2014 Federal Information Security Management Act Compliance Audit

The Federal Information Security Management Act of 2002 (FISMA) is meant to bolster computer and network security within the federal government. In accordance with FISMA and guidance from the U.S. Office of Management and Budget, TVA and the TVA OIG are required to report on agency-wide IT security and privacy practices annually. In our 2014 review of TVA's information security program, we found TVA was in compliance in the areas of: (1) incident response and reporting, (2) plan of action and milestones, (3) remote access management, (4) contingency planning, and (5) security capital planning. However, TVA needs improvements in the areas of: (1) continuous monitoring management, (2) configuration management, (3) identity and access management, (4) risk management, (5) security training, and (6) contractor systems. We recommended TVA implement additional improvements in its security configuration management program, update its security awareness and training, update interconnection security agreements, and update the FISMA system inventory. TVA management agreed with our findings and recommendations and is implementing its remediation plan. Summary Only