
Federal Information Security Modernization Act

Report Information

Date Issued:
Report Number: 2023-17423
Report Type: Audit
Joint Report: Yes
Participating OIG: Tennessee Valley Authority OIG
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Description

The Federal Information Security Modernization Act of 2014 (FISMA) requires each agency’s Inspector General (IG) to conduct an annual independent evaluation to determine the effectiveness of the information security program (ISP) and practices of its respective agency. Our objective was to determine the effectiveness of the Tennessee Valley Authority’s (TVA) ISP and practices as defined by the Fiscal Year (FY) 2023 – 2024 IG FISMA Reporting Metrics. Our audit scope was limited to answering the FY 2023 IG metrics, which consist of 20 core IG metrics that are evaluated annually and the remaining supplemental IG metrics, which are evaluated on a two-year cycle (Appendix B). The 20 core IG metrics were chosen based on alignment with Executive Order 14028, Improving the Nation's Cybersecurity, as well as recent OMB guidance to agencies in furtherance of the modernization of federal cybersecurity.

The FISMA methodology considers metrics at level 4 (managed and measurable) or higher to be at an effective level of security. Based on our analysis of the 40 IG metrics and the associated maturity models, we found 21 of the 40 IG metrics were at level 1 (ad hoc), level 2 (defined), or level 3 (consistently implemented); therefore, TVA's information security program was not operating in an effective manner.

Recommendations

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, implement a knowledge, skills, and abilities assessment to tailor cybersecurity awareness and specialized training, identify gaps in TVA’s cybersecurity workforce, and subsequently address the identified gaps through training or talent acquisition.

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, update processes to ensure that the results of Business Impact Analysis are consistently (a) integrated with the enterprise risk management process and (b) used in conjunction with the risk register to calculate potential overall risk and inform senior level decision-making.

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, update TVA’s Vulnerability Disclosure Policy to include all internet-accessible federal systems in the scope of the policy and create performance measures to gauge the effectiveness of its Vulnerability Disclosure Policy and disclosure handling procedures.

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, perform annual test, training, and exercise activities for each business-critical application, as required by TVA policy, to ensure (a) contingency training is provided consistently with the assigned roles and responsibilities, so that the appropriate content and level of detail are identified and included, and (b) resources are allocated in a risk-based manner and stakeholders are held accountable.

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, implement and communicate accurate, consistent, and reproducible metrics on the effectiveness of recovery activities to relevant stakeholders.