Audit of MassHire Department of Career Services (May 27, 2025)
May 27, 2025 · MassHire Department of Career Services · Read the full official report on mass.gov ↗
source
“The MDCS JobQuest website is not fully accessible for all Massachusetts residents and users.”
Read the plain-English breakdown
This is a Massachusetts State Auditor performance audit of the MassHire Department of Career Services for July 1, 2022 through June 30, 2023.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the MassHire Department of Career Services (MDCS) for the period July 1, 2022 through June 30, 2023.”
Auditors checked whether MassHire’s main website, career center websites, and JobQuest met accessibility rules, and whether MassHire had basic information security practices for sensitive data.
“The purpose of this performance audit was to determine whether MDCS’s website, as well as its career centers and JobQuest websites, adhered to the accessibility standards established by the Web Content Accessibility Guidelines (WCAG) 2.1 for user accessibility, keyboard accessibility, navigation accessibility, language, error identification, and color accessibility.”
These problems matter because people may have trouble using job-search services online, and sensitive personal information may be exposed to avoidable risks.
“Limiting access to PII helps protect the privacy of Massachusetts residents and reduces the risk that their information may be accessed by someone who may mismanage or steal it.”
If you use MassHire services, the findings affect whether you can easily access job help online and whether your personal information is protected properly.
“These career centers offer job seekers services and events like career guidance, resume writing, workshops, and trainings.”
MassHire needs to fix website accessibility problems, classify its data and systems, and tighten approval for access to personal information.
“MDCS did not ensure that access to PII stored at the career centers was limited to approved personnel members who have business needs to access it.”
MassHire said it is working on modernization, new data governance, accessibility reviews, and better access controls.
“Based on its response, MDCS is taking measures to address our concerns regarding this matter.”
This report is significant because MassHire serves many job seekers and companies, so website access and data protection affect a large public workforce system.
“In fiscal year 2022, MDCS aided more than 72,000 job seekers (including those seeking unemployment insurance) and supported more than 19,000 companies.”
PII means personal details that can identify someone, and WCAG is a set of rules meant to make websites usable for people with disabilities.
“PII personally identifiable information”
What the Auditor checked
- Did not comply Was MDCS’s website in compliance with the Executive Office of Technology Services and Security’s (EOTSS’s) Enterprise Information Technology Accessibility Policy and the World Wide Web Consortium’s (W3C’s) Web Content Accessibility Guidelines (WCAG) 2.1 for user accessibility, keyboard accessibility, navigation accessibility, language, error identification, and color accessibility?
- Did not comply Was the JobQuest website in compliance with EOTSS’s Enterprise Information Technology Accessibility Policy and W3C’s WCAG 2.1 for user accessibility, keyboard accessibility, navigation accessibility, language, error identification, and color accessibility?
- Did not comply Did MDCS establish classification or sensitivity levels, securely delete stored information exceeding retention periods, and conduct a business impact analysis or risk assessment to determine information system classification?
- Did not comply Did MDCS restrict access to personally identifiable information (PII) to a narrow subset of personnel members who had a business need to access the information in accordance with Section 6.2.1. of EOTSS’s Asset Management Standard IS.004?
What the Auditor found
Why it matters: The accessibility issues can impair users’ ability to use the website and undermine equitable digital access.
Standard: WCAG 2.1 Success Criterion 1.4.10 Reflow and Success Criterion 3.1.1 Language of a Page. ( WCAG 2.1 Success Criterion 1.4.10 Reflow; WCAG 2.1 Success Criterion 3.1.1 Language of a Page )
3 recommendations
- MDCS should implement a policy to review its webpages periodically for WCAG 2.1 compliance.
- MDCS should collaborate with EOTSS to develop a periodic web maintenance schedule for incorrect language tags and improper reflow.
- MDCS should assign staff to oversee accessibility compliance and website updates.
Agency response & Auditor reply
Agency: "Throughout this modernization, EOLWD/MDCS will collaborate with EOTSS to revise internal policies and procedures to ensure compliance with Web Content Accessibility Guidelines and other Commonwealth standards."
Auditor: "Based on its response, MDCS is taking measures to address our concerns regarding this matter."
Why it matters: Accessibility failures can prevent users from accessing critical information and services, especially users with visual impairments or mobility issues.
Standard: WCAG 2.1 Success Criteria 1.4.10, 2.4.5, 1.4.1, 2.1.1, and 3.3.1. ( WCAG 2.1 Success Criterion 1.4.10 Reflow; WCAG 2.1 Success Criterion 2.4.5 Multiple Ways; WCAG 2.1 Success Criterion 1.4.1 Use of Color; WCAG 2.1 Success Criterion 2.1.1 Keyboard; WCAG 2.1 Success Criterion 3.3.1 Error Identification )
3 recommendations
- MDCS should implement and enforce a policy for career centers to review webpages periodically for WCAG 2.1 compliance.
- MDCS should collaborate with EOTSS and career centers to develop a periodic web maintenance schedule.
- MDCS should require career centers to assign staff to oversee accessibility compliance and website updates.
Agency response & Auditor reply
Agency: "Additionally, MDCS will continue to collaborate with EOTSS and local career centers to support compliance with the latest WCAG standards."
Auditor: "Based on its response, MDCS is taking measures to address our concerns regarding this matter."
Why it matters: Accessibility failures can limit access to job, training, and workshop information and make the website difficult to use for people relying on assistive technology.
Standard: WCAG 2.1 Success Criteria 1.4.10, 2.4.5, 1.4.1, 2.1.1, 2.1.2, 2.4.1, 2.4.2, 3.1.1, and 3.3.2. ( WCAG 2.1 Success Criterion 2.1.2 No Keyboard Trap; WCAG 2.1 Success Criterion 2.4.1 Bypass Blocks; WCAG 2.1 Success Criterion 2.4.2 Page Titled; WCAG 2.1 Success Criterion 3.3.2 Labels of Instructions )
3 recommendations
- MDCS should ensure its third-party contractor complies with WCAG 2.1.
- MDCS should work with the third-party contractor to develop a periodic maintenance schedule for noncompliant JobQuest webpages.
- MDCS should assign staff to oversee accessibility compliance for all JobQuest webpages.
Agency response & Auditor reply
Agency: "Additionally, MDCS is working with a third-party contractor to develop a plan to align JobQuest with WCAG 2.1."
Auditor: "Based on its response, MDCS is taking measures to address our concerns regarding this matter."
Why it matters: Without data classification, sensitive data may be more vulnerable to unauthorized access, theft, misuse, legal liabilities, regulatory violations, and reputational damage.
Standard: EOTSS Information Asset Management Standard IS.004, Section 6.2. ( EOTSS Information Asset Management Standard IS.004, Section 6.2 )
2 recommendations
- MDCS should develop and implement an information classification policy that complies with IS.004 and assigns an information custodian.
- MDCS should conduct a data inventory and classification assessment based on sensitivity, criticality, and regulatory requirements.
Agency response & Auditor reply
Agency: "EOLWD is in the process of developing a comprehensive data framework and related governance strategy that will apply to all MDCS data."
Auditor: "Based on its response, MDCS is taking measures to address our concerns regarding this matter."
Why it matters: Without system classification, MDCS may not properly protect vital systems or prioritize IT resources during emergencies.
Standard: EOTSS Asset Management Standard IS.004, Section 6.6.2. ( EOTSS Asset Management Standard IS.004, Section 6.6.2 )
2 recommendations
- MDCS should implement a policy to periodically conduct a business impact analysis or risk assessment to classify information systems.
- MDCS should review information system classifications annually or when significant system changes occur.
Agency response & Auditor reply
Agency: "This will include a related business impact analysis and risk assessment."
Auditor: "Based on its response, MDCS is taking measures to address our concerns regarding this matter."
Why it matters: Unauthorized or undocumented access to PII increases the risk of data breaches, identity theft, reputational damage, and legal liability.
Standard: EOTSS Asset Management Standard IS.004, Section 6.2.1. ( EOTSS Asset Management Standard IS.004, Section 6.2.1; EOTSS Asset Management Standard IS.004, Section 6.2.1.1 )
4 recommendations
- MDCS should ensure every user requiring access to PII in the centralized database has their business need reviewed and approved before access is granted.
- MDCS should implement role-based access aligned with least privilege.
- MDCS should periodically review current users’ access to determine whether they have appropriate approval.
- MDCS should have users hired before fiscal year 2014 resubmit database access forms electronically.
Agency response & Auditor reply
Agency: "MDCS will review user access to ensure that all users have formal authorization to access the database; as part of a comprehensive policy review built into the new system, MDCS intends to build in an automated annual review process."
Auditor: "Based on its response, MDCS is taking measures to address our concerns regarding this matter."
Why it matters: Unapproved access to PII stored outside the centralized database increases risks of data breaches, identity theft, reputational damage, and legal liability.
Standard: EOTSS Asset Management Standard IS.004, Section 6.2.1. ( EOTSS Asset Management Standard IS.004, Section 6.2.1; EOTSS Asset Management Standard IS.004, Section 6.2.1.1 )
3 recommendations
- MDCS should implement a strict access control policy requiring formal approval before granting access to PII stored outside the centralized database.
- MDCS should implement role-based access aligned with least privilege.
- MDCS should ensure career centers periodically review current users’ access for appropriate approval.
Agency response & Auditor reply
Agency: "As part of system modernization, MDCS will implement a multi-tiered authorized access management system based on necessary functions, including a periodic review of user access to determine whether these users have the appropriate approval."
Auditor: "Based on its response, MDCS is taking measures to address our concerns regarding this matter."