Date Issued
Submitting OIG
Tennessee Valley Authority OIG
Agencies Reviewed/Investigated
Tennessee Valley Authority
Report Number
2025-17548
Report Description

The Federal Information Security Modernization Act of 2014 (FISMA) requires each agency's Inspector General to conduct an annual independent evaluation to determine the effectiveness of the information security program (ISP) and practices of its respective agency. Our objective was to determine the effectiveness of the Tennessee Valley Authority's (TVA) ISP and practices as defined by the FY 2025 IG FISMA Reporting Metrics. Our audit scope was limited to answering the fiscal year (FY) 2025 IG metrics, which include 20 core and 5 supplemental IG metrics. The FISMA methodology considers metrics at maturity level 4 (managed and measurable) or higher to be at an effective level of security.

Based on our analysis of the FY 2025 IG metrics and associated maturity models, we determined TVA's ISP and practices were operating in an effective manner as defined by the FY 2025 IG FISMA Reporting Metrics. However, we identified areas for improvement in both the core and supplemental metrics to further improve TVA's ISP and practices.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
5
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 5 open recommendations.
Recommendation 1 (Significant Recommendation: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
Additional Details: We recommend the Vice President, Chief Information and Digital Officer, Information Technology, consistently implement the defined policies, procedures, and processes for developing and maintaining a comprehensive and accurate inventory of public-facing websites.

Recommendation 2 (Significant Recommendation: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
Additional Details: We recommend the Vice President, Chief Information and Digital Officer, Information Technology, implement, assess, and maintain common secure configuration settings for all information systems.

Recommendation 3 (Significant Recommendation: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
Additional Details: We recommend the Vice President, Chief Information and Digital Officer, Information Technology, incorporate vulnerability scanning into the Continuous Diagnostics and Mitigation dashboard in accordance with Binding Operational Directive 23-01, in coordination with the Department of Homeland Security as necessary.

Recommendation 4 (Significant Recommendation: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
Additional Details: We recommend the Vice President, Chief Information and Digital Officer, Information Technology, refine the profiles periodically based on known risk exposure and residual risk, align cybersecurity profiles with the risk strategy, and periodically monitor and report on progress in reaching TVA's target profile.

Recommendation 5 (Significant Recommendation: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
Additional Details: We recommend the Vice President, Chief Information and Digital Officer, Information Technology, verify that the data and corresponding metadata in the data inventories are subject to the monitoring processes defined within TVA's Information Security Continuous Monitoring strategy.