Audit of the Woods Hole, Martha’s Vineyard and Nantucket Steamship Authority (February 5, 2024)
February 5, 2024 · Woods Hole, Martha · Read the full official report on mass.gov ↗
source
“We noted no exceptions in our testing; therefore, we conclude that the Steamship Authority spent CARES Act funds in accordance with FTA guidance and the Steamship Authority’s memorandum of understanding with CCRTA during our audit period.”
Read the plain-English breakdown
This is a Massachusetts State Auditor performance audit of the ferry authority that serves Martha’s Vineyard and Nantucket, covering mainly 2020 and 2021.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Woods Hole, Martha’s Vineyard and Nantucket Steamship Authority (the Steamship Authority) for the period January 1, 2020 through December 31, 2021.”
The audit checked two main things: whether federal COVID relief funds were spent properly, and whether employees completed cybersecurity awareness training.
“We also determined whether the Steamship Authority ensured that its employees completed cybersecurity awareness training in accordance with its internal practice.”
The Steamship Authority runs essential ferry service to Martha’s Vineyard and Nantucket, so weak cybersecurity practices could create real operational, financial, and reputational risks.
“If the Steamship Authority does not ensure that all employees are trained on their responsibility to protect information assets, then the Steamship Authority is exposed to a higher risk of cybersecurity attacks and financial and/or reputational losses.”
If you rely on these ferries, the audit matters because it looks at whether public money was handled properly and whether the ferry operator is reducing cyber risks that could affect services.
“These vessels provide ferry transportation services for passengers and vehicles between the Massachusetts mainland and the islands of Martha’s Vineyard and Nantucket.”
The biggest formal finding was that the Steamship Authority lacked a written cybersecurity training program and did not make sure employees were assigned and completed required training.
“The Steamship Authority does not have a formal, documented cybersecurity awareness training program and does not monitor the assignment and completion of cybersecurity awareness training courses.”
The auditor recommended that the Steamship Authority create a formal cybersecurity training program, track completion, assign responsibility, and make sure employees can access the training.
“The Steamship Authority should replace its current, undocumented cybersecurity awareness training practice with a formal, documented cybersecurity awareness training program that follows best practices for these programs.”
The report is significant because it found no problem with the tested COVID relief spending, but it did find serious weaknesses in how the ferry authority handled cybersecurity training and noted additional concerns about free ferry passage controls.
“In addition to the conclusions we reached regarding our objectives, we also identified issues unrelated to our objectives regarding internal controls over the Steamship Authority’s employee and eligible nonemployee free ferry passage benefit and the Steamship Authority’s accountability for employee and eligible nonemployee identification badges.”
CARES Act funds were federal COVID relief dollars; FTA means the Federal Transit Administration; CCRTA means Cape Cod Regional Transit Authority; and a UZA is an urbanized area with at least 50,000 people.
“According to FTA’s website, “An urbanized area is an incorporated area with a population of 50,000 or more that is designated as such by the U.S. Department of Commerce, Bureau of the Census.””
What the Auditor checked
- Complied Did the Steamship Authority spend Coronavirus Aid, Relief, and Economic Security (CARES) Act funds in accordance with the Federal Transit Administration’s (FTA’s) Frequently Asked Questions from FTA Grantees Regarding Coronavirus Disease 2019 (COVID-19) and the Steamship Authority’s memorandum of understanding with the Cape Cod Regional Transit Authority (CCRTA), dated April 21, 2020?
- Did not comply Did the Steamship Authority ensure that its employees completed cybersecurity awareness training in accordance with its internal practice?
What the Auditor found
Why it matters: The Steamship Authority is exposed to a higher risk of cybersecurity attacks and financial and/or reputational losses.
Standard: Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 ( Section 12 of Chapter 11 of the Massachusetts General Laws; Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 )
4 recommendations
- The Steamship Authority should replace its current, undocumented cybersecurity awareness training practice with a formal, documented cybersecurity awareness training program that follows best practices for these programs.agency: agreed
- The Steamship Authority should implement monitoring controls to ensure that all employees are assigned to and complete cybersecurity awareness training.agency: agreed
- The Steamship Authority should clearly define and document the positions responsible for administering and monitoring its formal, documented cybersecurity awareness training program.agency: agreed
- If the Steamship Authority provides cybersecurity awareness training on a web-based platform, then it should ensure that all employees have access to computers to take the training.agency: agreed
Agency response & Auditor reply
Agency: "We agree with the importance of a comprehensive, documented training program and monitoring plan relative to cybersecurity awareness training."
Auditor: "Based on its response, the Steamship Authority is taking measures to address our concerns on this matter."
More audits of this entity
Other Office of the State Auditor reports on Woods Hole, Martha .
- Woods Hole, Martha’s Vineyard and Nantucket Steamship AuthorityTransit Authority · July 19, 2017
- Woods Hole, Martha's Vineyard, and Nantucket Steamship AuthorityTransit Authority · December 15, 2011