The Federal Information Security Modernization Act of 2014 (FISMA) requires each agency’s Inspector General (IG) to conduct an annual independent evaluation to determine the effectiveness of the information security program (ISP) and practices of its respective agency. Our audit objective was to determine the effectiveness of Tennessee Valley Authority’s (TVA) ISP and practices as defined by the Fiscal Year (FY) 2022 Core IG Metrics Implementation Analysis and Guidelines (see Appendix B). Our audit scope was limited to answering the core IG metrics.

The FISMA methodology considers metrics at a level 4 (managed and measurable) or higher to be at an effective level of security. Based on our analysis of the core IG metrics and associated maturity models, we found 12 of the 20 core IG metrics were at a level 1 (ad-hoc), level 2 (defined), or level 3 (consistently implemented); therefore, TVA’s ISP was not operating in an effective manner as defined by the FY 2022 Core IG Metrics Implementation Analysis and Guidelines.
Report File
Date Issued
Submitting OIG: Tennessee Valley Authority OIG
Other Participating OIGs: Tennessee Valley Authority OIG
Agencies Reviewed/Investigated: Tennessee Valley Authority
Report Number: 2022-17370
Report Description
Report Type: Audit
Agency Wide: Yes
Number of Recommendations: 5
Questioned Costs: $0
Funds for Better Use: $0