The Federal Information Security Modernization Act of 2014 (FISMA) requires each agency’s Inspector General (IG) to conduct an annual independent evaluation to determine the effectiveness of the information security program (ISP) and practices of its respective agency. Our objective was to determine the effectiveness of the Tennessee Valley Authority’s (TVA) ISP and practices as defined by the FY [Fiscal Year] 2023 – 2024 IG FISMA Reporting Metrics. Our audit scope was limited to answering the fiscal year (FY) 2023 IG metrics, which include 20 core IG metrics to be evaluated annually; the remaining supplemental IG metrics are evaluated on a two-year cycle (Appendix B). The 20 core IG metrics were chosen based on alignment with Executive Order 14028, Improving the Nation's Cybersecurity, as well as recent OMB guidance to agencies in furtherance of the modernization of federal cybersecurity. The FISMA methodology considers metrics at level 4 (managed and measurable) or higher to be at an effective level of security. Based on our analysis of the 40 IG metrics and associated maturity models, we found 21 of 40 IG metrics were at level 1 (ad hoc), level 2 (defined), or level 3 (consistently implemented); therefore, TVA's information security program was not operating in an effective manner.
Tuesday, September 26, 2023