Audit of the Massachusetts Department of Transportation Aeronautics Division
June 30, 2022 · Massachusetts Department of Transportation · Read the full official report on mass.gov ↗ · official site ↗
source
“The Aeronautics Division does not have a BCP.”
Read the plain-English breakdown
This is a state performance audit of MassDOT's Aeronautics Division covering July 1, 2019 through June 30, 2021.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Massachusetts Department of Transportation’s (MassDOT’s) Aeronautics Division for the period July 1, 2019 through June 30, 2021.”
Auditors checked whether the division followed rules for software project oversight, cybersecurity, business continuity, aircraft registration revenue, internal controls, and its drone program.
“In this performance audit, we determined whether the Aeronautics Division established a review process for its contract with Aurigo Software Technologies, Inc.1 and assigned a project manager to ensure that changes made to the software development project under contract were reviewed and approved, whether the division followed policies and procedures for the acceptable use of its information technology resources and for cybersecurity awareness training, whether the division established a business continuity plan (BCP), and whether the division registered aircraft and recorded the registration revenue2 generated during the audit period.”
Without a plan for disruptions, the division may not be ready to keep critical work going during an emergency, and that could create financial, reputation, or data-security problems.
“In addition, the division has not assessed its ability to continue operations in the event of a business interruption, which could lead to reputational loss, financial loss, or breaches of data.”
For residents, this matters because the division oversees many public-use airports and supports aviation safety, airport inspections, drone operations, and other public services.
“The division has jurisdiction over 35 of the Commonwealth’s 38 public-use airports.”
The division passed some audit areas, but failed on basic planning and cybersecurity follow-through.
“The Aeronautics Division did not ensure that staff members signed the “Acceptable Use of Information Technology (IT) Resources” policy and completed cybersecurity awareness training.”
The division said it would create and test a business continuity plan, update cybersecurity training and acceptable-use procedures, and finalize an internal control plan.
“The Deputy Administrator will work with the MassDOT IT Department to finalize and implement the Aeronautics Division BCP.”
The audit is significant because some of the same business-continuity problems had already been reported in earlier audits and still had not been fixed.
“In our two previous audits (2008-0044-4T, issued November 13, 2008, and 2016-0044-4A, issued August 18, 2017), we reported that the Massachusetts Department of Transportation’s (MassDOT’s) Aeronautics Division had not documented and tested a business continuity plan (BCP) to restore mission-critical and essential business functions in the event of an emergency.”
A business continuity plan is a written plan for how an agency keeps essential work going, or gets it running again, after an emergency or major disruption.
“Commonwealth Executive Offices and Agencies must establish a Business Continuity Program.”
What the Auditor checked
- Complied For the contract between the Aeronautics Division and Aurigo Software Technologies, Inc., did the division establish a review process and assign a project manager to ensure that changes made to the software development project under contract were reviewed and approved in accordance with the executed contract’s “Statement of Work”?
- Did not comply Has the Aeronautics Division established information technology (IT) policies and procedures for the acceptable use of its IT resources and for cybersecurity awareness training in accordance with MassDOT’s “Acceptable Use of Information Technology (IT) Resources” policy and Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010?
- Did not comply Has the Aeronautics Division established a business continuity plan (BCP) in accordance with EOTSS’s Business Continuity and Disaster Recovery Standard IS.005?
- Complied Did the Aeronautics Division register aircraft and record the registration revenue generated during the audit period in accordance with the MassDOT Aeronautics Division Finance Department Policies and Procedures Manual?
- Did not comply Has the Aeronautics Division updated its internal control plan (ICP) in accordance with the Office of the Comptroller of the Commonwealth’s (CTR’s) September 30, 2020 memorandum “[2019 Coronavirus, or] COVID-19 Pandemic Response Internal Controls Guidance”?
- Partially Does the Aeronautics Division Drone Program operate in accordance with Section 48 of Title 14 of the Code of Federal Regulations (CFR), 14 CFR 107.61, 14 CFR 107.73, and the “MassDOT Aeronautics Drone Team Inventory Standard Operating Procedures”?
What the Auditor found
Why it matters: Without a business continuity plan, staff may not be trained to recover mission-critical functions, and operations could be interrupted, causing reputational loss, financial loss, or data breaches.
Standard: Executive Office of Technology Services and Security’s Business Continuity and Disaster Recovery Standard IS.005, Section 6. ( Section 6 of the Executive Office of Technology Services and Security’s Business Continuity and Disaster Recovery Standard IS.005 )
1 recommendation
- The Aeronautics Division should develop, document, and test a business continuity plan.agency: agreed
Agency response & Auditor reply
Agency: "Management concurs with the auditors’ Recommendations, and the following actions will be taken to correct the situation."
Auditor: "Based on its response, the Aeronautics Division has taken measures to address our concerns on this matter."
Why it matters: The division faces a higher risk of viruses, malware, sensitive data loss, unauthorized data use, and financial or reputational losses.
Standard: MassDOT’s “Acceptable Use of Information Technology (IT) Resources” policy and EOTSS Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4. ( MassDOT’s “Acceptable Use of Information Technology (IT) Resources” policy; Section 6.2 of EOTSS’s Information Security Risk Management Standard IS.010 )
3 recommendations
- The Aeronautics Division should implement a policy requiring personnel to complete new hire and annual cybersecurity awareness training.
- The Aeronautics Division should maintain a record of completion of cybersecurity awareness training for each employee.
- The Aeronautics Division should require all personnel to sign the “Acceptable Use of Information Technology (IT) Resources” policy.
Agency response & Auditor reply
Agency: "MassDOT will update the “Acceptable Use of Information Technology (IT) Resources” policy to include mandatory security awareness training at the time of onboarding and annually thereafter."
Auditor: "Based on its response, the Aeronautics Division has taken measures to address our concerns on this matter."
Why it matters: Without an internal control plan, the division may not identify vulnerabilities that could prevent it from achieving organizational goals and objectives.
Standard: Chapter 647 of the Acts of 1989, CTR’s Internal Control Guide, and CTR’s September 30, 2020 COVID-19 Pandemic Response Internal Controls Guidance. ( Chapter 647 of the Acts of 1989; Office of the Comptroller of the Commonwealth Internal Control Guide; CTR’s “COVID-19 Pandemic Response Internal Controls Guidance” )
2 recommendations
- The Aeronautics Division should implement an internal control plan.agency: agreed
- The Aeronautics Division should maintain an up-to-date internal control plan and review and update it at least annually.agency: agreed
Agency response & Auditor reply
Agency: "Management concurs with the auditors’ Recommendations, and the following action will be taken to improve the situation."
Auditor: "Based on its response, the Aeronautics Division has taken measures to address our concerns on this matter."
Prior findings revisited
"In our two previous audits (2008-0044-4T, issued November 13, 2008, and 2016-0044-4A, issued August 18, 2017), we reported that the Massachusetts Department of Transportation’s (MassDOT’s) Aeronautics Division had not documented and tested a business continuity plan (BCP) to restore mission-critical and essential business functions in the event of an emergency."
More audits of this entity
Other Office of the State Auditor reports on Massachusetts Department of Transportation , including the prior audits referenced above.
-
Audit of the Massachusetts Department of Transportation - Millbury Roadway Reconstruction and Related Work (Contract 86774)State Agency / Office · October 19, 2021 -
Close-out of Agencies and Authorities combined into the Massachusetts Department of TransportationState Agency / Office · October 18, 2012 -
Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies - Massachusetts Department of TransportationState Agency / Office · November 8, 2024 -
The Department of Transportation's Office of Information Technology's Activities Relating to the Registry of Motor VehiclesState Agency / Office · July 20, 2011 -
Massachusetts Department of Transportation Use of Consultants and Contract EmployeesState Agency / Office · January 9, 2014 -
Massachusetts Department of Transportation Aeronautics DivisionState Agency / Office · August 18, 2017