Submitting OIG
Tennessee Valley Authority OIG
Agencies Reviewed/Investigated
Tennessee Valley Authority
Report Number
2024-17508
Report Description

The Office of the Inspector General performed an audit of the Tennessee Valley Authority's (TVA) cybersecurity vulnerability management program. Our objective was to determine whether TVA was compliant with the Cybersecurity and Infrastructure Security Agency (CISA) Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities (KEVs), and CISA BOD 19-02, Vulnerability Remediation Requirements for Internet-Accessible Systems.

We determined TVA generally complied with CISA BOD 19-02 and CISA BOD 22-01; however, two requirements were not fully met. Specifically, TVA did not (1) update CISA with modifications to the inventory of internet-accessible internet protocol (IP) addresses within the five-day requirement or (2) meet the CISA required remediation timeline for 8 of 22 KEVs.
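The second finding turns on a mechanical check: BOD 22-01 requires each KEV to be patched or mitigated by the due date CISA publishes in the catalog entry itself, so a program can be measured by joining scanner findings against the catalog's dueDate field. The script below is an added example of that check, not code from TVA, the OIG, or CISA. The catalog excerpt and the scanner export are constructed; the CVE-1900-* identifiers are placeholders that cannot appear in the real catalog, and the host names and the findings JSON layout are assumptions about what a scanner export might look like.

```python
"""Added example: measure KEV remediation against the due dates CISA publishes in its catalog.

Not TVA, OIG, or CISA code. The catalog excerpt and scanner export below are constructed;
CVE-1900-* identifiers are placeholders that cannot exist in the real catalog.
"""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only the fields this script reads are included; the real feed carries more.
KEV_CATALOG_JSON = """
{
  "title": "Constructed excerpt shaped like the CISA KEV catalog",
  "vulnerabilities": [
    {"cveID": "CVE-1900-0001", "dateAdded": "2024-01-10", "dueDate": "2024-01-31",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product."},
    {"cveID": "CVE-1900-0002", "dateAdded": "2024-02-05", "dueDate": "2024-02-26",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product."},
    {"cveID": "CVE-1900-0003", "dateAdded": "2024-03-01", "dueDate": "2024-03-22",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product."}
  ]
}
"""

# Constructed scanner export (assumed layout): one row per asset/CVE pair. "remediated_on"
# is the date a patch or vendor mitigation was verified, or null while the finding is open.
FINDINGS_JSON = """
[
  {"asset": "host-a", "cve": "CVE-1900-0001", "first_seen": "2024-01-12", "remediated_on": "2024-01-20"},
  {"asset": "host-b", "cve": "CVE-1900-0001", "first_seen": "2024-01-12", "remediated_on": "2024-02-14"},
  {"asset": "host-c", "cve": "CVE-1900-0002", "first_seen": "2024-02-06", "remediated_on": null},
  {"asset": "host-d", "cve": "CVE-1900-0003", "first_seen": "2024-03-02", "remediated_on": null},
  {"asset": "host-e", "cve": "CVE-1900-0099", "first_seen": "2024-03-02", "remediated_on": null}
]
"""


def load_due_dates(catalog_json: str) -> dict[str, date]:
    """Map each catalogued CVE to the due date CISA set for it."""
    catalog = json.loads(catalog_json)
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in catalog["vulnerabilities"]}


def classify(finding: dict, due_dates: dict[str, date], as_of: date) -> str:
    """Classify one finding against the BOD 22-01 deadline for its CVE.

    A finding closed by patch *or* mitigation counts as remediated; the directive accepts either.
    Anything still open after the due date is overdue as of the evaluation date.
    """
    due = due_dates.get(finding["cve"])
    if due is None:
        return "not_in_kev"  # still a vulnerability, just not subject to the KEV timeline
    if finding["remediated_on"] is not None:
        fixed = date.fromisoformat(finding["remediated_on"])
        return "remediated_on_time" if fixed <= due else "remediated_late"
    return "overdue" if as_of > due else "open_within_window"


def kev_compliance_report(catalog_json: str, findings_json: str, as_of_iso: str) -> dict:
    """Per-finding statuses plus per-KEV roll-up, mirroring an "N of M KEVs missed" finding.

    A KEV counts as missed if any asset carrying it was remediated late or is still overdue.
    """
    due_dates = load_due_dates(catalog_json)
    as_of = date.fromisoformat(as_of_iso)
    statuses: dict[str, str] = {}
    per_kev: dict[str, bool] = {}  # cve -> missed deadline on at least one asset
    for f in json.loads(findings_json):
        status = classify(f, due_dates, as_of)
        statuses[f"{f['asset']} {f['cve']}"] = status
        if status != "not_in_kev":
            per_kev[f["cve"]] = per_kev.get(f["cve"], False) or status in ("remediated_late", "overdue")
    return {
        "as_of": as_of_iso,
        "statuses": statuses,
        "kev_findings": sum(1 for s in statuses.values() if s != "not_in_kev"),
        "missed_deadline": sum(1 for s in statuses.values() if s in ("remediated_late", "overdue")),
        "kevs_in_scope": len(per_kev),
        "kevs_missed": sum(1 for missed in per_kev.values() if missed),
    }


if __name__ == "__main__":
    report = kev_compliance_report(KEV_CATALOG_JSON, FINDINGS_JSON, "2024-03-15")
    for key, status in report["statuses"].items():
        print(f"{key:24} {status}")
    print(f"{report['kevs_missed']} of {report['kevs_in_scope']} KEVs missed the CISA timeline")
```

Two points a practitioner checking a program this way should keep in mind. The due date comes from the catalog, not from a scanner's severity score, so a feed snapshot taken at audit time is part of the evidence. And the per-KEV roll-up is the stricter view: one late host is enough to mark the KEV as missed, which is the view an auditor counting "8 of 22 KEVs" takes.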

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
2
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 2 open recommendations.
Recommendation 1
Significant Recommendation: No
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, design and implement a documented process for maintaining an accurate inventory of internet-accessible internet protocol addresses and update the Cybersecurity and Infrastructure Security Agency within five days of changes.

Recommendation 2
Significant Recommendation: No
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, update patch management processes to verify known exploited vulnerabilities are patched or mitigated in accordance with policy.
