Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Department of Fire Services (March 20, 2024)

March 20, 2024 · Department of Fire Services · Read the full official report on mass.gov ↗

Published March 20, 2024 Audit covers July 1, 2021 – December 31, 2022 Under Diana DiZoglio · 2023–present

In plain English
The audit found four main problems: DFS had a website accessibility issue, did not update its business continuity plan, relied on an incomplete cybersecurity incident response plan, and did not train contractors on cybersecurity during the 2021-2022 cycle.
source
“Below is a summary of our findings and recommendations, with links to each page listed.”
Read the plain-English breakdown
What is this?

This is a state performance audit of the Massachusetts Department of Fire Services covering July 1, 2021 through December 31, 2022.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Department of Fire Services (DFS) for the period July 1, 2021 through December 31, 2022.”
Why was it audited?

Auditors checked whether DFS's website met accessibility rules and whether its technology policies met state requirements for continuity planning, incident response, disaster recovery, and cybersecurity training.

“In this performance audit, we determined the following:”
Why it matters

DFS handles fire safety information and services, so problems with website access or cybersecurity planning can affect residents, especially people with disabilities and anyone relying on DFS during disruptions or emergencies.

“They can also limit some users from having equitable access to critical information and key online services offered by DFS (e.g., proper fire safety equipment use or how to be prepared for fire emergencies).”
What's in it for me?

If DFS fixes these issues, residents should have better access to online fire safety information, and the agency should be better prepared to keep operating and protect information during emergencies or cyber incidents.

“Government websites are an important way for the general public to access government information and services.”
The bottom line

DFS had weaknesses in web accessibility and IT governance, and the auditor recommended updates, better plans, and cybersecurity training access for contractors.

“DFS did not provide its contractors with cybersecurity awareness training.”
What happens next

DFS said it corrected the formatting issue, is updating its continuity plan, will develop a supplemental incident response plan, and now ensures contractors can complete required training.

“Based on its response, DFS has taken measures to address our concerns on this matter.”
Why it's significant

The biggest practical concern is that many DFS workers are contractors, and they were not given cybersecurity awareness training during the audited training cycle, which could raise risk for DFS systems and protected information.

“Contractors make up approximately 87% of the DFS workforce.”
Jargon, unpacked

IT governance means the rules and processes an agency uses to manage technology, including backup planning, disaster recovery, cyberattack response, and cybersecurity training.

“IT governance refers to the processes that state agencies use to manage their IT resources.”

What the Auditor checked

What the Auditor found

DFS’s website had a faulty hyperlink that could prevent users from navigating to intended information.
data privacyinternal controls

Why it matters: Broken or faulty hyperlinks can make relevant information difficult to locate, limit equitable access to critical online services, and increase the risk that users rely on outdated or incorrect information.

Standard: EOTSS Enterprise Information Technology Accessibility Policy and WCAG 2.1, Success Criterion 2.4.5 Multiple Ways. ( The Rehabilitation Act of 1973; Americans with Disabilities Act of 1990; Section 3 of Chapter 7D of the Massachusetts General Laws; Commonwealth of Massachusetts Executive Order 348; Web Content Accessibility Guidelines 2.1 (WCAG), level A and AA Guidelines )

1 recommendation
  • DFS should review its webpages to ensure that all hyperlinks lead to related information to provide equitable access to critical information and services offered online by DFS to all Commonwealth residents.agency: already implemented
Agency response & Auditor reply
Agency: "DFS staff corrected this formatting error immediately upon learning of it."
Auditor: "Based on its response, DFS has taken measures to address our concerns on this matter."
DFS did not update its business continuity plan in 2021.
cybersecurityinternal controls

Why it matters: Without an updated business continuity plan, DFS may not have adequate procedures to protect information assets or recover critical operations during interruptions or disasters.

Standard: Section 6.1.1.4.3 of EOTSS’s Business Continuity and Disaster Recovery Standard IS.005. ( Section 6.1.1.4.3 of EOTSS’s Business Continuity and Disaster Recovery Standard IS.005 )

1 recommendation
  • DFS should update its business continuity plan annually and whenever a major organizational change occurs.
Agency response & Auditor reply
Agency: "DFS is in the process of updating the COOP plan and will ensure that it is updated annually and whenever a major organizational change occurs."
Auditor: "Based on its response, DFS is taking measures to address our concerns on this matter."
DFS relied on an information security incident response plan and procedures that lacked required elements.
cybersecurityinternal controls

Why it matters: Without an adequate incident response plan and procedures, DFS may not take sufficient containment measures or complete proper documentation, investigation, risk analysis, and impact analysis after a security incident.

Standard: Sections 6.5.1 and 6.5.2 of EOTSS’s Information Security Incident Management Standard IS.009. ( EOTSS’s Information Security Incident Management Standard IS.009; Section 2 of Chapter 7D of the General Laws )

2 recommendations
  • DFS should rely on an information security incident response plan and procedures that include all required elements.
  • Alternatively, DFS could establish a supplemental information security incident response plan and procedures that include guidance for implementing corrective action or post-incident analysis, criteria for business recovery, data backup processes, and an analysis of legal requirements for reporting IT system compromises.
Agency response & Auditor reply
Agency: "DFS will continue to collaborate with EOPSS and develop a DFS supplemental plan which will complement the secretariat-wide standards, and which will identify Information Security Response actions and procedures specific to DFS."
Auditor: "Based on its response, DFS is taking measures to address our concerns on this matter."
DFS did not provide cybersecurity awareness training to its contractors for the 2021–2022 training cycle.
cybersecurityinternal controlsvendor oversight

Why it matters: Untrained contractors may make user errors or compromise the integrity and security of protected information in DFS’s IT systems.

Standard: EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2. ( EOTSS’s Information Security Risk Management Standard IS.010; Section 2 of Chapter 7D of the General Laws )

2 recommendations
  • DFS should ensure that its contractors complete cybersecurity awareness training.agency: already implemented
  • DFS should ensure that its contractors have access to its cybersecurity awareness training platform.agency: already implemented
Agency response & Auditor reply
Agency: "In FY 2023, HRD was able to provide all statewide contract employees with access to Mass Achieve and the DFS contract employees completed all mandatory training."
Auditor: "Based on its response, DFS has taken measures to address our concerns on this matter."

More audits of this entity

Other Office of the State Auditor reports on Department of Fire Services .

See this entity's page with all 4 audits →