Audit of the Department of Fire Services (March 20, 2024)
March 20, 2024 · Department of Fire Services · Read the full official report on mass.gov ↗
source
“Below is a summary of our findings and recommendations, with links to each page listed.”
Read the plain-English breakdown
This is a state performance audit of the Massachusetts Department of Fire Services covering July 1, 2021 through December 31, 2022.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Department of Fire Services (DFS) for the period July 1, 2021 through December 31, 2022.”
Auditors checked whether DFS's website met accessibility rules and whether its technology policies met state requirements for continuity planning, incident response, disaster recovery, and cybersecurity training.
“In this performance audit, we determined the following:”
DFS handles fire safety information and services, so problems with website access or cybersecurity planning can affect residents, especially people with disabilities and anyone relying on DFS during disruptions or emergencies.
“They can also limit some users from having equitable access to critical information and key online services offered by DFS (e.g., proper fire safety equipment use or how to be prepared for fire emergencies).”
If DFS fixes these issues, residents should have better access to online fire safety information, and the agency should be better prepared to keep operating and protect information during emergencies or cyber incidents.
“Government websites are an important way for the general public to access government information and services.”
DFS had weaknesses in web accessibility and IT governance, and the auditor recommended updates, better plans, and cybersecurity training access for contractors.
“DFS did not provide its contractors with cybersecurity awareness training.”
DFS said it corrected the formatting issue, is updating its continuity plan, will develop a supplemental incident response plan, and now ensures contractors can complete required training.
“Based on its response, DFS has taken measures to address our concerns on this matter.”
The biggest practical concern is that many DFS workers are contractors, and they were not given cybersecurity awareness training during the audited training cycle, which could raise risk for DFS systems and protected information.
“Contractors make up approximately 87% of the DFS workforce.”
IT governance means the rules and processes an agency uses to manage technology, including backup planning, disaster recovery, cyberattack response, and cybersecurity training.
“IT governance refers to the processes that state agencies use to manage their IT resources.”
What the Auditor checked
- Partially Did DFS’s website meet the Executive Office of Technology Services and Security’s (EOTSS’s) Enterprise Information Technology Accessibility Policy and the Web Content Accessibility Guidelines (WCAG) 2.1 for user accessibility, keyboard accessibility, navigation accessibility, language, error identification, and color accessibility?
- Did not comply Did DFS establish information technology (IT) governance policies and procedures for the following areas: business continuity and disaster recovery plans that met the requirements of Sections 6.1.1.4 and 6.2.1 of EOTSS’s Business Continuity and Disaster Recovery Standard IS.005; information security incident response plan and procedures that met the requirements of Sections 6.5.1 and 6.5.2 of EOTSS’s Information Security Incident Management Standard IS.009; and cybersecurity awareness training that met the requirements of Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010?
What the Auditor found
Why it matters: Broken or faulty hyperlinks can make relevant information difficult to locate, limit equitable access to critical online services, and increase the risk that users rely on outdated or incorrect information.
Standard: EOTSS Enterprise Information Technology Accessibility Policy and WCAG 2.1, Success Criterion 2.4.5 Multiple Ways. ( The Rehabilitation Act of 1973; Americans with Disabilities Act of 1990; Section 3 of Chapter 7D of the Massachusetts General Laws; Commonwealth of Massachusetts Executive Order 348; Web Content Accessibility Guidelines 2.1 (WCAG), level A and AA Guidelines )
1 recommendation
- DFS should review its webpages to ensure that all hyperlinks lead to related information to provide equitable access to critical information and services offered online by DFS to all Commonwealth residents.agency: already implemented
Agency response & Auditor reply
Agency: "DFS staff corrected this formatting error immediately upon learning of it."
Auditor: "Based on its response, DFS has taken measures to address our concerns on this matter."
Why it matters: Without an updated business continuity plan, DFS may not have adequate procedures to protect information assets or recover critical operations during interruptions or disasters.
Standard: Section 6.1.1.4.3 of EOTSS’s Business Continuity and Disaster Recovery Standard IS.005. ( Section 6.1.1.4.3 of EOTSS’s Business Continuity and Disaster Recovery Standard IS.005 )
1 recommendation
- DFS should update its business continuity plan annually and whenever a major organizational change occurs.
Agency response & Auditor reply
Agency: "DFS is in the process of updating the COOP plan and will ensure that it is updated annually and whenever a major organizational change occurs."
Auditor: "Based on its response, DFS is taking measures to address our concerns on this matter."
Why it matters: Without an adequate incident response plan and procedures, DFS may not take sufficient containment measures or complete proper documentation, investigation, risk analysis, and impact analysis after a security incident.
Standard: Sections 6.5.1 and 6.5.2 of EOTSS’s Information Security Incident Management Standard IS.009. ( EOTSS’s Information Security Incident Management Standard IS.009; Section 2 of Chapter 7D of the General Laws )
2 recommendations
- DFS should rely on an information security incident response plan and procedures that include all required elements.
- Alternatively, DFS could establish a supplemental information security incident response plan and procedures that include guidance for implementing corrective action or post-incident analysis, criteria for business recovery, data backup processes, and an analysis of legal requirements for reporting IT system compromises.
Agency response & Auditor reply
Agency: "DFS will continue to collaborate with EOPSS and develop a DFS supplemental plan which will complement the secretariat-wide standards, and which will identify Information Security Response actions and procedures specific to DFS."
Auditor: "Based on its response, DFS is taking measures to address our concerns on this matter."
Why it matters: Untrained contractors may make user errors or compromise the integrity and security of protected information in DFS’s IT systems.
Standard: EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2. ( EOTSS’s Information Security Risk Management Standard IS.010; Section 2 of Chapter 7D of the General Laws )
2 recommendations
- DFS should ensure that its contractors complete cybersecurity awareness training.agency: already implemented
- DFS should ensure that its contractors have access to its cybersecurity awareness training platform.agency: already implemented
Agency response & Auditor reply
Agency: "In FY 2023, HRD was able to provide all statewide contract employees with access to Mass Achieve and the DFS contract employees completed all mandatory training."
Auditor: "Based on its response, DFS has taken measures to address our concerns on this matter."
More audits of this entity
Other Office of the State Auditor reports on Department of Fire Services .
- Department of Fire Services-Examination of Annual Internal Control QuestionnaireState Agency / Office · May 20, 2016
- Audit of the Department of Fire Services (DFS)State Agency / Office · May 12, 2020
-
Audit of Settlement Agreements and Confidentiality Clauses Across Multiple State Agencies - Department of Fire Services (January 28, 2025)State Agency / Office · January 28, 2025