Overview
MCC did not ensure that all seven of its contractors who had access to its grant management system completed the required cybersecurity awareness training during the audit period. This is a security concern, not just a paperwork gap: contractors hold the same system access as employees, and without awareness training they are more likely to mishandle credentials or fall for social engineering, inadvertently exposing sensitive grant data or MCC’s systems to compromise.
Authoritative Guidance
The Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 states:
6.2.3 New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course . . . The New Hire Security Awareness course must be completed within 30 days of new hire orientation.
6.2.4 Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training.
Reasons for Issue
MCC told us that it has a comprehensive cybersecurity program designed to protect the integrity of its systems, data, and operations. However, it did not have the capacity to extend the full cybersecurity awareness training module to its contractors because of time constraints related to processing the Cultural Sector Recovery Relief Grants. Additionally, MCC did not have monitoring controls to ensure that contractors complete cybersecurity awareness training.
Recommendations
- MCC should ensure that all contractors with access to its grant management system complete cybersecurity awareness training.
- MCC should develop and implement monitoring controls to ensure that contractors complete the cybersecurity awareness training.
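The second recommendation is a detective control: reconcile the list of accounts that actually have access to the grant management system against the learning-management records, applying the two IS.010 deadlines, and flag anyone (contractor or employee) who is out of window. The following is an added example, not MCC’s tooling or anything from the audit; the account names, dates and the data layout are invented, and reading “annual” as 365 days from the last completion is an assumption. The important design point is that the roster comes from the system’s own user list, not from HR: contractors frequently do not appear in HR feeds, which is exactly how they fall outside a monitoring process built for employees.

```python
"""Reconcile a system access roster against training-completion records.

Added example (hypothetical data): applies the IS.010 windows, initial course
within 30 days of onboarding and an annual refresher, to everyone with access,
contractors included, and returns the accounts that need follow-up.
"""
from dataclasses import dataclass
from datetime import date, timedelta

INITIAL_WINDOW = timedelta(days=30)   # IS.010 6.2.3: new-hire course within 30 days
ANNUAL_WINDOW = timedelta(days=365)   # IS.010 6.2.4 "annual", read as 365 days (assumption)
AUDIT_DATE = date(2025, 11, 26)       # evaluation date; use date.today() in production


@dataclass(frozen=True)
class Account:
    user: str
    kind: str    # "employee" or "contractor"
    start: date  # date access to the grant management system was granted


# Constructed sample roster, as exported from the grant system itself
# (not from HR, so contractors are present). Names and dates are invented.
ACCESS_ROSTER = [
    Account("a.rivera", "employee", date(2024, 1, 15)),
    Account("b.chen", "contractor", date(2025, 9, 2)),
    Account("c.okafor", "contractor", date(2025, 11, 10)),
    Account("d.patel", "contractor", date(2024, 3, 4)),
    Account("e.smith", "employee", date(2023, 6, 1)),
]

# Constructed LMS completion records keyed by user. A user with access but no
# record at all is the case the audit flagged, so absence must be a finding,
# never silently treated as "no data".
TRAINING_COMPLETIONS = {
    "a.rivera": [date(2024, 2, 1), date(2025, 1, 20)],
    "d.patel": [date(2024, 3, 20)],
    "e.smith": [date(2023, 6, 15), date(2024, 6, 10), date(2025, 6, 5)],
}

OVERDUE = {"initial_overdue", "annual_overdue"}


def training_status(account, completions, today):
    """Classify one account against the two IS.010 deadlines."""
    done = sorted(completions.get(account.user, []))
    if not done:
        # Never trained: either still inside the 30-day new-hire window, or overdue.
        if today - account.start > INITIAL_WINDOW:
            return "initial_overdue"
        return "initial_pending"
    # Trained at least once: the most recent completion must be within a year.
    if today - done[-1] > ANNUAL_WINDOW:
        return "annual_overdue"
    return "compliant"


def status_report(roster, completions, today):
    """Status for every account with access, whether or not the LMS knows them."""
    return {a.user: training_status(a, completions, today) for a in roster}


def out_of_compliance(roster, completions, today):
    """Accounts that need training now (or access suspended), contractors first."""
    rows = [(a.user, a.kind, training_status(a, completions, today)) for a in roster]
    findings = [r for r in rows if r[2] in OVERDUE]
    return sorted(findings, key=lambda r: (r[1] != "contractor", r[0]))


if __name__ == "__main__":
    for user, kind, status in out_of_compliance(ACCESS_ROSTER, TRAINING_COMPLETIONS, AUDIT_DATE):
        print(f"{user:<12}{kind:<12}{status}")
```

Run on a schedule (monthly is enough for a 30-day window), the `initial_pending` accounts are the ones to chase before they become findings, and anything in `out_of_compliance` is the list the control must act on; the audit trail the auditor will ask for is simply each run’s output with the roster export it was generated from.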
Auditee’s Response
[MCC’s response to our recommendation that MCC should ensure that all contractors with access to its grant management system complete cybersecurity awareness training.] We recognize the importance of ensuring that every individual with systems access, including contractors, completes formal cybersecurity awareness training. To address this, [MCC] will strengthen its internal procedures so that contractors are now required to complete the same cybersecurity awareness training as employees within the first thirty days of hire, and the requirement will be incorporated into all contractor agreements. These measures ensure that both employees and contractors are consistently trained in cybersecurity best practices, thereby mitigating risks and safeguarding the Agency’s financial, operational, and reputational integrity.
[MCC’s response to our recommendation that MCC should develop and implement monitoring controls to ensure that contractors complete the cybersecurity awareness training.] MCC currently has monitoring controls in place to verify that all employees complete the required cybersecurity awareness training. During the audit period, contractors were not subject to the same requirement as employees. Going forward, contractor compliance will be integrated into the existing monitoring control process used for employees, ensuring that completion is tracked and documented for all.
Auditor’s Reply
Based on its response, MCC is taking measures to address our concerns regarding this matter. As part of our post-audit review process, we will follow up on this matter in approximately six months.
Date published: November 26, 2025