Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Massachusetts Department of Transportation Aeronautics Division

June 30, 2022 · Massachusetts Department of Transportation · Read the full official report on mass.gov ↗ · official site ↗

Published June 30, 2022 Audit covers July 1, 2019 – June 30, 2021 Under Suzanne M. Bump · 2011–2023

In plain English
The audit found three main problems: the Aeronautics Division did not have a business continuity plan, did not make sure all staff signed technology-use rules or completed cybersecurity training, and did not have an internal control plan.
source
“The Aeronautics Division does not have a BCP.”
Read the plain-English breakdown
What is this?

This is a state performance audit of MassDOT's Aeronautics Division covering July 1, 2019 through June 30, 2021.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Massachusetts Department of Transportation’s (MassDOT’s) Aeronautics Division for the period July 1, 2019 through June 30, 2021.”
Why was it audited?

Auditors checked whether the division followed rules for software project oversight, cybersecurity, business continuity, aircraft registration revenue, internal controls, and its drone program.

“In this performance audit, we determined whether the Aeronautics Division established a review process for its contract with Aurigo Software Technologies, Inc.1 and assigned a project manager to ensure that changes made to the software development project under contract were reviewed and approved, whether the division followed policies and procedures for the acceptable use of its information technology resources and for cybersecurity awareness training, whether the division established a business continuity plan (BCP), and whether the division registered aircraft and recorded the registration revenue2 generated during the audit period.”
Why it matters

Without a plan for disruptions, the division may not be ready to keep critical work going during an emergency, and that could create financial, reputation, or data-security problems.

“In addition, the division has not assessed its ability to continue operations in the event of a business interruption, which could lead to reputational loss, financial loss, or breaches of data.”
What's in it for me?

For residents, this matters because the division oversees many public-use airports and supports aviation safety, airport inspections, drone operations, and other public services.

“The division has jurisdiction over 35 of the Commonwealth’s 38 public-use airports.”
The bottom line

The division passed some audit areas, but failed on basic planning and cybersecurity follow-through.

“The Aeronautics Division did not ensure that staff members signed the “Acceptable Use of Information Technology (IT) Resources” policy and completed cybersecurity awareness training.”
What happens next

The division said it would create and test a business continuity plan, update cybersecurity training and acceptable-use procedures, and finalize an internal control plan.

“The Deputy Administrator will work with the MassDOT IT Department to finalize and implement the Aeronautics Division BCP.”
Why it's significant

The audit is significant because some of the same business-continuity problems had already been reported in earlier audits and still had not been fixed.

“In our two previous audits (2008-0044-4T, issued November 13, 2008, and 2016-0044-4A, issued August 18, 2017), we reported that the Massachusetts Department of Transportation’s (MassDOT’s) Aeronautics Division had not documented and tested a business continuity plan (BCP) to restore mission-critical and essential business functions in the event of an emergency.”
Jargon, unpacked

A business continuity plan is a written plan for how an agency keeps essential work going, or gets it running again, after an emergency or major disruption.

“Commonwealth Executive Offices and Agencies must establish a Business Continuity Program.”

What the Auditor checked

What the Auditor found

The Aeronautics Division did not have a documented and tested business continuity plan.
cybersecurityinternal controls

Why it matters: Without a business continuity plan, staff may not be trained to recover mission-critical functions, and operations could be interrupted, causing reputational loss, financial loss, or data breaches.

Standard: Executive Office of Technology Services and Security’s Business Continuity and Disaster Recovery Standard IS.005, Section 6. ( Section 6 of the Executive Office of Technology Services and Security’s Business Continuity and Disaster Recovery Standard IS.005 )

1 recommendation
  • The Aeronautics Division should develop, document, and test a business continuity plan.agency: agreed
Agency response & Auditor reply
Agency: "Management concurs with the auditors’ Recommendations, and the following actions will be taken to correct the situation."
Auditor: "Based on its response, the Aeronautics Division has taken measures to address our concerns on this matter."
The Aeronautics Division did not ensure staff signed the acceptable use policy or completed cybersecurity awareness training.
cybersecurityrecordkeeping/documentationinternal controls

Why it matters: The division faces a higher risk of viruses, malware, sensitive data loss, unauthorized data use, and financial or reputational losses.

Standard: MassDOT’s “Acceptable Use of Information Technology (IT) Resources” policy and EOTSS Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4. ( MassDOT’s “Acceptable Use of Information Technology (IT) Resources” policy; Section 6.2 of EOTSS’s Information Security Risk Management Standard IS.010 )

3 recommendations
  • The Aeronautics Division should implement a policy requiring personnel to complete new hire and annual cybersecurity awareness training.
  • The Aeronautics Division should maintain a record of completion of cybersecurity awareness training for each employee.
  • The Aeronautics Division should require all personnel to sign the “Acceptable Use of Information Technology (IT) Resources” policy.
Agency response & Auditor reply
Agency: "MassDOT will update the “Acceptable Use of Information Technology (IT) Resources” policy to include mandatory security awareness training at the time of onboarding and annually thereafter."
Auditor: "Based on its response, the Aeronautics Division has taken measures to address our concerns on this matter."
The Aeronautics Division did not have an implemented internal control plan.
internal controlsrecordkeeping/documentation

Why it matters: Without an internal control plan, the division may not identify vulnerabilities that could prevent it from achieving organizational goals and objectives.

Standard: Chapter 647 of the Acts of 1989, CTR’s Internal Control Guide, and CTR’s September 30, 2020 COVID-19 Pandemic Response Internal Controls Guidance. ( Chapter 647 of the Acts of 1989; Office of the Comptroller of the Commonwealth Internal Control Guide; CTR’s “COVID-19 Pandemic Response Internal Controls Guidance” )

2 recommendations
  • The Aeronautics Division should implement an internal control plan.agency: agreed
  • The Aeronautics Division should maintain an up-to-date internal control plan and review and update it at least annually.agency: agreed
Agency response & Auditor reply
Agency: "Management concurs with the auditors’ Recommendations, and the following action will be taken to improve the situation."
Auditor: "Based on its response, the Aeronautics Division has taken measures to address our concerns on this matter."

Prior findings revisited

Still a problem
"In our two previous audits (2008-0044-4T, issued November 13, 2008, and 2016-0044-4A, issued August 18, 2017), we reported that the Massachusetts Department of Transportation’s (MassDOT’s) Aeronautics Division had not documented and tested a business continuity plan (BCP) to restore mission-critical and essential business functions in the event of an emergency."

More audits of this entity

Other Office of the State Auditor reports on Massachusetts Department of Transportation , including the prior audits referenced above.

See this entity's page with all 7 audits →