Federal Information Security Modernization Act

Report Information

Date Issued
Report Number
2022-17370
Report Type
Audit
Description
The Federal Information Security Modernization Act of 2014 (FISMA) requires each agency’s Inspector General (IG) to conduct an annual independent evaluation to determine the effectiveness of the information security program (ISP) and practices of its respective agency. Our audit objective was to determine the effectiveness of the Tennessee Valley Authority’s (TVA) ISP and practices as defined by the Fiscal Year (FY) 2022 Core IG Metrics Implementation Analysis and Guidelines (see Appendix B). Our audit scope was limited to answering the core IG metrics.

The FISMA methodology considers metrics at level 4 (managed and measurable) or higher to be at an effective level of security. Based on our analysis of the core IG metrics and associated maturity models, we found that 12 of the 20 core IG metrics were at level 1 (ad hoc), level 2 (defined), or level 3 (consistently implemented); therefore, TVA’s ISP was not operating in an effective manner as defined by the FY 2022 Core IG Metrics Implementation Analysis and Guidelines.
Joint Report
Yes
Participating OIG
Tennessee Valley Authority OIG
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0

Recommendations

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, define policies, procedures, and processes for developing and maintaining a comprehensive and accurate inventory of TVA’s information systems and system interconnections that can be used for system authorizations, and monitor that inventory as part of TVA’s information system continuous monitoring strategy.

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, improve the hardware asset management processes to include standard data elements/taxonomy that are used to inform which assets can or cannot be introduced into the network as part of the network authentication process.

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, define standard data elements/taxonomy for software assets that are used to (a) develop and maintain an up-to-date inventory of software assets and licenses, including mobile applications, and (b) inform what assets can or cannot be introduced to the network.

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, ensure the configuration management process is consistently implemented for all information systems.

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, ensure contingency plans are consistently tested as required by policy.