Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
U.S. Agency for International Development
Single Audit of Population Services International for the Years Ended December 31, 2019
The CSB Has Improved Its Information Security Program but Needs to Document Recovery Testing Results, Consistent with National Institute of Standards and Technology Guidelines
Why We Did This Report
The U.S. Environmental Protection Agency Office of Inspector General conducted this audit to assess the U.S. Chemical Safety and Hazard Investigation Board’s compliance with the FY 2023–2024 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics. We contracted with SB & Company LLC to perform this audit under our direction and oversight.
Summary of Findings
SB & Company concluded that the CSB achieved an overall maturity of Level 2, Defined, in fiscal year 2023. This means that the CSB’s policies, procedures, and strategies are formalized and documented but not consistently implemented. While the CSB has improved its overall maturity from the Level 1, Ad Hoc, rating it achieved in fiscal year 2022, SB & Company identified that improvements are still needed in the Incident Response domain within the Respond Function Area. Specifically, SB & Company concluded that the CSB should formally document the results of and the lessons learned during its disaster recovery testing scenarios. Because the CSB only has an informal process for documenting testing results and lessons learned, it did not fully document the results of its disaster recovery testing in a manner that was consistent with the National Institute of Standards and Technology guidelines.
The Office of the Inspector General performed an audit to determine if TVA’s security controls were appropriately configured to protect corporate Wi-Fi networks. Our scope was limited to Wi-Fi networks maintained by TVA’s Technology and Innovation organization. We determined TVA’s security controls related to overall architecture design and implementation were generally configured appropriately to protect corporate Wi-Fi networks. However, we identified several areas that should be addressed to further improve the security of corporate Wi-Fi networks. Specifically, we identified:
• Internal controls for specific types of attacks were ineffective.
• Wireless software and hardware were unsupported by the manufacturer.
• Data in transit (electronic transmission of information) was not properly secured.
• Primary accounts improperly provided privileged user access.
• Service account usage was not in accordance with TVA policy.
• Baseline configuration management process was not designed or implemented properly.
TVA management agreed with our recommendations.