An official website of the United States government
Here's how you know
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Brought to you by the Council of the Inspectors General on Integrity and Efficiency
The Office of the Inspector General performed an audit to determine if the Tennessee Valley Authority’s (TVA’s) corporate deployment of Microsoft 365® was configured to require and enforce the use of multi-factor authentication (MFA) for all accounts. Our scope was limited to MFA managed through Microsoft Entra® ID. We determined TVA has required and enforced the use of MFA for all accounts with limited exclusions for service accounts. Additionally, we reviewed a sample of service accounts and determined they were approved and documented in accordance with the applicable tech standard. However, we identified internal control deficiencies related to MFA enforcement access policies and MFA applicability to enterprise applications. Specifically, we found (1) an MFA enforcement access policy applicable to 26 of 2,448 enterprise applications was not fully implemented in accordance with the applicable TVA tech standard and identified best practices, and (2) 1,802 of 2,448 enterprise applications were not covered by an MFA enforcement access policy.
This report specifically identifies Microsoft, a nongovernmental organization/business entity. Pursuant to the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023, Pub. L. No. 117-263 §5274, any such organization may submit a written response to the report within 30 days, clarifying or providing additional context for each instance within the report in which the organization is specifically identified. Any response provided for that purpose will be appended to the final, published report. If you have any questions about this process, please contact Jeffrey McKenzie at (865) 633-7374 or jtmckenzie@tvaoig.gov within 30 days of publication.
Termination Memorandum – Audit of the Department of the Treasury ‘s Pre-Award Process for the State Small Business Credit Initiative (SSBCI) Main Capital Allocation and Distribution for States and U.S. Territories
Performance Audit of the U.S. Nuclear Regulatory Commission’s Compliance with the Requirements of the Payment Integrity Information Act of 2019 for Fiscal Year 2024
The objective of our audit was to assess the NRC’s compliance with the Payment Integrity Information Act of 2019 for fiscal year 2024 in accordance with Office of Management and Budget Memorandum M-21-19, Appendix C to OMB Circular No. A-123, Requirements for Payment Integrity Improvement, dated March 5, 2021. The OIG found that the NRC complied with the requirements of the Payment Integrity Information Act of 2019 for Fiscal Year 2024.
Performance Audit of the Defense Nuclear Facilities Safety Board’s Compliance with the Requirements of the Payment Integrity Information Act of 2019 for Fiscal Year 2024
Closeout Audit of Business Excellence for Sustainability and Transparency Project in Mongolia, Managed by Development Solutions NGO, Cooperative Agreement 72043820CA00001, January 1 to December 1, 2024
