The Office of the Inspector General performed an audit to determine if TVA manages access to nonpublic critical and sensitive information in accordance with TVA information management policy. Our scope was limited to TVA’s SharePoint® sites as of March 19, 2024. We determined TVA’s management of access to nonpublic critical and sensitive information could be improved. In addition, we determined TVA was not providing SharePoint® site owners with appropriate training to properly manage access to TVA nonpublic critical and sensitive information.

This report specifically identifies Microsoft, a nongovernmental organization/business entity. Pursuant to the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023, Pub. L. No. 117-263 §5274, any such organization may submit a written response to the report within 30 days, clarifying or providing additional context for each instance within the report in which the organization is specifically identified. Any response provided for that purpose will be appended to the final, published report. If you have any questions about this process, please contact Jeffrey McKenzie at (865) 633-7374 or jtmckenzie@tvaoig.gov within 30 days of publication.
Open Recommendations
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details |
|---|---|---|---|---|
| 1 | No | $0 | $0 | |
| We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, perform a risk assessment of SharePoint® access management to identify additional controls to mitigate inappropriate access to nonpublic critical and sensitive information. | | | | |
| 2 | No | $0 | $0 | |
| We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, update TVA’s SharePoint® training to provide site owners with the knowledge they need to properly protect TVA nonpublic critical and sensitive information. | | | | |
| 3 | No | $0 | $0 | |
| We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, create a process to identify SharePoint® site owners and require them to complete initial and periodic refresher training. | | | | |