
The Massachusetts Water Resources Authority Did Not Ensure That All Employees and Contractors Completed Required Cybersecurity Awareness Training for Its Administrative Computer Network.


Overview

For fiscal year 2020, we identified four MWRA employees (out of a population of 102) and six contractors (out of a population of six) who had access to MWRA’s administrative computer network but had not completed required annual cybersecurity awareness training. For fiscal year 2021, two MWRA employees (out of a population of 102) and six contractors (out of a population of six) had access to MWRA’s administrative computer network but had not completed the necessary annual cybersecurity awareness training.

A lack of such training may lead to user error and may compromise the integrity and security of protected information in MWRA’s administrative computer network.

Authoritative Guidance

According to Policy ADM.31,

MWRA shall ensure that all of its employees, contractors, and third party users understand their security responsibilities and have the requisite skills and knowledge to perform effectively in the roles they are assigned, and to reduce the risk of unauthorized access, use, or modifications of [information technology] resources . . . including . . . Security awareness and training during employment.

Section 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, which went into effect October 15, 2018, states,

All personnel will be required to complete Annual Security Awareness Training. Once implemented, automatic email reminders will be sent to personnel 12 months after course completion, alerting personnel to annual refresher training completion deadlines.

Although MWRA is not required to follow this standard, we consider it a best practice.

Reasons for Issue

MWRA officials told us that they overlooked the requirement in MWRA’s ISP for contractors with access to its administrative computer network to complete cybersecurity awareness training. MWRA officials did not provide a reason why all employees did not complete required annual cybersecurity awareness training.

Recommendation

MWRA should ensure that all its employees and contractors with access to its administrative computer network complete cybersecurity awareness training annually. MWRA should also implement internal controls to ensure that the employees and contractors complete the training.

Auditee’s Response

Supervisors and managers now receive a monthly report of staff that have not completed the required training. In [fiscal year 2022], 100% of MWRA staff successfully completed cybersecurity awareness training and MWRA is on track to achieve 100% completion for [fiscal year 2023]. Considerations are under review to modify the current cadence for the release and delivery of training modules to improve responsiveness without impacting operational schedules.

MWRA’s existing training platform does not support students without MWRA domain email addresses, which currently limits our ability to have contractors directly use MWRA’s cyber training materials. A review of the training system configuration will be conducted to accommodate Contractors, or an alternative approach developed.

Auditor’s Reply

Based on its response, MWRA is taking measures to address our concerns on this matter.

Date published: August 25, 2023
