Review of Physical and Logical Access for Contractors

The Office of the Inspector General reviewed the IT controls for granting and monitoring non-nuclear contractor access to TVA Assets, including general network access. The OIG found TVA's controls over processes for managing and tracking non-Nuclear contractor logical and physical access need to be strengthened to reduce the risk of loss or compromise of sensitive TVA data and physical assets. Specifically, the OIG found:Three enterprise risks identified by TVA's Enterprise Risk Council could be impacted by weak controls over contractor access identified in this report.The current maturity of TVA's contractor management process is relatively low.Certain contractors had access to sensitive TVA assets without proper background investigation and clearance.TVA's system for assigning physical access to TVA facilities does not clearly identify facilities for which special clearance is needed.TVA does not have a process to require complete and accurate entry for all non-nuclear contractors into the Human Resource Information System.The IT Customer Center does not ensure Virtual Private Network tokens used by contractors are returned when the contractor leaves TVA employment. Summary Only