FDA Needs to Shore Up Information Security Controls According to GAO

Published: October 13, 2016


Gaps in FDA’s information security practices leave industry and public health data at risk, according to a recent GAO report.

The House Subcommittees on Oversight and Investigations and on Health asked GAO to investigate FDA's information security controls because of the agency's heavy dependence on IT systems to fulfill its mission and the sensitive nature of the data FDA collects, reviews, and stores. GAO was asked to determine whether FDA had effectively implemented information security controls to protect the confidentiality, integrity, and availability of the data in its key information systems.

FDA, part of the Health and Human Services Department, is tasked with ensuring the safety, effectiveness, and quality of U.S. consumer products. These products include human and animal drugs, foods, biological products, medical devices, and cosmetics. The agency collects, processes, and maintains highly sensitive information, including personally identifiable information, trade secrets, and confidential commercial information.

GAO examined seven FDA systems that are essential to FDA’s mission. During its 16-month review, GAO found a significant number of security control weaknesses. Although the agency had taken steps to protect the systems reviewed, more action is needed. Specifically, GAO found the following security deficiencies in the systems reviewed:

  • Inadequate protection of network boundaries
  • Inconsistent user identification and authentication
  • Broad user access beyond what is necessary for them to perform their duties
  • Inconsistent encryption of sensitive data
  • Inconsistent auditing and monitoring of system activity
  • Lack of physical security reviews of facilities

In an interview with Fedscoop about the report, GAO Chief Technologist Nabajyoti Barkakati said that he would rank the FDA’s current digital security at “roughly a six or seven” on a scale of one to 10, putting it on par with most other federal agencies.

FDA has not fully implemented an agency-wide information security program as required by FISMA, which explains some of the security gaps cited in the report.

GAO made 15 broad recommendations in order to improve FDA’s information security program, including:

  • Developing a policy for system maintenance.
  • Reviewing and approving security plans for six of the systems reviewed at least annually.
  • Implementing a process to effectively monitor and track training for personnel with significant security roles and responsibilities.

GAO also recommended 166 specific technical actions in a separate report that has not been made available to the public.

FDA agreed with GAO’s recommendations and has begun implementing them. These security deficiencies may offer opportunities for contractors to assist the agency with shoring up its security posture.