U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

SharePoint® Access Management

Report Information

Date Issued
Report Number
2024-17492
Report Type
Audit
Description
The Office of the Inspector General performed an audit to determine if TVA manages access to nonpublic critical and sensitive information in accordance with TVA information management policy. Our scope was limited to TVA’s SharePoint® sites as of March 19, 2024. We determined TVA’s management of access to nonpublic critical and sensitive information could be improved. In addition, we determined TVA was not providing SharePoint® site owners with appropriate training to properly manage access to TVA nonpublic critical and sensitive information. This report, specifically identifies Microsoft, a nongovernmental organization/business entity. Pursuant to the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023, Pub. L. No. 117-263 §5274, any such organization may submit a written response to the report within 30 days, clarifying or providing additional context for each instance within the report in which the organization is specifically identified. Any response provided for that purpose will be appended to the final, published report. If you have any questions about this process, please contact Jeffrey McKenzie at (865) 633-7374 or jtmckenzie@tvaoig.gov within 30 days of publication.
Joint Report
Yes
Participating OIG
Tennessee Valley Authority OIG
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0
View report on Oversight.gov

Recommendations

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, perform a risk assessment of SharePoint® access management to identify additional controls to mitigate inappropriate access to nonpublic critical and sensitive information.

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, update TVA’s SharePoint® training to provide site owners with the knowledge they need to properly protect TVA nonpublic critical and sensitive information.

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, create a process to identify SharePoint® site owners and require them to complete initial and periodic refresher training.