LANSING – Not all volunteers with the Michigan Cyber Civilian Corps are meeting program requirements, including passing criminal background checks, signing a nondisclosure agreement for confidential security work and failing components of a test which validated their abilities to work with the group.

These findings come from an audit released Friday by the Office of the Auditor General, which found issues with both volunteers failing to meet all program requirements and then not being held accountable for missing training certification sessions. It also found the group does not have the adequate tools to properly defend the state from a cyberattack, should one occur.

MiC3 is a cybersecurity program created in 2013 and falls under the Department of Technology, Management and Budget. The program’s mission, parameters and volunteer recruitment did not begin, however, until PA 132 of 2017 was signed by then Governor Rick Snyder. Work through the program did not commence until 2018, with the goal of providing a rapid response to municipal, educational, nonprofit or business groups experiencing a cybersecurity incident.

This could range from ransomware to a phishing scam to a distributed denial-of-service attack.

According to the report, as of February the program employed 99 volunteers and spent almost $1.5 million on training certification, recruiting and administration, funds for a program manager and program coordinator and other miscellaneous expenses.

Of those 99 volunteers, the audit notes contracts did not exist for a quarter of employees, DTMB did not sign any of the existing 74 contacts and that the volunteers’ names were not listed on more than half of the written contracts. Furthermore, of the 99 volunteers, 35 of them did not have criminal background checks done by either the FBI or Department of State Police before being employed and another two had failed their background checks but were still employed.

In terms of certification, the audit states DTMB requires “all volunteers have at least two years of direct involvement with information security and possess a basic security certification” and are “required to pass a series of tests to demonstrate basic networking and security knowledge, including incident response and forensic skills.”

What the OAG found, however, was that 14 of the 99 volunteers did not pass all components of their test, 23 did not meet the required level of experience and no records were provided by the DTMB to prove 11 of the volunteers even passed their examinations as a whole.

The audit also notes that volunteers are required by the National Institute of Standards and Technology to take certification training on the latest cybersecurity standards nationwide, yet the MiC3 routinely had almost a third of its staff from 2016 to 2018 fail to take any sort of exam.

During this time, the DTMB lost $28,789 in exam fees for those who failed obtain certification.

The DTMB acknowledged both findings and issued a response to the OAG that, in future, it would require all employees to sign a revised volunteer agreement approved by the Department of Attorney General and it would “ensure that its formal training vendor selection methodology is documented and that training is based on the needs of the program and its volunteer members’ individual training needs.”

The department did, however, dispute one of the two flagged volunteers who failed their background checks, writing that the “one member who failed the criminal background check was already a member of the program under the Merit Network, prior to PA 132” and as a result was allowed to “benefit from the networking opportunities” but not allowed access to any personal client information or state building.

Despite this, the department wrote that both the members who failed background checks had their MiC3 volunteer status revoked.

This story was published by Gongwer News Service.