Information Technology Contractor Access

We audited TVA’s onboarding actions completed for all active IT contractors as of March 26, 2020, including background investigations and cybersecurity awareness training requirements to determine if IT contractors are granted logical access in accordance with TVA policy. TVA Information Technology and TVA Police require contractors have various levels of background investigations completed for logical access to different classifications of information. We found that (1) TVA policy does not align between business units, (2) the majority of Tier 1 IT contractor suitability background investigations were not in accordance with TVA policy, and (3) the majority of IT contractor higher level background investigations were not in accordance with TVA policy. TVA management agreed with the recommendations.