Federal Reports

The Office of Inspector General performed an evaluation of an Agricultural Research Service (ARS) facility’s physical condition and security.

The Office of Inspector General is issuing this management advisory to bring to the U.S. Small Business Administration’s (SBA) attention possible security threats from personally owned devices accessing the agency’s information technology network from national and international locations with only a username and password.

We identified in our fiscal years 2023 and 2024 Federal Information Security Modernization Act assessments that SBA did not have multifactor authentication enabled for users to access the agency’s secure network. Relying on usernames and passwords alone greatly increases the risk of SBA data being accessed and exploited by cyber criminals and other bad actors. We also determined personally owned devices could access the SBA network from foreign locations, which is prohibited by SBA information technology policy.

We made five recommendations, and SBA management agreed with all five. All of the recommendations have been closed or resolved.

The Office of the Inspector General performed an audit of TVA’s transmission network cybersecurity.  The audit scope was limited to a specific type of connectivity within TVA’s transmission network.  The audit objective was to determine the level of cybersecurity in place for this type of connectivity.

We determined the connectivity within TVA’s transmission network had a high level of cybersecurity in place commensurate with the level of associated risk.  In addition, our testing of internal controls identified process improvements related to configuration management.  We recommend the Senior Vice President, Grid, update configuration management processes to improve periodic reviews.