Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Woods Hole, Martha’s Vineyard and Nantucket Steamship Authority (February 5, 2024)

February 5, 2024 · Woods Hole, Martha · Read the full official report on mass.gov ↗

Published February 5, 2024 Audit covers January 1, 2020 – December 31, 2021 Under Diana DiZoglio · 2023–present

In plain English
The auditor found that the Steamship Authority used its COVID relief money properly, but did not properly manage cybersecurity training for employees.
source
“We noted no exceptions in our testing; therefore, we conclude that the Steamship Authority spent CARES Act funds in accordance with FTA guidance and the Steamship Authority’s memorandum of understanding with CCRTA during our audit period.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of the ferry authority that serves Martha’s Vineyard and Nantucket, covering mainly 2020 and 2021.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Woods Hole, Martha’s Vineyard and Nantucket Steamship Authority (the Steamship Authority) for the period January 1, 2020 through December 31, 2021.”
Why was it audited?

The audit checked two main things: whether federal COVID relief funds were spent properly, and whether employees completed cybersecurity awareness training.

“We also determined whether the Steamship Authority ensured that its employees completed cybersecurity awareness training in accordance with its internal practice.”
Why it matters

The Steamship Authority runs essential ferry service to Martha’s Vineyard and Nantucket, so weak cybersecurity practices could create real operational, financial, and reputational risks.

“If the Steamship Authority does not ensure that all employees are trained on their responsibility to protect information assets, then the Steamship Authority is exposed to a higher risk of cybersecurity attacks and financial and/or reputational losses.”
What's in it for me?

If you rely on these ferries, the audit matters because it looks at whether public money was handled properly and whether the ferry operator is reducing cyber risks that could affect services.

“These vessels provide ferry transportation services for passengers and vehicles between the Massachusetts mainland and the islands of Martha’s Vineyard and Nantucket.”
The bottom line

The biggest formal finding was that the Steamship Authority lacked a written cybersecurity training program and did not make sure employees were assigned and completed required training.

“The Steamship Authority does not have a formal, documented cybersecurity awareness training program and does not monitor the assignment and completion of cybersecurity awareness training courses.”
What happens next

The auditor recommended that the Steamship Authority create a formal cybersecurity training program, track completion, assign responsibility, and make sure employees can access the training.

“The Steamship Authority should replace its current, undocumented cybersecurity awareness training practice with a formal, documented cybersecurity awareness training program that follows best practices for these programs.”
Why it's significant

The report is significant because it found no problem with the tested COVID relief spending, but it did find serious weaknesses in how the ferry authority handled cybersecurity training and noted additional concerns about free ferry passage controls.

“In addition to the conclusions we reached regarding our objectives, we also identified issues unrelated to our objectives regarding internal controls over the Steamship Authority’s employee and eligible nonemployee free ferry passage benefit and the Steamship Authority’s accountability for employee and eligible nonemployee identification badges.”
Jargon, unpacked

CARES Act funds were federal COVID relief dollars; FTA means the Federal Transit Administration; CCRTA means Cape Cod Regional Transit Authority; and a UZA is an urbanized area with at least 50,000 people.

“According to FTA’s website, “An urbanized area is an incorporated area with a population of 50,000 or more that is designated as such by the U.S. Department of Commerce, Bureau of the Census.””

What the Auditor checked

What the Auditor found

The Steamship Authority lacked a formal cybersecurity awareness training program and did not monitor employee training assignment or completion.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: The Steamship Authority is exposed to a higher risk of cybersecurity attacks and financial and/or reputational losses.

Standard: Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 ( Section 12 of Chapter 11 of the Massachusetts General Laws; Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 )

4 recommendations
  • The Steamship Authority should replace its current, undocumented cybersecurity awareness training practice with a formal, documented cybersecurity awareness training program that follows best practices for these programs.agency: agreed
  • The Steamship Authority should implement monitoring controls to ensure that all employees are assigned to and complete cybersecurity awareness training.agency: agreed
  • The Steamship Authority should clearly define and document the positions responsible for administering and monitoring its formal, documented cybersecurity awareness training program.agency: agreed
  • If the Steamship Authority provides cybersecurity awareness training on a web-based platform, then it should ensure that all employees have access to computers to take the training.agency: agreed
Agency response & Auditor reply
Agency: "We agree with the importance of a comprehensive, documented training program and monitoring plan relative to cybersecurity awareness training."
Auditor: "Based on its response, the Steamship Authority is taking measures to address our concerns on this matter."

More audits of this entity

Other Office of the State Auditor reports on Woods Hole, Martha .

See this entity's page with all 3 audits →