cybersecurity awareness training during the audit period, as outlined in the table below.

Year   Number of Keolis Employees in Our Sample Who Completed Cybersecurity Awareness Training   Total Number of Keolis Employees in Our Sample Required to Complete Cybersecurity Awareness Training During the Corresponding Year   Percentage of Completion
2021   8    29   28%
2022   13   25   52%
2023   16   27   59%

If the MBTA does not ensure that its contracted service provider’s employees with access to the MBTA’s information technology systems complete annual cybersecurity awareness training, then the MBTA exposes itself to an increased risk of cybersecurity attacks and financial and/or reputational losses. In addition, the integrity and security of information in TRMS, which is used to monitor all aspects of commuter rail performance, may become compromised.

Authoritative Guidance

According to Section 4.1.5 of Schedule 3.17 of the MBTA’s “Commuter Rail Operating Agreement 159–12,”

The Operator [Keolis] shall provide and ensure that it, its personnel and MBTA employees with access to the Commuter Rail [information technology] Environment or the MBTA Internal [information technology] Environment shall complete initial information assurance awareness and annual refresher training in MBTA policies governing security, information assurance and workforce management, and such trainees shall certify to said training.

Reasons for Noncompliance

In an email on August 21, 2024, in response to our request for cybersecurity awareness training records for a sample of Keolis employees who had access to the MBTA’s TRMS during the audit period, the MBTA stated,

While MBTA requires Keolis to complete a comparable cyber security training to that conducted by MBTA employees, we do not have records of Keolis employees’ cybersecurity training certificates.

The MBTA has not established policies and procedures, including a monitoring component, to ensure that Keolis is complying with its contract by providing cybersecurity awareness training to its employees who have access to TRMS. In fact, based on our interviews with both MBTA and Keolis officials, it appears that the MBTA was not actively monitoring Keolis’s compliance with this training requirement during the audit period, despite its being an explicit part of the contract.

Recommendations

  1. The MBTA should establish policies and procedures, including a monitoring component, to ensure that its contracted service provider’s employees with access to the MBTA’s information technology systems complete cybersecurity awareness training.
  2. The MBTA should ensure that its contractor complies with all terms and conditions of its contract and that it retains sufficient documentation of this.

Auditee’s Response

The MBTA, with Keolis, has identified the Keolis employees that did not complete annual cybersecurity training. The MBTA recognizes that with additional resources, the MBTA can conduct a more thorough review of the cybersecurity training completed by Keolis employees. The MBTA also acknowledges that cyber security training conducted by Keolis is more thorough for those who had administrative/editing rights to TRMS as opposed to individuals who are restricted to basic data entry access rights to TRMS. Further information regarding the individuals for whom evidence of cybersecurity training was not completed was provided to the SAO in a series of emails in September and October 2024 by Keolis’ . . . Chief Legal Officer & Vice President of Strategy to your office. The reasoning for the lack of evidence that certain “employees” completed cybersecurity training was (a) a number of employees left employment prior to the required completion date of cybersecurity training and (b) five (5) of the identified “employees” were actually contractors with limited access to the TRMS system. This left only 3 employees for whom Keolis and the MBTA were unable to locate records of completion of cybersecurity training.

Auditor’s Reply

In its response, the MBTA states that with additional resources, it could have conducted a “more thorough review” of the cybersecurity awareness training completed by Keolis employees. This statement implies that the MBTA was monitoring Keolis’s compliance to some extent during the audit period. This is inaccurate. As noted above, based on our discussions with both MBTA and Keolis, it appeared that the MBTA was not monitoring Keolis’s compliance with this training requirement at all during the audit period. Any specific information we requested regarding the cybersecurity awareness training completed by Keolis employees, including any evidence of training completion for the Keolis employees in our testing sample, had to be obtained directly from Keolis. This information was not available through the MBTA’s own records or monitoring processes, highlighting the lack of oversight and enforcement by the MBTA.

In its response, the MBTA indicates that, in some cases, cybersecurity awareness training records could not be provided because the employee had left their employment with Keolis prior to the required completion date of the training. The absence of training records for those individuals did not have an impact on our testing results, as we focused solely on employees who were still employed and were required to complete the training in each respective year. As can be seen in the table in Finding 5 above, there were 35 total employees in our sample. Of these, only 29 were required to complete the training in 2021, 25 in 2022, and 27 in 2023.

The MBTA also indicates that five of the Keolis employees in our testing sample were contractors with limited access to the MBTA’s TRMS. While we acknowledge that these individuals were contractors with limited access rights, we believe that all TRMS users, regardless of their employment status or access level, should be required to complete cybersecurity awareness training. Even individuals with restricted access to systems or data can be targets for cybersecurity attacks. Contractors and/or users with limited access could still serve as an entry point for attackers, or they themselves may unintentionally compromise security through negligence or lack of awareness. Therefore, training is essential for all users in order to mitigate risks and maintain the integrity and security of information in the MBTA’s TRMS.

We urge the MBTA to implement our recommendations fully and to improve its oversight of cybersecurity awareness training for Keolis employees with access to MBTA systems.

  25. This documentation had to be obtained directly from Keolis, as the MBTA told us it did not maintain this documentation.

Date published: March 4, 2025
