The Federal Information Security Modernization Act of 2014 (FISMA) requires each agency’s Inspector General (IG) to conduct an annual independent evaluation to determine the effectiveness of the information security program (ISP) and practices of its respective agency. Our objective was to evaluate the Tennessee Valley Authority’s (TVA) strategy and the progress of TVA’s ISP and agency practices for ensuring compliance with FISMA and applicable standards, including guidelines issued by the Office of Management and Budget and the National Institute of Standards and Technology. Our audit scope was limited to answering the fiscal year (FY) 2017 IG metrics developed as a collaborative effort by the Office of Management and Budget, the Department of Homeland Security, and the Council of Inspector Generals on Integrity and Efficiency in consultation with the Federal Chief Information Officer Council. The FY2017 IG FISMA metrics recommend that a majority of the functions be at maturity level 4 (managed and measurable) or higher to be considered effective. Based on our analysis of the metrics and associated maturity levels defined within the FY2017 IG FISMA metrics, we found TVA’s ISP was operating in an effective manner.
Thursday, December 21, 2017