Offered by the Office of the State Auditor

The Department of Fire Services Did Not Provide Its Contractors With Cybersecurity Awareness Training.

DFS did not provide its contractors with cybersecurity awareness training for the 2021–2022 training cycle.


Overview


Contractors make up approximately 87% of the DFS workforce. A lack of cybersecurity awareness training for these contractors may lead to user error or compromise the integrity and security of protected information in DFS’s IT systems.

Authoritative Guidance

EOTSS’s Information Security Risk Management Standard IS.010 states,

6.2 Information Security Training and Awareness

The objective of the Commonwealth information security training is to educate users on their responsibility to help protect the confidentiality, availability and integrity of the Commonwealth’s information assets. Commonwealth Offices and Agencies must ensure that all personnel are trained on all relevant rules and regulations for cybersecurity.

6.2.1 Implement an enterprise-wide information security awareness and training program.

6.2.1.1 Develop appropriate training materials in collaboration with Human Resources and Legal.

6.2.1.2 Conduct periodic refresher training for personnel and, where relevant, contractors and temporary staff.

Reasons for Issue

DFS management stated that contractors were not given access to Mass Achieves, the training platform DFS uses, during the 2021–2022 mandatory training session, because Mass Achieves did not offer an access solution that would let contractors complete this training.

Recommendations

  1. DFS should ensure that its contractors complete cybersecurity awareness training.
  2. DFS should ensure that its contractors have access to its cybersecurity awareness training platform.

Auditee’s Response

DFS has always required contract employees to participate in Cyber Security Awareness Training, which has historically been delivered through a 3rd party on-line platform launched and managed by the Executive Office of Technology Services and Security. In [fiscal year (FY)] 2022, the on-line training was launched by the Human Resources Division (HRD) via a new statewide employee training platform called Mass Achieve. In FY 2022, HRD was not able to provide Mass Achieve access for contract employees statewide, not limited to just DFS, and therefore contract employees were not required to take the training. In FY 2023, HRD was able to provide all statewide contract employees with access to Mass Achieve and the DFS contract employees completed all mandatory training. DFS continues to ensure that all contract employees attain access to the training platform and complete mandatory training within 30 days of hire, and annually thereafter.

Auditor’s Reply

While we acknowledge that EOTSS (as the oversight agency) plays a role in ensuring that DFS provides cybersecurity awareness training to its contractors, DFS must train contractors in compliance with EOTSS’s Information Security Risk Management Standard IS.010. This is pursuant to Section 2 of Chapter 7D of the General Laws, which requires all state executive branch agencies, including DFS, to “adhere to the policies, procedures, and objectives established by the executive office of technology services and security.” Based on its response, DFS has taken measures to address our concerns on this matter.

Date published: March 20, 2024
