The Office of the Inspector General conducted an audit of the Tennessee Valley Authority’s (TVA) cloud inventory due to TVA’s increased use of cloud services. Our objective was to determine if TVA maintained an accurate and complete cloud inventory. Although we determined that TVA’s (1) defined processes related to managing cloud inventory were designed in alignment with identified best practices, and (2) access controls for the cloud inventory were operating effectively, TVA does not maintain an accurate and complete cloud inventory. Specifically, (1) cloud services procured outside of the IT organization’s procurement process were not included in inventory, (2) reconciliation controls did not include all available sources to identify cloud services, and (3) required fields in existing inventory data were incomplete.
This report specifically identifies the Center for Internet Security, a nongovernmental organization/business entity. Pursuant to the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023, Pub. L. No. 117-263 §5274, any such organization may submit a written response to the report within 30 days, clarifying or providing additional context for each instance within the report in which the organization is specifically identified. Any response provided for that purpose will be appended to the final, published report. If you have any questions about this process, please contact Jeffrey McKenzie at (865) 633-7374 or jtmckenzie@tvaoig.gov within 30 days of publication.