2015 Federal Information Security Management Act Compliance Audit

FISMA is meant to bolster computer and network security within the federal government. In accordance with FISMA and guidance from the Office of Management and Budget, TVA and the TVA OIG are required to report on agency-wide IT security and privacy practices annually. In our 2015 review of TVA's information security program, we found TVA was in compliance in the security program control areas of (1) identity and access management, (2) incident response and reporting, (3) plan of action and milestones, (4) remote access management, and (5) contingency planning. However, TVA still has ongoing actions in the following areas: (1) continuous monitoring management, (2) configuration management, (3) risk management, (4) security training, and (5) contractor systems control. Additionally, we found controls over the issuing of virtual private network tokens could be improved. TVA management agreed with our findings and recommendations and is implementing its remediation plan.(Summary Only)