The Tennessee Valley Authority has failed to comply with new federal cyber security rules for email and web sites, a new audit shows.
The TVA Inspector General said that of 116 TVA-registered internet domains identified for testing against e-mail security requirements, 115 did not meet Department of Homeland Security standards for cyber security during an audit earlier this year.
TVA internal auditors also found encryption requirements were inadequate at 20 of 55 TVA web sites.
The Office of Management and Budget (OMB) wants all federal agencies to adopt Domain-based Message Authentication, Reporting and Compliance (DMARC) protocols for email security to reduce the risk of attacks, such as phishing, from unauthorized email senders.
"We reviewed TVA's internet domains and publicly accessible web site and determined that TVA was not in compliance with OMB (requirements)," said David Wheeler, assistant inspector general for audits and evaluations. "In addition, we found that TVA's web site inventory was incomplete."
Jeremy Fisher, vice president and chief information officer at TVA, accepted the audit findings and vowed to work to correct any deficiencies.
TVA officials said the problems identified by the Inspector General's office were not major risks to the federal utility and either have been or soon will be corrected.
Andrea Brackett, director of TVA cybersecurity, said the concerns raised in the audit "have been remediated or a mitigation plan has been developed" to bring any shortcomings into compliance with the new federal rules.
"TVA Cybersecurity works with the Department of Homeland Security (DHS) on a continuous monitoring basis to identify vulnerabilities and potential weaknesses in systems," Brackett said. "TVA Cybersecurity has classified these findings as low risk to TVA."
Last year, TVA opened a cybersecurity facility in the Chattanooga Office Complex to spot any signs of cyber threats.