Audit: TVA Failed to Meet Federal Cybersecurity Standards

The Tennessee Valley Authority, a federally owned power company, got failing marks around email, encryption and website security. Officials say the corporate agency is working to correct the deficiencies.

by Dave Flessner, Chattanooga Times/Free Press / June 5, 2019

(TNS) — The Tennessee Valley Authority has failed to comply with new federal cybersecurity rules for email and websites, a new audit shows.

The TVA Inspector General said that of 116 TVA-registered internet domains identified for testing against email security requirements, 115 were found not to meet Department of Homeland Security cybersecurity standards during an audit earlier this year.

TVA internal auditors also found encryption requirements were inadequate at 20 of 55 TVA websites.

The Office of Management and Budget (OMB) wants all federal agencies to adopt the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol for email security to reduce the risk of attacks, such as phishing, from unauthorized email senders.

"We reviewed TVA's internet domains and publicly accessible web site and determined that TVA was not in compliance with OMB (requirements)," said David Wheeler, assistant inspector general for audits and evaluations. "In addition, we found that TVA's web site inventory was incomplete."

Jeremy Fisher, vice president and chief information officer at TVA, accepted the audit findings and vowed to work to correct any deficiencies.

©2019 the Chattanooga Times/Free Press (Chattanooga, Tenn.). Distributed by Tribune Content Agency, LLC.