Cybersecurity Vulnerability Management

Report Information

Date Issued
Report Number
2024-17508
Report Type
Audit
Description
The Office of the Inspector General performed an audit of the Tennessee Valley Authority’s (TVA) cybersecurity vulnerability management program. Our objective was to determine if TVA is compliant with the Cybersecurity and Infrastructure Security Agency (CISA) Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities (KEVs), and CISA BOD 19-02, Vulnerability Remediation Requirements for Internet-Accessible Systems. We determined TVA generally complied with CISA BOD 19-02 and CISA BOD 22-01; however, two requirements were not fully met. Specifically, TVA did not (1) update CISA with modifications to the inventory of internet-accessible internet protocol (IP) addresses within the five-day requirement or (2) meet the CISA required remediation timeline for 8 of 22 KEVs.
Joint Report
No
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0

Recommendations

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, (1) design and implement a documented process for maintaining an accurate inventory of internet-accessible internet protocol addresses and update the Cybersecurity and Infrastructure Security Agency within five days of changes.

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, update patch management processes to verify known exploited vulnerabilities are patched or mitigated in accordance with policy.